JP2007235638A - Sip communication system, sip gateway device and sip communication control method used for the same - Google Patents

Abstract

<P>PROBLEM TO BE SOLVED: To provide an SIP communication system in which an address in a base is constituted of a private address to thereby prevent the tapping and alteration of RTP communication. <P>SOLUTION: During a process in which an SIP gateway 1-1 existing in a base 201 and an SIP gateway 1-2 existing in a base 202 establish an RTP session such as telephone call between an SIP terminal 2-1 existing in the base 201 and an SIP terminal 2-2 existing in the base 202, addresses of the SIP gateways 1-1, 1-2 are recorded in a payload in an SIP packet. The SIP gateway 1-1 detects the address of the SIP gateway 1-2 included in the payload of the SIP packet, an RTP address and a port number used between the SIP terminal 2-1 and the SIP terminal 2-2 and dynamically sets an IPsec tunnel 101 which encapsulates the RTP communication between the SIP gateway 1-1 and the SIP gateway 1-2 by IPsec. <P>COPYRIGHT: (C)2007,JPO&INPIT

Description

  The present invention relates to a SIP communication system, a SIP gateway device, and a SIP communication control method used therefor, and more particularly, to a SIP (Session Initiation Protocol) communication from a private address base via the Internet.

  Conventionally, as a representative of SIP communication from a private address base via the Internet, there is a communication system that performs SIP communication using SIP-NAT (Network Address Translator) (for example, see Non-Patent Document 1). The configuration of this system is shown in FIG.

  6, in this communication system, a SIP terminal 2-1 and SIP-NAT5-1 represented by an IP (Internet Protocol) phone exist at a base 201, and a SIP terminal 2-2 and a SIP-NAT5 at a base 202. -2 exists, and the SIP server 3 and the center router 4 exist in the center base 300.

  The SIP-NAT5-1, SIP-NAT5-2, and the center router 4 can set an IPsec (IP security protocol) tunnel, and an IPsec tunnel 102 is set between the SIP-NAT5-1 and the center router 4, An IPsec tunnel 103 is set in advance between the SIP-NAT 5-2 and the center router 4.

  Since SIP packet communication between the SIP terminal 2-1 and the SIP terminal 2-2 passes through the SIP server 3, on the global network 100, the SIP-NATs 5-1 and 5-2 and the center router 4 are connected. It passes through the IPsec tunnel using the global address. That is, the security of the SIP packet is maintained by setting the IPsec tunnel 102 and the IPsec tunnel 103 in advance.

RFC (Request For Comments) 1631 “The IP Network Address Translator (NAT)” (May 1994)

  However, in SIP communication over the Internet represented by the above-described conventional SIP-NAT or the like, in RTP (Real-time Transport Protocol) communication of a call transmitted from SIP-NAT5-1, the destination is SIP-NAT5- 2, the global address normally passes through the global network 100 directly without passing through the IPsec tunnel 102 and the IPsec tunnel 103. Therefore, in this SIP communication, there is a problem that there is a risk that the RTP communication of a call will be wiretapped or altered in the Internet.

  Also, in conventional SIP communication, in order to avoid the above problem, when all RTP communication is set to pass through the IPsec tunnel 102 or IPsec tunnel 103, the RTP communication of all bases is concentrated on the center router 4. However, when the load is greatly increased or the center router 4 and the bases 201 and 202 are located very far apart, there is a problem that the delay of the call is also affected.

  Furthermore, in conventional SIP communication, since the RTP port number is indefinite until it is determined by the SIP sequence, it is difficult to set the RTP communication to pass through the firewall existing on the RTP communication path on the global network 100. There's a problem.

  Furthermore, in the conventional SIP communication, in the case of the implementation method using SIP-NAT, since all private addresses included in the SIP payload need to be converted into global addresses, the address managed in the cache or the like becomes too large. As a result, there is a problem that the memory increases and the processing becomes complicated.

  Accordingly, an object of the present invention is to solve the above-mentioned problems, configure the SIP address system, SIP gateway apparatus, and the SIP communication system apparatus that can configure the in-site address with a private address and prevent eavesdropping and modification of RTP communication. It is to provide a SIP communication control method.

The SIP communication system according to the present invention is a SIP communication system in which first and second SIP (Session Initiation Protocol) gateway devices are respectively connected to a SIP server,
Each of the first and second SIP gateway devices uses IPsec [Real-time Transport Protocol (IPP)] to dynamically perform RTP (Real-time Transport Protocol) communication between the first SIP gateway device and the second SIP gateway device. An IP (Internet Protocol) security protocol] means for setting a tunnel is provided.

A SIP gateway device according to the present invention is a SIP gateway device connected to a SIP (Session Initiation Protocol) server,
There is provided means for setting an IPsec [IP (Internet Protocol) security protocol] tunnel for performing RTP (Real-time Transport Protocol) communication dynamically with other SIP gateway devices.

A SIP communication control method according to the present invention is a SIP communication control method used in a SIP communication system in which first and second SIP (Session Initiation Protocol) gateway devices are respectively connected to a SIP server,
Each of the first and second SIP gateway devices uses IPsec [Real-time Transport Protocol (RTP) communication dynamically between the first SIP gateway device and the second SIP gateway device. A process of setting an IP (Internet Protocol) security protocol tunnel is executed.

  That is, the SIP (Session Initiation Protocol) communication system of the present invention analyzes the SIP payload by SIP communication and sets an IPsec tunnel for performing RTP (Real-time Transport Protocol) communication dynamically between SIP gateways. Yes. In the SIP communication system of the present invention, the gateway address is inserted into the SIP payload by the secure SIP gateway device.

  As a result, in the SIP communication system of the present invention, it is possible to prevent eavesdropping and modification of RTP in SIP communication between bases connected via the Internet, and to prevent the extreme concentration of RTP communication on the center router.

  More specifically, in the SIP communication system of the present invention, the first SIP gateway existing at the first base and the second SIP gateway existing at the second base are connected to the IP (Internet Protocol) phone. In the process of establishing an RTP session such as a call between a first SIP terminal present at a representative first base and a second SIP terminal present at a second base, a SIP gateway is included in the payload of the SIP packet. Record the address.

  The first SIP gateway detects the address of the opposing second SIP gateway included in the payload of the SIP packet and the RTP address and port number used between the first SIP terminal and the second SIP terminal. Thus, an IPsec tunnel that encapsulates RTP used in a call or the like between the first SIP gateway and the second SIP gateway with IPsec (IP security protocol) is dynamically set.

  Thereby, in the global network, since the global address used in the RTP communication is limited to the address of the SIP gateway, a private address can be used for the network of the first base and the second base. Further, in the SIP communication system of the present invention, since RTP communication between the first SIP gateway and the second SIP gateway is protected by IPsec, it is possible to prevent eavesdropping and modification of RTP communication in the global network. It becomes.

  Furthermore, in the SIP communication system of the present invention, the address and protocol for RTP communication in the global network are fixed by ESP (Encapsulating Security Payload: Encrypted Payload) or IKE (Internet Key Exchange). Even if a firewall exists in the global network, it is not necessary to open all the port numbers for the RTP port, and security management becomes easy.

  As described above, in the SIP communication system of the present invention, RTP communication between SIP gateways is encapsulated with IPsec using the global address of the SIP gateway, so that the address in the base can be configured with a private address. . In this case, in the SIP communication system of the present invention, since RTP communication between SIP gateways is protected by an IPsec tunnel, wiretapping and modification of RTP communication can be prevented.

  Further, in the SIP communication system of the present invention, RTP communication between SIP gateways is directly connected by an IPsec tunnel, so that RTP communication does not need to be routed through the center router, and the load on the center router can be reduced.

  Further, in the SIP communication system of the present invention, since an IPsec tunnel is dynamically established when RTP communication between SIP gateways is required, resources for establishing an IPsec tunnel are not always occupied.

  Furthermore, in the SIP communication system of the present invention, since the security policy and the address of the SIP gateway are added to the SIP packet and transmitted, it is necessary to separately prepare a security server for controlling the IPsec tunnel of the SIP gateway in this configuration. There is no.

  By adopting the configuration and operation as described above, the present invention can configure the base address as a private address, and can obtain an effect of preventing eavesdropping and modification of RTP communication.

  Next, embodiments of the present invention will be described with reference to the drawings. FIG. 1 is a block diagram showing a configuration of a SIP (Session Initiation Protocol) communication system according to an embodiment of the present invention. In FIG. 1, in one embodiment of the present invention, a base 201, a base 202, and a center base 300 can be connected via the global network 100.

  The base 201 includes a SIP terminal 2-1 represented by an IP (Internet Protocol) phone and a SIP gateway 1-1, and the base 202 includes a SIP terminal 2-2 and a SIP gateway 1-2. The center base 300 includes the SIP server 3 and the center router 4.

  The SIP gateway 1-1, the SIP gateway 1-2, and the center router 4 can set an IPsec (IP security protocol) tunnel, and the IPsec tunnel 102 is connected between the SIP gateway 1-1 and the center router 4 as an SIP gateway. An IPsec tunnel 103 is set in advance between 1-2 and the center router 4.

  Since SIP packet communication between the SIP terminal 2-1 and the SIP terminal 2-2 passes through the SIP server 3, on the global network 100, the SIP gateways 1-1 and 1-2 and the center router 4 are connected. It passes through the IPsec tunnel using the global address. Thus, even if the addresses of the SIP terminal 1-1 and the SIP terminal 1-2 are private addresses, they are not used in the global network 100.

  FIG. 2 is a block diagram showing the configuration of the SIP gateways 1-1 and 1-2 in FIG. In FIG. 2, the SIP gateways 1-1 and 1-2 are collectively expressed as the SIP gateway 1. The SIP gateway 1 includes interfaces 11, 12, a SIP determination unit 13, a SIP parser 14, a SIP payload control unit 15, a SIP information storage unit 16, a routing processing unit 17, an IPsec processing unit 18, and an IPsec control. Part 19. The processes of the SIP determination unit 13, the SIP parser 14, the SIP payload control unit 15, the routing processing unit 17, the IPsec processing unit 18, and the IPsec control unit 19 can be replaced by a computer executing a program.

  A packet input through the interface 11 is determined by the SIP determination unit 13 as to whether it is a SIP packet. If not a SIP packet, the SIP determination unit 13 passes the packet to the routing processing unit 17. The routing processing unit 17 selects an optimum interface 12 according to the destination address of the IP packet transmitted from the SIP terminals 2-1, 2-2 and the like.

  Thereafter, the packet is transferred from the routing processing unit 17 to the IPsec processing unit 18. The IPsec processing unit 18 encapsulates an IP packet having a designated transmission address, destination address, and port number with IPsec according to a preset security policy. Note that the routing processing unit 17 and the IPsec processing unit 18 are equivalent to the functions of a well-known router, and thus detailed description of the operation is omitted. The packet for which these processes are completed is output from the interface 12.

  Next, when the SIP determination unit 13 determines that the packet is a SIP packet, the SIP packet is passed to the SIP parser 14. The SIP parser 14 analyzes the payload of a SIP packet represented by a UDP (User Datagram Protocol) port number 5060, and acquires an address and a port number used in RTP (Real-time Transport Protocol) communication. The acquired information is stored in the SIP information storage unit 16.

  This SIP packet is passed from the SIP parser 14 to the SIP payload control unit 15. The SIP payload control unit 15 assigns a global address assigned to the interface 12 side of the SIP gateway 1 or a preset security policy to the payload of the SIP packet. The SIP parser 14 also has a function of acquiring information provided by the SIP payload control unit 15. When this information is acquired by the SIP parser 14, such information is also stored in the SIP information storage unit 16.

  After the processing is performed by the SIP payload control unit 15, the SIP packet is transferred to the routing processing unit 17, and the IP packet transmitted from the SIP terminals 2-1, 2-2, etc. by the routing processing unit 17 according to the destination address. The optimum interface 12 is selected. Thereafter, the SIP packet is passed from the routing processing unit 17 to the IPsec processing unit 18. The IPsec processing unit 18 encapsulates an IP packet having a designated transmission address, destination address, and port number with IPsec according to a preset security policy, and outputs it from the interface 12.

  The SIP payload control unit 15 dynamically sets an IPsec tunnel in the IPsec processing unit 18 through the IPsec control unit 19 when information for setting an IPsec tunnel between SIP gateways is prepared in the SIP information storage unit 16. This dynamically set IPsec tunnel is indicated by IPsec tunnel 201 in FIG.

  3 to 5 are sequence charts showing the operation of the SIP communication system according to one embodiment of the present invention. The operation of the SIP communication system as a security SIP network according to an embodiment of the present invention will be described with reference to FIGS. The SIP sequences shown in FIG. 3 to FIG. 5 are examples of general SIP sequences, and may differ depending on the combination of the SIP server and the SIP terminal, but are not related to the present invention. The description about is omitted. In addition, descriptions of SIP sequences that are not important for the description of the SIP communication system according to an embodiment of the present invention are also omitted.

  When IP phone # 1 (SIP terminal 2-1) makes a call to IP phone # 2 (SIP terminal 2-2), the SIP packet “INVITE (inbyte) request (session) is sent from IP phone # 1 to the SIP server. Establishment request) "is transmitted (see a1 in FIG. 3). This “INVITE request” includes the standby address and port number of IP phone # 1 necessary for RTP communication during a call.

  When SIP gateway # 1 (SIP gateway 1-1) receives this “INVITE request”, it reads the RTP standby address and port number of IP phone # 1 and stores them in the SIP information storage unit 16 (a2 in FIG. 3). reference). The SIP gateway # 1 writes the address and security policy of the SIP gateway # 1 in the “INVITE request” (see a3 in FIG. 3) and transfers it to the SIP server (see a4 in FIG. 3).

  When the SIP server receives the “INVITE request”, it performs general SIP processing and then transmits the “INVITE request” to the IP phone # 2 (see a5 in FIG. 3). The “INVITE request” includes information given by the SIP gateway # 1.

  When the SIP gateway # 2 (SIP gateway 1-2) receives the "INVITE request", it reads the RTP standby address and port number of the IP phone # 1, the address of the SIP gateway # 1, and the security policy, and the SIP information storage unit 16 (see a6 in FIG. 3). Here, the SIP gateway # 2 deletes information added by the SIP gateway # 1 and unnecessary for the IP phone # 2 (see a7 in FIG. 3). Thereafter, the SIP gateway # 2 transfers the “INVITE request” from which unnecessary information is deleted to the IP phone # 2 (see a8 in FIG. 3).

  Upon receiving the “INVITE request”, IP phone # 2 performs a general SIP process and then transmits a “200 OK response” to the SIP server (see a9 in FIG. 4). This “200 OK response” includes the standby address and port number of IP phone # 2 necessary for RTP communication during a call.

  When the SIP gateway # 2 receives the “200 OK response”, it reads the RTP standby address and port number of the IP phone # 2 and stores them in the SIP information storage unit 16 (see a10 in FIG. 4). SIP gateway # 2 writes the address of SIP gateway # 2 and the security policy response received from SIP gateway # 1 in "200 OK response" (see a11 in FIG. 4), and transfers it to the SIP server (FIG. 4). a12).

  When the SIP server receives the “200 OK response”, it performs a general SIP process and then transmits a “200 OK response” to IP phone # 1 (see a13 in FIG. 4). The “200 OK response” includes information given by the SIP gateway # 2.

  When the SIP gateway # 1 receives the “200 OK response”, it reads the RTP standby address and port number of the IP phone # 2, the address of the SIP gateway # 2, and the security policy response, and stores them in the SIP storage unit 16 ( (See a14 in FIG. 4). Here, the SIP gateway # 1 deletes the information given by the SIP gateway # 2 and unnecessary for the IP phone # 1 from the “200 OK response” (see a15 in FIG. 4). The SIP gateway # 1 transfers the “200 OK response” from which unnecessary information is deleted to the IP phone # 1 (see a16 in FIG. 4).

  When the IP phone # 1 receives the “200 OK response”, it sends “ACK (ACKnowledgement)” to the SIP server (see a17 in FIG. 5), and opens the RTP port used for the call.

  When the SIP gateway # 1 receives “ACK”, the SIP gateway # 1 uses the information stored in the SIP storage unit 16 to make settings for encapsulating the RTP packet used in the call with IPsec (see a18 in FIG. 5). ). The SIP gateway # 1 adds the ACK of the security policy response received from the SIP gateway # 2 to “ACK” (see a19 in FIG. 5), and transfers it to the SIP server (see a20 in FIG. 5).

  Upon receiving “ACK”, the SIP server performs general SIP processing and then transmits “ACK” to IP phone # 2 (see a21 in FIG. 5). When receiving “ACK”, the SIP gateway # 2 uses the information stored in the SIP storage unit 16 above to make settings for encapsulating the RTP packet used in the call with IPsec (see a22 in FIG. 5). ).

  The SIP gateway # 2 deletes the information given by the SIP gateway # 1 and unnecessary for the IP phone # 2 from “ACK” (see a23 in FIG. 5). The SIP gateway # 2 transfers “ACK” from which unnecessary information is deleted to the IP phone # 1 (see a24 in FIG. 5). Upon receiving “ACK”, IP phone # 2 performs general SIP processing and opens an RTP port used for a call.

  Through the series of operations described above, the RTP communication between the IP phone # 1 and the IP phone # 2 (see a25 and a27 in FIG. 5) and the RTP communication between the SIP gateway # 1 and the SIP gateway # 2 are made IPsec. The IPsec tunnel (see a26 in FIG. 5) to be encapsulated is established.

  As a result, since the RTP communication passes through the IPsec tunnel 101 set by the global addresses of the SIP gateway 1-1 and the SIP gateway 1-2 on the global network 100, the SIP terminal 2-1 and the SIP terminal 2 -2 private address is never used on the global network 100.

  In this embodiment, it is assumed that eavesdropping and modification of the security policy itself are protected by the IPsec tunnel 103 and the IPsec tunnel 102 in FIG. In this embodiment, when the security policy is not protected by the IPsec tunnel 103 or the IPsec tunnel 102, a protocol such as encrypting and exchanging the security policy itself can be considered. These descriptions are not detailed because they are not relevant.

  In this way, in this embodiment, RTP communication between the SIP gateways 1-1 and 1-2 is encapsulated with IPsec using the global addresses of the SIP gateways 1-1 and 1-2. Can be configured with a private address. In this case, in this embodiment, since the RTP communication between the SIP gateways 1-1 and 1-2 is protected by the IPsec tunnel 101, wiretapping and modification of the RTP communication can be prevented.

  In this embodiment, since the RTP communication between the SIP gateways 1-1 and 1-2 is directly connected by the IPsec tunnel 101, the RTP communication does not need to go through the center router 4 and the load on the center router 4 is reduced. be able to.

  Further, in this embodiment, since the IPsec tunnel 101 is dynamically established when RTP communication between the SIP gateways 1-1 and 1-2 becomes necessary, it is possible to always occupy resources for establishing the IPsec tunnel. Absent.

  Furthermore, in this embodiment, since the security policy and the addresses of the SIP gateways 1-1 and 1-2 are added to the SIP packet and transmitted, the IPsec tunnels of the SIP gateways 1-1 and 1-2 are controlled in this configuration. There is no need to prepare a separate security server.

  As another embodiment of the present invention, the basic configuration is as described above, but the IPsec processing unit can be replaced with a simple IPoverIP processing unit or the like. The IPoverIP processing unit encapsulates an IP packet such as an RTP packet with an IP header terminated with the addresses of the SIP gateways 1-1 and 1-2.

  In this configuration, it is not necessary to write the IPsec security policy in the SIP packet, and only the addresses of the SIP gateways 1-1 and 1-2 need be written. In this embodiment, it is necessary to take a workaround such as the SIP terminals 2-1 and 2-2 encrypting the RTP packet and transmitting the risk of eavesdropping or alteration by IPsec, but other effects are maintained. This is useful in a configuration in which RTP can be encrypted by the SIP terminals 2-1 and 2-2.

It is a block diagram which shows the structure of the SIP communication system by one Example of this invention. It is a block diagram which shows the structure of the SIP gateway of FIG. It is a sequence chart which shows operation | movement of the SIP communication system by one Example of this invention. It is a sequence chart which shows operation | movement of the SIP communication system by one Example of this invention. It is a sequence chart which shows operation | movement of the SIP communication system by one Example of this invention. It is a block diagram which shows the structure of the conventional SIP communication system.

Explanation of symbols

1, 1-1, 1-2 SIP gateway 2-1, 2-2 SIP terminal
3 SIP server
4 Center router
11,12 interface
13 SIP decision part
14 SIP parser
15 SIP payload controller
16 SIP information storage unit
17 Routing processor
18 IPsec processing section
19 IPsec control unit 19
100 Global network 201,202 locations
300 Center locations

Claims (15)

A SIP communication system in which first and second SIP (Session Initiation Protocol) gateway devices are respectively connected to a SIP server,
Each of the first and second SIP gateway devices uses IPsec [Real-time Transport Protocol (IPP)] to dynamically perform RTP (Real-time Transport Protocol) communication between the first SIP gateway device and the second SIP gateway device. An SIP communication system comprising means for setting an IP (Internet Protocol) security protocol] tunnel.   The first and second SIP gateway apparatuses each include means for analyzing the SIP payload of SIP communication through the SIP server and obtaining information for setting the IPsec tunnel. The described SIP communication system.   3. The SIP communication system according to claim 2, wherein the first and second SIP gateway apparatuses perform the SIP communication by setting the IPsec tunnel between the SIP server and the SIP server, respectively.   RTP between the first and second SIP gateway devices connected to the first SIP gateway device and the second SIP gateway device connected to the second SIP gateway device. 4. The SIP communication system according to claim 2, wherein addresses of the first and second gateway apparatuses are recorded in the SIP payload in a process of establishing a session.   The first and second SIP gateway devices include addresses of the opposing second and first SIP gateway devices included in the SIP payload and between the first SIP terminal and the second SIP terminal. Detecting an RTP address and a port number to be used, and dynamically setting the IPsec tunnel for encapsulating the RTP communication between the first SIP gateway device and the second SIP gateway device. The SIP communication system according to claim 4, wherein: A SIP gateway device connected to a SIP (Session Initiation Protocol) server,
An SIP gateway apparatus comprising means for setting an IPsec [IP (Internet Protocol) security protocol] tunnel for performing RTP (Real-time Transport Protocol) communication dynamically with another SIP gateway apparatus .   7. The SIP gateway apparatus according to claim 6, further comprising means for obtaining information for setting up the IPsec tunnel by analyzing a SIP payload of SIP communication through the SIP server.   8. The SIP gateway apparatus according to claim 7, wherein the SIP communication is performed by setting the IPsec tunnel with the SIP server.   The address of the own device is recorded in the SIP payload in a process of establishing an RTP session between a SIP terminal connected to the own device and a SIP terminal connected to another SIP gateway device. The SIP gateway device according to claim 7 or 8.   In order to encapsulate the RTP communication with the other SIP gateway device by detecting the address of another opposing SIP gateway device included in the SIP payload and the RTP address and port number used between the SIP terminals. The SIP gateway apparatus according to claim 9, wherein the IPsec tunnel is dynamically set. A SIP communication control method used in a SIP communication system in which first and second SIP (Session Initiation Protocol) gateway devices are respectively connected to a SIP server,
Each of the first and second SIP gateway devices uses IPsec [Real-time Transport Protocol (RTP) communication dynamically between the first SIP gateway device and the second SIP gateway device. An SIP (Internet Protocol) security protocol] SIP communication control method characterized by executing a process of setting a tunnel.   The first and second SIP gateway apparatuses each execute a process of obtaining information for setting the IPsec tunnel by analyzing a SIP payload of SIP communication through the SIP server. 11. The SIP communication control method according to 11.   13. The SIP communication control method according to claim 12, wherein the first and second SIP gateway devices each perform the SIP communication by setting the IPsec tunnel with the SIP server.   RTP between the first and second SIP gateway devices connected to the first SIP gateway device and the second SIP gateway device connected to the second SIP gateway device. 14. The SIP communication control method according to claim 12, wherein in the process of establishing a session, addresses of the first and second gateway devices are recorded in the SIP payload.   The first and second SIP gateway devices are located between the addresses of the opposing second and first SIP gateway devices included in the SIP payload and between the first SIP terminal and the second SIP terminal. Detecting an RTP address and a port number to be used, and dynamically setting the IPsec tunnel for encapsulating the RTP communication between the first SIP gateway device and the second SIP gateway device. The SIP communication control method according to claim 14, characterized in that:

Images