WO2002071717A2 - Traversal of firewalls and network address translation devices - Google Patents

Traversal of firewalls and network address translation devices

Info

Publication number
WO2002071717A2
Authority
WO
WIPO (PCT)
Prior art keywords
data
firewalls
network
per
transmitting data
Prior art date
Application number
PCT/US2001/048551
Other languages
English (en)
Other versions
WO2002071717A3 (fr)
Inventor
Gur Kimchi
Original Assignee
Vocaltec Communications Ltd.
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Priority claimed from US09/867,371 external-priority patent/US20020120760A1/en
Application filed by Vocaltec Communications Ltd. filed Critical Vocaltec Communications Ltd.
Priority to AU2001297602A priority Critical patent/AU2001297602A1/en
Priority to US10/450,751 priority patent/US20050125532A1/en
Publication of WO2002071717A2 publication Critical patent/WO2002071717A2/fr
Publication of WO2002071717A3 publication Critical patent/WO2002071717A3/fr

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281 Proxies
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2521 Translation architectures other than single NAT servers
    • H04L61/2535 Multiple local networks, e.g. resolving potential IP address conflicts
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L61/2567 NAT traversal for reachability, e.g. inquiring the address of a correspondent behind a NAT server
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L61/2575 NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L61/2578 NAT traversal without involvement of the NAT server
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes

Definitions

  • the present invention relates generally to the field of network communications. More specifically, the present invention is related to a system and method for traversing firewalls and network address translators (NATs).
  • NATs network address translators
  • NATs and firewalls present a challenge to network software programming, although their functions and operations are different: firewalls filter information into and out of the private network, while NATs hide or encapsulate a private network behind a single (or few) "real" Internet Protocol addresses. Their effect on many network applications is the same:
  • U.S. Patent No. 5,898,830, assigned to Network Engineering Software, describes a system which allows connectionless traffic across a firewall. Rule checking is performed on the first packet entering, and if it is determined that the packet needs to be sent, a virtual host sends it to the destination computer. A time limit is set, and so long as the set time limit does not run out, the communication is allowed. Addressing is accomplished using name-based addressing for end-to-end communication, with virtual hosts/DNS servers providing the intermediate address routing information. A connection-type session does not appear to be initiated for the UDP transport.
  • U.S. patent No. 5,915,087 discloses a firewall system, which allows communication, using a connectionless protocol.
  • the firewall holds a list of servers located on the private side, and intercepts any communications addressed to the servers.
  • the firewall then binds a port and notes it in a link table.
  • the packet is passed to a stack on the private side, which forwards the packet to the server. Any communication from the server to the originating client is sent to the firewall, where the originating client's address is determined using the link table.
  • U.S. patent No. 5,778,174 describes a system, which utilizes an external machine, located on a public network to bypass a router firewall.
  • a client on the public network connects to the external machine.
  • a private channel is opened between the external machine and a machine internal to the private network.
  • the internal machine connects to the destination server, and communication between the client and server is conducted through the external and internal machines.
  • U.S. patent No. 5,941,988 provides for a proxy system that "glues" together two separate TCP connections terminating at a common host (proxy). When communications from one connection are received at the proxy, the headers are altered to address the socket at the end of the second connection, and the sequence numbers of the first connection are mapped to the sequence space of the second connection.
  • the non-patent literature entitled "A Weakness in the 4.2 BSD Unix TCP/IP Software" describes the spoofing of a trusted host to communicate with a system, having a list of the trusted hosts, from a host that is not on the trusted list.
  • the present invention provides for a method and a system for allowing an incoming UDP packet to traverse a NAT/firewall comprising, opening a TCP connection and utilizing a Raw-IP interface which builds the UDP packet utilizing the parameters of the TCP connection (e.g., session number, port, etc.).
  • the present system provides for a method and system for allowing communication between two machines, at least one of which is behind a firewall. Connections are established between each machine and a proxy server sitting on a public network. The proxy then communicates the port and address information of each machine to the other machine, after which, each machine sends directly to each other using the supplied port and address information, while using the proxy servers port and address information as the source port and address.
  • Figure 1 illustrates the Intranet to Internet data transfer scenario.
  • Figure 2 illustrates the Internet to Intranet data transfer scenario.
  • FIG. 3 illustrates the Intranet to Intranet data transfer scenario.
  • Figure 4 illustrates a bi-directional connection, using TCP and HTTP, communicating indirectly with the proxy.
  • Figure 5 illustrates TCP spoofing of the present invention.
  • Figure 6 illustrates TCP spoofing of the present invention in the presence of a packet forwarder.
  • Figure 7 illustrates the methodology associated with the present invention.
  • a communicating device such as the Internet phone or a Voice-over-IP Gateway or an IETF MGCP Gateway or an ITU-T H.248 Gateway or a PacketCable Residential Gateway or a CPE Gateway (Customer premises equipment Gateway)
  • Firewalls: connections are always opened from the private network to the public network, taking advantage of the fact that TCP data communications are bi-directional.
  • NATs present an additional translation step when communicating.
  • NATs map the source addresses (in the private network) of the originating computer into a public address and a port number on the public interface of the NAT.
  • Multimedia signaling and media streaming are usually UDP-based for better efficiency, which introduces the problem: the ingress system sends UDP packets to the public interface of the NAT, and the NAT has no automatic method to map this UDP datagram to the actual computer that is supposed to receive it.
  • the solution provided by the present invention is to stream audio and video (and other time-sensitive data) over TCP, but TCP streaming and windowing mechanisms hurt real-time performance.
  • the present invention opens a TCP connection as usual (using TCP), and then switches to a raw-IP interface that sends raw-IP datagrams that are legal TCP messages using the just-opened TCP channel's parameters (e.g., session number, port, etc.). To an intermediate system, these messages will look like standard TCP messages, but as they are sent using raw IP, the usual timing issues that TCP introduces to real-time media streaming are not in place.
  • the present invention uses the protocol software to "spoof" the TCP channel to enable real-time TCP communications.
  • the present invention uses a server proxy that both communication parties open their TCP channels to (using the previous procedure). Then, the proxy communicates to each party the other party's source address/port (of the TCP channel). Finally, each communication element sends information to the other party using the server proxy's source address/port. It should be noted that packets are sent directly between the communicating entities, as the proxy is only used to hold the TCP state to "spoof" the NATs and firewalls.
  • TCP/HTTP is universally supported, and in this instance all information is tunneled over the simulated TCP/HTTP channel.
  • IPv4: IP address translation
  • firewall devices: In the Internet as it exists today, using the small address space provided by IPv4, many networks deploy NAT (network address translation) devices to enlarge the internal address space. In addition, many networks deploy firewall devices to block intrusions and hacking. Many firewalls also support integrated NAT capabilities.
  • ingress traffic: traffic originating outside the network and destined into the network
  • incoming connections are usually blocked by firewalls and are impossible to complete on NAT devices
  • the originating IP host (outside the NAT) is unaware of the destination's internal IP address.
  • users cannot place audio/video calls from NAT-protected networks (as the audio and video will not penetrate back into the network from the remote called host), and in many cases users behind corporate firewalls are blocked from using such services.
  • a communications protocol such as the TrulyGlobal™ Protocol (TGP) (as described in the related application, "Communication Protocol") can be used in conjunction with the present invention to operate over standard HTTP and remote TGP servers, using the HTTP back-channel to send information to the client and ensuring that all actions carried by TGP traverse both NATs and firewalls.
  • TGP TrulyGlobalTM Protocol
  • Intranet is a network that is protected by a NAT or a firewall device, and blocks all incoming traffic into the protected network (e.g., TCP connections cannot be initiated into the network, and UDP traffic will be blocked at the entry-point into the network).
  • Internet is defined as a public addressed, unprotected network, where full IP communication is possible.
  • The solution provided by the present invention uses TCP and potentially HTTP, and a service is provided outside the Intranet (in the public Internet) to help both end-points complete calls.
  • the first assumption made is that the clients inside the Intranet can initiate TCP, or at least TCP/HTTP, specifically to the public Internet, so some form of communication is possible.
  • HTTP can be used to ensure safe traversal via HTTP proxies.
  • TCP/HTTP: once a TCP/HTTP connection is available, bi-directional communication is possible. Outward messages use standard HTTP commands to request resources (using URLs), and the incoming information flow returns over the HTTP reply channel (as TCP/HTTP is full-duplex).
  • the caller can initiate a TCP/HTTP connection (or a plain TCP connection) to a service that resides in the public Internet, and that service is responsible to "proxy" the request (using the reply leg of the remote HTTP session) to the called-device.
  • a TCP/HTTP connection or a plain TCP connection
  • proxy the request (using the reply leg of the remote HTTP session) to the called-device.
  • the solution as per the present invention is to spoof the TCP session to allow direct TCP communications between the two machines.
  • This scenario is illustrated in Figure 5.
  • When a machine behind a proxy, NAT or firewall establishes a session with the outside world, the session is mapped on the outside of Intranet 1 and 2 (on the public interface address(es)) to an internal connection between Hosts 1 and 2 and their gateways to the Internet. Sending correctly formed TCP packets to that interface will result in the gateway forwarding these packets to the correct host inside the private network.
  • a session is established from Host 1 in Intranet 1 to the Proxy (AB session).
  • a session is established from Host 2 in Intranet 2 to the Proxy (DC session).
  • the public-side address Bp of session A is found by inspecting the source address/port of B.
  • the external mapped addresses are provided to the other hosts, i.e., Host 1 is provided with address/port pair Cp and Host 2 is provided with address/port pair Bp.
  • TCP session B parameters are provided to Host 2.
  • TCP session C parameters are provided to Host 1.
  • Hosts 1 and 2 will spoof TCP packets for sessions B and C, sent to target address/port pairs Bp and Cp. This traffic will go directly between the two networks and not via the Proxy.
  • a virtual TCP session C'/B' is created by combining the two existing TCP sessions C and B.
  • the Proxy should not send any information on that session, as session parameters may be out of date.
  • the session is kept open for as long as Hosts 1 and 2 require it, and will be closed by either Host when required.
  • the proxy is only used for establishing the session, and does not use the session for anything else once it is "handed over".
  • the internal network will filter spoofed packets (for security, e.g., hack prevention) and therefore will not let the packets with the spoofed source address leave the internal network.
  • the TCP connections will be handed over to a packet forwarder (that resides in the same server or a separate server) that handles the packet interchange.
  • TCP session parameters can be changed or completely ignored; as long as packets are syntactically correct (as per TCP), they can be sent without consideration of window sizes, exponential back-off algorithms or slow-start mechanisms.
  • TCP session-establishment procedures described above allow any session to be established between any two computers. This is done as a result of Host 1 calling Host 2 (or the reverse).
  • the calling host will send a Call-Establishment message to the Proxy, which will (pending, any policy decision) forward the request to the called Host.
  • the called host will receive the Call Answer transaction over the back-channel of the session it already has with the Proxy, requesting it to answer the call. If the called host responds positively, one or more media channel(s) will be established between Hosts 1 and 2, with the help of the proxy as required by the session's parameters (audio only, audio and video, etc.).
  • the Proxy contains all the required functionality (e.g., signaling an RTP:Address:Port destination instead of an H323:Address:Port destination).
  • IETF SIP by manipulating IETF Session Description Protocol (SDP) parameters
  • ITU H.323 by Manipulating ITU-T H.245 OpenLogicalChannel or FastStart parameters
  • SDP Session Description Protocol
  • the present invention is implemented using a raw-IP interface that spoofs the TCP sessions.
  • a limited TCP stack is implemented that creates syntactically correct TCP packets, to ensure the packets are interpreted and forwarded correctly by the NATs, proxies and firewalls in the way.
  • Such a spoofed-TCP stack does not need to support any reliable transmission, as it is only used for real-time sensitive transmission purposes.
  • FIG. 7 summarizes the methodology 700 associated with the present invention.
  • both hosts establish a connection (e.g., TCP connection or TCP/HTTP connection) with a TCP proxy server.
  • external mapped addresses Bp and Cp associated with the firewalls of both hosts are identified.
  • the identified external mapped addresses are exchanged between the two hosts.
  • the TCP packets are spoofed to transmit the data (e.g., streaming multimedia data) between the hosts.
  • the present invention includes a computer program code based product, which is a storage medium having program code stored therein, which can be used to instruct a computer to perform any of the methods associated with the present invention.
  • the computer storage medium includes any of, but not limited to, the following: CD-ROM, DVD, magnetic tape, optical disc, hard drive, floppy disk, ferroelectric memory, flash memory, ferromagnetic memory, optical storage, charge coupled devices, magnetic or optical cards, smart cards, EEPROM, EPROM, RAM, ROM, DRAM, SRAM, SDRAM, or any other appropriate static or dynamic memory, or data storage devices.
  • Implemented in computer program code based products are software modules for: aiding in establishing a communication link with a proxy server over a network, wherein a first and second device can access the network over a firewall; inspecting said firewalls and identifying an external mapped address Bp associated with said first device and identifying an external mapped address Cp associated with said second device; notifying said first device regarding said identified external mapped address Cp and notifying said second device regarding said identified external mapped address Bp; and aiding said first or second device in spoofing TCP packets via transmitting data with said notified external mapped address as the destination address.
  • Also implemented in computer program based products are software modules for: aiding in establishing a communication link with a proxy server over a network, each of said first and second devices accessing said network over a firewall; inspecting said firewalls and identifying an external mapped address Bp associated with said first device and identifying an external mapped address Cp associated with said second device; notifying said packet forwarder regarding said identified external mapped addresses Cp and Bp; and forwarding TCP packets via transmitting data with said packet forwarder as said destination address, with computer readable program code aiding said packet forwarder in forwarding said data with Cp as the destination address, or forwarding TCP packets via transmitting data with said packet forwarder as said destination address, with computer readable program code aiding said packet forwarder in forwarding said data with Bp as the destination address.
  • the present invention may be implemented on a multi-nodal system (e.g., LAN) or networking system (e.g., Internet, WWW, wireless web). All programming, and data related thereto are stored in computer memory, static or dynamic, and may be retrieved by the user in any of: conventional computer storage, display (i.e., CRT) and/or hardcopy (i.e., printed) formats.
  • the programming of the present invention may be implemented by one of skill in the art of network communications.
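The definitions above make three security-relevant points about stateful gateways: an outbound flow creates a public-side mapping and replies to it are translated back; an unsolicited inbound UDP datagram has no mapping and is dropped; and some internal networks apply egress anti-spoofing filters that stop packets whose source address is not internal. The following Python model is an added illustration of those behaviours, not code from the patent or from Vocaltec. Addresses, ports and the `NatGateway` / `run_scenarios` names are constructed for the example; the `strict_filtering` flag models the difference between endpoint-independent and address-and-port-dependent filtering (RFC 4787 terms), which is the gateway property that decides whether a third party can send through an existing mapping at all.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Toy stateful NAT/firewall (constructed for illustration only).

    strict_filtering=False: endpoint-independent filtering; once an outbound
    flow exists, any remote host may send to the mapped public port.
    strict_filtering=True: address-and-port-dependent filtering; only the
    remote endpoint the flow was opened to may send back through the mapping.
    """

    def __init__(self, internal_net, public_ip, strict_filtering=False, first_port=40000):
        self.internal_net = ip_network(internal_net)
        self.public_ip = public_ip
        self.strict_filtering = strict_filtering
        self.next_port = first_port
        self.out = {}   # (proto, internal src, sport) -> public port
        self.back = {}  # (proto, public port) -> (internal src, sport, remote, rport)
        self.log = []

    def egress(self, pkt):
        """Packet leaving the private network; returns the translated packet or None."""
        if ip_address(pkt.src) not in self.internal_net:
            # Egress anti-spoofing: the source must be an address of the internal network.
            self.log.append(f"DROP egress: source {pkt.src} is not an internal address")
            return None
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.out:
            port = self.next_port
            self.next_port += 1
            self.out[key] = port
            self.back[(pkt.proto, port)] = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            self.log.append(f"MAP {pkt.proto} {pkt.src}:{pkt.sport} -> {self.public_ip}:{port}")
        return Packet(pkt.proto, self.public_ip, self.out[key], pkt.dst, pkt.dport)

    def ingress(self, pkt):
        """Packet arriving on the public interface; returns the de-translated packet or None."""
        entry = self.back.get((pkt.proto, pkt.dport)) if pkt.dst == self.public_ip else None
        if entry is None:
            # No outbound flow created a mapping for this port: nowhere to deliver it.
            self.log.append(f"DROP ingress: no mapping for {pkt.proto} {pkt.dst}:{pkt.dport}")
            return None
        src, sport, remote, rport = entry
        if self.strict_filtering and (pkt.src, pkt.sport) != (remote, rport):
            self.log.append(f"DROP ingress: {pkt.src}:{pkt.sport} is not the flow's remote endpoint")
            return None
        return Packet(pkt.proto, pkt.src, pkt.sport, src, sport)


def run_scenarios(strict_filtering=False):
    """Replays the scenarios from the text against the model; returns what got through."""
    gw = NatGateway("10.0.0.0/8", "203.0.113.5", strict_filtering)
    host1, proxy, other = "10.1.1.20", "198.51.100.10", "192.0.2.77"  # constructed addresses

    # 1. Host 1 opens a TCP session to the public proxy: the gateway allocates a mapping.
    out = gw.egress(Packet("tcp", host1, 51000, proxy, 80))
    # 2. The proxy's reply to the mapped public port is translated back to Host 1.
    reply = gw.ingress(Packet("tcp", proxy, 80, "203.0.113.5", out.sport))
    # 3. A UDP datagram sent to the public interface with no prior outbound flow is dropped.
    unsolicited = gw.ingress(Packet("udp", other, 5004, "203.0.113.5", 5004))
    # 4. A third party sending to the mapped port: passed by a lenient NAT, dropped by a strict one.
    third_party = gw.ingress(Packet("tcp", other, 80, "203.0.113.5", out.sport))
    # 5. An internal sender using a non-internal source address is stopped by egress filtering.
    spoofed = gw.egress(Packet("tcp", proxy, 80, other, 51000))

    return {
        "mapped_port": out.sport,
        "reply_delivered_to": (reply.dst, reply.dport) if reply else None,
        "unsolicited_udp_delivered": unsolicited is not None,
        "third_party_delivered": third_party is not None,
        "spoofed_egress_delivered": spoofed is not None,
        "log": gw.log,
    }


if __name__ == "__main__":
    for strict in (False, True):
        print(f"strict_filtering={strict}:")
        for line in run_scenarios(strict)["log"]:
            print("  " + line)
```

Running the script twice, once per filtering mode, shows why the patent's scheme depends on the gateway's filtering behaviour: with endpoint-independent filtering the mapped port is reachable by any remote host, whereas address-and-port-dependent filtering only admits the endpoint the flow was opened to, and the egress rule the patent itself mentions blocks the spoofed-source packets before they leave the private network.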

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
  • Small-Scale Networks (AREA)

Abstract

The invention concerns enabling an incoming UDP packet to traverse a network address translation device or a firewall. First, a TCP connection is established, and a raw-IP interface is used to build the UDP-type packets on the basis of the TCP connection parameters (for example, session number, port, etc.). In addition, when one or both communicating devices are behind the firewall, a connection is established between each device and a public-network proxy server. The proxy server communicates the port and address information to each device. To do so, the proxy server uses its own port and address as the source port and address information, or else it communicates to each device the address of a suitable packet forwarding (relay) system (selected essentially on the criterion of network proximity).
PCT/US2001/048551 2000-05-26 2001-12-13 Traversal of firewalls and network address translation devices WO2002071717A2 (fr)

Priority Applications (2)

Application Number Priority Date Filing Date Title
AU2001297602A AU2001297602A1 (en) 2000-12-14 2001-12-13 Traversing firewalls and nats
US10/450,751 US20050125532A1 (en) 2000-05-26 2001-12-13 Traversing firewalls and nats

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US25542200P 2000-12-14 2000-12-14
US60/255,422 2000-12-14
US09/867,371 US20020120760A1 (en) 2000-05-26 2001-05-29 Communications protocol
US09/867,371 2001-05-29

Publications (2)

Publication Number Publication Date
WO2002071717A2 true WO2002071717A2 (fr) 2002-09-12
WO2002071717A3 WO2002071717A3 (fr) 2003-03-27

Family

ID=26944694

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/US2001/048551 WO2002071717A2 (fr) 2000-05-26 2001-12-13 Traversal of firewalls and network address translation devices

Country Status (2)

Country Link
AU (1) AU2001297602A1 (fr)
WO (1) WO2002071717A2 (fr)

Cited By (15)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2005043848A1 (fr) * 2003-11-03 2005-05-12 Immertec Co., Ltd. Procede et systeme de communication par paquets udp pour terminaux ip prives
WO2005081492A1 (fr) * 2004-02-20 2005-09-01 Matsushita Electric Industrial Co., Ltd. Procede et systeme pour des communications tcp/ip de bout en bout securisees par serveur mandataire dit proxy
AT414067B (de) * 2002-12-03 2006-08-15 Loytec Electronics Gmbh Verfahren zum betrieb von cn/ip-knoten hinter nat-routern
WO2006099803A1 (fr) * 2005-03-22 2006-09-28 Huawei Technologies Co., Ltd. Procédé de mise en œuvre pour la traversee du pare-feu par le message ipv6 mobile et pare-feu
WO2006119683A1 (fr) * 2005-05-12 2006-11-16 Zte Corporation Procede d'implementation de traversee nat mms
WO2006125383A1 (fr) * 2005-05-23 2006-11-30 Huawei Technologies Co., Ltd. Procede permettant de traverser un dispositf de conversion d’adresse reseau/coupe-feu
WO2006131600A1 (fr) * 2005-06-07 2006-12-14 Teliasonera Ab Connectivite sur des pare-feu a etats
EP1865676A1 (fr) * 2005-03-11 2007-12-12 AdIn Research, Inc. Dispositif de relais, systeme de communication et procede de controle et programme y afferant
CN100384168C (zh) * 2005-12-30 2008-04-23 四川长虹电器股份有限公司 H.323系统的多媒体会话穿越nat设备的方法
US7392323B2 (en) 2004-11-16 2008-06-24 Seiko Epson Corporation Method and apparatus for tunneling data using a single simulated stateful TCP connection
US7406533B2 (en) 2003-10-08 2008-07-29 Seiko Epson Corporation Method and apparatus for tunneling data through a single port
CN100440850C (zh) * 2003-12-24 2008-12-03 华为技术有限公司 多媒体业务网络地址转换穿越的方法及其系统
WO2010045834A1 (fr) * 2008-10-21 2010-04-29 中兴通讯股份有限公司 Procédé et système pour système de surveillance vidéo permettant aux supports de passer par une traduction d'adresse réseau
CN102231763A (zh) * 2011-06-20 2011-11-02 北京思创银联科技股份有限公司 一种基于nat穿透的共享方法
CN104219589A (zh) * 2013-06-03 2014-12-17 福达新创通讯科技(厦门)有限公司 图像传输方法、系统及其记录媒体

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6052788A (en) * 1996-10-17 2000-04-18 Network Engineering Software, Inc. Firewall providing enhanced network security and user transparency

Family Cites Families (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP3354433B2 (ja) * 1997-04-25 2002-12-09 株式会社日立製作所 ネットワーク通信システム

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6052788A (en) * 1996-10-17 2000-04-18 Network Engineering Software, Inc. Firewall providing enhanced network security and user transparency

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Title
ESCHENBURG A: "WO LAUFEN SIE DENN? ICQ HAELT VERBINDUNG ZU BEKANNTEN" CT MAGAZIN FUER COMPUTER TECHNIK, VERLAG HEINZ HEISE GMBH., HANNOVER, DE, no. 22, 26 October 1998 (1998-10-26), pages 92-95, XP000779803 ISSN: 0724-8679 *
J.ROSENBERG,D.DREW,H.SCHULZRINNE: "<draft-rosenberg-sip-firewalls-00.txt> - Getting SIP through Firewalls and NATs" INTERNET DRAFT, [Online] 22 February 2000 (2000-02-22), XP002218607 Retrieved from the Internet: <URL:http://www.jdrosen.net/papers/draft-r osenberg-sip-firewalls-00.txt> [retrieved on 2002-10-28] *
NORIFUSA M: "Internet security: difficulties and solutions" INTERNATIONAL JOURNAL OF MEDICAL INFORMATICS, ELSEVIER SCIENTIFIC PUBLISHERS, SHANNON, IR, vol. 49, no. 1, March 1998 (1998-03), pages 69-74, XP004149463 ISSN: 1386-5056 *
PATENT ABSTRACTS OF JAPAN vol. 1999, no. 02, 26 February 1999 (1999-02-26) & JP 10 303947 A (HITACHI LTD), 13 November 1998 (1998-11-13) & US 6 195 366 B1 (KATOH ERI ET AL) 27 February 2001 (2001-02-27) *

Cited By (18)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
AT414067B (de) * 2002-12-03 2006-08-15 Loytec Electronics Gmbh Verfahren zum betrieb von cn/ip-knoten hinter nat-routern
US7406533B2 (en) 2003-10-08 2008-07-29 Seiko Epson Corporation Method and apparatus for tunneling data through a single port
WO2005043848A1 (fr) * 2003-11-03 2005-05-12 Immertec Co., Ltd. Procede et systeme de communication par paquets udp pour terminaux ip prives
CN100440850C (zh) * 2003-12-24 2008-12-03 华为技术有限公司 多媒体业务网络地址转换穿越的方法及其系统
WO2005081492A1 (fr) * 2004-02-20 2005-09-01 Matsushita Electric Industrial Co., Ltd. Procede et systeme pour des communications tcp/ip de bout en bout securisees par serveur mandataire dit proxy
US7392323B2 (en) 2004-11-16 2008-06-24 Seiko Epson Corporation Method and apparatus for tunneling data using a single simulated stateful TCP connection
EP1865676A4 (fr) * 2005-03-11 2010-06-02 Adin Res Inc Dispositif de relais, systeme de communication et procede de controle et programme y afferant
EP1865676A1 (fr) * 2005-03-11 2007-12-12 AdIn Research, Inc. Dispositif de relais, systeme de communication et procede de controle et programme y afferant
WO2006099803A1 (fr) * 2005-03-22 2006-09-28 Huawei Technologies Co., Ltd. Procédé de mise en œuvre pour la traversee du pare-feu par le message ipv6 mobile et pare-feu
WO2006119683A1 (fr) * 2005-05-12 2006-11-16 Zte Corporation Procede d'implementation de traversee nat mms
WO2006125383A1 (fr) * 2005-05-23 2006-11-30 Huawei Technologies Co., Ltd. Procede permettant de traverser un dispositf de conversion d’adresse reseau/coupe-feu
WO2006131600A1 (fr) * 2005-06-07 2006-12-14 Teliasonera Ab Connectivite sur des pare-feu a etats
US8332532B2 (en) 2005-06-07 2012-12-11 Teliasonera Ab Connectivity over stateful firewalls
CN100384168C (zh) * 2005-12-30 2008-04-23 四川长虹电器股份有限公司 H.323系统的多媒体会话穿越nat设备的方法
WO2010045834A1 (fr) * 2008-10-21 2010-04-29 中兴通讯股份有限公司 Procédé et système pour système de surveillance vidéo permettant aux supports de passer par une traduction d'adresse réseau
CN102231763A (zh) * 2011-06-20 2011-11-02 北京思创银联科技股份有限公司 一种基于nat穿透的共享方法
CN104219589A (zh) * 2013-06-03 2014-12-17 福达新创通讯科技(厦门)有限公司 图像传输方法、系统及其记录媒体
CN104219589B (zh) * 2013-06-03 2017-10-03 福达新创通讯科技(厦门)有限公司 图像传输方法、系统及其记录媒体

Also Published As

Publication number Publication date
AU2001297602A1 (en) 2002-09-19
WO2002071717A3 (fr) 2003-03-27

Similar Documents

Publication Publication Date Title
US20050125532A1 (en) Traversing firewalls and nats
US8607323B2 (en) Method for providing media communication across firewalls
US9350699B2 (en) Scalable NAT traversal
Holdrege et al. Protocol complications with the IP network address translator
EP1687958B1 (fr) Procédé et système de filtrage du trafic multimedia a base d'associations d'adresses ip
US8200827B1 (en) Routing VoIP calls through multiple security zones
US7639668B2 (en) Method for securing RTS communications across middleboxes
US8767590B2 (en) Multimedia conference system and method which enables communication between private network and internet
US7369537B1 (en) Adaptive Voice-over-Internet-Protocol (VoIP) testing and selecting transport including 3-way proxy, client-to-client, UDP, TCP, SSL, and recipient-connect methods
JP5216018B2 (ja) 移動体電話機用ストリーミング・メディア・サービス
WO2002071717A2 (fr) Traversal of firewalls and network address translation devices
US7411917B1 (en) Method and system for providing registration-based SIP NAT traversal
EP1613024A1 (fr) Méthode et serveur d'appel pour établir un lien de communication bidirectionnel d'égal à égal
US9088542B2 (en) Firewall traversal driven by proximity
Paulsamy et al. Network convergence and the NAT/Firewall problems
US20060168266A1 (en) Apparatus and method for providing signaling mediation for voice over internet protocol telephony
US8576854B2 (en) System for communication between private and public IP networks
Koski et al. The SIP-based system used in connection with a firewall
US20050177718A1 (en) Systems and methods for video transport service
KR100957432B1 (ko) 미디어 전송 방법
Evers et al. Handover-aware SIP-based VoIP provided by a Roaming-Enabled Architecture (REACH)
Asghar et al. Security issues of SIP
Topal et al. Enabling peer-to-peer communication for hosts in private address realms using IPv4 LSRR option and IPv4+ 4 addresses
Chang et al. KaiKai: A NAT Traversal Approach by Using Protocol Behavior Analysis
Khan et al. An extensive study on application level gateways (ALGs)

Legal Events

Date Code Title Description
AK Designated states

Kind code of ref document: A2

Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CO CR CU CZ DE DK DM DZ EC EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ OM PH PL PT RO RU SD SE SG SI SK SL TJ TM TN TR TT TZ UA UG US UZ VN YU ZA ZM ZW

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZM ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE TR BF BJ CF CG CI CM GA GN GQ GW ML MR NE SN TD TG

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
REG Reference to national code

Ref country code: DE

Ref legal event code: 8642

122 Ep: pct application non-entry in european phase
WWE Wipo information: entry into national phase

Ref document number: 10450751

Country of ref document: US

NENP Non-entry into the national phase

Ref country code: JP

WWW Wipo information: withdrawn in national office

Country of ref document: JP