ES2222790B2 - A PROVISION FOR H.323 MANDATARIES. - Google Patents

Abstract

The invention provides, in multimedia networks comprising firewalls, an arrangement for a communications unit, especially for H. 323 security servers, by which a network adapter (NA) (2,4) is provided. The NA (2,4) provides mechanisms to enable multimedia H 323 traffic through firewalls, and a wide range of functionalities such as firewall support, NAT, media stream multiplexing, QoS mechanisms, behavior improvements for signaling connections, clandestine listening, bridging, interaction with media channels and authentication of integrity and privacy between network adapters of the invention.

Description

A provision for H.323 agents.

Field of the invention

The present invention relates to executions of Large-scale multimedia network according to the recommendation of H.323 of the "International Telecommunication Union", and especially to such networks comprising partitions Firewall

The problem areas

The recommended H.323 standard describes networks of multimedia and communications in them, in which such networks they can include local area networks (LAN) such as a LAN in a private company, in a public agency, in a commercial company, or in some other type of organization. In order to protect a LAN connected to other networks against unauthorized access and possibly hostile network users outside the LAN, communication between LAN and other networks are usually done through a protection provision called "firewall partition". He firewall partition acts in reciprocity with the communication of mode that limits or rejects unwanted or unwanted communication, according to a given set of rules.

The important areas covered by H.323 are:

a) Warning signs of registration, admission and state (RAS),

b) Warning signs of Q.931 and H.245, and

c) Traffic and media channels

RAS warning signs usually go to previously defined ports and consequently it is trivial that get through the firewall partitions. Q.931 and the H.245 are usually notified by signals per assigned ports dynamically and therefore it is more difficult for them to move on to through the fire partitions. In a call channeled by the Goalkeeper (GK) H.323, such as when two endpoints meet communicate through a GK, and not directly, a GK has to act in some way in reciprocity with a firewall partition to In order to let such traffic pass. However, it is even more difficult that media channels pass through the partitions firewall, since such traffic is normally established directly between the extreme points. This means that a provision that comprises a GK somehow acts on reciprocity with a firewall and endpoints and / or a corresponding provision must be made.

Improvements in performances, for example, by traffic multiplexing, traffic prioritization or QoS (Quality of Service), listen secretly, interference with media (for example, to add ads) and bridging (for example, between protocols and / or protocol versions), mechanisms of security (integrity, authentication and privacy), all point to functionalities normally difficult to achieve in networks H.323.

Known solutions and their problems

A known solution to problems described above is to use extreme points and firewall partitions protected by property rights. This still does not solve the problems related to letting the H.323 traffic through the firewall partitions, with the traffic prioritization, with the Quality of Service, and with the security mechanisms.

Another known solution to let the media channels and warning signals through a partition Firewall consists of opening a wide range of ports to User Datagram Protocol (UDP) and Protocol traffic of Transmission Control (TCP). An important disadvantage of such a solution is that the firewall does not have then virtually any control of the traffic going to the LAN, which supposed to protect.

In addition, security mechanisms for purposes such as integrity, authentication and privacy could be obtained and supported by the endpoints themselves. The disadvantages of these solutions are that some extra time could be invested in negotiating security properties, and that other rules or agreements have to be developed and supported. Especially in UDP, which is the bearer of media traffic, Internet Protocol Security
(IPSEC) that could support, for example, media channel deprivation, is of little value since it is not deployed to a sufficient scale.

Other background material related to the technical area has been presented in a series of documents in relationship with Patents: US 5 802 058 in which a media manager in a communications network that acts as intermediary in establishing the connection between points ends and conduction resources for connection. In the document WO 98/37664 describes a network in which a set of media components, including IP traffic is encapsulated in an ATM VC (automated VC) as an entity, and switched using a robust warning signal system to use the records of resulting connection to charge on the basis of use; and US 5 898 890 describing a firewall partition that provides network security and user transparency improved.

There are and are also known mechanisms for let H.323 traffic through firewall partitions, providing for that a certain kind of provision of substitution. The problems of these mechanisms are related with a "quick start" and with the "tunneling", and with the fact that the elements of endpoints, mandatory and goalkeepers must necessarily cooperate all and act in reciprocity with each other to solve the problem.

Objects of the invention

Consequently, an object of the present invention is to propose a provision that is capable of resolving all problems mentioned in the Problem Areas section of this Descriptive memory.

Brief exposition of the invention

The objects of the present invention are achieved providing a representative of H.323, named here in what follow a network adapter (NA), which could be done by running it as a small computer application. He NA is typically located somewhere on the LAN, at the border of the corporate LAN, and usually in the demilitarized zone (DMZ) of a firewall partition. The network adapter of the Present invention is capable of solving all problems mentioned in the Problem Areas section of this Report Descriptive. The network adapter receives all the signals from notice (RAS / Q.931 / H.245 so it is in itself a GK) as well as all media (RTP / RTCP) from their connected endpoints, other network adapters and / or one or more gatekeepers (GK) of H.323. In a later section of this Descriptive Report a description of warning signs and media traffic.

Brief description of the drawings

Figure A is a schematic drawing of a example of a possible configuration of a multimedia network that incorporates the network adapter of the present invention, and Figure B is a schematic drawing of a network adapter of the present invention.

Detailed description of achievements

With reference to Figure 1, it has been illustrated in she an example of a typical warning signal scenario, in where an extreme point (1) behind an NA (2) is communicating  with another extreme point (5) behind another NA (4), and where both NAs are in communication with the same GK (3). The same warning signal scenario could also be described through:

extreme point (1) \ rightarrow adapter network (2) \ rightarrow porter (3) \ rightarrow network adapter (4) → extreme point (5).

The media follow to some extent the same way, but in the example in Figure 1 they are communicating directly between the two adapters of the NA network (2) and Na (4) respectively.

However, the relative network configuration to the positions of the end points, the NAs and the GKs it could be available in various ways, also different from that of the Example illustrated in Figure 1.

The important features of an adapter of the network of the present invention are:

to)

It is not it is necessary that the endpoints be updated fact that your traffic has passed through an adapter of the net.

b)

no there is a limitation in the number of network adapters that could Send traffic between endpoints.

With reference to Figure 2, it has been illustrated in she a network adapter consisting of two different modules. A module is a control part (6) to control the signals H.323 (RAS / Q.931 / H.245) and another is a shipping part (7) to send media packages.

The control module or part (6) is responsible of communication with extreme points, goalkeepers and others network adapters. It is also responsible for providing instructions to the shipping party regarding where to expect traffic, and where that traffic should be sent.

The sending module or part (7) simply sends media traffic from an NA port connected to a client H.323 to a port of the NA connected to another NA. Therefore, this part is a prerequisite when partitions are traversed Firewall Since the sending part also handles TCP, the T.120 is also supported for T.120 customers by assigning ports dynamically.

The NA of the present invention is also contemplated as including functionalities such as those of:

to)

Training support for partitions Firewall and Network Address Translation (NAT). When control both warning and media signals, the adapter of the network of the present invention can use part H.245 of H.323 to instruct the extreme points and the NAs on which port and IP address send traffic. When you control where to where endpoints and the NAs of the present invention receive and send its means, it is a simple matter to configure a firewall partition to support this provision, opening a range of previously defined ports. When extreme points are trained located in a different NAT to communicate with H.323, the network adapters of the present invention should be located in a Demilitarized Zone (DMZ): The F (8) interface (as has been illustrated in Figure 2) is used by the control part to instruct the sending party about what the connections should be to send traffic, as described in what precedes.

b)

He multiplexing of several media streams that go to the same network of reception. Multiplexing H.323 traffic between adapters the network, this traffic can be sent by underlying links separate or virtual connections. Such connections could have different QoS. Multiplexing means transmitting several media streams, otherwise sent by UDP connections separated, by the same UDP connection. Consequently, a multiplexing protocol must include a certain class of Original connection identity in the multiplexed UDP connection. This functionality will be provided by the control.

C)

The execution of other QoS mechanisms. This could be achieved. first determining the round trip delay, such as sending for this, samples or test packages from one NA to another Na identified, or by other means. Then, if you consider that the round trip delay is excessive, the NA could refuse a connection in an attempt to establish. Such functionality will be provided by the control part and can be used when Establish new connections.

d)

He multiplexing of the warning signal connections in order to improve the performances. This requires a multiplexing protocol of warning signals that could work in the same way as a media multiplexing protocol, although in TCP instead of in UDP. This functionality is provided by the part of control.

and)

The provision of integrity, authentication and privacy that may be Easily apply between network adapters. For such purposes, it They can apply IPSEC and / or SSL. A configuration manager You can decide the kind of security mechanisms to be apply between different NAs. As an example, SSL could be used  for all TCP connections (used for warning signals) between certain GKs and NAs identified. A manager can specify that among certain NAs, IPSEC must be used in all UDP connections. This functionality can be provided by the control part or by the sending part, or by a combination of these.

F)

That of Listen secretly. Since all media traffic is channeled through the network adapter, at this point you can hide and seek Listening secretly from the H.323 communications that do not pass through an adapter of the network is generally difficult, since there is no control over where traffic is circulating, or what set of ports are used by H.323 means. However, in the NA of the present invention, the execution of support for sneaking listening is simple. The control part, the F interface and the sending part, make use of UDP packet copy methods in certain previously defined connections, and then send such copies to the registration unit

g)

He support for local differences of H.323. They can be placed different kinds of bridging in the network adapter of the present invention Such bridging may consist of translating between different versions of the standard, such as version 1 of H.323 to version 2, or between different standards, such as the SIP to H.323. This functionality can be provided by the party.  control or by the shipping party, or by a combination of these.

h)

The reciprocal action with the media channels through a Media Application Programmers Interface (API), located On top of the shipping part. In this way they can be applied Easily advertisements and advertising. This can be achieved from different modes, such as replacing or combining certain parts of a video conference by text or commercial video, or by a  combination of these. Such media API must have possibilities to specify where to make such a replacement and with what replace. This is a fairly complex task, since it is due be able to obtain knowledge or information from parameters such as the video format, etc. Such information can be obtained without However, from and by means of warning signs or from the control. Therefore, a provision has to be provided that supports such functionality, both on the part of control and by the shipping part. In this context, another possibility that provides the NA of the present invention is the possibility of adding an identity of a person or of people taking part in a video conference This information should also be obtained. of, and through, the control part, reading for it the end user alias (typically the alias of the E.164 number or the email alias), and then insert the information from identity somewhere in the image of the videoconferencing

It should be noted that all mechanisms and functionalities described above can be applied in any means that provide the network.

Now, again with reference to Figure 2, it describes in the following an example of an execution of a interface F (8) between a control part (6) and a sending part (7) of a network adapter in accordance with this invention:

The sending part (7) provides an interface with three basic orders or messages and their corresponding messages Acknowledgment and return values:

to)

open Channel (address, protocol) \ rightarrow return Free port, status (ok / no ok) (ok / no ok)

b)

Start Channel (address, port, Remote IP address, Remote port, protocol) \ rightarrow return status (ok / no ok)

C)

close Channel (port, address, protocol) \ rightarrow return status (ok / no ok)

The address parameter indicates either from the LAN environment to the external environment or from the external environment to the LAN environment. The protocol parameter is either TCP or UDP. indicating that the example of a network adapter according to the present invention is also supporting the sending of TCP packets, although initially it is constructed to send UDP packets.

In the example described above, the reason for separating open Channel and start Channel was to optimize the code. The Open Channel message starts and establishes parts of the environment that can be started and prepared before the order to start Channel is executed, such as to obtain a free server port, etc.

The H.323 message that triggers both the Open channel and the Start channel message is the established Q.931 message when the fast boot is happening, and the H.245 message opens the Logical Channel when the H. is being passed. 323 alone. Upon closing, the Q.931 release Complete and the H.245 close Logical Channel, which invokes closing Channel , are in order. This applies in both cases when TCP and UDP are being passed. As a clarification, when the quick start is happening, the H.245 of opening Logical Channel is in fact tunneled into the established Q.931 message. The messages of opening Channel and starting Channel could have been fused in this scenario, but, nevertheless, in other scenarios it has been proven that it is useful to keep them separate.

The network adapter includes the functionality to allow signals / messages to cross several nodes. A node can be an endpoint, an NA (network adapter) or a porter (in SIP, a SIP server). In a network, there may be several endpoints, gatekeepers (SIP servers) and NAs, is say, both on the origin side and on the termination side. Systems alone, such as H.323, do not have such functionality, but this is planned in systems that include the NA according to the invention. Two different solutions or approaches They can withstand the crossing of the nodes:

one.

OR well each node stores such information, preferably, persistent; O well

2.

The signals / messages are updated with such information to be messages transported through the system, and therefore through the Nas.

The type of information to be obtained Access is such as:

to)

Addresses: each node, or its own message, they must keep data on which node sent a message and to which node has to pass the message.

b)

Data from extreme point or similar to extreme point: The domestic environment, represented by an H.323 porter (or SIP server) in this document, receive endpoint information and / or as the network adapter. Information such as the NA could be type of access (for example H323Phone, H323Pc PstnUni, PstnNni, H320Uni, H320Nni, GsmUni, GsmNni, PbxUni). Or in a similar way, for SIP, SipPhone, SipPc, etc. systems

If the message itself will keep the information on addresses, the following are added to the messages elements:

one.

List of address pairs. Each node of the system adds its addresses to the list of address pairs. There could be, of In fact, several addresses for each node. The physical address of the node, the address of the voice channel, the media channel, etc.

2.

Link Index: The Link Index identifies which node is currently being accessed in the list of address pairs. Messages can be issued already either from the extreme points or from the goalkeepers of domestic environment The link index only has to be used when messages are issued from the doormen domestic. Then, the path of access by integer to the endpoint, before the message travel to the extreme point. In the path only the link index is modified.

The range of ports that the part of will use NA delivery must be configured on both the firewall partition as in the NA.

Advantages

The important advantages provided by the NA of the present invention are:

-

that Firewall partitions can be traversed as if they were transparent by normal H.323 customers;

-

the Nat It is supported;

-

be you can apply listening to hide and seek;

-

be can add ads or advertising;

-

be they can easily apply the QoS mechanisms;

-

be they can get improvements in actions related to both traffic of warning signals such as media traffic, entering for it multiplexing protocols;

-

be you can easily apply the bridge between the different protocols, etc .;

-

be You can easily add security functionality;

-

due to which the sending part also handles TCP, the T.120 is supported also for T.120 customers dynamically assigning ports; Y

-

be you can get the widening, in which the shipping part of the network adapter can be used by applications not of H.323.

Acronyms

DMZ Zone Demilitarized Gk Goalkeeper IPSEC Security Internet Protocol NA Adapter net LAN Local area network

Claims (11)

1. An H.323 network adapter to provide an H.323 agent service that allows H.323 media traffic between a first H.323 endpoint in a first network and a second H.323 endpoint in a second network, said first network and said second network operating with a porter, characterized in that said network adapter is adaptable to operate together with said first network and to drive H.323 media between said first network and a second network adapter Corresponding H.323 adapted to operate in conjunction with said second network, the second corresponding H.323 network adapter being similar to said H.323 network adapter, and that said H.323 network adapter comprises a control part (6) in communication with a sending part (7), in which said control part (6) is adapted

to)

for process and mediate an H.323 call control message regarding at least said first end point, said second end point and said goalie, and

b)

for generate a media transport order for that shipping part (7) based on said H.323 call control message, and in which said shipping part is adapted to respond to said means transport order, and to receive and send said H.323 media traffic in accordance with said transport order of media.

2. The H.323 network adapter according to Claim 1, wherein said first network includes a firewall configured with a port, said means designated to allow media traffic to pass through the firewall without the firewall acting. in reciprocity with the media traffic, characterized in that the sending part (7) is configurable to effect an adaptation of a port designation of said media traffic in accordance with the firewall port based on a media transport order generated by the control part (6) on the basis of at least one of an RAS warning signal message, Q.931 and H.245 received and processed by the control part (6). 3. The H.323 network adapter according to Claim 2, characterized in that the control part (6) is adapted to generate means transport orders to open Channel (address, protocol) and to start Channel (address , port, remote IP address, remote port, protocol) upon receiving an established Q.931 message or an H.245 message to open Logical Channel, and to conduct said means transport orders to open Channel and initiate Channel to said sending part (7), and said sending part (7) is adapted, upon receiving said means transport orders to open Channel and start Channel, to effect the sending of said H.323 media traffic in accordance with said parameters (address, protocol, port, remote IP address and remote port), where the "address" parameter indicates media traffic to or from the first network, and the "port" parameter indicates the designated port of the firewall. 4. The H.323 network adapter according to Claim 2, characterized in that the control part (6) is adapted to generate a transport order of means of closing Channel (port, address, protocol) upon receiving a message Full release Q.931 or an H.245 message to close the Logical Channel, and to drive said order of transportation of dining means Channel to said shipping part (7), and said shipping part (7) upon receiving said order of means transport closing Channel carries out the non-continuous sending of said H.323 media traffic according to said parameters (port, address, protocol), wherein the "address" parameter indicates media traffic to or from the first network, and the "port" parameter indicates the designated port of the firewall. 5. The H.323 network adapter according to Claim 3, characterized in that the "protocol" parameter indicates TCP or UDP. 6. The H.323 network adapter according to any of claims 2, 3, 4 and 5, characterized in that said H.323 network adapter is located in the demilitarized zone (DMZ) of the firewall. 7. The H.323 network adapter according to any of the preceding claims, characterized in that the control part (6) is adapted to communicate with endpoints, porters, and other network adapters of said first and second networks . 8. The H.323 network adapter according to any of the preceding claims, characterized in that the sending part is adapted to send media traffic from a port of said H.323 network adapter connected to the first endpoint to a port of said adapter of the H.323 network connected to a port of the second adapter of the corresponding network, and vice versa. 9. The H.323 network adapter according to any of the preceding claims, characterized in that said network adapter is a doorman. 10. The H.323 network adapter according to any of the preceding claims, characterized in that said network adapter is adapted to provide support functions for firewalls, NAT partitions, multiplexing of the media stream, mechanisms of QoS, of better performances for connections of warning signals, of eavesdropping, bridging, of action in reciprocity with media channels, and of integrity, authentication and privacy between network adapters, or a combination of one or more more of the aforementioned functionalities. 11. An adapted telecommunications network R323, characterized in that the H.323 adapted telecommunications network includes an adapter of the H.323 network according to any one of the preceding claims.