TWI378694B - Bearer control of encrypted data flows in packet data communications - Google Patents


Info

Publication number
TWI378694B
Authority
TW
Taiwan
Prior art keywords
index
communication session
message
spi
signaling message
Prior art date
Application number
TW94124012A
Other languages
Chinese (zh)
Other versions
TW200635305A (en)
Inventor
Jun Wang
Arungundram C Mahendran
Raymond Tah-Sheng Hsu
Original Assignee
Qualcomm Inc

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Mobile Radio Communication Systems (AREA)

Description

IX. Description of the Invention

[Technical Field of the Invention]

The present invention relates generally to packet data communications and, more particularly, to the monitoring and control of packet data flows during packet data communications.

[Prior Art]

The global interconnection of networks allows instant access to information regardless of geographic distance. Figure 1 shows a simplified schematic diagram of the global connection of networks commonly called the Internet, denoted by reference numeral 20. The Internet 20 is essentially many networks of different hierarchical levels connected together. The Internet 20 operates under IP (Internet Protocol), published by the IETF (Internet Engineering Task Force). Details of IP can be found in RFC (Request for Comments) 791, published by the IETF.

Connected to the Internet 20 are various individual networks, sometimes called LANs (Local Area Networks) or WANs (Wide Area Networks) depending on their size. Some of these networks, 22, 24 and 26, are shown in Figure 1.

Within each of the networks 22, 24 and 26 there may be multiple pieces of equipment connected to and communicating with each other. Examples are computers, printers and servers. Each device has a unique hardware address commonly called a MAC (Media Access Control) address. A device with a MAC address is commonly called a node. When a node communicates outside its own network via the Internet 20, an IP address needs to be assigned to it.

The assignment of IP addresses can be manual or automatic. For example, manual assignment of an IP address can be performed by a network administrator. More commonly, IP addresses are assigned automatically. For example, in a LAN the IP address can be assigned by a server (not shown) inside the node's LAN called a DHCP (Dynamic Host Configuration Protocol) server. Moreover, in a network supporting wireless technology, an IP address can be assigned automatically and remotely.

Returning now to Figure 1, as an example, suppose that a node 30 in the network 22 attempts to send a data packet to another node 34 in the network 24. Under IP, every data packet must have a source address and a destination address. In this case the source address is the address of the node 30 in the network 22, and the destination address is the address of the node 34 in the network 24. Operating in this way, the nodes 30 and 34 are said to communicate in simple IP transport mode, in which, to conform to IP, both nodes 30 and 34 use only their own IP addresses in the exchange of data packets.

The advent of wireless technology allows a node to leave the network where it was originally registered and move to another network. For example, referring back to Figure 1, the node 30, which is not permanently wired to the network 22, may be a wireless device such as a PDA (Personal Digital Assistant), a cellular telephone or a mobile computer. The wireless node 30 can operate outside the bounds of its home network 22. The node 30 may therefore leave its home network and roam to a foreign network 26. In that case the original address assigned to the node 30 no longer applies to it, so data packets destined for that address of the node 30 cannot reach the node 30.

Mobile IP (Mobile Internet Protocol), set out by the IETF, is intended to handle the node mobility problem. According to RFC 2002, published by the IETF, whenever the node 30 leaves the home network 22 and roams in another network it is assigned a "care-of address", abbreviated CoA.

Under RFC 2002 there are two types of CoA, namely the FA CoA (foreign agent care-of address) and the CCoA (co-located care-of address).

The FA CoA is essentially the address of an FA (foreign agent), which is a designated server in the foreign network where the node 30 is located. Use of the FA CoA applies to IPv4.

The CCoA is an independent but temporary address assigned to the node 30 by the foreign network. Use of the CCoA applies to both IPv4 and IPv6.

In either case, whenever the node 30 is in a foreign domain it must register its CoA, whether FA CoA or CCoA, with its home network 22 so that the home network 22 always knows where the node 30 is. After registration, the CoA is stored in a routing table maintained by a designated server of the home network 22 called the HA (home agent) 25.

Some examples illustrate this.

For the FA CoA case, suppose the node 30 roams into the foreign network 26. On reaching the geographic limits of the foreign network 26, the node 30 receives an advertisement message from the foreign network 26 informing it that it is in a foreign domain. From the advertisement message the node 30 learns the address of the FA 36 of the foreign network 26. The node 30 then registers the FA CoA with the home network 22.

When the node 30 in the foreign network 26 sends a data packet to the node 34 in the network 24, for example, it can send the data packet directly because it knows the address of the node 34 in the network 24. That is, in accordance with IP, the source address in the data packet can be set to the HoA of the node 30 and the destination address to the address of the node 34 in the network 24. The direction of the data packet is shown as data path 38 in Figure 1.

For data communication in the reverse direction, matters are not so straightforward. In reverse routing, when the node 34 in the network 24 attempts to send a data packet to the node 30, now located in the foreign network 26, the source and destination addresses must, as described above, be specified in the data packet to conform to IP. In this case the source address is the address of the node 34 in the network 24. As for the destination address, since it has received no update notification from the node 30, the node 34 knows only the HoA of the node 30 and not its FA CoA. The destination address is therefore set to the HoA of the node 30. However, because the FA CoA of the node 30 is stored in the routing table of the HA 25 in the home network 22, when the data packet arrives at the home network 22 the HA 25 of the network 22 encapsulates the received data packet with the stored FA CoA and sends it to the node 30 in the foreign network 26. That is, the encapsulated data packet uses the FA CoA as its destination address. Once the foreign network 26 receives the encapsulated data packet, the FA 36 simply strips the encapsulating FA CoA and sends the original packet to the mobile node 30. The routing of the data packet is shown as data path 40 in Figure 1.

It should also be noted that data paths such as paths 38 and 40 in fact pass through the Internet 20 several times. For brevity, and to avoid cluttering Figure 1, the paths are shown only as passing through the relevant servers, such as the HA 25 and the FA 36. That is, the data paths 38 and 40 are shown as logical paths in Figure 1.

Operating in the manner described above, the mobile node 30 is said to communicate with the corresponding node 34 in Mobile IP tunnel mode using the FA CoA.

In the above example, even though the mobile node 30 appears to receive data packets directly from the corresponding node 34, a data tunnel is said to exist between the nodes 30 and 34 via the HA 25. The advantage of using tunnel mode is that when the mobile node 30 moves to another foreign network, apart from the update notification to the home network 22, the mobile node 30 need not send a similar notification to the corresponding node 34. The data sent and received by the corresponding node 34 therefore appears undisturbed.

對於CCoA之情形而言,當該節點30離開該本籍網路22漫 遊時,替代請求一 FA CoA,該節點30反而可向外籍網路請 求一 CCoA。若該網路26係一支持諸如由TIA/EIA(電信產業 協會/電子工業協會)及3GPP2(第三代行動通訊合作計劃2) 發佈之cdma 2000標準之無線技術的WAN,則該CCoA可藉 由外籍網路26經由(例如)一PDSN(資料封包服務節點)4與 該行動節點30之間的一 PPP(點對點協定)在i而遠端地加以 請求及指派。該PDSN 41基本上係該網路36中的一伺服並處 理該網路26之無線部分中之資料流量的伺服器。然而,與 由該外籍網路26指派之CCoA不同,該節點30執行一外籍代 理器(諸如先前提及之FA 3 6)之所有功能。再次,該行動節 點30必須用該本籍網路22來註冊cc〇A » 舉例而言’為與該網路24中之節點34—致,該節點3〇發 送一具有兩層位址之資料封包。在外層中,源位址被設定 成CCoA,且目的位址被設定成HA 25。在内層中,源位址 係該節點30之HoA且目的位址係該外籍網路24中之該節點 34之位址。一旦自漫遊節點30接收到資料封包,該hA 25 即剝去外部位址層並將該資料封包發送至内部位址層之該 節點34。該資料封包之邏輯路徑被展示為圖1中之資料路徑 42。 "" 103444.doc ⑧ -10- 1378694 在反向的資料路徑中,意即,當該節點34將一資料封包 發送至該節點30時,該資料封包僅具有—個位址層,並且 源位址被設定成該節點34且目的位址被設定成該節 點30之In the case of CCoA, when the node 30 is roaming away from the home network 22, instead of requesting a FA CoA, the node 30 can instead request a CCoA from the foreign network. If the network 26 is a WAN supporting wireless technologies such as the cdma 2000 standard issued by TIA/EIA (Telecommunications Industry Association/Electronic Industries Association) and 3GPP2 (3rd Generation Partnership Project 2), the CCoA can borrow Requested and assigned by the foreign network 26 at a remote location via, for example, a PPP (Point-to-Point Protocol) between a PDSN (Data Packet Service Node) 4 and the Mobile Node 30. The PDSN 41 is basically a server in the network 36 that processes and processes data traffic in the wireless portion of the network 26. However, unlike the CCoA assigned by the foreign network 26, the node 30 performs all of the functions of a foreign agent, such as the previously mentioned FA 36. Again, the mobile node 30 must register the cc〇A with the home network 22. For example, 'for the node 34 in the network 24, the node 3 sends a data packet with two layers of addresses. . In the outer layer, the source address is set to CCoA and the destination address is set to HA 25. 
In the inner layer, the source address is the HoA of the node 30 and the destination address is the address of the node 34 in the foreign network 24. Upon receipt of the data packet from the roaming node 30, the hA 25 strips the external address layer and sends the data packet to the node 34 of the internal address layer. The logical path of the data packet is shown as data path 42 in FIG. "" 103444.doc 8 -10- 1378694 In the reverse data path, meaning that when the node 34 sends a data packet to the node 30, the data packet has only one address layer, and The source address is set to the node 34 and the destination address is set to the node 30

HoA。一旦接收到該資料封包,該HA 25即以cc〇a為目的 位址及以該HA 25之位址為源位址封裝該資料封包並將該 經封裝之資料封包發送至該節點3〇。該節點3〇自身執行解 封裝而無需經過FA 36。該資料封包之方向被展示為圖4 之資料路徑44。 以上述方式運作,該漫遊節點30被說成在行動IP隧道傳 輸模式下使用CCoA來與通信節點34通信。 經常,該等節點之間的資料通信由於不同原因而必須受 到監控及控制。舉例而言,t該行動節點3()及相應節點Μ 在V〇IP(網際網路語音通信)會話中_,必須確信的是:參與 方(在此狀況下為該行動節點3〇及該相應節點3 其中,對於每-資料封包而言,必須確定源位1、、-目驗的位 址及目的4。若該會話係㈣的,則出於帳戶處理之目的 需要實施用於追蹤的方法。由於安全性及隱私原因,在該 等節點之間互換之資料封包通常係、經加密的。用於傳輸模 式下及随道傳輸模式下之封包資料之加密方㈣不同的。 因此’對經加密之資料封包之監控提出一特別挑戰。仍存 在對共用網路之安全及隱私通信之日益增加的需求。 因此’必須提供用於具有經加密之資料流的封包資料通 信之安全監控方案。 【發明内容】 103444.doc 1378694 由於:ic i ϋ及機&、性原因’通常,資料流係以經加密之 通信資料封包來安全地傳送。有時,資料流必須經由一用 於資料流#控制之監控媒介來監控。該等經加密之資料封 匕包括用以識別用於資料解密之SA(安全關聯)之spi(安全 參數索引)。根據本發明之一例示性實施例,搜尋與彼此進 订通化之節點在建立任何正式的資料通信之前首先經由該 孤控媒介來發送信令訊息中之sp卜此後,該監控媒介使來 自該等信令訊息之該等SPI與自該等資料封包選取之spi相 匹配。在資料流量控制期間’若發現該等spi中之匹配,則 該監控媒介允許資料流通過。否則,該等資料流被拒絕。 如所女排地運作,該監控媒介因此可相對快速地實施資 料流量控制。 自下列詳細描述連同隨附圖式一起,彼等熟習此項技術 者可瞭解此等及其它特徵及優勢,該等圖式中相同參考數 字指示相同部件。 【實施方式】 展示了下列描述以使得任何熟習本發明者可製造及使用 本發明。在下列描述中陳述了詳細資料用於解釋之目的。 應瞭解,普通熟習本發明者將認識到:可在不使用此等特 定詳細資料之情況下實施本發明。在其它實例中,未詳細 闡述所熟知之結構及程序而不以不必要之詳細資料使本發 明之描述模糊。因此,不希望本發明受所示實施例限制, 但是本發明應符合與本文中所揭示之原理及特徵相一致的 最廣泛範鳴。 103444.doc -12- ⑤ 1378694 根據由第三代行動通訊合作計劃(3GPP)及第三代行動通 訊合作計劃2(3GPP2)發佈之IMS/MMD(IP多媒體子系統/多 媒體網域),下文描述之實施例係可運作的。可在標題為"3rd Generation Partnership Project: Technical Specification Group Services and System Aspects, IP Multimedia Subsystem (IMS), Stage 2" 3GPP TS 23.228 ; "3rd Generation Partnership Project: Technical Specification Group Core Network, End-to-end Quality of Service (QoS) Signaling Flows" 3GPP TS 29.208 ;及"IP Multimedia System, Stage 2" 3GPP2 X.S0013-002及 3GPP2 X.P0013-012的公佈 文獻中發現IMS/MMD之總括論述。 IMS可應用於諸如cdma2000、WCDMA(寬頻分碼多重進 接)、GPRS(通用封包無線電服務)及各種其它WAN之多種標 準中。 現參看圖2,其示意地展示了本發明之一例示性實施例。 整個系統通常由參考數字50來表示,該系統包括一骨幹網 路52,諸如企業内部網路或網際網路。 以實例說明,如圖2中所示,除其它網路外,連接至該骨 幹網路52的係一 HN(本籍網路)54、一 FN(外籍網路)56及一 RN(遠端網路)58。 在該HN 54中,存在一 HA(本籍代理器)62,其承擔管理 該HN 54中之資料流量的任務且亦用於控制用於入站及出 站路由之該HN 54之資料流量。若該HN 54支持無線技術, 則通常存在一安裝並連接至一 PDSN(封包資料服務節點)64 103444.doc -13- 之RAN(無線存取網路)55。舉例而言,若該RAN 55在cdma 2000標準下運作,則該RAN 
55通常包括至少一BSC(基地台 控制器)及複數個BS(基地台)。該PDSN 64本質上係該骨幹 網路52與該RAN 55之間的一存取閘道器。 為執行各種IMS/MMD功能及特徵,服務提供者在該HN 54中安裝不同的伺服器。此等伺服器之實例包括P-CSCF(代 理呼叫狀態會話功能)70及S-CSCF(服務呼叫狀態會話功 能)72。此等伺服器之功能描述將隨後與系統50之運作說明 一起加以描述。 除上述節點外,該HN 54中存在其它節點,但是為簡潔起 見而未展示其。此等節點可為各種類型之電腦、列印機及 可為行動或非行動之任何其它裝置。 如圖2中所示,FN 5 6及RN 5 8被連接至該骨幹網路52。而 且,為簡潔及易於解釋之目的,該FN 56及該RN 58被說明 為與該HN 54有些相似。應瞭解,取決於使用,該FN 56及 該RN 58可非常不同地被構造。因此,在此狀況下,該FN 56 亦包括一 FA(外籍代理器)66、一 RAN 76、一 PDSN 68、一 P-CSCF 71及一PCRF(策略及計費規則功能)75。同樣,該 RN 58亦包括一 PDSN 78、一 P-CSCF 80、一 S-CSCF 82及一 PCRF 84。 應注意,在圖2中,該FN 56中之該FA 66及PDSN 68被展 示為獨立實體。通常,該FA 66及該PDSN 68被整合為一個 一 单兀。 在該系統50中,存在一 MN(行動節點)60,其最初以一 103444.doc • 14·HoA. Upon receiving the data packet, the HA 25 encapsulates the data packet with the destination address of cc〇a and the address of the HA 25 as the source address and sends the encapsulated data packet to the node. The node 3 itself performs decapsulation without going through the FA 36. The direction of the data packet is shown as data path 44 of FIG. Operating in the manner described above, the roaming node 30 is said to communicate with the communication node 34 using CCoA in the mobile IP tunnel transmission mode. Often, data communication between such nodes must be monitored and controlled for different reasons. For example, t the mobile node 3 () and the corresponding node Μ in the V〇IP (Internet Voice Communication) session _, must be sure: the party (in this case, the action node 3 〇 Corresponding node 3, for each data packet, the source bit 1, the - the visual address and the destination 4 must be determined. If the session is (4), it needs to be implemented for tracking purposes for account processing. Method: For security and privacy reasons, the data packets exchanged between the nodes are usually encrypted and encrypted. The encryption method (4) used for the packet data in the transmission mode and the channel transmission mode is different. The monitoring of encrypted data packets poses a particular challenge. 
There is still an increasing demand for secure and private communications for shared networks. Therefore, a security monitoring scheme for packet data communication with encrypted data streams must be provided. SUMMARY OF THE INVENTION 103444.doc 1378694 Due to: ic i 机 & machine & for sexual reasons 'typically, the data stream is transmitted securely with encrypted communication data packets. Sometimes the data stream must pass A monitoring medium for data flow control is monitored. The encrypted data package includes a spi (security parameter index) for identifying an SA (security association) for data decryption. According to an exemplary embodiment of the present invention In an embodiment, the node that searches for and subscribes to each other first sends the signaling message through the orphaned medium before establishing any formal data communication, and the monitoring medium causes the SPI from the signaling message. Matches the spi selected from the data packets. During the data flow control period, if the match in the spi is found, the monitoring medium allows the data flow to pass. Otherwise, the data flow is rejected. The monitoring medium can therefore implement data flow control relatively quickly. From the following detailed description together with the accompanying drawings, those skilled in the art can understand these and other features and advantages, the same reference numerals in the drawings The same components are indicated. [Embodiment] The following description is presented to enable any person skilled in the art to make and use the invention. The details are set forth for the purpose of explanation. It will be appreciated that the present invention will be understood that the invention may be practiced without the specific details disclosed. In other instances, well-known structures are not described in detail. The present invention is not to be construed as being limited to the details of the present invention. 
The present invention is not limited by the illustrated embodiments, but the invention should be accorded with the broadest scope of the principles and features disclosed herein. 103444.doc -12- 5 1378694 According to the IMS/MMD (IP Multimedia Subsystem/Multimedia Domain) issued by the 3rd Generation Partnership Project (3GPP) and 3rd Generation Partnership Project 2 (3GPP2), The embodiments described below are operational. Available under the heading "3rd Generation Partnership Project: Technical Specification Group Services and System Aspects, IP Multimedia Subsystem (IMS), Stage 2" 3GPP TS 23.228; "3rd Generation Partnership Project: Technical Specification Group Core Network, End-to-end Quality of Service (QoS) Signaling Flows" 3GPP T S 29.208; and "IP Multimedia System, Stage 2" 3GPP2 X.S0013-002 and 3GPP2 X.P0013-012 publications The general discussion of IMS/MMD is found in the literature. IMS can be used in a variety of standards such as cdma2000, WCDMA (Wide-Watch Multiple Access), GPRS (General Packet Radio Service), and various other WANs. Referring now to Figure 2, an illustrative embodiment of the present invention is schematically illustrated. The entire system is generally indicated by reference numeral 50, which includes a backbone network 52, such as an intranet or an internetwork. By way of example, as shown in FIG. 2, among other networks, an HN (local network) 54, an FN (foreign network) 56, and an RN (remote network) are connected to the backbone network 52. Road) 58. In the HN 54, there is an HA (Crowd Agent) 62 that undertakes the task of managing the data traffic in the HN 54 and is also used to control the data traffic of the HN 54 for inbound and outbound routing. If the HN 54 supports wireless technology, there is typically a RAN (Radio Access Network) 55 installed and connected to a PDSN (Packet Data Service Node) 64 103444.doc -13-. 
For example, if the RAN 55 operates under the cdma 2000 standard, the RAN 55 typically includes at least one BSC (Base Station Controller) and a plurality of BSs (Base Stations). The PDSN 64 is essentially an access gateway between the backbone network 52 and the RAN 55. To perform various IMS/MMD functions and features, the service provider installs different servers in the HN 54. Examples of such servers include a P-CSCF (Proxy Call State Session Function) 70 and an S-CSCF (Serving Call State Session Function) 72. The functional description of these servers will be described later along with the operational description of system 50. In addition to the above nodes, there are other nodes in the HN 54, but they are not shown for the sake of brevity. These nodes can be various types of computers, printers, and any other device that can be mobile or non-action. As shown in FIG. 2, FN 5 6 and RN 5 8 are connected to the backbone network 52. Moreover, for simplicity and ease of explanation, the FN 56 and the RN 58 are illustrated as somewhat similar to the HN 54. It will be appreciated that the FN 56 and the RN 58 can be constructed very differently depending on the use. Therefore, in this case, the FN 56 also includes a FA (foreign agent) 66, a RAN 76, a PDSN 68, a P-CSCF 71, and a PCRF (Policy and Charging Rules Function) 75. Similarly, the RN 58 also includes a PDSN 78, a P-CSCF 80, an S-CSCF 82, and a PCRF 84. It should be noted that in Figure 2, the FA 66 and PDSN 68 in the FN 56 are shown as separate entities. Typically, the FA 66 and the PDSN 68 are integrated into a single unit. In the system 50, there is a MN (Action Node) 60, which initially has a 103444.doc • 14·

HoA(本籍位址)用該HN 54中之該HA 62來註冊。該MN 60 能移動至諸如FN 56的其它外籍網路且可在行動IP(行動網 際網路協定)下經由該FN 56或其它網路來獲取該骨幹網路 52之存取。該MN 60事實上可呈(例如)PDA(個人數位助理)、 膝上型電腦或行動電話之形態。 假設該MN 60在FN 56中漫遊。在此特定實例中,假定該 MN 60之使用者希望具有一視訊會議會話,其中另一使用 者運作該RN 58中之一 CN(通信節點)90。該節點90可係行動 的或非行動的。 一旦到達該FN 56之領域,該MN 60可經由由該FN 56進 行之廣告來獲取FA 66之位址。該MN 60接著以該HN 54中 之該HA 62來註冊FA CoA,以使該HA 62可追蹤該MN 60之 位置。作為一替代,該MN 60可向該FA 66請求一 CCoA。該 MN 60接著亦出於相同原因以註冊CCoA,意即,允許該HA 62與該MN 60保持接觸。 在建立任何通信流量之前,該MN 60必須經過一發信過 程。為完成此目的,該MN 60經由一如下文將描述之媒介 發送一邀請訊息至該CN 90。同樣,該CN 90必須用一回應 發信過程來確定該遨請訊息。 在此實例尹,該MN 60使用最初由該HN 54中之該HA 62 指派之HoA來在該HN 54中用S-CSCF 72註冊用於存取 SIP(會話初始化協定)網路,該網路包括該HN 54中之 S-CSCF 72。 該MN 60接著將一 SIP INVITE訊息發送至該HN 54中之 103444.doc 15 該P-CSCF 70 〇應注意,在實際運作中,由於具有所有其它 資料通信流量,該SIP INVITE訊息在達到該P-CSCF 70之前 首先經過該RAN 76、該PDSN 68、該FA 66、該骨幹網路52 及該HA 62。此外,如此項技術中亦已知,該資料通信流量 係以電訊號之形式經由一訊號載體在該系統50中運行。為 簡潔起見,以相似描述地以上方式,資料流量被簡單地說 明為邏輯路徑。意即,在以下描述中,除非加以特定強調, 否則僅描述該資料流量之邏輯路徑。 應進一步注意,該MN 60可將該SIP INVITE訊息發送至 該FN 56中之該P-CSCF 71以初始化會議會話作為一替代。 意即,替代使用用於發信之該HN 54中之SIP網路,該MN 60 可使用該FN 56中之SIP網路作為一替代。為解釋之一致性 及簡潔性,在以下描述中,該HN 54中之該SIP網路用於發 信過程。 假定希望視訊會議會話為一專用會話。同樣,如通常所 實踐的,對在該MN 60與該CN 90之間交換之資料封包進行 加密。 在此時,幫助作出一概括地解釋IP安全性及詳細地解釋 未經加密與經加密之資料封包之間的進一步差異之離題。 在IP下,根據IPSec(網際網路安全性協定)加密資料封包, 該IPSec係一具有處理參與方之間的資料隱秘性、完整性及 驗證的各種標準之安全性協定。可於RFC 2401、24 12及2451 中發現IPSec之詳細資料。 根據IPSec,搜尋安全通信之通信節點需要首先預先對一 '103444.doc -16 - 1378694 組被稱為SA(安全關聯)之安全性參數達成共識。SA可包括 加密演算法、驗證演算法、加密鑰及驗證鑰。因此,在同 意後,S A被儲存在請求安全通信會話的節點中之每一者中 共同SA可由一連同每一資料封包一起傳送之spi(安全參數 索弓丨)來識別。在任何安全通信會話期間,接收節點總是可 自任何資料封包選取SPI並調用所儲存之來解密。具有共 同加密演算法及密鑰之SA允許該等接收節點解密該等經加 密之資料封包。 於圖3中展示經加密及未經加密之資料封包的不同形式。 參考數字100指示一共同預加密之資料封包β資料封包 100包括一 IP標頭102,如在IP下所需要的,該標頭儲存諸 如該封包100之源位址及目的位址之資訊。鄰近該IP標頭 102的係一層4標頭104。層4係一傳輸層,其包括關於該資 料封包100是TCP(傳輸控制協定)或是UDP(使用者資料報 協定)下之資訊。TCP及UDP之詳細資料可分別在RFC 793 及RFC 768中發現。該層4標頭1〇4因此以最小量識別該封包 100是一 TCP封包或是一 UDP封包並進一步包括源埠及目的 埠之位置。關於目的埠之資訊對於監控媒介執行其資料監 控之任務係至關重要的。鄰近該層4標頭1〇4的係由該資料 封包100載運之有效負載資料i 〇6。 參考數字108指示傳輸模式下的一經加密之資料封包。陰 影部分表示已加密之資料區域。該經加密之資料封包1〇8亦 包括一與該未經加密之封包1〇0相同之IP標頭1〇2。然而, 
該經加密之封包108之該層4標頭104A及該有效負載資料 103444.doc 106 A係該未經加密之資料封包100之相應的層4標頭104及 有效負載資枓106之經加密對應物。在該資料封包108中, 安置於該IP標頭102與該層4標頭104A之間的係一 ESP(封裝 安全性有效負載)標頭110。該ESP標頭110包括SPI,該SPI 可用於如先前所述地以用於解密該資料封包1〇8之預排列 演算法來識別SA。在該資料封包1〇8的末端係一 ESP尾部 112及驗證資料114。該ESP尾部112包括識別下一 ESP標頭 之資訊。若執行任何驗證協定,則該驗證資料區段114具有 用於此目的之資訊。 參考數字118表示一根據IPSec在隧道傳輸模式下之經加 密之資料封包。在該資料封包118中,基本上,預加密封包 100被加密並封裝入該封包118中。因此,封包區段IP標頭 102B、層4標頭104B及有效負載資料106B含有原始封包U〇 之相應區段的資訊。然而,該封包118之前IP標頭1〇2具有 的内容不同於該IP標頭102B之内容。舉例而言,該π>標頭 102包括隧道之外部層位址,而該IP標頭102B具有該随道之 内部層位址。鄰近該IP標頭102的係該ESP標頭11〇,其大體 上與該資料封包108中之ESP標頭110相同。意即,該ESP標 頭110包括用於以一用於解密該資料封包118之預排列演算 法來識別SA之SPI。該ESP尾部112及該驗證資料114大體上 與該封包108的相同。 應瞭解,在IPv6下,在封包1〇8、1〇〇及118中之每一者中 的IP標頭102之後,存在一稱為"流標號”之可選標頭,其包 括識別該資枓封包108、1〇〇或118是一音訊封包或是一視訊 103444.doc •18· 1378694 封包之資訊。為了簡潔及簡明,該流標號標頭未圖示於圖3 中0 如圖3中可看出’在該資料封包⑽中,該層4標頭賴 被加密。同樣地’該監控媒介不能識別(例如)該封包1〇8是 - TCP封包或是-UDP封包。首先,該層4標頭職包括關 於不可容易利用之目的崞之資訊。任何不具有關於目的蜂 之任何資訊的監控媒介不能執行任何資料監控。 同樣,在該資料封包118中,除加密該層4標頭i〇4b外, 該IP標頭102B亦被加密。舉例而言,不具有來自該^標頭 104B之資訊,該監控媒介不能進一步知曉該資料封包 之内部層位址。因此,該資料封包118不可能被監控。 如較早所述的,嵌入資料封包1〇8及118中之每一者中的 係SPI ’該SPI可用以識別用於資料解密之相關SA。然而, 在此實施例中’SPI亦被隱含地用以識別且與一與該經加密 之資料封包108或118相關聯的特定目的埠一致。更特定言 之,在該經加密之資料封包108或118中,各別Esp標頭 中之每一SPI對應於一特定資料流,該特定資料流之特徵又 在於.例如,該流是一音訊流或是一視訊流及對目的埠的 進步識別。根據例示性實施例,在最初發信過程期間, 該SPE被經由監控媒介直接發送且最終到達該監控媒介。在 負料監控期間,該監控媒介僅必須使發信過程期間獲得之 SPI與自經加密之資料封包選取之相應SPI相匹配。若發現 匹配’則特定流(意即,音訊流或視訊流)連同經加 料封包之目的埠可因此被隱含地識別。 103444.doc -19- 現轉向參看圖2。為初始化視訊會議會話,該MN 60如較 早所述地經由SIP網路發送一 SIP INVITE訊息。該SIP IN VITE訊息包括一稱為SDP(會話描述協定)之描述部分, 該SDP本質上描述用於適當執行所請求之視訊會議會話之 基本要求。舉例而言,包括於該SDP中的係該MN 60之IP位 址及埠數目及該會話之解碼器(codec)規格。更重要地,在 此實施例中,該SDP包括由該MN 60使用之SPI。在通信會 話係一視訊會議會話之實例中,需要兩個SPI,意即,一個 用於視訊流而另一個用於音訊流。如較早所提及地,每一 SPI對應於一特定資料流,該資料流又唯一地與一特定目的 埠相關聯。為重複地做,在資料監控期間,若包括於該SIP INVITE訊息中之SPI與自負載通信之資料封包選取之SPI相 匹配,則可隱含地識別目的埠。該負載通信係會議會話之 音訊及視訊訊號之内容流。利用目的埠位址之識別連同源 位址及目的位址,該資料監控媒介可完成其資料監控之任 務。 現返回圖2,該HN 54中之該P-CSCF 70係一承擔呼叫會話 管理之任務的節點。一旦接收到該SIP INVITE訊息,該 P-CSCF 70即將該SIP INVITE訊息發送至該HN 54中之該 S-CSCF 72。該C-CSCF 72又將該SIP INVITE訊息發送至該 RN 5 8以請求接收。 一旦該HN 
54中之該S-CSCF 72批准了該會話且該RN 58 中之該CN 90接受了該會議會話,該P-CSCF 70接著將諸如 計費規則、經授權之QoS(服務品質)及流標識符之與策略相 103444.doc •20· 關之k訊發送至該HN 54中之該pcRF 74。 同時,意即’在由該CN 90接受後,該MN 60將一 TFT(通 信流1模板)連同所要求之q〇s發送至該FN 56中之該PDSN 68以建立負载通信。 該PDSN 68接著如較早提及地向該FN 56中之該PCRF 75 請求與策略相關之相同資訊,意即,用於會議會話之經授 權之Q〇S、計費規則及流標識符。該PCRF 75接著將該請求 轉遞至該HN 54中之該PCRF 74並獲得用於該等流之上述參 數。由該PCRF 75准許之任何參數必須與特定經委託之策略 一致。此等策略可包括IMS/MMD標準下的指定規則 '網路 間的特定協議(諸如該HN 54與該FN 56之間之關於負載通 信之處理的協議)、網路所特有的策略,諸如僅特用於該FN 5 6之策略《若所請求之會議會話係收費的,則該等策略可 包括用於計算目的之特定追蹤程序。首先,未經授權之通 信將被阻塞。該等策略之實施在IMS/MMD標準下被稱為 SBBC(基於服務之負載控制)。 SBBC之運作詳細資料可在標題為"3GPP2 MMD ServiceThe HoA (Home Address) is registered with the HA 62 in the HN 54. The MN 60 can move to other foreign networks, such as FN 56, and can access the backbone network 52 via the FN 56 or other network under Mobile IP (Mobile Internet Protocol). The MN 60 may in fact be in the form of, for example, a PDA (Personal Digital Assistant), a laptop or a mobile phone. It is assumed that the MN 60 roams in the FN 56. In this particular example, assume that the user of the MN 60 wishes to have a video conferencing session in which another user operates one of the RNs 58 (communication node) 90. The node 90 can be actionable or inactive. Once the field of the FN 56 is reached, the MN 60 can obtain the address of the FA 66 via the advertisement made by the FN 56. The MN 60 then registers the FA CoA with the HA 62 in the HN 54 so that the HA 62 can track the location of the MN 60. As an alternative, the MN 60 may request a CCoA from the FA 66. The MN 60 then registers the CCoA for the same reason, i.e., allows the HA 62 to remain in contact with the MN 60. The MN 60 must go through a signaling process before establishing any traffic. To accomplish this, the MN 60 sends an invite message to the CN 90 via a medium as will be described below. Similarly, the CN 90 must use a response to the signaling process to determine the request message. 
In this example, the MN 60 uses the HoA originally assigned by the HA 62 in the HN 54 to register with the S-CSCF 72 in the HN 54 for accessing a SIP (Session Initiation Protocol) network. The S-CSCF 72 in the HN 54 is included. The MN 60 then sends a SIP INVITE message to the 103444.doc in the HN 54. The P-CSCF 70 should note that in actual operation, the SIP INVITE message reaches the P due to all other data traffic. The CSCF 70 first passes through the RAN 76, the PDSN 68, the FA 66, the backbone network 52, and the HA 62. Moreover, it is also known in the art that the data communication traffic operates in the system 50 via a signal carrier in the form of an electrical signal. For the sake of brevity, data traffic is simply described as a logical path in a similar manner. That is, in the following description, only the logical path of the data flow is described unless specifically emphasized. It should be further noted that the MN 60 can send the SIP INVITE message to the P-CSCF 71 in the FN 56 to initialize the conference session as an alternative. That is, instead of using the SIP network in the HN 54 for signaling, the MN 60 can use the SIP network in the FN 56 as an alternative. For the sake of consistency and simplicity of explanation, in the following description, the SIP network in the HN 54 is used for the signaling process. Suppose you want a video conferencing session to be a dedicated session. Also, as is conventional practice, the data packets exchanged between the MN 60 and the CN 90 are encrypted. At this point, it helps to provide a general explanation of IP security and a detailed explanation of the further differences between unencrypted and encrypted data packets. Under IP, the data packet is encrypted according to IPSec (Internet Security Protocol), which is a security protocol with various standards for handling data confidentiality, integrity and authentication between participants. Details of IPSec can be found in RFC 2401, 24 12 and 2451. 
According to IPSec, the communication node searching for secure communication needs to first agree on the security parameters of a group called '103444.doc -16 - 1378694 called SA (security association). The SA may include an encryption algorithm, a verification algorithm, an encryption key, and a verification key. Thus, after agreeing, the SA is stored in each of the nodes requesting the secure communication session. The common SA can be identified by a spi (security parameter) transmitted along with each data packet. During any secure communication session, the receiving node can always select the SPI from any data packet and call the stored one to decrypt it. An SA with a common encryption algorithm and key allows the receiving nodes to decrypt the encrypted data packets. Different forms of encrypted and unencrypted data packets are shown in FIG. Reference numeral 100 indicates that a common pre-encrypted data packet beta data packet 100 includes an IP header 102 that stores information such as the source and destination addresses of the packet 100 as needed under IP. Adjacent to the IP header 102 is a layer 4 header 104. Layer 4 is a transport layer that includes information about whether the data packet 100 is under TCP (Transmission Control Protocol) or UDP (User Datagram Protocol). Details of TCP and UDP can be found in RFC 793 and RFC 768, respectively. The layer 4 header 1〇4 thus identifies, to a minimum, whether the packet 100 is a TCP packet or a UDP packet and further includes the location of the source and destination. Information about the purpose of the information is critical to the monitoring medium's task of performing its data monitoring. Adjacent to the layer 4 header 1〇4 is the payload data i 〇6 carried by the data packet 100. Reference numeral 108 indicates an encrypted data packet in the transmission mode. The shaded portion indicates the encrypted data area. 
The encrypted data packet 108 also includes an IP header 102 identical to that of the unencrypted packet 100. However, the layer 4 header 104A and the payload data 106A of the encrypted packet 108 are the encrypted counterparts of the corresponding layer 4 header 104 and payload 106 of the unencrypted data packet 100. In the data packet 108, an ESP (Encapsulating Security Payload) header 110 is placed between the IP header 102 and the layer 4 header 104A. The ESP header 110 includes an SPI that can be used to identify the SA, as previously described, with the pre-arranged algorithm for decrypting the data packet 108. At the end of the data packet 108 are an ESP trailer 112 and authentication data 114. The ESP trailer 112 includes information identifying the next header. If any authentication scheme is in effect, the authentication data section 114 carries the information for that purpose. Reference numeral 118 denotes a data packet encrypted according to IPSec in tunnel mode. In the data packet 118, essentially the entire unencrypted packet 100 is encrypted and encapsulated into the packet 118. Thus the packet-section IP header 102B, the layer 4 header 104B and the payload data 106B contain the information of the corresponding sections of the original packet 100. However, the IP header 102 of the packet 118 has different contents from the IP header 102B. For example, the IP header 102 contains the outer addresses of the tunnel, while the IP header 102B has the inner addresses of the tunnel. Adjacent to the IP header 102 is the ESP header 110, which is substantially identical to the ESP header 110 in the data packet 108. That is, the ESP header 110 includes an SPI for identifying the SA with the pre-arranged algorithm for decrypting the data packet 118. The ESP trailer 112 and the authentication data 114 are substantially identical to those of the packet 108.
It should be appreciated that under IPv6, after the IP header 102 in each of the packets 108, 100 and 118 there is an optional header called a "flow label", which includes information identifying whether the data packet 108, 100 or 118 is an audio packet or a video packet. For brevity and conciseness, the flow label header is not shown in Fig. 3. As can be seen from Fig. 3, in the data packet 108 the layer 4 header is encrypted. Thus the monitoring medium cannot identify, for example, whether the packet 108 is a TCP packet or a UDP packet. More importantly, the layer 4 header carries the destination port information, which is therefore not readily available. A monitoring medium without any information about the destination port cannot perform any data monitoring. Also, in the data packet 118, in addition to the layer 4 header 104B being encrypted, the IP header 102B is also encrypted. Hence, without the information from the header 102B, the monitoring medium cannot even know the inner addresses of the data packet. The data packet 118 therefore cannot be monitored at all. As mentioned earlier, an SPI is embedded in each of the data packets 108 and 118; this SPI can be used to identify the relevant SA for data decryption. However, in this embodiment the SPI is also used implicitly to identify the specific destination port associated with the encrypted data packet 108 or 118. More specifically, in the encrypted data packet 108 or 118, each individual ESP header corresponds to a particular data stream, and that particular data stream is further characterized by, for example, whether it is an audio stream or a video stream, together with the identification of its destination port. According to an exemplary embodiment, the SPI is transmitted through the monitoring medium during the initial signaling process and eventually arrives at the monitoring medium.
During payload monitoring, the monitoring medium only has to match the SPI obtained during the signaling process with the corresponding SPI extracted from the encrypted data packet. If a match is found, the specific stream (i.e., the audio stream or the video stream) can be implicitly identified along with the destination port of the data packet. Now turning to Fig. 2: to initiate the video conferencing session, the MN 60, as described earlier, sends a SIP INVITE message over the SIP network. The SIP INVITE message includes a description portion called the SDP (Session Description Protocol), which essentially describes the basic requirements for properly carrying out the requested video conference session. Included in the SDP are the IP address and port numbers of the MN 60 and the codec specification of the session. More importantly, in this embodiment the SDP includes the SPIs used by the MN 60. In the case where the communication session is a video conferencing session, two SPIs are required, one for the video stream and the other for the audio stream. As mentioned earlier, each SPI corresponds to a particular data stream that is uniquely associated with a particular destination port. To repeat, during data monitoring, if an SPI included in the SIP INVITE message matches the SPI extracted from a data packet of the payload communication, the destination port can be implicitly identified. The payload communication is the content stream of the audio and video signals of the conference session. Using the identification of the destination port together with the source address and destination address, the data monitoring medium can perform its data monitoring tasks. Returning now to Fig. 2, the P-CSCF 70 in the HN 54 is the node that assumes the task of call session management. Upon receiving the SIP INVITE message, the P-CSCF 70 sends the SIP INVITE message to the S-CSCF 72 in the HN 54.
The S-CSCF 72 in turn sends the SIP INVITE message to the RN 58 to request acceptance. Once the S-CSCF 72 in the HN 54 approves the session and the CN 90 in the RN 58 accepts the conference session, the P-CSCF 70 sends, for example, the charging rules, the authorized QoS (quality of service) and the flow identifiers, together with the related policies, to the PCRF 74 in the HN 54. At the same time, meaning after acceptance by the CN 90, the MN 60 sends a TFT (traffic flow template) along with the required QoS to the PDSN 68 in the FN 56 to establish the payload communication. The PDSN 68 then requests from the PCRF 75 in the FN 56 the same policy-related information mentioned earlier, i.e., the authorized QoS, the charging rules and the flow identifiers for the conference session. The PCRF 75 in turn forwards the request to the PCRF 74 in the HN 54 and obtains the above parameters for the streams. Any parameters permitted by the PCRF 75 must be consistent with specific mandated policies. Such policies may include rules specified under the IMS/MMD standard, specific agreements between networks (such as an agreement on the handling of payload communication between the HN 54 and the FN 56), and network-specific policies, such as policies specific only to the FN 56. If the requested conference session is charged, the policies may include specific tracking procedures for accounting purposes. Above all, unauthorized communication is blocked. The enforcement of these policies is referred to as SBBC (Service-Based Bearer Control) under the IMS/MMD standard. Details of the operation of SBBC can be found in the document entitled "3GPP2 MMD Service Based Bearer Control Document, Work in Progress," 3GPP2 X.P0013-012. A description of SDP can be found in the document entitled "IP Multimedia Call Control Protocol Based on SIP and SDP, Stage 3," 3GPP2 X.S0013-0004.

The PCRF 75 in the FN 56 is installed to determine all imposed policies. In the decision process, the PCRF 75 is interposed between the PCRF 74 in the HN 54 and the PDSN 68 in the FN 56. Moreover, there is a Ty interface 92 interposed between the PDSN 68 and the PCRF 75. There is also a Tx interface 94 disposed between the PCRF 74 and the P-CSCF 70 in the HN 54, as shown in Fig. 2. The Ty and Tx interfaces described above are used for policy control between the conference session and the bearer communication. Details of the Ty and Tx interfaces can be found in the following documents: 3GPP TS 23.107 published by 3GPP and 3GPP2 X.P0013-012 published by 3GPP2.

Returning now to Fig. 2, if the session parameters requested in the SIP INVITE message are authorized, they are transmitted from the P-CSCF 70 to the PDSN 68 via the PCRF 74 in the HN 54 and the PCRF 75 in the FN 56. In this embodiment it is assumed that the CN 90 has a CCoA assigned by the RN 58. Thus, upon receiving the SIP INVITE message, the CN 90 responds with a SIP 200 OK message. The SIP 200 OK message essentially reaffirms the parameters of the original SIP INVITE message. In addition, in this embodiment the CN 90 also includes, in the SDP of the SIP 200 OK message, the SPI used by the CN 90 for the payload communication.
The SIP 200 OK message follows the same data path as the SIP INVITE message but in reverse order. The MN 60 then confirms receipt of the SIP 200 OK message by sending an acknowledgement message (ACK) back along the same data path as the original SIP INVITE message. Thereafter, the payload communication is ready to be established by the PDSN 68 in the FN 56 according to the authorized parameters set by the SIP INVITE message. As previously stated, under the IMS/MMD standard, payload communication must be monitored and controlled by the network via SBBC. In this example, the PDSN 68, directed by the PCRF 75 in the FN 56, undertakes the task of enforcing SBBC in accordance with the aforementioned policies. During SBBC enforcement, each data packet must be screened before being allowed to pass. Since the data packets of the payload communication are encrypted as described earlier, certain important information, such as the destination port identification, cannot be obtained easily and conveniently. In this embodiment, as mentioned above, the PDSN 68 already holds, from the initial signaling process, the SPI information of the data flows carried in the SIP INVITE message and the SIP 200 OK message. In operation, the PDSN 68 extracts from each data packet the basic information SBBC requires, such as the source and destination addresses and the SPI that implicitly identifies the data flow, and if that information matches the corresponding information obtained from the signaling process, the data packet is allowed to pass as part of SBBC enforcement. On the other hand, if there is a mismatch, the data packet is said to fail SBBC and is discarded. Operating in the manner described above, that is, using the SPI included in the SDP of the signaling messages, the PDSN 68 can quickly enforce SBBC on the encrypted data traffic of the requested video conference session.
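The following is an added example, not code from the patent: a small Python model of the SBBC check described above and of the earlier SDP-to-SPI matching. It reads only what a monitoring medium can see on an IPSec packet (the outer IP header and the SPI that opens the ESP header), looks the triple up in a table learned from the SDP of the SIP INVITE and SIP 200 OK, and passes or drops the packet. The `a=spi:` SDP attribute, the addresses, the SPI values and the packets are all constructed assumptions, since the patent does not specify how the SPI is encoded in the SDP.

```python
"""Added example (not code from the patent): a model of the SBBC check the
text describes. The monitoring medium learns from the SDP in the SIP INVITE
and SIP 200 OK which SPI belongs to which stream (audio/video) and which
destination port, then matches the SPI read from each encrypted packet's ESP
header. Addresses, SPIs and packets below are constructed sample data."""
import struct
from dataclasses import dataclass
from ipaddress import IPv4Address

ESP_PROTOCOL = 50  # IP protocol number of ESP (RFC 2406)


@dataclass(frozen=True)
class AuthorizedFlow:
    src: IPv4Address
    dst: IPv4Address
    spi: int
    media: str      # "audio" or "video", taken from the SDP m= line
    dst_port: int   # the destination port the SPI implicitly identifies


def parse_esp_outer(packet: bytes):
    """Return (src, dst, spi) from the cleartext part of an IPv4/ESP packet,
    or None if the packet is not IPv4/ESP or is truncated. The outer IP header
    and the SPI are unencrypted in both transport and tunnel mode, so this is
    all a monitoring medium can read without the SA."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl + 8 or packet[9] != ESP_PROTOCOL:
        return None
    spi = struct.unpack("!I", packet[ihl:ihl + 4])[0]  # ESP header = SPI, seq
    return IPv4Address(packet[12:16]), IPv4Address(packet[16:20]), spi


def learn_flows_from_sdp(src: str, dst: str, sdp: str) -> dict:
    """Build the monitoring medium's table from one SDP body. The m= line is
    standard SDP (media type, port); 'a=spi:<hex>' is an assumed attribute,
    since the patent only states that the SDP carries the SPI. src/dst give
    the direction the announced SPIs apply to (IPsec receivers choose SPIs,
    so an SPI announced by a node is for packets sent toward it)."""
    table, media, port = {}, None, None
    for line in sdp.splitlines():
        if line.startswith("m="):
            fields = line[2:].split()
            media, port = fields[0], int(fields[1])
        elif line.startswith("a=spi:") and media is not None:
            spi = int(line[6:], 16)
            key = (IPv4Address(src), IPv4Address(dst), spi)
            table[key] = AuthorizedFlow(*key, media, port)
    return table


def sbbc_check(table: dict, packet: bytes):
    """The per-packet SBBC decision: pass only if the packet's source address,
    destination address and SPI match a flow learned from signaling.
    Anything else, including non-ESP traffic, fails SBBC and is dropped."""
    outer = parse_esp_outer(packet)
    if outer is None:
        return "drop", None
    flow = table.get(outer)
    return ("pass", flow) if flow is not None else ("drop", None)


def make_ipv4_esp(src: str, dst: str, spi: int, seq: int, body: bytes) -> bytes:
    """Construct a transport-mode IPv4/ESP packet: outer header, ESP header,
    then an opaque body standing in for ciphertext. The header checksum is
    left zero; this example never verifies it."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(body), 0, 0, 64,
                      ESP_PROTOCOL, 0, IPv4Address(src).packed,
                      IPv4Address(dst).packed)
    return hdr + struct.pack("!II", spi, seq) + body


# Constructed session: MN_ADDR plays the MN 60's HoA, CN_ADDR the CN 90's CCoA.
MN_ADDR, CN_ADDR = "10.0.0.2", "192.0.2.9"
INVITE_SDP = "m=audio 49170 RTP/AVP 0\na=spi:00001001\nm=video 51372 RTP/AVP 31\na=spi:00001002\n"
OK_SDP = "m=audio 3456 RTP/AVP 0\na=spi:00002001\nm=video 3458 RTP/AVP 31\na=spi:00002002\n"


def build_session_table() -> dict:
    """SPIs in the INVITE are the MN's (apply to CN -> MN packets); SPIs in
    the 200 OK are the CN's (apply to MN -> CN packets)."""
    table = learn_flows_from_sdp(CN_ADDR, MN_ADDR, INVITE_SDP)
    table.update(learn_flows_from_sdp(MN_ADDR, CN_ADDR, OK_SDP))
    return table


if __name__ == "__main__":
    table = build_session_table()
    body = bytes(range(16))  # stands in for ciphertext
    for pkt in (make_ipv4_esp(MN_ADDR, CN_ADDR, 0x2002, 1, body),   # video to CN
                make_ipv4_esp(MN_ADDR, CN_ADDR, 0x1001, 1, body),   # wrong direction
                make_ipv4_esp(CN_ADDR, MN_ADDR, 0xDEAD, 1, body)):  # unknown SPI
        print(sbbc_check(table, pkt))
```

A packet with a known SPI but the wrong source/destination pair is dropped just like one with an unknown SPI, which is the source-address, destination-address and SPI match the text requires.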
SBBC enforcement continues until the session between the MN 60 and the CN 90 terminates. The process described above is shown in the flow chart of Fig. 4. Fig. 5 schematically shows part of the hardware construction of a mobile node device, indicated by reference numeral 121, according to the invention. The device 121 can be built into and incorporated in various devices such as a laptop computer, a PDA or a cellular telephone. The device 121 includes a central data bus 122 that links several circuits together. The circuits include a CPU (central processing unit) or controller 124, a receiving circuit 126, a transmitting circuit 128 and a memory unit 130. The receiving circuit 126 and the transmitting circuit 128 can be connected to an RF (radio frequency) circuit not shown in the figure. The receiving circuit 126 processes and buffers received signals before sending them to the data bus 122. On the other hand, the transmitting circuit 128 processes and buffers data from the data bus 122 before it is sent out of the device 121. The CPU/controller 124 performs the data management function of the data bus 122 and further general data processing functions, including executing the instruction contents of the memory unit 130. The memory unit 130 includes a set of instructions generally indicated by reference numeral 131. In this embodiment the instructions include portions such as a Mobile IP client 132 and a SIP client 134. The SIP client 134 includes a set of instructions according to the invention as previously described. The Mobile IP client 132 includes a set of instructions allowing the device 121 to operate under IP and Mobile IP, such as obtaining the various types of addresses for the various modes of communication (also as described above). In this embodiment the memory unit 130 is a RAM (random access memory) circuit.
The exemplary instruction portions 132 and 134 are software routines or modules. The memory unit 130 can be attached to another memory circuit (not shown), which can be of the volatile or non-volatile type. As an alternative, the memory unit 130 can be made of other circuit types such as EEPROM (electrically erasable programmable read-only memory), EPROM (electrically programmable read-only memory), ROM (read-only memory), magnetic disk, optical disc and other memories known in the art. Fig. 6 schematically shows part of the hardware construction of a PDSN device according to the invention, indicated by reference numeral 140. The PDSN device 140 includes a central data bus 142 that connects several circuits together. The circuits include a CPU (central processing unit) or controller 144, a receiving circuit 146, a transmitting circuit 148, a database storage unit 149 and a memory unit 150.

The receiving circuit 146 and the transmitting circuit 148 can be connected to a network data bus (not shown) that is connected to the PDSN device 140. The receiving circuit 146 processes and buffers signals received from the network data bus (not shown) before sending them to the internal data bus 142. The transmitting circuit 148 processes and buffers data from the data bus 142 before sending it out of the device 140. The CPU/controller 144 performs the data management function of the data bus 142 and further performs general data processing functions, including executing the instruction contents of the memory unit 150. The database storage unit 149 stores data records, such as SAs with their various parameters. The memory unit 150 includes a set of instructions generally indicated by reference numeral 154. In this embodiment the instructions include portions such as a PDSN function 156 and an SBBC function 158. The memory unit 150 can be made of the memory circuit types described above, which are not repeated here. The PDSN function 156 and the SBBC function 158 include sets of instructions according to the invention as previously described.

Finally, in this embodiment the MN 60 is described as operating under Mobile IP using a CCoA. As described above, the MN 60 can operate equally well in other modes of communication and use other types of addresses. For example, as one of many alternative embodiments, the MN 60 can use an FA CoA and communicate with the CN 90 under the Mobile IP tunnel transmission mode. Furthermore, in this embodiment, bidirectional encryption is described as applied between the MN 60 and the CN 90. Data encryption could also be applied only unidirectionally rather than bidirectionally. In addition, as described, the node 60 is depicted as a mobile device roaming to a foreign network. It should be understood that the node 60 may well be stationary. Moreover, any logical blocks, circuits and algorithm steps described in connection with these embodiments may be implemented in hardware, software, firmware or a combination thereof. Those skilled in the art will understand that these and other changes in form and detail can be made without departing from the scope and spirit of the invention.

[Brief Description of the Drawings]

Fig. 1 is a schematic diagram of the global connection of networks;
Fig. 2 is a schematic diagram showing an embodiment of the present invention;
Fig. 3 is a schematic diagram of unencrypted and encrypted data packets in various formats;
Fig. 4 is a flow chart showing the steps for initial signaling and establishing content communication according to an embodiment of the present invention;
Fig. 5 is a schematic diagram of the circuitry of a mobile node configured according to the present invention; and
Fig. 6 is a schematic diagram of the circuitry of a monitoring medium according to the present invention.

[Description of Main Element Symbols]

20 Internet
22 network / home network
24 network
25 home agent
26 network / foreign network
30 node
34 node
36 network / FA
38 data path
40 data path
41 PDSN (packet data serving node)
42 data path

44 data path
50 system
52 backbone network
54 home network
55 radio access network
56 foreign network
58 remote network
60 mobile node
62 home agent
64 packet data serving node
66 foreign agent
68 PDSN (packet data serving node)
70 P-CSCF (proxy call session control function)
71 P-CSCF (proxy call session control function)
72 S-CSCF (serving call session control function)
74 PCRF
75 PCRF (policy and charging rules function)
76 radio access network
78 PDSN (packet data serving node)
80 P-CSCF (proxy call session control function)
82 S-CSCF (serving call session control function)
84 PCRF (policy and charging rules function)
90 correspondent node
92 Ty interface
94 Tx interface
100 data packet
102 IP header
104 layer 4 header
104A layer 4 header
106 payload data
106A payload data
108 encrypted data packet
110 ESP (encapsulating security payload) header
112 ESP trailer
114 authentication data
118 data packet
102B packet-section IP header
106B payload data
120 IP header
121 mobile node device
122 central data bus
124 CPU/controller
126 receiving circuit
128 transmitting circuit
130 memory unit
131 instructions
132 Mobile IP client
134 SIP client
140 PDSN device
142 central data bus
144 CPU/controller
146 receiving circuit
148 transmitting circuit
149 database storage unit
150 memory unit
154 instructions
156 PDSN function
158 SBBC function

Claims

Patent Application No. 094124012 (replacement page of the claims)

1. A method for conducting a communication session having encrypted data packets via a monitoring medium, comprising:
providing an index identifying an encryption process to a source mobile device;
including the index in a signaling message to a destination mobile device; and
signaling the communication session between the source mobile device and the destination mobile device by sending the signaling message having the index via the monitoring medium, wherein the monitoring medium is operable to implement on the communication session a set of security policies associated with the index, and wherein the implementation comprises matching the index from the signaling message with a corresponding index from the data packets.

2. The method of claim 1, wherein the step of signaling the communication session includes responding, via the monitoring medium, to an invitation to the communication session.

3. The method of claim 1, further comprising providing the index in the data packets of the communication session.

4. A method for conducting a communication session having encrypted data packets via a monitoring medium in a communication system supported by IP (Internet Protocol), comprising:
providing an SPI (security parameter index) identifying an SA (security association);
including the SPI in a signaling message selected from the group consisting of a SIP INVITE message and a SIP 200 OK message; and
signaling the communication session by sending the signaling message having the SPI via the monitoring medium, so as to allow the monitoring medium to use the SPI for packet data monitoring and for implementing on the communication session a set of security policies associated with the index, wherein the implementation comprises matching the SPI from the signaling message with a corresponding SPI from the data packets.

5. A method for monitoring a communication session having encrypted data packets, comprising:
receiving, at a monitoring medium, a first index identifying a decryption process from a signaling message, the signaling message being transmitted from a source mobile device to a destination mobile device;
receiving, at the monitoring medium, a second index from the data packets of the communication session between the source mobile device and the destination mobile device;
implementing, with the monitoring medium, a set of policies on the communication session, including comparing the first index with the second index; and
allowing the data packets of the communication session to pass through the monitoring medium when the comparison of the first index with the second index results in a match, and rejecting passage of the data packets of the communication session when the comparison of the first index with the second index results in a mismatch.

6. The method of claim 5, wherein the signaling message is a first signaling message, the method further comprising receiving the first index from a second signaling message.

7. The method of claim 6, wherein the first signaling message is an invitation message of the communication session, and the second signaling message is a response message to the invitation message.

8. A method for monitoring a communication session having encrypted data packets in a communication system supported by IP (Internet Protocol), comprising:
receiving a first SPI (security parameter index) from a signaling message selected from the group consisting of a SIP INVITE message and a SIP 200 OK message;
receiving a second SPI from the data packets of the communication session; and
implementing, with a monitoring medium, a set of policies on the communication session, including comparing the first SPI with the second SPI, wherein the implementation comprises matching the first SPI from the signaling message with the second SPI from the data packets.

9. An apparatus for conducting a communication session having encrypted data packets via a monitoring medium, comprising:
means for providing an index identifying an encryption process to a source mobile device;
means for including the index in a signaling message to a destination mobile device; and
means for sending the signaling message having the index via the monitoring medium, wherein the monitoring medium is operable to implement on the communication session a set of security policies associated with the index, and wherein the implementation comprises matching the index from the signaling message with a corresponding index from the data packets.

10. The apparatus of claim 9, wherein the signaling message is an invitation message, the apparatus further including means for including the index in a response message in response to the invitation message.

11. The apparatus of claim 9, further including means for including the index in the encrypted data packets of the communication session.

12. An apparatus for conducting a communication session having encrypted data packets via a monitoring medium in a communication system supported by IP (Internet Protocol), comprising:
means for providing an SPI (security parameter index) identifying an SA (security association);
means for including the SPI in a signaling message selected from the group consisting of a SIP INVITE message and a SIP 200 OK message; and
means for sending the signaling message having the SPI via the monitoring medium so as to allow the monitoring medium to use the index for packet data monitoring and for implementing on the communication session a set of security policies associated with the index, wherein the implementation comprises matching the SPI from the signaling messages with a corresponding SPI from the data packets.

13. An apparatus for monitoring a communication session having encrypted data packets, comprising:
means for receiving, at a monitoring medium, a first index identifying a decryption process from a signaling message transmitted from a source mobile device to a destination mobile device;
means for receiving, at the monitoring medium, a second index from the data packets of the communication session between the source mobile device and the destination mobile device;
means for implementing, with the monitoring medium, a set of policies on the communication session, including comparing the first index with the second index; and
means for allowing the data packets of the communication session to pass through the monitoring medium when the comparison of the first index with the second index results in a match, and for rejecting passage of the data packets of the communication session when the comparison of the first index with the second index results in a mismatch.

14. The apparatus of claim 13, wherein the signaling message is a first signaling message, the apparatus further including means for receiving the first index from a second signaling message.

15. The apparatus of claim 14, wherein the first signaling message is an invitation message of the packet data communication session, and the second signaling message is a response message to the invitation message.

16. An apparatus for monitoring a communication session having encrypted data packets in a communication system supported by IP (Internet Protocol), comprising:
means for receiving a first SPI (security parameter index) from a signaling message selected from the group consisting of a SIP INVITE message and a SIP 200 OK message;
means for receiving a second SPI from the data packets of the communication session; and
means for implementing, with a monitoring medium, a set of policies on the communication session, including comparing the first SPI with the second SPI, wherein the implementation comprises matching the first SPI from the signaling message with the second SPI from the data packets.

17. An apparatus for conducting a communication session having encrypted data packets via a monitoring medium, comprising:
a memory unit having computer-readable instructions for receiving, at a monitoring medium, a first index identifying an encryption process from a signaling message transmitted from a source mobile device to a destination mobile device, receiving at the monitoring medium a second index from the data packets of the communication session between the source mobile device and the destination mobile device, implementing a set of policies on the communication session including comparing the first index with the second index, and allowing the data packets of the communication session to pass through the monitoring medium when the comparison of the first index with the second index results in a match and rejecting passage of the data packets of the communication session when the comparison results in a mismatch; and
a processor circuit coupled to the memory unit to process the computer-readable instructions.

18. The apparatus of claim 17, further including computer-readable instructions for including the index in the data packets of the communication session.

19. An apparatus for conducting a communication session having encrypted data packets via a monitoring medium in a communication system supported by IP (Internet Protocol), comprising:
a memory unit having computer-readable instructions for providing an SPI (security parameter index) identifying an SA (security association), for including the SPI in a signaling message selected from the group consisting of a SIP INVITE message and a SIP 200 OK message, and for sending the signaling message having the SPI via the monitoring medium so as to allow the monitoring medium to use the SPI for packet data monitoring and for implementing on the communication session a set of security policies associated with the index, wherein the implementation comprises matching the SPI from the signaling messages with a corresponding SPI from the data packets; and
a processor circuit coupled to the memory unit to process the computer-readable instructions.

20. An apparatus for monitoring a communication session having encrypted data packets, comprising:
a memory unit having computer-readable instructions for receiving a first index identifying a decryption process from a signaling message, receiving a second index from the data packets of the communication session, and implementing, with a monitoring medium, a set of policies on the communication session including comparing the first index with the second index, wherein the implementation comprises matching the first SPI from the signaling messages with the second SPI from the data packets; and
a processor circuit coupled to the memory unit to process the computer-readable instructions.

21.
如清求項2G之裝置,其進—步包括:用於在該第一索弓| 與該第—索引之該比較導致—比較匹配時允許該通信會 話之該等資料封包通過的電腦可讀取指令,及用於在該 第索引與該第二索引之該比較導致一比較失配時拒絕 該通信會話之該等資料封包通過的構件。 22. 如請求項2〇之裝置,其中該信令訊息係-第-信令訊息, 該裝置進-步包括用於自一第二信令訊息接收該第—索 引的電腦可讀取指令。 23. 如π求項22之裝置,其中該第—信令訊息係該通信會話 之一邀請訊息,且該第二信令訊息係該邀請訊息之—回 應訊息。 24. 一種在一由IP(網際網路協定)支持之通訊系統中用於監 控-具有經加密之資料封包之通信會話的裝置,其包含: 一§己憶體單元,其具有電腦可讀取指令,其用於自一選 自由SIP INVITE訊息及一 SIp 2〇〇 〇κ訊息组成之群的 103444-1010727.doc 曰修(¾正替換頁 信令訊息接收一第一 SPI(安全參數索引)、自該通信會話 之該等資料封包接收一第二SPI、及藉由包括比較該第一 SPI與該第二SPI而以一監控媒介在該通信會話上來實施 一組策略’其中該實施包含使來自該等信令訊息之該第一 SPI與來自該等資料封包之該第二SPI相匹配;及 一處理器電路,其耦接至該記憶體單元來處理該等電 腦可讀取指令。 25 •種電版程式產品’其包含電腦可讀取指令以用於: 提供一識別一加密過程之索引至一源行動設備; 將該索引包括於一至一目的行動設備信令訊息中;及 藉由經由該監控媒介發送具有該索引之該信令訊息來 為該源行動設備及該目的行動設備間之該通信會話發 信’其中該監控媒介係可操作以在該通信會話上實施一 組與該索引相關聯之安全策略,其中該實施包含使來自 該等信令訊息之該索引與來自該等資料封包之一相對應 索引相匹配。 26·—種電腦程式產品’其包含電腦可讀取指令以用於: 在一監控媒介處自一信令訊息接收一識別一解密過程 之第一索引’該信令訊息自一源行動設備傳輸至一目的 行動設備; 在該監控媒介處自該源行動設備及該目的行動設備間 之該通信會話之資料封包接收一第二索引;及 藉由包括比較該第一索引與該第二索引而以該監控媒 介來實施關於該通信會話上的一組策略;及 103444-10lQ727.doc 1378694 …10L 7. 25 j卒月替 t 二」 .:ί _a au. η :_,> 田該第索引與該第二索引之該比較導致一比較匹配 時允許該通k會話之該等資料封包通過該監控媒介,及 當該第一索引與該第二索引之該比較導致—比較失配時 拒絕該通信會話之該等資料封包通過。 103444·丨 010727.doc -9*a memory unit having a computer readable fingerprint that receives a first index identifying a decryption process by a signaling message, receiving a second index from the data packets of the communication session, and by including a ratio The first index and the second index are implemented on the communication session by a monitoring medium, wherein the implementation includes causing the first SPI from the signaling messages and the second from the data packets The SPI is matched; and the processor circuit is lightly coupled to the memory unit to process the computer readable instructions. 21. 
The apparatus of claim 2G, further comprising: a computer for allowing the data packets of the communication session to pass when the comparison between the first cable and the first index results in a comparison A readable instruction, and means for rejecting the passage of the data packets of the communication session when the comparison of the index and the second index results in a comparison mismatch. 22. The device of claim 2, wherein the signaling message is a - signaling message, the device further comprising computer readable instructions for receiving the first index from a second signaling message. 23. The apparatus of claim 22, wherein the first signaling message is an invitation message of the communication session and the second signaling message is a response message of the invitation message. 24. A device for monitoring a communication session with an encrypted data packet in a communication system supported by IP (Internet Protocol), comprising: a § memory unit having a computer readable An instruction for receiving a first SPI (Security Parameter Index) from a group of 103444-1010727.doc selected from a group consisting of a SIP INVITE message and a SIp 2〇〇〇κ message (3⁄4 positive replacement page signaling message) Receiving a second SPI from the data packets of the communication session, and implementing a set of policies on the communication session by comparing the first SPI and the second SPI with a monitoring medium, wherein the implementation includes The first SPI from the signaling messages matches the second SPI from the data packets; and a processor circuit coupled to the memory unit to process the computer readable instructions. 
An electrotype program product that includes computer readable instructions for: providing an index identifying an encryption process to a source mobile device; including the index in a one to one destination mobile device signaling message; Transmitting, by the monitoring medium, the signaling message having the index, the communication session between the source mobile device and the destination mobile device, wherein the monitoring medium is operable to implement a set of The security policy associated with the index, wherein the implementation includes matching the index from the signaling messages with a corresponding index from one of the data packets. 26 - a computer program product that includes a computer readable The instructions are for: receiving, at a monitoring medium, a first index identifying a decryption process from a signaling message, the signaling message being transmitted from a source mobile device to a destination mobile device; at the monitoring medium from the source The data packet of the communication session between the mobile device and the destination mobile device receives a second index; and implements a group on the communication session with the monitoring medium by comparing the first index with the second index Strategy; and 103444-10lQ727.doc 1378694 ... 10L 7. 25 j month for t 2" .: ί _a au. η : _, > Tian the index and the second index The comparison causes the data packets of the pass k session to pass through the monitoring medium when a comparison is matched, and when the comparison of the first index and the second index results in a comparison of the mismatch, the data of the communication session is rejected. The packet passed. 103444·丨010727.doc -9*
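The bearer-control check the claims describe, as an added Python example that is not part of the patent or of any Qualcomm implementation: the monitoring medium learns the SPI from the SIP INVITE and 200 OK signaling, reads the SPI from the ESP header of each bearer packet (RFC 4303 places the 32-bit SPI first), and forwards only packets whose SPI matches the session. The X-SPI header name and the use of Call-ID as the session key are assumptions; the patent does not say where in the SIP message the SPI is carried, and a real gateway would bind the bearer to the session by its IP flow.

```python
import re
import struct
from typing import Dict, Optional, Set

# Constructed SIP messages. "X-SPI" is an assumed header name; the patent
# only states that the SPI is carried in the INVITE / 200 OK signaling.
SIP_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Call-ID: call-1@example.com\r\n"
    "X-SPI: 0x1000abcd\r\n\r\n"
)
SIP_200_OK = (
    "SIP/2.0 200 OK\r\n"
    "Call-ID: call-1@example.com\r\n"
    "X-SPI: 0x2000ef01\r\n\r\n"
)

def spi_from_signaling(msg: str) -> Optional[int]:
    """First index: the SPI advertised in a SIP INVITE or 200 OK, if any."""
    m = re.search(r"^X-SPI:\s*(0x[0-9a-fA-F]{1,8})\s*$", msg, re.M)
    return int(m.group(1), 16) if m else None

def spi_from_esp(packet: bytes) -> int:
    """Second index: RFC 4303 ESP header = SPI (4 bytes) + sequence (4 bytes)."""
    if len(packet) < 8:
        raise ValueError("truncated ESP header")
    return struct.unpack("!I", packet[:4])[0]

def esp_packet(spi: int, seq: int, payload: bytes) -> bytes:
    """Build a constructed ESP packet; the payload stays opaque (encrypted)."""
    return struct.pack("!II", spi, seq) + payload

class MonitoringMedium:
    """Learns SPIs from signaling, then gates bearer packets on SPI match."""
    def __init__(self) -> None:
        self.allowed: Dict[str, Set[int]] = {}  # Call-ID -> SPIs seen in signaling

    def observe_signaling(self, msg: str) -> None:
        call_id = re.search(r"^Call-ID:\s*(\S+)", msg, re.M).group(1)
        spi = spi_from_signaling(msg)
        if spi is not None:
            self.allowed.setdefault(call_id, set()).add(spi)

    def filter_packet(self, call_id: str, packet: bytes) -> bool:
        """True = forward (indexes match); False = reject (mismatch or malformed)."""
        try:
            return spi_from_esp(packet) in self.allowed.get(call_id, set())
        except ValueError:
            return False
```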
TW94124012A 2004-07-15 2005-07-15 Bearer control of encrypted data flows in packet data communications TWI378694B (en)

Applications Claiming Priority (1)

Application Number Priority Date Filing Date Title
US58866404P 2004-07-15 2004-07-15

Publications (2)

Publication Number Publication Date
TW200635305A TW200635305A (en) 2006-10-01
TWI378694B true TWI378694B (en) 2012-12-01

Family

ID=38701554

Family Applications (2)

Application Number Title Priority Date Filing Date
TW094124016A TW200627886A (en) 2004-07-15 2005-07-15 Packet data filtering
TW94124012A TWI378694B (en) 2004-07-15 2005-07-15 Bearer control of encrypted data flows in packet data communications

Family Applications Before (1)

Application Number Title Priority Date Filing Date
TW094124016A TW200627886A (en) 2004-07-15 2005-07-15 Packet data filtering

Country Status (2)

Country Link
CN (2) CN101014925B (en)
TW (2) TW200627886A (en)

Families Citing this family (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AU2008344384B2 (en) * 2007-12-27 2012-12-20 Keiko Ogawa Information distribution system and program for the same
CN102056118B (en) * 2009-10-30 2015-05-20 中兴通讯股份有限公司 Method, device and system for charge control

Also Published As

Publication number Publication date
CN101006700A (en) 2007-07-25
TW200635305A (en) 2006-10-01
CN101014925B (en) 2012-07-04
CN101014925A (en) 2007-08-08
TW200627886A (en) 2006-08-01

Similar Documents

Publication Publication Date Title
JP5112864B2 (en) Bearer control of encrypted data flow in packet data communication
KR100904168B1 (en) Packet data filtering
EP1992178B1 (en) Access terminal for communicating packets using a home anchored bearer path or a visited anchored bearer path
KR100896620B1 (en) Multimedia communication using co-located care of address
US7519738B2 (en) Method for moving of flows in communication networks
US20060230445A1 (en) Mobile VPN proxy method based on session initiation protocol
JP2009284492A (en) Method and system for providing secure communications between communication networks
JP2004527928A (en) Handover method between heterogeneous communication networks
US20060288423A1 (en) Method, system and network elements for establishing media protection over networks
Koodli et al. Mobile Inter-networking with IPv6: Concepts, principles and practices
TWI378694B (en) Bearer control of encrypted data flows in packet data communications
EP1708449A1 (en) Mobile VPN proxy method based on session initiation protocol
TWI360361B (en) Multimedia communication using co-located care of
Vintila A solution for secure SIP conferencing over IMS and SAE
IPSECME Internet-Draft Francetelecom-Orange Intended status: Standards Track K. Pentikousis Expires: August 18, 2013 Huawei Technologies February 14, 2013

Legal Events

Date Code Title Description
MM4A Annulment or lapse of patent due to non-payment of fees