JP5609519B2 - SIP equipment - Google Patents

Description

  The present invention relates to a SIP device that receives and processes a SIP (Session Initiation Protocol) request from both a LAN side and a WAN side.

  In general, IP telephones use SIP to establish connection between terminals (telephones), and perform voice signal transmission using VoIP (Voice over Internet Protocol). By the way, since both the SIP packet and the VoIP packet cannot pass through a NAT (Network Address Translation) unit built in the router, a terminal (IP telephone) on a LAN that is a local IP network is connected to a WAN that is a global IP network (IP). It was not possible to access the SIP server of the telecommunications carrier installed on the Internet. In order to realize this so-called NAT traversal, it was necessary to install a large-scale SIP proxy server or the like.

  Accordingly, the applicant has proposed a VoIP router device that can pass the SIP request message from the LAN to the WAN in order to realize this with a simple configuration (see Patent Document 1). Further, the applicant has realized a VoIP router device capable of transferring a SIP request between LAN and WAN.

JP-A-2005-160055

  When accepting a SIP request across the LAN and WAN, it is difficult to effectively eliminate unauthorized access. In particular, it is necessary to increase the security threshold for access from the WAN side. However, in IP filtering and SIP authentication, incoming calls from the WAN side and incoming calls from the LAN side are distinguished to effectively eliminate unauthorized access. Difficult to do. That is, there is a problem that if the security level is lowered, unauthorized access from the WAN side cannot be eliminated, and if the security level is raised, legitimate access from the LAN side is also eliminated.

  An object of the present invention is to provide a SIP device that can accurately eliminate unauthorized access from a WAN with a simple configuration and a simple procedure.

The present invention is a device that is inserted between a WAN and a LAN, and includes a SIP processing unit that processes a SIP request, and a SIP request message that is connected to the WAN and is received from the WAN side. A WAN communication unit that attaches the information to the SIP processing unit, and a LAN communication unit that is connected to the LAN and transfers a SIP request message received from the LAN side to the SIP processing unit, and processing unit, when the SIP request message arrives from the WAN side, the SIP request message, only if it is certain conditions SIP request message, wherein the receiving the SIP request message.
In the above invention, the SIP request message that satisfies the specific condition may include an INVITE request message from a station registered by sending a REGISTER request message in advance from us.
In the above invention, the SIP processing unit transmits the REGISTER request message to another SIP server on the WAN using a contact URI including a random character string for each SIP server, and the WAN side When the INVITE request message arrives, the partner station may be authenticated using this contact URI.

In the above invention, the SIP request message that satisfies the specific condition may include an INVITE request message that is a URI registered as a URI on the LAN side based on a REGISTER request received from the LAN side by the transmission source URI.

In the above invention, the SIP request message that satisfies the specific condition may include a peer-to-peer connection INVITE request message that is a URI registered in a URI list in which a transmission source URI is registered by a user operation. .

In the above invention, a REGISTER request message may be included as a SIP request message that satisfies the specific condition.

In the above invention, when the SIP processing unit does not accept the SIP request message received from the WAN side, the SIP processing unit may not return an error response to the transmission source terminal of the request message .

In the above invention, a router unit including a packet filter and a network address conversion unit may be provided in parallel with the SIP processing unit between the WAN communication unit and the LAN communication unit . In this case , the WAN communication unit and the LAN communication unit among the received packets, it Re to forward packets of at least SIP request message to the SIP processing unit.

  According to the present invention, the SIP request message received from the WAN side is attached to the SIP processing unit with information indicating that the SIP request message has been received from the WAN side, and various filtering processes are performed on the SIP request message input from the WAN side. By performing the above, unauthorized access from the WAN side can be accurately eliminated.

1 is a configuration diagram of an IP telephone system including a VoIP router according to an embodiment of the present invention. It is a block diagram of the VoIP router. It is a flowchart which shows operation | movement of the said VoIP router. It is a flowchart which shows operation | movement of the said VoIP router. It is a flowchart which shows operation | movement of the said VoIP router. It is a flowchart which shows operation | movement of the said VoIP router.

  An IP telephone system and a VoIP router according to an embodiment of the present invention will be described with reference to the drawings.

  FIG. 1 is a configuration diagram of an IP telephone system. The VoIP router 1 has a router function for connecting a LAN 2 that is a local IP network and a WAN (Internet) 3 that is a global IP network, and is a simple SIP that converts and forwards a SIP message between the LAN 2 and the WAN 3. It has a server function.

  Connected to the LAN 2 are an IP telephone 5 as an extension terminal and a gateway device 6 for connecting the IP telephone 5 to an exchange line. A personal computer 7 is also connected to the LAN 2. In this figure, only one IP telephone 5 is shown, but the number is not limited to one. Further, a normal telephone may be connected via a VoIP gateway. On the other hand, the SIP 3 of the communication carrier is connected to the WAN 3. A communication carrier is a carrier that provides public IP telephone service.

  In the system of this configuration, the VoIP router 1 functions as a normal router that connects the personal computer 7 to the WAN 3 that is the Internet, and also functions as a simple SIP server. The SIP server function of the VoIP router 1 includes: connection management of extension calls between IP telephones 5 in the LAN 2, call management of external IP telephones from the IP telephone 5 on the LAN 2 through the SIP server 4, and the SIP server 4 on the LAN 2 Management of incoming calls of an external IP telephone incoming to the IP telephone 5.

FIG. 2 is a block diagram of the VoIP router 1. The VoIP router 1 has a LAN communication unit 10, a TCP / IP processing unit 11, a NAT 12, an IP filter 13, and a WAN communication unit 14 arranged in this order in order to realize a router function. The LAN communication unit 10 includes a LAN port and is connected to the LAN 2. The WAN communication unit 14 includes a WAN port and is connected to the WAN 3. The TCP / IP processing unit 11 is a functional unit that processes packets exchanged between the LAN 2 and the WAN 3. The NAT 12 is a functional unit that converts a global IP address and a local IP address (including IP masquerade). The IP filter 13 is a functional unit that performs pass / non-pass filtering on packets received from the WAN via the WAN communication unit 14 based on various information written in the header thereof. The various information includes, for example, an IP address, a service name, a port number, and the like. The IP filter 13 is set so as not to pass the SIP packet.

  Further, a SIP processing unit 15 is connected to the LAN communication unit 10 and the WAN communication unit 14 so as to bypass the routes of the TCP / IP processing unit 11, NAT 12, and IP filter 13. The SIP processing unit 15 functions as an extension SIP server for the LAN 2 and also functions as a simple SIP proxy server between the WAN 3 and the LAN 2.

  When the service of the packet received from the LAN 2 is SIP or VoIP, the LAN communication unit 10 transfers the packet to the SIP processing unit 15, and transfers the other service packets to the TCP / IP processing unit 11. When the service of the packet received from the WAN 3 is SIP or VoIP, the WAN communication unit 14 transfers the packet to the SIP processing unit 15 and transfers packets of other services to the IP filter 13. When the WAN communication unit 14 transfers a SIP packet (SIP request message) to the SIP processing unit 15, information indicating that the packet has arrived from the WAN 3 is attached.

The SIP processing unit 15 processes the SIP request message transferred from the LAN communication unit 10 in a normal procedure. In addition, when the SIP request message is transferred from the WAN communication unit 14, the SIP processing unit 15 adds the above-mentioned “information indicating that the call has been received from the WAN 3” to the SIP request message. In order to maintain security for this SIP request message, by default, only the INVITE request sent from the SIP server 4 of the communication carrier is permitted, and other than that, The request message is discarded. Even if the request message is discarded, the UA (User
An error message is not returned to Agent. Note that it is possible to permit the arrival of a request message other than the INVITE request received from other than the SIP server 4 by setting by the user, and when the request message is discarded, an error message is sent to the transmission source UA. It is also possible to set to reply.

  Hereinafter, the processing procedure in which the SIP processing unit 15 processes the SIP request message received from the WAN 3 will be described in detail with reference to the flowcharts of FIGS. When the SIP processing unit receives a request message from the WAN 3, that is, when a SIP packet to which information indicating that it has arrived from the WAN 3 is transferred from the WAN communication unit 14, the SIP processing unit Perform the action.

  FIG. 3 shows a main routine. When a request message arrives from the WAN 3 to the domain of the SIP processing unit 15, it is determined whether the request message is a REGISTER request (S10) or an INVITE request (S12). In the case of a REGISTER request (YES in S10), REGISTER incoming processing (S11: see FIG. 5) is executed. In the case of an INVITE request (YES in S12), INVITE incoming processing (S13: refer to FIG. 6) is executed. If the request message received from WAN 3 is a message other than a REGISTER request or INVITE request (NO in S10 and S12), this message is discarded (S14). In other words, request messages other than REGISTER and INVITE are not accepted from WAN 3 in order to maintain security. The request message is discarded according to the procedure shown in FIG.

  FIG. 4 is a flowchart showing the request discarding process. This procedure is used to discard an incoming request message. First, it is determined whether or not an error message indicating that the request is to be discarded is returned to the sender UA (S20). Whether to allow a reply to the transmission source UA is set in advance by the user. If reply to the transmission source UA station is permitted (YES in S20), an error code (401, 403 or 404) corresponding to the reason for discarding the message is returned (S21). In the case of S14 in FIG. 3, 403 “Forbidden” is returned. If the reply to the transmission source UA is not permitted (NO in S20), the process ends without doing anything. The reason why the error code is not returned is to prevent the partner station from notifying the existence of the SIP processing unit 15.

  FIG. 5 is a flowchart showing REGISTER incoming processing. This processing operation is executed in S11 of FIG. 3 when a REGISTER request is received from WAN3. First, it is determined whether or not an incoming REGISTER request from the WAN 3 is permitted (S30). Whether or not to accept the REGISTER request from the WAN 3 is set in advance by the user. When the incoming REGISTER request is permitted (YES in S30), the transmitting station is authenticated (S32). This authentication process may be performed by, for example, general digest authentication. If the authentication is OK, the requested URI is registered in the database (S35). Thereafter, processing such as sending a reply to the effect that registration has been completed to the transmitting station is executed.

On the other hand, when the incoming REGISTER request from the WAN 3 is not permitted (NO in S30), the request is discarded according to the procedure shown in FIG. 4 (S31). When an error code is returned, 403 “Forbidden” is returned. Further, even (NO in S33) Similarly, if can not authenticate the transmission station performs processing of the request in the procedure shown in FIG. 4 (S34). In this case, the returned error code is 401 “Unauthorized”.

  FIG. 6 is a flowchart showing the INVITE incoming call process. This processing operation is executed in S13 of FIG. 3 when an INVITE request is received from WAN3. In this operation, first, a request URI corresponding to the destination URI is checked (S40). If the request URI is a registered URI, that is, the URI described in the contact header of the REGISTER request transmitted from this apparatus to the SIP server of the communication carrier (YES in S40), the communication carrier is Assuming that the call originates from the external IP phone that has passed through, it is determined whether it matches any of the phone numbers described in the database (S41). If they match (YES in S41), the INVITE request is transferred to the extension terminal (IP telephone 5) to which the telephone number is assigned to make an incoming call (S42). If the telephone numbers do not match, it is determined that the telephone number is different, and the request discarding process is executed according to the procedure shown in FIG. 4 (S43). When an error code is returned, 404 “Not found” is returned.

Here, the VoIP router 1 to the contact URI of REGISTER request message to be sent to the SIP server of the communication carrier is random string are included to prevent unauthorized access by spoofing. Therefore, if the request URI of the request message sent by the communication carrier to the VoIP server is a URI including this random character string, it is determined that the request message is sent from a valid SIP server. be able to. In S40, the other station is authenticated using this URI. In S41, the telephone number is extracted from the TO header (for example, telephone number @ domain or telephone number @ IP address) of the INVITE request message, and the database is searched with this telephone number.

  If the request URI is not a registered URI (NO in S40), the header contact URI is checked (S44). This contact URI corresponds to the transmission source URI of the present invention. If the contact URI in the header is a registered URI (YES in S44), the IP telephone 5 registered for extension via the LAN 2 is taken outside and received via the WAN 3, and this INVITE Is permitted, and the process proceeds to S41. The extension registered URI is a URI registered in the extension database by the REGISTER request received from the IP telephone 5 on the LAN 2.

  If the request URI is not registered at the upper level and the contact URI is not registered at the extension (NO in S44), it is determined whether this INVITE request is a request for peer-to-peer (P2P) communication, that is, P2P incoming ( S45). If the incoming call is a P2P incoming call (YES in S45), it is determined whether a P2P incoming call (outside line P2P incoming call) from the WAN 3 is permitted (S46). If the incoming P2P call is permitted, it is determined whether the FROM URI is registered in the VoIP telephone directory (S47). If it is registered (YES in S47), it is determined that the user of the VoIP router 1 is an incoming call from a communication partner registered by himself / herself, and this request is allowed to be received and INVITE processing is executed (S48). The VoIP phone book is a list of call destination URIs registered by the user.

  If the INVITE request is not a P2P request (NO in S45), if the unit does not permit incoming P2P calls (NO in S46), or if the telephone number is not registered in the VoIP phone book (NO in S47) In step S49, the request is discarded according to the procedure shown in FIG. When an error code is returned, 404 “Not found” is returned.

In this embodiment, when an INVITE request message arrives from the WAN side, “whether the INV I TE request message is from a station registered by sending a REGISTER request message in advance from us” Whether or not “the destination URI of the request message is the (higher registered) URI described in the REGISTER request transmitted in advance from us to the transmission source station of the INVITE request message”. Although it is determined, the determination is not limited to this.

1 VoIP router 2 LAN
3 WAN
10 LAN communication unit 14 WAN communication unit 15 SIP processing unit

Claims (8)

A device inserted between the WAN and the LAN,
A SIP processing unit for processing a SIP request;
Connected to said WAN, and the WAN communication unit which forwards the SIP request message arriving from the WAN side, the SIP processing portion denoted the information of the incoming call from the WAN side,
A LAN communication unit connected to the LAN and transferring a SIP request message received from the LAN side to the SIP processing unit;
With
The SIP processing unit, when the SIP request message arrives from the WAN side, the SIP request message, only if it is certain conditions SIP request message, SIP device that receives the SIP request message. The SIP device according to claim 1, comprising an INVITE request message from a station registered by sending a REGISTER request message from us in advance as the SIP request message satisfying the specific condition. The SIP processing unit sends the REGISTER request message to another SIP server on the WAN using a contact URI including a random character string for each SIP server, and the INVITE request message is transmitted from the WAN side. 3. The SIP device according to claim 2, wherein when receiving an incoming call, the partner station is authenticated using the contact URI. The SIP request message that satisfies the specific condition includes an INVITE request message that is a URI registered as a URI on the LAN side based on a REGISTER request received from the LAN side by a transmission source URI. SIP device according to the above. The SIP request message that satisfies the specific condition includes a peer-to-peer connection INVITE request message in which a sender URI is a URI registered in a URI list registered by a user operation. 4. The SIP device according to any one of 4. The SIP device according to any one of claims 1 to 5, wherein the SIP request message that satisfies the specific condition includes a REGISTER request message. The SIP device according to any one of claims 1 to 6 , wherein the SIP processing unit does not return an error response to the transmission source terminal of the request message when the SIP request message received from the WAN side is not accepted. A router unit including a packet filter and a network address conversion unit between the WAN communication unit and the LAN communication unit is provided in parallel with the SIP processing unit,
The SIP device according to any one of claims 1 to 7 , wherein the WAN communication unit and the LAN communication unit transfer at least a packet of a SIP request message among the received packets to the SIP processing unit.

Images