WO2012019508A1 - Relay-based media channel establishment method and system - Google Patents
Relay-based media channel establishment method and system
- Publication number
- WO2012019508A1 (PCT/CN2011/077592)
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- service identifier
- media
- relay device
- media relay
- session
- Prior art date
Classifications
- H ELECTRICITY; H04 ELECTRIC COMMUNICATION TECHNIQUE; H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
  - H04L65/60 Network streaming of media packets
    - H04L65/75 Media network packet handling
      - H04L65/765 Media network packet handling intermediate
  - H04L65/1066 Session management
    - H04L65/1069 Session establishment or de-establishment
  - H04L65/10 Architectures or entities
    - H04L65/102 Gateways
      - H04L65/1023 Media gateways
        - H04L65/103 Media gateways in the network
- H04L61/00 Network arrangements, protocols or services for addressing or naming
  - H04L61/09 Mapping addresses
    - H04L61/25 Mapping addresses of the same type
      - H04L61/2503 Translation of Internet protocol [IP] addresses
        - H04L61/256 NAT traversal
          - H04L61/2589 NAT traversal over a relay server, e.g. traversal using relay for network address translation [TURN]
- H04L67/00 Network arrangements or protocols for supporting network services or applications
  - H04L67/14 Session management
    - H04L67/141 Setup of application sessions
    - H04L67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
- H04L69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
  - H04L69/24 Negotiation of communication capabilities
- H04L63/00 Network architectures or network communication protocols for network security
  - H04L63/08 Authentication of entities
    - H04L63/083 Authentication of entities using passwords
Definitions
- The present invention relates to the field of communications, and in particular to a method and system for establishing a media channel via a relay.
Background
- FIG. 1 is a schematic diagram of a prior-art network structure for symmetric NAT traversal.
- A user equipment (UE) 101 is the terminal used by a user. A NAT 102 sits between the UE and the Internet and hides the UE behind a translated address.
- The media relay control server 103 allocates a media relay device 104 to a user session and instructs the media relay device 104 to reserve resources for that session; the media relay device 104 forwards the communication data of both parties.
- The media relay control server 103 and the media relay device 104 are generally located in the public Internet.
- FIG. 2 is the prior-art flow for traversing NAT with relay technology and establishing a peer-to-peer connection between user nodes. It mainly comprises the following steps:
- Both UE A and UE B register with the media relay control server beforehand.
- UE A sends a session request to the media relay control server; the request carries the first destination address-port pair A1 at which UE A receives UE B's reply.
- The media relay control server requests the media relay device to reserve media resources for the session.
- The media resource allocated by the media relay device comprises a first public network address-port pair (handed to UE B as UE A's address, so it receives the media data packets UE B sends) and a second public network address-port pair (handed to UE A as UE B's address, so it receives the media data packets UE A sends), and the media relay device records the binding between the first and second public network address-port pairs.
- The media relay device returns the reserved media resource information to the media relay control server and at the same time starts listening for data on the reserved resources, i.e. on the first and second public network address-port pairs.
- The media relay control server replaces the first destination address-port pair A1 in the session request message with the first public network address-port pair.
- The media relay control server forwards the modified session request to UE B.
- UE B receives the session request, extracts the first public network address-port pair from it as the communication address of UE A, and returns an acknowledgement response to the media relay control server.
- The response carries the second destination address-port pair B1 at which UE B receives UE A's reply; the media relay control server replaces B1 with the second public network address-port pair and forwards the response to UE A.
- UE A receives the session acknowledgement response and extracts the second public network address-port pair from it as the communication address of UE B.
- FIG. 3 is the prior-art flow for establishing a media channel between UE A, UE B and the media relay device. It mainly comprises the following steps:
- S301: after receiving UE B's session acknowledgement response, UE A sends its first media data packet to UE B. Because UE A extracted the second public network address-port pair from the response as UE B's communication address, the packet is sent to the second public network address-port pair of the media relay device.
- S302: the media relay device receives UE A's first media data packet, establishes a binding between the first destination address-port pair A2 (that is, UE A's media-plane address-port pair as seen by the relay) and the second public network address-port pair, and buffers UE A's media data packets until UE B's media data packet is received.
- S303: UE B sends its first media data packet to UE A; the packet is sent to the first public network address-port pair of the media relay device.
- S304: the media relay device receives UE B's first media data packet, establishes a binding between the second destination address-port pair B2 (UE B's media-plane address-port pair) and the first public network address-port pair, and buffers UE B's media data packets until UE A's media data packet is received.
- S305-S306: having received the first media data packets of both UE A and UE B, the media relay device establishes the complete association between A2, the second public network address-port pair, the first public network address-port pair and B2, and uses it to forward data received on the second public network address-port pair to UE B via the first public network address-port pair, and data received on the first public network address-port pair to UE A via the second public network address-port pair.
- S307-S308: subsequent media data packets between UE A and UE B are relayed by the media relay device according to this association.
- Steps S301-S302 and steps S303-S304 can run in parallel, but steps S301-S304 must all complete before S305 and the steps after it can run.
- In this prior-art scheme the media relay device, after pre-allocating a pair of public network address-port pairs, listens on both ports; when the first media packet arrives on a public network address-port pair, the source IP address-port of that packet is bound to that public network address-port pair, and the packet's final destination is reached through the other public network address-port pair. The first packet to arrive takes the binding, whoever sent it.
- A primary object of the present invention is to provide a relay-based media channel establishment method that addresses at least the above problem: because the media relay device binds whichever source sends the first media data packet on a public network address-port pair, a packet from a third party (for example a port scan) can take the binding and cause media channel establishment to fail.
- The method comprises: during session negotiation between a first user equipment (UE) and a second UE, the media relay control server allocates a first service identifier and a second service identifier, sends the first service identifier to the first UE, sends the second service identifier to the second UE, and sends both service identifiers to the media relay device.
- The media relay device receives the service identifiers reported by the first UE and the second UE, and verifies them against the first and second service identifiers delivered by the media relay control server.
- If the reported service identifiers pass verification, the media channel between the first UE and the second UE is established.
- Receiving the reported service identifiers may work as follows: after session negotiation ends, before the first UE sends its first media data packet to the media relay device, it first sends a first binding request to the media relay device; the media relay device receives the first binding request and obtains the first UE's service identifier from it. Likewise, before the second UE sends its first media data packet, it first sends a second binding request, from which the media relay device obtains the second UE's service identifier.
- The first and second service identifiers may be strings or serial numbers, or username-password pairs.
- Alternatively, the first and second service identifiers are ranges for the starting sequence number of the packets. The media relay device then obtains the reported service identifiers by receiving the first packet from each UE after session negotiation completes and reading its sequence number, and verifies them by checking whether the sequence number of the first UE's first packet lies within the range given by the first service identifier and whether the sequence number of the second UE's first packet lies within the range given by the second service identifier; if both do, verification passes.
- A relay-based media channel establishment system comprises: a media relay control server configured to allocate a first service identifier and a second service identifier during session negotiation between a first UE and a second UE, send the first service identifier to the first UE, send the second service identifier to the second UE, and send both service identifiers to the media relay device;
- and a media relay device configured to receive the service identifiers reported by the first UE and the second UE, verify them against the first and second service identifiers delivered by the media relay control server, and, if verification passes, establish the media channel between the first UE and the second UE.
- The media relay device may be configured to obtain the reported service identifiers from the first media data packets that the first UE and the second UE send after session negotiation ends.
- Or the media relay device may be configured to obtain them from the binding requests that the first UE and the second UE send, after session negotiation ends, before their first media data packets.
- During session negotiation, when the media relay control server requests the media relay device to reserve resources, it also sends the unique identifier assigned to the session, and the media relay device uses that identifier when establishing the session's media channel for the users.
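To make the difference between the prior-art binding of FIG. 3 and the verified binding of the summary above concrete, here is an added simulation (not code from the patent) of a media relay device holding one pair of public address-port pairs. With `verify=False` it binds whichever source sends the first packet on a public pair; with `verify=True` it binds only a source whose first packet carries the expected service identifier, as in Embodiment 3 where the identifier rides in the first media packet. Addresses, identifiers and packet contents are constructed for the example; the buffering and forwarding follow steps S302-S306. Generating the identifiers with `secrets.token_urlsafe` and comparing them with `hmac.compare_digest` are choices of the example, not of the page.

```python
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]

# Constructed addresses for the simulation (not from the patent).
UE_A: Addr = ("192.0.2.10", 40000)       # A2: UE A's media address as seen by the relay
UE_B: Addr = ("192.0.2.20", 40002)       # B2: UE B's media address as seen by the relay
SCANNER: Addr = ("203.0.113.9", 6666)    # a third party scanning the relay's ports
PUB_1: Addr = ("198.51.100.1", 20000)    # given to UE B as UE A's address: receives UE B's media
PUB_2: Addr = ("198.51.100.1", 20002)    # given to UE A as UE B's address: receives UE A's media

# Service identifiers the control server would allocate during negotiation (assumed random strings).
SID_1 = secrets.token_urlsafe(16)        # delivered to UE A, expected on PUB_2
SID_2 = secrets.token_urlsafe(16)        # delivered to UE B, expected on PUB_1


@dataclass
class Packet:
    src: Addr
    payload: bytes
    sid: Optional[str] = None   # service identifier carried in the first packet (Embodiment 3)


class Relay:
    """Media relay device holding one pair of public address-port pairs for one session.

    verify=False reproduces the prior-art policy of FIG. 3 (bind the first source seen);
    verify=True binds only a source whose first packet carries the expected identifier (FIG. 7).
    """

    def __init__(self, verify: bool, expected: Optional[Dict[Addr, str]] = None):
        self.verify = verify
        self.expected = expected or {}
        self.bound: Dict[Addr, Addr] = {}               # public pair -> bound UE address
        self.buffer: Dict[Addr, List[bytes]] = {PUB_1: [], PUB_2: []}
        self.delivered: List[Tuple[Addr, bytes]] = []   # (destination, payload) the relay sent out

    @staticmethod
    def peer(pub: Addr) -> Addr:
        return PUB_1 if pub == PUB_2 else PUB_2

    def receive(self, pub: Addr, pkt: Packet) -> str:
        """Handle a datagram that arrived on public pair `pub`; returns what was done with it."""
        if pub not in self.bound:
            if self.verify:
                sid = self.expected[pub]
                # No identifier, or a wrong one: discard and keep listening (FIG. 7 failure path).
                if pkt.sid is None or not hmac.compare_digest(pkt.sid.encode(), sid.encode()):
                    return "discarded"
            self.bound[pub] = pkt.src                   # S302 / S304: bind the source to the pair
        elif self.bound[pub] != pkt.src:
            return "dropped"                            # does not match the existing binding
        self.buffer[pub].append(pkt.payload)            # buffered until the other side is bound
        self._forward_if_complete()
        return "accepted"

    def _forward_if_complete(self) -> None:
        """S305-S306: once both pairs are bound, data received on one public pair leaves
        through the other public pair towards the address bound there."""
        if PUB_1 not in self.bound or PUB_2 not in self.bound:
            return
        for pub in (PUB_1, PUB_2):
            dst = self.bound[self.peer(pub)]
            while self.buffer[pub]:
                self.delivered.append((dst, self.buffer[pub].pop(0)))


def prior_art_hijack() -> Relay:
    """A scanner's probe reaches PUB_2 before UE A's first media packet."""
    relay = Relay(verify=False)
    relay.receive(PUB_2, Packet(SCANNER, b"probe"))
    relay.receive(PUB_2, Packet(UE_A, b"A-media-1"))      # dropped: PUB_2 is already bound to the scanner
    relay.receive(PUB_1, Packet(UE_B, b"B-media-1"))
    return relay


def verified_channel() -> Relay:
    """Same arrival order, with the relay verifying the service identifier of each first packet."""
    relay = Relay(verify=True, expected={PUB_2: SID_1, PUB_1: SID_2})
    relay.receive(PUB_2, Packet(SCANNER, b"probe"))                 # discarded: no identifier
    relay.receive(PUB_2, Packet(SCANNER, b"probe", sid="guess"))    # discarded: wrong identifier
    relay.receive(PUB_2, Packet(UE_A, b"A-media-1", sid=SID_1))     # binds A2 <-> PUB_2
    relay.receive(PUB_1, Packet(UE_B, b"B-media-1", sid=SID_2))     # binds B2 <-> PUB_1, forwarding starts
    return relay


if __name__ == "__main__":
    hijacked = prior_art_hijack()
    print("prior art: PUB_2 bound to", hijacked.bound[PUB_2], "delivered:", hijacked.delivered)
    ok = verified_channel()
    print("verified : PUB_2 bound to", ok.bound[PUB_2], "delivered:", ok.delivered)
```

In the prior-art run the scanner ends up holding the A2 binding: UE A's packets are dropped as not matching the binding, and, in this model of steps S305-S306, UE B's media is forwarded to the scanner's address. In the verified run the scanner's probes are discarded, the relay keeps listening, and UE A takes the binding with the correct identifier.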
- FIG. 1 is a network scenario in which peer-to-peer network nodes connect across NAT;
- FIG. 2 is a flowchart of a prior-art user traversing NAT to establish a peer-to-peer connection;
- FIG. 3 is a flowchart of establishing a media stream channel in the prior art;
- FIG. 4 is a schematic structural diagram of a relay-based media channel establishing system according to Embodiment 1 of the present invention;
- FIG. 5 is a flowchart of a relay-based media channel establishing method according to Embodiment 2 of the present invention;
- FIG. 7 is a flowchart of establishing a secure media stream channel according to Embodiment 3 of the present invention;
- FIG. 8 is a flowchart of establishing a secure media stream channel according to Embodiment 4 of the present invention;
- FIG. 9 is a flowchart of establishing a secure media stream channel according to Embodiment 5 of the present invention;
- FIG. 10 is a flowchart of establishing a secure media stream channel according to Embodiment 6 of the present invention;
- FIG. 11 is a flowchart of establishing a secure media stream channel according to Embodiment 7 of the present invention.
Best mode for carrying out the invention
- FIG. 4 is a schematic structural diagram of a relay-based media channel establishing system according to Embodiment 1 of the present invention.
- The system mainly comprises a media relay control server 10 and a media relay device 20.
- The media relay control server 10 is configured to allocate a first service identifier and a second service identifier during session negotiation between the first UE and the second UE, send the first service identifier to the first UE, send the second service identifier to the second UE, and send both service identifiers to the media relay device 20.
- The media relay device 20 is configured to receive the service identifiers reported by the first UE and the second UE, verify them against the identifiers delivered by the media relay control server 10, and establish the media channel between the two UEs once verification passes.
- The service identifiers allocated by the media relay control server 10 may be randomly generated username-password pairs for the first UE and the second UE, or randomly generated strings or serial numbers with an agreed meaning, for example the starting sequence number of the packets that the first UE and the second UE will send.
- The first service identifier allocated by the media relay control server 10 to the first UE may be the same as or different from the second service identifier allocated to the second UE.
- In the prior art, when the media relay device 20 establishes a media channel for both parties of a session, it binds the source IP address-port of the first data packet received on a public network address-port pair to that public network address-port pair. This lets a third party take the binding on an address-port pair of the media relay device 20 by malicious scanning, so that the media channel cannot be established.
- With this embodiment, the media relay control server 10 allocates service identifiers to both parties during session negotiation, and when the media channel is established the media relay device 20 bases the bindings on the service identifiers the two parties report. Malicious data packets without a valid identifier are thus kept from taking the binding, which secures the connection between network nodes and improves the success rate of media channel establishment.
- The first UE and the second UE may carry the service identifier allocated by the media relay control server 10 in their first media data packet after session negotiation ends, or may send a binding request before the first media data packet. The binding request asks the media relay device 20 to bind the terminal's communication address-port pair to the corresponding allocated public network address-port pair, and carries the service identifier assigned by the media relay control server 10.
- Accordingly, the media relay device 20 may be configured to receive the first media data packets sent by the first UE and the second UE, obtain the reported service identifiers from them, and establish the media channel between the first UE and the second UE after verification passes.
- Or the media relay device 20 may be configured to receive, after session negotiation ends, the binding requests that the first UE and the second UE send before their first media data packets, and obtain the reported service identifiers from those requests. This avoids the problem that one party's data cannot be forwarded because the other party does not send media data for a long time.
- FIG. 5 shows the method of Embodiment 2. Step S502: during session negotiation between the first UE and the second UE, the media relay control server 10 allocates a first service identifier and a second service identifier to the session, sends the first service identifier to the first UE, sends the second service identifier to the second UE, and sends both service identifiers to the media relay device 20. The service identifier assigned by the media relay control server 10 may be a unique username-password pair, or a special string, serial number or the like; the service identifiers allocated to UE1 and UE2 may be the same or different.
- Step S504: the media relay device 20 receives the service identifiers reported by the first UE and the second UE, together with the service identifiers sent by the media relay control server 10. The first UE and the second UE may carry the service identifier delivered by the media relay control server 10 in their first media data packet.
- For example, if the service identifier sent by the media relay control server 10 to the first UE and the second UE is a username-password pair, the first UE and the second UE each carry the username-password pair in the first media data packet they send to the peer user.
- After receiving the first media data packet sent by the first UE, the media relay device 20 obtains the service identifier reported by the first UE, and after receiving the first media data packet sent by the second UE, it obtains the service identifier reported by the second UE. In this way a UE only needs to carry the assigned service identifier in the first media data packet it sends, without any additional message.
- Alternatively, the first UE and the second UE may omit the service identifier from the first media data packet sent to the media relay device 20 and instead, after session negotiation ends and before the first media data packet, send a dedicated binding request to the media relay device 20. The binding request asks the media relay device 20 to bind the terminal's communication address-port pair to the corresponding public network address-port pair and carries the service identifier. After receiving the binding requests from the first UE and the second UE, the media relay device 20 obtains the service identifiers reported by both and proceeds to step S506. This avoids the problem that the media channel between the first UE and the second UE can only be established after both parties have sent data.
- Step S506: the media relay device 20 verifies the service identifiers reported by the first UE and the second UE against the first and second service identifiers delivered by the media relay control server 10, and establishes the media channel between the first UE and the second UE if verification succeeds.
- For example, if the media relay control server 10 assigned username-password pairs to the first UE and the second UE, the media relay device 20 checks whether the username-password pairs reported by the first UE and the second UE match those assigned by the media relay control server 10. If they match, verification passes and the media channel between the first UE and the second UE is established, that is, the forwarding address binding is created.
- In this embodiment the media relay control server 10 allocates service identifiers to the two parties' current session during session negotiation, and when the media data flow is established the media relay device 20 checks whether the service identifiers reported by the two parties match those assigned by the media relay control server 10. This effectively prevents a malicious port scan from making the media channel establishment of both parties fail.
- In addition, the session parties may send a binding request to the media relay device 20 once the session negotiation process completes, requesting that the address binding be established, so that one party not sending data for a long time does not leave the other party's data undeliverable.
- Embodiment 3 describes the use of the technical solution provided by the embodiments of the present invention to establish a peer-to-peer connection through NAT.
- When processing a UE's session request, the media relay control server 10 issues a pair of unique session service identifiers for the session and advertises them to UE A, UE B and the corresponding media relay device 20.
- The unique session service identifiers allocated by the media relay control server 10 may be randomly generated username-password pairs, or randomly generated strings, serial numbers or the like with a special meaning; moreover, the session service identifiers advertised to UE A and UE B may be the same or different.
- FIG. 6 is a signaling flowchart of establishing a peer-to-peer connection between UE A and UE B through symmetric NAT according to an embodiment of the present invention. It mainly comprises the following steps:
- Step S601: before the session, UE A and UE B both register with the media relay control server. When the session is established, UE A sends a session request to the media relay control server; the session request message carries the first destination address-port pair A1 at which UE A receives UE B's reply.
- Step S602: the media relay control server allocates a pair of unique session service identifiers to the two parties (session service identifier 1 and session service identifier 2 respectively) and requests the media relay device to reserve media resources for the session. The media resource reservation request message carries the session service identifiers 1/2 allocated to the two parties. The media resource allocated by the media relay device comprises a second public network address-port pair for receiving the media data packets sent by UE A and a first public network address-port pair for receiving the media data packets sent by UE B.
- Step S603: the media relay device returns the reserved media resource information to the media relay control server and at the same time starts listening for data on the reserved resources (the first and second public network address-port pairs).
- Step S604: the media relay control server replaces the first destination address-port pair A1 in the session request message with the first public network address-port pair, and inserts the session service identifier 2 assigned to UE B into the modified session request message.
- Step S605: the media relay control server forwards the modified session request to UE B.
- Step S606: UE B receives the session request, extracts the first public network address-port pair from it as UE A's communication address, extracts and saves session service identifier 2 for the subsequent media channel establishment, and returns an acknowledgement response to the media relay control server. The response carries the second destination address-port pair B1 at which UE B receives UE A's reply.
- Step S607: the media relay control server replaces the second destination address-port pair B1 in the acknowledgement response with the second public network address-port pair and inserts the session service identifier 1 assigned to UE A into the modified acknowledgement response.
- Step S608: UE A receives the session acknowledgement response, extracts the second public network address-port pair from it as UE B's communication address, and extracts and saves session service identifier 1 for the subsequent media channel establishment.
- Steps S609-S610: UE A, UE B and the media relay device establish a secure media channel using session service identifiers 1/2.
- The process of establishing a secure media channel using session service identifiers 1/2 (steps S609-S610 above) is shown in FIG. 7. UE A and UE B must carry session service identifier 1/2, extracted from the session acknowledgement message / session request message, in the first media data packet they send, and the media relay device extracts and verifies the identifier from the first media data packet of UE A / UE B when it arrives on the listening port.
- The media channel establishment mainly comprises the following steps. Step S701: after receiving UE B's session acknowledgement response, UE A starts sending the first media data packet to UE B. Because UE A extracted the second public network address-port pair from the response as UE B's communication address, UE A's media data packet is sent to the second public network address-port pair of the media relay device; this first packet must carry session service identifier 1 extracted from the session acknowledgement response.
- Step S702: the media relay device receives UE A's first media data packet and checks whether a complete association already exists from the first destination address-port pair A2 (UE A's media-plane address-port pair). If not, it extracts session service identifier 1 from the packet and verifies it. After verification succeeds it establishes the binding between A2 and the second public network address-port pair and buffers UE A's media data packets until UE B's media data packet is received.
- Step S703: UE B sends its first media data packet to UE A. Because UE B extracted the first public network address-port pair from the session request as UE A's communication address, UE B's media data packet is sent to the first public network address-port pair of the media relay device; this first packet must carry session service identifier 2 extracted from the session request message.
- Step S704: the media relay device receives UE B's first media data packet and checks whether a complete association already exists from the second destination address-port pair B2. If not, it extracts session service identifier 2 from the packet and verifies it. After verification succeeds it establishes the binding between B2 and the first public network address-port pair and buffers UE B's media data packets until UE A's media data packet is received.
- Steps S705-S706: having received the first media data packets of both UE A and UE B, the media relay device establishes the complete association between A2, the second public network address-port pair, the first public network address-port pair and B2. Data received on the second public network address-port pair is forwarded to UE B through the first public network address-port pair, and data received on the first public network address-port pair is forwarded to UE A through the second public network address-port pair.
- Steps S707-S708: subsequent media data packets between UE A and UE B are relayed by the media relay device according to this association.
- If verification of the session service identifier in a first packet fails, the packet is discarded and the media relay device continues listening on the ports. A malicious port scan therefore cannot take the binding and make media channel establishment between UE A / UE B fail.
- Embodiment 4: the media session negotiation between UE A and UE B is the same as in Embodiment 3. The difference lies in the media data flow establishment of FIG. 7: the first media data packets of UE A and UE B need not carry session service identifier 1/2; the identifier is carried instead in a binding request sent before the media data packets.
- FIG. 8 is a flowchart of establishing the media channel after UE A / UE B complete session negotiation in this embodiment. It differs from the flow of FIG. 7 as follows.
- Step S801: after receiving UE B's session acknowledgement response, UE A immediately sends a first binding request to UE B; the binding request must carry session service identifier 1 extracted from the session acknowledgement response. Because UE A extracted the second public network address-port pair from the response as UE B's communication address, the request, like UE A's subsequent media data packets, is sent to the second public network address-port pair of the media relay device.
- Step S802: the media relay device receives UE A's binding request, extracts session service identifier 1 from it and verifies it. After verification succeeds it establishes the binding between the first destination address-port pair A2 and the second public network address-port pair.
- Step S803: the media relay device returns a binding success response to UE A.
- Step S804: after receiving UE A's session request message, UE B immediately sends a first binding request to UE A; the binding request must carry session service identifier 2 extracted from the session request message. Because UE B extracted the first public network address-port pair from the session request as UE A's communication address, the request, like UE B's media data packets, is sent to the first public network address-port pair of the media relay device.
- Step S805: the media relay device receives UE B's binding request, extracts session service identifier 2 from it and verifies it. After verification succeeds it establishes the binding between the second destination address-port pair B2 and the first public network address-port pair.
- Step S806: the media relay device returns a binding success response to UE B.
- Steps S807-S808: after the above steps the media relay device holds the complete association between A2, the second public network address-port pair, the first public network address-port pair and B2, and media data packets between UE A and UE B are relayed by the media relay device according to it.
- Steps S801-S803 and steps S804-S806 can be performed simultaneously.
- Embodiment 5: the Session Initiation Protocol (SIP) is used for session negotiation and the Real-Time Transport Protocol (RTP) for media channel establishment.
- UE A and UE B, the two parties of the session, first use the process described in FIG. 6 to perform media negotiation; the message flow is basically the same and is therefore not described again in this embodiment.
- The media relay control server embeds session service identifier 2/1 in the Session Description Protocol (SDP) message body distributed to UE B/UE A.
- FIG. 9 illustrates the specific process of establishing a media channel after UE A and UE B complete media session negotiation in the embodiment of the present invention. As shown in FIG. 9, it includes the following steps:
- Step S901: UE A receives UE B's session confirmation response and immediately sends a binding request to UE B; the binding request must carry the username 1/password 1 extracted from the session confirmation response message. Since UE A extracted the second public network address-port pair from the session confirmation response as UE B's communication address, UE A's binding request is sent to the second public network address-port pair of the media relay device.
- Step S902: the media relay device receives UE A's binding request, extracts username 1/password 1 from the binding request packet and verifies them; after verification passes it establishes the binding relationship between the first destination address-port pair A2 and the second public network address-port pair.
- Step S903: the media relay device returns a binding success response message to UE A.
- Step S904: after receiving UE A's session request message, UE B immediately starts sending a binding request to UE A; the binding request must carry the username 2/password 2 extracted from the session request message. Since UE B extracted the first public network address-port pair from the session request message as UE A's communication address, UE B's media data packets are sent to the first public network address-port pair of the media relay device.
- Step S905: the media relay device receives UE B's binding request, extracts username 2/password 2 from the binding request packet and verifies them; after verification passes it establishes the binding relationship between the second destination address-port pair B2 and the first public network address-port pair.
- Step S906: the media relay device returns a binding success response message to UE B.
- Steps S907-908: through the above steps the media relay device has established the complete association relationship among the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and media data packets between UE A and UE B are relayed by the media relay device according to that relationship.
- Embodiment 6 of the present invention describes a media channel establishment process based on the RTP protocol, in which the sequence number of the RTP packet header is used to carry the session service identifier.
- The two parties of the session first perform media negotiation based on the process described in FIG. 6; the message flow is basically the same and is not illustrated.
- Session service identifier 1/2 may be advertised to UE A and UE B in a SIP message or an SDP message; here session service identifier 1/2 is a range of RTP packet starting sequence numbers (that is, the range within which the sequence number of the first RTP packet sent by UE A and UE B must fall).
- FIG. 10 is a specific flowchart of establishing a media channel between UE A and UE B according to an embodiment of the present invention, which mainly includes the following steps:
- Step S1001: after receiving UE B's session confirmation response message, UE A starts sending the first RTP packet to UE B; this RTP packet is a media data packet. UE A extracted the second destination address-port pair B2 from the session confirmation response as UE B's communication address, so UE A's media data packet is sent to the second public network address-port pair of the media relay device; the sequence number of the first RTP packet sent by UE A must be within the range specified by session service identifier 1.
- Step S1002: the media relay device receives UE A's first RTP packet and, finding that the first destination address-port pair A2 has no complete association relationship, extracts the RTP sequence number from the packet and verifies whether it is within the range specified by service identifier 1; after verification passes it establishes the binding relationship between A2 and the second public network address-port pair, and buffers UE A's media data packet until UE B's media data packet is received.
- Step S1003: UE B sends the first RTP packet to UE A; this RTP packet is a media data packet. UE B extracted the first public network address-port pair from the session request as UE A's communication address, so UE B's media data packet is sent to the first public network address-port pair of the media relay device.
- Step S1004: the media relay device receives UE B's first RTP packet and, finding that the second destination address-port pair B2 has no complete association relationship, extracts the RTP sequence number from the packet and verifies whether it is within the range specified by session service identifier 2; after verification passes it establishes the binding relationship between B2 and the first public network address-port pair, and buffers UE B's media data packet until UE A's media data packet is received.
- Steps S1005-1006: after receiving the first RTP packets of UE A and UE B respectively, the media relay device establishes the complete association relationship among the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and uses it to forward data received on the second public network address-port pair to UE B via the first public network address-port pair, and data received on the first public network address-port pair to UE A via the second public network address-port pair.
- Steps S1007-1008: subsequent media data packets between UE A and UE B are relayed by the media relay device according to the foregoing association relationship.
- Embodiment 7 describes media channel establishment based on the Secure Real-Time Transport Protocol (SRTP).
- FIG. 11 is a flowchart of establishing a media channel based on the SRTP protocol in the embodiment of the present invention. As shown in FIG. 11, the process is similar to that of FIG. 10; the difference is that in FIG. 11 the first media data packet sent by UE A and UE B is an SRTP packet.
- The SRTP packet carries a master key allocated by the media relay control server for UE A or UE B.
- The media relay device authenticates the master key carried in the first SRTP packet sent by UE A and UE B and performs the address-port binding after authentication passes.
- The media relay device does not need to perform the authentication process on subsequent SRTP packets. Therefore media channel establishment based on the SRTP protocol makes no change to the existing SRTP protocol; it is only necessary to add a master key distribution function on the media relay control server and a first-packet authentication function on the media relay device.
- When the media relay control server requests the media relay device to reserve resources and forwards the media relay information to the users, it simultaneously delivers a unique identifier allocated for the session.
- The media relay device uses this unique identifier to verify the session identifier carried in the user packets when it establishes the session's media forwarding table for the users, thereby preventing the media relay device from accepting malicious data on the ports reserved for the session.
- When a user receives the media relay information forwarded by the media relay control server, it can immediately send a binding request to the allocated media relay device, which removes the limitation that the media relay device can only forward media packets successfully after it has received media packets from both communicating users.
- The modules or steps of the present invention can be implemented by general-purpose computing devices, concentrated on a single computing device or distributed over a network composed of multiple computing devices. Alternatively, they may be implemented by program code executable by the computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that here; or they may be separately fabricated into individual integrated circuit modules, or several of the modules or steps may be fabricated as a single integrated circuit module.
- The invention is not limited to any specific combination of hardware and software.
- The above is only the preferred embodiment of the present invention and is not intended to limit it; various modifications and changes can be made to the present invention. Any modifications, equivalent substitutions, improvements, etc. made within the spirit and scope of the present invention are intended to be included within its scope.
Abstract
The present invention discloses a relay-based media channel establishment method and system. The method includes: during session negotiation between a first user equipment (UE) and a second UE, a media relay control server allocates a first service identifier and a second service identifier, delivers the first service identifier to the first UE, delivers the second service identifier to the second UE, and delivers both the first and the second service identifier to a media relay device; the media relay device receives the service identifiers reported by the first UE and the second UE; the media relay device verifies the service identifiers reported by the first UE and the second UE against the first and second service identifiers delivered by the media relay control server and, if verification passes, establishes a media channel between the first UE and the second UE. The present invention improves the security of connections between network nodes.
Description
Relay-based media channel establishment method and system
Technical field
The present invention relates to the field of communications, and in particular to a relay-based media channel establishment method and system.
Background
Peer-to-peer (P2P) technology, also known as peer networking, interconnects the nodes of a network as equals: every host node is both a client and a server. At present, traversal of symmetric network address translators (NAT) in P2P technology is mainly implemented by relaying: relay servers are deployed on the Internet, the public network address-port (IP-PORT) pair for the session is obtained before the actual session, and this public IP-PORT pair is used as the user address information of the session. FIG. 1 is a schematic diagram of a prior-art network structure for traversing a symmetric NAT, in which user equipment (UE) 101 is the terminal device used by the user; NAT 102, located between the UE and the Internet, is responsible for shielding access to that UE; the media relay control server 103 is responsible for allocating a media relay device 104 to a user session and for controlling the media relay device 104 to reserve resources for the session; and the media relay device 104 is responsible for forwarding communication data between the two communicating users. The media relay control server 103 and the media relay device 104 are generally located on the public Internet.
If UE A and UE B are to communicate media, they first need to perform session negotiation, establish a peer connection between UE A and UE B, and notify each other of their public IP-PORT pairs. FIG. 2 shows the prior-art processing flow for solving NAT traversal with relay technology and establishing a peer connection between user nodes, which mainly includes the following steps:
S201: Before the session, both UE A and UE B must register with the media relay control server. When establishing a session, UE A sends a session request to the media relay control server, carrying the first destination address-port pair A1 on which UE A receives UE B's reply information;
S202: The relay control server requests the media relay device to reserve media resources for this session. The media resources allocated by the media relay device include a first public network address-port pair for receiving media data packets sent by UE A and a second public network address-port pair for receiving media data packets sent by UE B, and a data-forwarding binding is established between the first and the second public network address-port pair;
S203: The media relay device returns the reserved media resource information to the media relay control server and at the same time starts listening for data on the reserved resources, that is, on the first and second public network address-port pairs;
S204: The media relay control server replaces the first destination address-port pair A1 in the session request message with the first public network address-port pair;
S205: The media relay control server forwards the replaced session request message to UE B;
S206: UE B receives the session request, extracts the first public network address-port pair from it as UE A's communication address information, and returns a confirmation response message to the media relay control server; the response contains the second destination address-port pair B1 on which UE B receives UE A's reply information;
S207: The media relay control server replaces the second destination address-port pair B1 in the confirmation response message with the second public network address-port pair;
S208: UE A receives the session confirmation response message and extracts the second public network address-port pair from it as UE B's communication address information;
S209-210: UE A and UE B establish a media channel through the media relay device and carry out media communication.
FIG. 3 is a prior-art flowchart of establishing a media channel between UE A, UE B and the media relay device, which mainly includes the following steps:
S301: After receiving UE B's session confirmation response message, UE A sends the first media data packet to UE B; since UE A extracted the second public network address-port pair from the confirmation response as UE B's communication address, UE A's media data packet is sent to the second public network address-port pair of the media relay device;
S302: The media relay device receives UE A's first media data packet and establishes a binding between the first destination address-port pair A2 (that is, UE A's media-plane address-port pair) and the second public network address-port pair; it buffers the media data packet sent by UE A until it receives UE B's media data packet;
S303: UE B sends the first media data packet to UE A; this packet is sent to the first public network address-port pair of the media relay device;
S304: The media relay device receives UE B's first media data packet, establishes a binding between the second destination address-port pair B2 (that is, UE B's media-plane address-port pair) and the first public network address-port pair, and buffers UE B's media data packet until it receives UE A's media data packet;
S305-306: After receiving the first media data packets of both UE A and UE B, the media relay device establishes the association among the four: the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and uses this association to forward data received on the second public network address-port pair to UE B through the first public network address-port pair, and data received on the first public network address-port pair to UE A through the second public network address-port pair;
S307-308: Subsequent media data packets between UE A and UE B are relayed by the media relay device according to the association.
Steps S301-302 and steps S303-304 may proceed in parallel, but steps S301-304 must all complete before S305 and the steps after it can proceed.
From the flows of FIG. 2 and FIG. 3 it can be seen that in the prior art, after pre-allocating a pair of public network address-port pairs, the media relay device starts listening on these two ports; when the first media data packet is received on one of the public network address-port pairs, the source IP address-port of that packet is bound to the public IP address-port and the packet is forwarded through the other public network address-port pair to its final destination IP address-port. Therefore, if the first media data packet the media relay device receives on a public network address-port pair is malicious, the media channel establishment fails.
Summary of the invention
The main object of the present invention is to provide relay-based media channel establishment that at least solves the above problem of media channel establishment failing because the first media data packet received by the media relay device on a public network address-port pair is malicious.
According to one aspect of the present invention, a relay-based media channel establishment method is provided, including: during session negotiation between a first user equipment (UE) and a second UE, a media relay control server allocates a first service identifier and a second service identifier, delivers the first service identifier to the first UE, the second service identifier to the second UE, and both identifiers to a media relay device; the media relay device receives the service identifiers reported by the first UE and the second UE; the media relay device verifies the reported service identifiers against the first and second service identifiers delivered by the media relay control server and, if verification passes, establishes a media channel between the first UE and the second UE.
The media relay device receiving the service identifiers reported by the first UE and the second UE includes: the media relay device receives the first media data packet sent by the first UE to the second UE and obtains the first UE's reported service identifier from it; the media relay device receives the first media data packet sent by the second UE to the first UE and obtains the second UE's reported service identifier from it.
Alternatively, the media relay device receiving the service identifiers reported by the first UE and the second UE includes: after the session negotiation ends and before sending the first media data packet to the media relay device, the first UE first sends a first binding request to the media relay device; the media relay device receives the first binding request and obtains the first UE's reported service identifier from it; after the session negotiation ends and before sending the first media data packet to the media relay device, the second UE first sends a second binding request to the media relay device; the media relay device receives the second binding request and obtains the second UE's reported service identifier from it.
The first and second service identifiers are character strings or sequence numbers, or the first and second service identifiers are username-password pairs.
The first and second service identifiers may be a range of starting sequence numbers of packets; the media relay device receiving the reported service identifiers then includes: the media relay device receives the first packet from each of the first UE and the second UE after the session negotiation completes and obtains that packet's sequence number; and the media relay device verifying the reported service identifiers includes: the media relay device judges whether the sequence number of the first packet from the first UE is within the range indicated by the first service identifier and whether the sequence number of the first packet from the second UE is within the range indicated by the second service identifier; if both are, verification passes.
The first service identifier may be the same as the second service identifier, or different from it.
According to another aspect of the present invention, a relay-based media channel establishment system is provided, including: a media relay control server configured to allocate a first service identifier and a second service identifier during session negotiation between a first UE and a second UE, deliver the first service identifier to the first UE, the second to the second UE, and both to a media relay device; and the media relay device, configured to receive the service identifiers reported by the first UE and the second UE, verify them against the first and second service identifiers delivered by the media relay control server and, if verification passes, establish the media channel between the first UE and the second UE.
The media relay device may be configured to receive, after the session negotiation ends, the first media data packet sent by each of the first UE and the second UE and obtain the reported service identifiers from them.
The media relay device may be configured to receive, after the session negotiation ends, the binding requests sent by the first UE and the second UE before their first media data packets and obtain the reported service identifiers from those requests.
By means of the present invention, the media relay control server, during the session negotiation in which it requests the media relay device to reserve resources, also delivers a unique identifier allocated to this session; when the media relay device establishes the media channel of this session for the users, it verifies the session identifier carried in the user packets. This solves the problem of media channel establishment failing because the media relay device received a malicious packet on a port reserved for this session, prevents malicious attacks, and improves the security of connections between network nodes.
Brief description of the drawings
The drawings described here are provided for further understanding of the present invention and form part of this application; the illustrative embodiments of the present invention and their description explain the invention and do not unduly limit it. In the drawings: FIG. 1 is a network scenario of peer-network node connection with NAT traversal; FIG. 2 is a prior-art flowchart of a user traversing a NAT to establish a peer connection; FIG. 3 is a prior-art flowchart of establishing a media stream channel; FIG. 4 is a schematic structural diagram of a relay-based media channel establishment system according to Embodiment 1 of the present invention; FIG. 5 is a flowchart of a relay-based media channel establishment method according to Embodiment 2; FIG. 6 is a flowchart of UEs traversing a symmetric NAT to establish a peer connection according to Embodiment 3; FIG. 7 is a flowchart of establishing a secure media stream channel according to Embodiment 3; FIG. 8 is a flowchart of establishing a secure media stream channel according to Embodiment 4; FIG. 9 is a flowchart of establishing a secure media stream channel according to Embodiment 5; FIG. 10 is a flowchart of establishing a secure media stream channel according to Embodiment 6; FIG. 11 is a flowchart of establishing a secure media stream channel according to Embodiment 7.
Detailed description of the embodiments
The present invention is described in detail below with reference to the drawings and in combination with the embodiments. It should be noted that, where no conflict arises, the embodiments of this application and the features in the embodiments may be combined with each other.
Embodiment 1
FIG. 4 is a schematic structural diagram of a relay-based media channel establishment system according to Embodiment 1 of the present invention. The system mainly includes a media relay control server 10 and a media relay device 20. The media relay control server 10 is configured to allocate a first service identifier and a second service identifier during session negotiation between a first UE and a second UE, deliver the first service identifier to the first UE, the second service identifier to the second UE, and both identifiers to the media relay device 20; the media relay device 20 is configured to receive the service identifiers reported by the first UE and the second UE respectively, verify them against the first and second service identifiers delivered by the media relay control server 10 and, if verification passes, establish the media channel between the first UE and the second UE.
For example, the identifiers the media relay server 10 allocates to the first UE and the second UE may be randomly generated username-password pairs, or randomly generated character strings or sequence numbers with some meaning, such as the starting sequence numbers of the packets the first UE and the second UE send. The first service identifier allocated to the first UE and the second service identifier allocated to the second UE may be the same or different.
In the related art, when the media relay device 20 establishes a media channel for the two parties of a session and receives the first packet on a public network address-port pair, it binds that packet's source IP address-port to the public IP address-port; a third party can therefore attack by maliciously scanning the address-port pairs of the media relay device 20 and cause media channel establishment to fail. In the embodiment of the present invention, the media relay server 10 allocates service identifiers to both parties during session negotiation, and when the media channel is established it is built according to the service identifiers reported by the two parties, which avoids the security risk posed by malicious packets, secures the connection between network nodes, and raises the success rate of media channel establishment.
The first UE and the second UE may carry the service identifier allocated by the media relay server 10 in the first media data packet after the session negotiation ends; or, before sending the first media data packet, they may first send a binding request that asks the media relay device 20 to bind the terminal communication address-port pair to the corresponding allocated public network address-port pair, carrying the service identifier allocated by the media relay server 10 in that binding request. Therefore the media relay device 20 may be configured to receive, after the session negotiation ends, the first media data packets sent by the first UE and the second UE, obtain the reported service identifiers from them, verify the identifiers and, after verification passes, establish the media channel between the first UE and the second UE; or the media relay device 20 may be configured to receive, after the session negotiation ends, the binding requests the first UE and the second UE send before their first media data packets and obtain the reported service identifiers from those, which avoids the problem that the peer's data cannot be sent because one party of the session sends no media data for a long time.
Embodiment 2
FIG. 5 is a flowchart of a relay-based media channel establishment method according to Embodiment 2 of the present invention; the method may be implemented by the system of Embodiment 1. The method mainly includes the following steps:
Step S502: During session negotiation between the first UE and the second UE, the media relay control server 10 allocates service identifiers for this session and delivers them to the first UE, the second UE and the media relay device 20. Specifically, the media relay control server 10 allocates a first service identifier and a second service identifier, delivers the first service identifier to the first UE, the second service identifier to the second UE, and both identifiers to the media relay device 20. The service identifiers allocated by the media relay control server 10 may be unique username/password pairs, or special character strings or sequence numbers; and the identifiers allocated to UE1/UE2 may be the same or different.
Step S504: The media relay device 20 receives the service identifiers reported by the first UE and the second UE respectively. After completing session negotiation, the first UE and the second UE may carry the service identifier delivered by the media relay control server 10 when sending their first media data packet; for example, if the identifiers delivered to the first UE and the second UE are username-password pairs, each UE carries its username-password pair in the first media data packet it sends to the peer user. After receiving the first media data packet sent by the first UE, the media relay device 20 obtains the first UE's reported service identifier from it, and after receiving the first media data packet sent by the second UE it obtains the second UE's reported service identifier from it. In this way a UE only needs to carry the allocated service identifier in the first media data packet it sends and need not send an extra message.
Alternatively, the first UE and the second UE may omit the service identifier from the first media data packet they send to the media relay device 20 and instead, after the session negotiation ends and before sending the first media data packet, first send a special binding request to the media relay device 20 asking it to bind the terminal communication address-port pair to the corresponding allocated public network address-port pair, carrying the service identifier in that binding request; after receiving the binding requests sent by the first UE and the second UE, the media relay device 20 obtains the reported service identifiers of the first UE and the second UE from them and then performs step S506, which avoids the problem that the media channel between the first UE and the second UE can only be established after both parties of the session have sent data.
Step S506: The media relay device 20 verifies the service identifiers reported by the first UE and the second UE against the first and second service identifiers delivered by the media relay control server 10 and, if verification passes, establishes the media channel between the first UE and the second UE. For example, if the media relay control server 10 allocated username-password pairs to the first UE and the second UE, the media relay device 20 checks whether the username-password pairs reported by the first UE and the second UE match those allocated by the media relay control server 10; if so, verification passes and the media channel between the first UE and the second UE is established, that is, the forwarding address binding is established.
In the embodiment of the present invention, the media relay control server 10 allocates service identifiers for this session to both parties during session negotiation, and when the media data flow is established it is judged whether the service identifiers reported by the two parties match those allocated by the media relay control server 10, which effectively avoids malicious port scanning causing media channel establishment between the two parties to fail. Moreover, in the embodiment of the present invention the two parties of the session may send a binding request to the media relay device 20 as soon as the session negotiation completes, requesting that the address binding be established, which avoids the problem that the other party's data cannot be sent because one party sends no data for a long time.
Embodiment 3
Embodiment 3 of the present invention describes the flow in which a UE traverses a NAT to establish a peer connection using the technical solution provided by the embodiments of the present invention. In this embodiment, when the media relay control server 10 processes a UE's session request, it issues a pair of unique session service identifiers for that session, which are issued to UE A, UE B and the corresponding media relay device 20. The unique session service identifiers allocated by the media relay control server 10 may be randomly generated username-password pairs, or randomly generated character strings or sequence numbers with special meaning; and the session service identifiers issued to UE A and UE B may be the same or different.
FIG. 6 is a signalling flowchart of UE A and UE B traversing a symmetric NAT to establish a peer connection in the embodiment of the present invention, which mainly includes the following steps:
Step S601: Before the session, UE A and UE B both register with the media relay control server. When establishing a session, UE A sends a session request to the media relay control server; the session request message carries the first destination address-port pair A1 on which UE A receives UE B's reply information;
Step S602: The relay control server allocates a pair of unique session service identifiers for the two parties of this session (session service identifier 1 and session service identifier 2 respectively) and requests the media relay device to reserve media resources for this session; the media resource reservation request message carries the session service identifiers 1/2 allocated to the two parties. The media resources allocated by the media relay device include a second public network address-port pair for receiving media data packets sent by UE A and a first public network address-port pair for receiving media data packets sent by UE B, and a data-forwarding binding is established between the first and second public network address-port pairs;
Step S603: The media relay device returns the reserved media resource information to the media relay control server and at the same time starts listening for data on the reserved resources (the first and second public network address-port pairs);
Step S604: The media relay control server replaces the first destination address-port pair A1 in the session request message with the first public network address-port pair and inserts the session service identifier 2 allocated to UE B into the replaced session request message;
Step S605: The media relay control server forwards the replaced session request message to UE B;
Step S606: UE B receives the session request, extracts the first public network address-port pair from it as UE A's communication address information, extracts and saves session service identifier 2 for subsequent media channel establishment, and returns a confirmation response message to the media relay control server; the response contains the second destination address-port pair B1 on which UE B receives UE A's reply information;
Step S607: The media relay control server replaces the second destination address-port pair B1 in the confirmation response message with the second public network address-port pair and inserts the session service identifier 1 allocated to UE A into the replaced confirmation response message;
Step S608: UE A receives the session confirmation response message, extracts the second public network address-port pair from it as UE B's communication address information, and extracts and saves session service identifier 1 for subsequent media channel establishment;
Steps S609-S610: UE A, UE B and the media relay device use session service identifiers 1/2 to establish a secure media channel.
The flow of establishing a secure media channel using session service identifiers 1/2 (steps S609-S610 above) is shown in FIG. 7. In FIG. 7, after completing media session negotiation, UE A and UE B must carry the session service identifier 1/2 extracted from the session confirmation message/session request message when sending their first media data packet; when the media relay device receives the first media data packet of UE A/UE B on a listening port, it extracts the session service identifier and verifies whether it matches the session service identifier 1/2 received with the resource reservation request, thereby avoiding media channel establishment failure caused by malicious scanning of the media relay device's ports.
As shown in FIG. 7, media channel establishment mainly includes the following steps:
Step S701: After receiving UE B's session confirmation response message, UE A starts sending the first media data packet to UE B; since UE A extracted the second public network address-port pair from the session confirmation response as UE B's communication address, UE A's media data packet is sent to the second public network address-port pair of the media relay device; at the same time, the first data packet UE A sends must carry the session service identifier 1 extracted from the session confirmation response message;
Step S702: The media relay device receives UE A's first media data packet and finds that there is no complete association for the first destination address-port pair A2 (UE A's media-plane address-port pair); it therefore extracts session service identifier 1 from the packet and verifies it, and after successful verification establishes the binding between the first destination address-port pair A2 and the second public network address-port pair, buffering UE A's media data packet until UE B's media data packet is received;
Step S703: UE B sends the first media data packet to UE A; since UE B extracted the first public network address-port pair from the session request as UE A's communication address, UE B's media data packet is sent to the first public network address-port pair of the media relay device; at the same time, the first data packet UE B sends must carry the session service identifier 2 extracted from the session request message;
Step S704: The media relay device receives UE B's first media data packet and finds that there is no complete association for the second destination address-port pair B2 (UE B's media-plane address-port pair); it therefore extracts session service identifier 2 from the packet and verifies it, and after successful verification establishes the binding between the second destination address-port pair B2 and the first public network address-port pair, buffering the media data packet from UE B until UE A's media data packet is received;
Steps S705-706: After receiving the first media data packets of both UE A and UE B, the media relay device establishes the complete association among the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and uses it to forward data received on the second public network address-port pair to UE B through the first public network address-port pair, and data received on the first public network address-port pair to UE A through the second public network address-port pair;
Steps S707-708: Subsequent media data packets between UE A and UE B are relayed by the media relay device according to the association.
In steps S702 and S704 above, if a received media data packet's first destination address-port pair A2 has no association and no valid session service identifier can be extracted from the packet, the packet is discarded and the port continues to be monitored, which effectively prevents malicious port scanning from making media channel establishment between UE A/UE B fail.
Embodiment 4
In this embodiment of the present invention, the media session negotiation between UE A and UE B is the same as in Embodiment 3; the difference is that during establishment of the media data flow, that is, in steps S707 508 of FIG. 7, the first media data packets of UE A and UE B need not carry the session service identifier 1/2 information, which is instead carried in a binding request sent before the media data packets.
FIG. 8 describes the flow in which UE A/UE B establish the media channel after completing session negotiation in the embodiment of the present invention. The difference from the flow of FIG. 7 is that, after receiving the session confirmation response/session request and before sending the first media data packet, UE A/UE B first send a binding request to the media relay device carrying the corresponding session service identifier, which further avoids the problem that the peer's data cannot be sent because one end sends no data for a long time.
As shown in FIG. 8, establishing the media channel after UE A/UE B complete session negotiation mainly includes the following steps:
Step S801: After receiving UE B's session confirmation response message, UE A immediately starts sending the first binding request to UE B; the binding request must carry the session service identifier 1 extracted from the session confirmation response message. Since UE A extracted the second public network address-port pair from the session confirmation response as UE B's communication address, UE A's media data packets are sent to the second public network address-port pair of the media relay device;
Step S802: The media relay device receives UE A's binding request, extracts session service identifier 1 from the packet and verifies it; after successful verification it establishes the binding between the first destination address-port pair A2 and the second public network address-port pair;
Step S803: The media relay device returns a binding success response message to UE A;
Step S804: After receiving UE A's session request message, UE B immediately starts sending the first binding request to UE A; the binding request must carry the session service identifier 2 extracted from the session request message. Since UE B extracted the first public network address-port pair from the session request message as UE A's communication address, UE B's media data packets are sent to the first public network address-port pair of the media relay device;
Step S805: The media relay device receives UE B's binding request, extracts session service identifier 2 from it and verifies it; after successful verification it establishes the binding between the second destination address-port pair B2 and the first public network address-port pair;
Step S806: The media relay device returns a binding success response message to UE B;
Steps S807-808: Through the above steps the media relay device has established the complete association among the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and media data packets between UE A and UE B are relayed by the media relay device according to that association.
Steps S801-803 and steps S804-806 above may proceed in parallel.
Embodiment 5
In this embodiment of the present invention, the Session Initiation Protocol (SIP) is used for session negotiation and the Real-Time Transport Protocol (RTP) for media channel establishment. The two parties of the session, UE A and UE B, first perform media negotiation using the flow of FIG. 6; since the message flow is basically the same it is not repeated here. In steps S605 and S608 the media relay control server embeds session service identifier 2/1 in the Session Description Protocol (SDP) message body issued to UE B/UE A.
FIG. 9 describes the specific flow in which UE A and UE B establish a media channel after completing media session negotiation in the embodiment of the present invention. As shown in FIG. 9, it mainly includes the following steps:
Step S901: After receiving UE B's session confirmation response message, UE A immediately starts sending a binding request to UE B; the binding request must carry the username 1/password 1 extracted from the session confirmation response message. Since UE A extracted the second public network address-port pair from the session confirmation response as UE B's communication address, UE A's binding request is sent to the second public network address-port pair of the media relay device;
Step S902: The media relay device receives UE A's binding request, extracts username 1/password 1 from the binding request packet and verifies them; after successful verification it establishes the binding between the first destination address-port pair A2 and the second public network address-port pair;
Step S903: The media relay device returns a binding success response message to UE A;
Step S904: After receiving UE A's session request message, UE B immediately starts sending a binding request to UE A; the binding request must carry the username 2/password 2 extracted from the session request message. Since UE B extracted the first public network address-port pair from the session request message as UE A's communication address, UE B's media data packets are sent to the first public network address-port pair of the media relay device;
Step S905: The media relay device receives UE B's binding request, extracts username 2/password 2 from the binding request packet and verifies them; after successful verification it establishes the binding between the second destination address-port pair B2 and the first public network address-port pair;
Step S906: The media relay device returns a binding success response message to UE B;
Steps S907-908: Through the above steps the media relay device has established the complete association among the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and media data packets between UE A and UE B are relayed by the media relay device according to that association.
Embodiment 6
This embodiment of the present invention describes a media channel establishment flow based on the RTP protocol, in which the sequence number in the RTP packet header is used to carry the session service identifier. The two parties of the session, UE A and UE B, first perform media negotiation based on the flow of FIG. 6; since the message flow is basically the same it is not illustrated again. Session service identifiers 1/2 may be issued to UE A and UE B in a SIP message or an SDP message; here a session service identifier 1/2 is a range of RTP packet starting sequence numbers (that is, the range within which the sequence number of the first RTP packet sent by UE A and UE B must fall).
FIG. 10 is a specific flowchart of establishing a media channel between UE A and UE B in the embodiment of the present invention, which mainly includes the following steps:
Step S1001: After receiving UE B's session confirmation response message, UE A starts sending the first RTP packet to UE B; this RTP packet is a media data packet. Since UE A extracted the second destination address-port pair B2 from the session confirmation response as UE B's communication address, UE A's media data packet is sent to the second public network address-port pair of the media relay device; the sequence number of the first RTP packet sent by UE A must be within the range specified by session service identifier 1;
Step S1002: The media relay device receives UE A's first RTP packet and finds that there is no complete association for the first destination address-port pair A2; it therefore extracts the RTP sequence number from the RTP packet and verifies whether it is within the range specified by service identifier 1, and after successful verification establishes the binding between the first destination address-port pair A2 and the second public network address-port pair, buffering UE A's media data packet until UE B's media data packet is received;
Step S1003: UE B sends the first RTP packet to UE A; this RTP packet is a media data packet. Since UE B extracted the first public network address-port pair from the session request as UE A's communication address, UE B's media data packet is sent to the first public network address-port pair of the media relay device; at the same time, the sequence number of the first RTP packet sent by UE B must be within the range specified by session service identifier 2;
Step S1004: The media relay device receives UE B's first RTP packet and finds that there is no complete association for the second destination address-port pair B2; it therefore extracts the RTP sequence number from the RTP packet and verifies whether it is within the range specified by session service identifier 2, and after successful verification establishes the binding between the second destination address-port pair B2 and the first public network address-port pair, buffering UE B's media data packet until UE A's media data packet is received;
Steps S1005-1006: After receiving the first RTP packets of both UE A and UE B, the media relay device establishes the complete association among the first destination address-port pair A2, the second public network address-port pair, the first public network address-port pair and the second destination address-port pair B2, and uses it to forward data received on the second public network address-port pair to UE B through the first public network address-port pair, and data received on the first public network address-port pair to UE A through the second public network address-port pair;
Steps S1007-1008: Subsequent media data packets between UE A and UE B are relayed by the media relay device according to the above association.
Embodiment 7
This embodiment of the present invention describes a media channel establishment flow implemented with the Secure Real-Time Transport Protocol (SRTP). In this embodiment, when the two parties of the session perform media negotiation based on the flow of FIG. 6, the media relay control server directly generates a master key meeting SRTP requirements as the service identifier and issues it to UE A, UE B and the media relay device.
FIG. 11 is a flowchart of the two parties of the session establishing a media channel based on the SRTP protocol in the embodiment of the present invention. As shown in FIG. 11, the flow is similar to that of FIG. 10; the difference is that in FIG. 11 the first media data packet sent by UE A and UE B is an SRTP packet carrying the master key the media relay control server allocated to UE A or UE B. When the media channel is established, the media relay device authenticates the master key carried in the first SRTP packet sent by UE A and UE B and performs the address-port binding after authentication passes; the media relay device need not perform the authentication flow on subsequent SRTP packets. Therefore media channel establishment implemented on the SRTP protocol makes no change to the existing SRTP protocol; it only requires adding a master key distribution function on the media relay control server and a first-packet authentication function on the media relay device.
From the above description it can be seen that in the embodiments of the present invention, when the media relay control server requests the media relay device to reserve resources and forwards the media relay information to the users, it also delivers a unique identifier allocated to this session; when the media relay device establishes the media forwarding table of this session for the users, it verifies the session identifier carried in the user packets, which avoids the media channel establishment failure that a malicious packet received on a port reserved for this session could otherwise cause. At the same time, on receiving the media relay information forwarded by the media relay control server, a user can immediately send a binding request to the allocated media relay device, which removes the limitation that the media relay device can only forward media packets successfully after it has received media packets from both communicating users.
Obviously, those skilled in the art should understand that the modules or steps of the present invention described above may be implemented with general-purpose computing devices; they may be concentrated on a single computing device or distributed over a network of multiple computing devices; optionally, they may be implemented with program code executable by a computing device, so that they may be stored in a storage device and executed by the computing device, and in some cases the steps shown or described may be performed in an order different from that here; or they may be made into individual integrated circuit modules, or several of the modules or steps may be made into a single integrated circuit module. Thus the present invention is not limited to any specific combination of hardware and software.
The above is only the preferred embodiment of the present invention and is not intended to limit it; those skilled in the art may make various modifications and variations to the present invention. Any modification, equivalent substitution, improvement and the like made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.
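As an added illustration (not code from the patent or its applicant), the following Python models the media relay device's first-packet check described in Embodiments 3 and 6: public address-port pairs reserved per session, the session service identifier verified on the first packet before any binding is created, packets buffered until both sides are verified, and the four-way association used for relaying afterwards. Addresses, ports, identifier ranges and packets are constructed sample values, and the rule that only the bound source is relayed after binding is an assumption the patent text does not spell out.

```python
"""Model of the media relay device's first-packet check (patent Embodiments 3 and 6).
Public address-port pairs are reserved per session, the control server hands the
relay the session service identifiers, and a sender's source address-port is bound
to a reserved pair only once its first packet carries a valid identifier. Here the
identifier is a range of RTP starting sequence numbers (Embodiment 6 form).
All addresses, ports, ranges and packets are constructed samples, not from the patent."""
import struct
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

Addr = Tuple[str, int]


def make_rtp(seq: int, payload: bytes = b"") -> bytes:
    """Build a minimal RTP packet (version 2, no CSRCs) with the given sequence number."""
    return struct.pack("!BBHII", 0x80, 0, seq & 0xFFFF, 0, 0) + payload


def rtp_sequence_number(packet: bytes) -> Optional[int]:
    """Return the 16-bit RTP sequence number, or None if the header is malformed."""
    if len(packet) < 12 or packet[0] >> 6 != 2:
        return None
    return struct.unpack_from("!H", packet, 2)[0]


@dataclass
class Session:
    pub_from_a: Addr              # reserved public pair on which UE A's packets arrive
    pub_from_b: Addr              # reserved public pair on which UE B's packets arrive
    id_a: Tuple[int, int]         # service identifier 1: allowed range of A's first sequence number
    id_b: Tuple[int, int]         # service identifier 2: allowed range of B's first sequence number
    a2: Optional[Addr] = None     # UE A's media address-port pair, learned from a verified packet
    b2: Optional[Addr] = None     # UE B's media address-port pair
    buffered: List[Tuple[str, bytes]] = field(default_factory=list)  # held until both verify


class MediaRelay:
    def __init__(self) -> None:
        self.listeners: Dict[Addr, Tuple[Session, str]] = {}
        self.forwarded: List[Tuple[Addr, bytes]] = []   # (destination, packet) sent onward
        self.dropped = 0

    def reserve(self, session: Session) -> None:
        """Steps S602/S603: keep the identifiers and listen on both reserved pairs."""
        self.listeners[session.pub_from_a] = (session, "A")
        self.listeners[session.pub_from_b] = (session, "B")

    def receive(self, dst: Addr, src: Addr, packet: bytes) -> str:
        """Process one datagram that arrived on a reserved pair; returns what was done."""
        if dst not in self.listeners:
            self.dropped += 1
            return "unknown-port"
        session, side = self.listeners[dst]
        bound = session.a2 if side == "A" else session.b2
        if bound is None:
            # Steps S702/S704 (S1002/S1004): no association yet, so the packet must prove
            # it belongs to this session before any binding is created.
            seq = rtp_sequence_number(packet)
            low, high = session.id_a if side == "A" else session.id_b
            if seq is None or not low <= seq <= high:
                self.dropped += 1          # discard and keep listening; nothing is bound
                return "dropped"
            setattr(session, "a2" if side == "A" else "b2", src)
            session.buffered.append((side, packet))
            if session.a2 is not None and session.b2 is not None:
                for held_side, held in session.buffered:   # Steps S705/S706: release both
                    self._forward(session, held_side, held)
                session.buffered.clear()
                return "associated"
            return "bound"
        if src != bound:
            # Assumption beyond the patent text: once bound, only the bound source is
            # relayed on this pair; anything else is treated like a scan.
            self.dropped += 1
            return "dropped"
        if session.a2 is None or session.b2 is None:
            session.buffered.append((side, packet))   # peer not verified yet: hold
            return "buffered"
        self._forward(session, side, packet)          # Steps S707/S708: relay per association
        return "forwarded"

    def _forward(self, session: Session, side: str, packet: bytes) -> None:
        dest = session.b2 if side == "A" else session.a2   # A's data goes to B2 and vice versa
        self.forwarded.append((dest, packet))


def demo() -> Tuple[MediaRelay, List[str]]:
    """Constructed scenario: a port scan is refused, then UE A and UE B bind and are relayed."""
    relay = MediaRelay()
    sess = Session(pub_from_a=("203.0.113.10", 40002), pub_from_b=("203.0.113.10", 40000),
                   id_a=(1000, 1099), id_b=(5000, 5099))
    relay.reserve(sess)
    scanner = ("198.51.100.7", 6000)
    a2, b2 = ("192.0.2.21", 30000), ("192.0.2.45", 31000)
    results = [
        relay.receive(sess.pub_from_a, scanner, make_rtp(7)),       # out of range: dropped
        relay.receive(sess.pub_from_a, scanner, b"junk"),           # not RTP at all: dropped
        relay.receive(sess.pub_from_a, a2, make_rtp(1042, b"A1")),  # S701/S702: bound, held
        relay.receive(sess.pub_from_b, b2, make_rtp(5010, b"B1")),  # S703/S704: associated
        relay.receive(sess.pub_from_a, a2, make_rtp(1043, b"A2")),  # S707: forwarded to B2
    ]
    return relay, results
```

Note that the buffered packets are only released once both sides have verified, so a single-sided stream is never relayed, which is exactly the condition Embodiment 4's binding request is meant to relax.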
Claims
1. A relay-based media channel establishment method, comprising:
   during session negotiation between a first user equipment (UE) and a second UE, a media relay control server allocating a first service identifier and a second service identifier, delivering the first service identifier to the first UE, delivering the second service identifier to the second UE, and delivering the first service identifier and the second service identifier to a media relay device;
   the media relay device receiving the service identifiers reported by the first UE and the second UE; and the media relay device verifying the service identifiers reported by the first UE and the second UE according to the first service identifier and the second service identifier delivered by the media relay control server and, when verification passes, establishing a media channel between the first UE and the second UE.
2. The method according to claim 1, wherein the media relay device receiving the service identifiers reported by the first UE and the second UE comprises:
   the media relay device receiving the first media data packet sent by the first UE to the second UE and obtaining the service identifier reported by the first UE from it;
   the media relay device receiving the first media data packet sent by the second UE to the first UE and obtaining the service identifier reported by the second UE from it.
3. The method according to claim 1, wherein the media relay device receiving the service identifiers reported by the first UE and the second UE comprises:
   after the session negotiation ends and before sending the first media data packet to the media relay device, the first UE first sending a first binding request to the media relay device;
   the media relay device receiving the first binding request and obtaining the service identifier reported by the first UE from it;
   after the session negotiation ends and before sending the first media data packet to the media relay device, the second UE first sending a second binding request to the media relay device;
   the media relay device receiving the second binding request and obtaining the service identifier reported by the second UE from it.
4. The method according to claim 1, wherein the first service identifier and the second service identifier are character strings or sequence numbers, or the first service identifier and the second service identifier are username-password pairs.
5. The method according to claim 1, wherein the first service identifier and the second service identifier are a range of starting sequence numbers of packets;
   the media relay device receiving the service identifiers reported by the first UE and the second UE respectively comprises: the media relay device receiving the first packet from each of the first UE and the second UE after the session negotiation completes and obtaining the sequence number of that packet;
   the media relay device verifying the service identifiers reported by the first UE and the second UE comprises: the media relay device judging whether the sequence number of the first packet from the first UE is within the range indicated by the first service identifier and judging whether the sequence number of the first packet from the second UE is within the range indicated by the second service identifier, verification passing if both are.
6. The method according to claim 4 or 5, wherein the first service identifier is the same as the second service identifier.
7. The method according to claim 4 or 5, wherein the first service identifier is different from the second service identifier.
8. A relay-based media channel establishment system, comprising:
   a media relay control server configured to allocate a first service identifier and a second service identifier during session negotiation between a first UE and a second UE, deliver the first service identifier to the first UE, deliver the second service identifier to the second UE, and deliver the first service identifier and the second service identifier to a media relay device;
   the media relay device, configured to receive the service identifiers reported by the first UE and the second UE, verify the service identifiers reported by the first UE and the second UE according to the first service identifier and the second service identifier delivered by the media relay control server and, when verification passes, establish a media channel between the first UE and the second UE.
9. The system according to claim 8, wherein the media relay device is configured to receive, after the session negotiation ends, the first media data packet sent by each of the first UE and the second UE and to obtain the service identifiers reported by the first UE and the second UE from them.
10. The system according to claim 9, wherein the media relay device is configured to receive, after the session negotiation ends, the binding requests sent by the first UE and the second UE before they send their first media data packet and to obtain the service identifiers reported by the first UE and the second UE from them.
Priority Applications (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
EP11816067.0A EP2605471B1 (en) | 2010-08-09 | 2011-07-25 | Relay-based media channel establishing method and the system thereof |
US13/814,909 US9131026B2 (en) | 2010-08-09 | 2011-07-25 | Method and system for establishing media channel based on relay |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN201010254720.2 | 2010-08-09 | ||
CN2010102547202A CN101977178A (zh) | 2010-08-09 | 2010-08-09 | Relay-based media channel establishment method and system |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2012019508A1 true WO2012019508A1 (zh) | 2012-02-16 |
Family
ID=43577023
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/CN2011/077592 WO2012019508A1 (zh) | 2010-08-09 | 2011-07-25 | Relay-based media channel establishment method and system |
Country Status (4)
Country | Link |
---|---|
US (1) | US9131026B2 (zh) |
EP (1) | EP2605471B1 (zh) |
CN (1) | CN101977178A (zh) |
WO (1) | WO2012019508A1 (zh) |
Cited By (5)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO2014167277A1 (en) * | 2013-04-10 | 2014-10-16 | Realvnc Ltd | Methods and apparatus for remote connection |
WO2014167278A1 (en) * | 2013-04-10 | 2014-10-16 | Realvnc Ltd | Methods and apparatus for remote connection |
EP2992470A1 (en) * | 2013-05-01 | 2016-03-09 | Kodiak Networks, Inc. | Voip denial-of-service protection mechanisms from attack |
US10116691B2 (en) | 2004-11-23 | 2018-10-30 | Kodiak Networks, Inc. | VoIP denial-of-service protection mechanisms from attack |
CN111526196A (zh) * | 2020-04-22 | 2020-08-11 | 中电福富信息科技有限公司 | Method and system for managing a port ledger based on an open-source scanner |
Families Citing this family (25)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN101977178A (zh) * | 2010-08-09 | 2011-02-16 | 中兴通讯股份有限公司 | Relay-based media channel establishment method and system |
US10187441B2 (en) | 2011-10-03 | 2019-01-22 | CSC Holdings, LLC | Media relay |
US9237133B2 (en) * | 2012-12-12 | 2016-01-12 | Empire Technology Development Llc. | Detecting matched cloud infrastructure connections for secure off-channel secret generation |
JP6281566B2 (ja) * | 2013-04-05 | 2018-02-21 | ソニー株式会社 | Relay management device, relay management method, program, and relay management system |
CN104426656B (zh) * | 2013-08-19 | 2019-04-05 | 中兴通讯股份有限公司 | Data transceiving method and system, and message processing method and apparatus |
CN104519414B (zh) * | 2013-09-27 | 2018-05-08 | 北京新媒传信科技有限公司 | Streaming media transmission method and system |
US9282089B2 (en) * | 2013-12-19 | 2016-03-08 | Cisco Technology, Inc. | Low latency authentication of gated media relay services |
CN103916382B (zh) * | 2013-12-25 | 2018-05-01 | 三亚中兴软件有限责任公司 | NAT traversal method, proxy server and system based on SIP media capability renegotiation |
JP6287401B2 (ja) * | 2014-03-18 | 2018-03-07 | 富士ゼロックス株式会社 | Relay device, system and program |
US9572119B2 (en) * | 2014-07-10 | 2017-02-14 | Nokia Solutions And Networks Oy | Unique connection identifier |
US10129412B1 (en) * | 2014-09-08 | 2018-11-13 | Whatsapp Inc. | Establishing and maintaining a VOIP call |
CN104821909B (zh) * | 2015-04-22 | 2018-02-06 | 北京云艾科技有限公司 | End-to-end data transmission method and system |
US10021216B2 (en) | 2015-05-25 | 2018-07-10 | Juniper Networks, Inc. | Monitoring services key performance indicators using TWAMP for SDN and NFV architectures |
US10237236B2 (en) * | 2015-06-25 | 2019-03-19 | Microsoft Technology Licensing, Llc | Media Session |
US20160380789A1 (en) * | 2015-06-25 | 2016-12-29 | Microsoft Technology Licensing, Llc | Media Relay Server |
CN105391817A (zh) * | 2015-11-26 | 2016-03-09 | 上海紫越网络科技股份有限公司 | NAT traversal system and method based on SDP self-detection |
CN105656899B (zh) * | 2016-01-07 | 2018-10-19 | 北京众享比特科技有限公司 | Decentralized login method, client and system |
CN105610999A (zh) * | 2016-03-30 | 2016-05-25 | 上海斐讯数据通信技术有限公司 | Method, device, server and system for implementing P2P communication by NAT traversal |
US11388203B2 (en) | 2016-08-16 | 2022-07-12 | Avaya Inc. | Systems and methods for media tunneling through edge server |
US10574763B2 (en) | 2016-09-29 | 2020-02-25 | Juniper Networks, Inc. | Session-identifer based TWAMP data session provisioning in computer networks |
US10819524B2 (en) * | 2016-10-19 | 2020-10-27 | Qualcomm Incorporated | Methods for header extension preservation, security, authentication, and protocol translation for RTP over MPRTP |
US10218590B2 (en) * | 2016-12-12 | 2019-02-26 | Juniper Networks, Inc. | Subscriber-aware TWAMP data monitoring in computer networks |
CN108347450B (zh) * | 2017-01-23 | 2021-04-02 | 阿里巴巴集团控股有限公司 | Remote login method and device |
US10880120B2 (en) * | 2018-07-19 | 2020-12-29 | Avaya Inc. | System and methods for tunneling media through secure channel |
US20220109996A1 (en) * | 2020-10-01 | 2022-04-07 | Qualcomm Incorporated | Secure communication link establishment for a ue-to-ue relay |
Family Cites Families (33)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6889328B1 (en) * | 1999-05-28 | 2005-05-03 | Telefonaktiebolaget Lm Ericsson (Publ) | Method and apparatus for secure communication |
US6975876B1 (en) * | 2000-11-17 | 2005-12-13 | Thomas Cast | System and method for performing throttle control in a SMPP gateway |
US20020143922A1 (en) * | 2001-04-03 | 2002-10-03 | Murata Kikai Kabushiki Kaisha | Relay server and relay system |
US7290141B2 (en) * | 2002-06-27 | 2007-10-30 | Nokia, Inc. | Authentication of remotely originating network messages |
US7707310B2 (en) * | 2002-11-20 | 2010-04-27 | Cisco Technology, Inc. | Mobile IP registration supporting port identification |
US7184531B2 (en) * | 2003-06-05 | 2007-02-27 | Siemens Communications, Inc. | System and method for authorizing a party to join a conference |
US7529824B2 (en) * | 2003-10-14 | 2009-05-05 | International Business Machines Corporation | Method for selecting a service binding protocol in a service-oriented architecture |
US20050165719A1 (en) * | 2004-01-27 | 2005-07-28 | Omenti Research, Llc | Method and system for establishing and maintaining concurrent, coordinated communications on separately managed networks |
US20050182639A1 (en) * | 2004-02-18 | 2005-08-18 | Fujitsu Limited | Dynamic virtual organization manager |
US7706401B2 (en) * | 2004-08-13 | 2010-04-27 | Verizon Business Global Llc | Method and system for providing interdomain traversal in support of packetized voice transmissions |
US20070011731A1 (en) * | 2005-06-30 | 2007-01-11 | Nokia Corporation | Method, system & computer program product for discovering characteristics of middleboxes |
US8184641B2 (en) * | 2005-07-20 | 2012-05-22 | Verizon Business Global Llc | Method and system for providing secure communications between proxy servers in support of interdomain traversal |
US7496057B2 (en) * | 2005-08-10 | 2009-02-24 | Cisco Technology, Inc. | Methods and apparatus for optimizations in 3GPP2 networks using mobile IPv6 |
US7673135B2 (en) * | 2005-12-08 | 2010-03-02 | Microsoft Corporation | Request authentication token |
JP4662078B2 (ja) * | 2006-06-21 | 2011-03-30 | 日本電気株式会社 | Communication system, communication method, and program |
JP5031026B2 (ja) * | 2006-08-24 | 2012-09-19 | パナソニック株式会社 | Communication management device and location management device |
KR101043709B1 (ko) * | 2006-08-31 | 2011-06-24 | 후지쯔 가부시끼가이샤 | Network connection terminal authentication method, recording medium storing a network connection terminal authentication program, and network connection terminal authentication device |
US20100296481A1 (en) * | 2006-10-20 | 2010-11-25 | Panasonic Corporation | Methods in mixed network- and host-based mobility management |
US7801059B2 (en) * | 2007-04-20 | 2010-09-21 | Panasonic Corporation | IP communication apparatus and NAT type determination method by the same |
US20090094684A1 (en) * | 2007-10-05 | 2009-04-09 | Microsoft Corporation | Relay server authentication service |
US20110099097A1 (en) * | 2008-06-05 | 2011-04-28 | Johan Svedberg | Charging for services in a communication network |
US20090319674A1 (en) * | 2008-06-24 | 2009-12-24 | Microsoft Corporation | Techniques to manage communications between relay servers |
CN101621506A (zh) | 2008-07-01 | 2010-01-06 | 鸿富锦精密工业(深圳)有限公司 | Method for implementing real-time two-way multimedia communication through NAT |
US20100054217A1 (en) * | 2008-08-26 | 2010-03-04 | Telefonaktiebolaget Lm Ericsson (Publ) | Registration of multiple care-of-addresses |
EP2160067A1 (en) * | 2008-08-29 | 2010-03-03 | Panasonic Corporation | Detection of the mobility management function used by the network |
US8305980B1 (en) * | 2008-09-12 | 2012-11-06 | Nix John A | Efficient handover of media communications in heterogeneous IP networks using handover procedure rules and media handover relays |
JP5370368B2 (ja) * | 2008-10-07 | 2013-12-18 | 富士通株式会社 | Relay device, terminal device, and communication system |
US8893248B2 (en) * | 2008-12-12 | 2014-11-18 | Tekelec, Inc. | Methods, systems, and computer readable media for media session policy compliance auditing and enforcement using a media relay and session initiation protocol (SIP) signaling |
TWI410077B (zh) * | 2009-04-14 | 2013-09-21 | Univ Nat Chiao Tung | Method of Wrapping Method and Winding Path in Wireless Network Environment |
US8185660B2 (en) * | 2009-05-12 | 2012-05-22 | Cisco Technology, Inc. | Inter-working between network address type (ANAT) endpoints and interactive connectivity establishment (ICE) endpoints |
WO2010150785A1 (ja) * | 2009-06-26 | 2010-12-29 | シャープ株式会社 | Mobile communication system, subscriber information management device, location management device, and home base station |
WO2011062596A1 (en) * | 2009-11-23 | 2011-05-26 | Hewlett-Packard Development Company, L.P. | Binding resources in a shared computing environment |
US8549614B2 (en) * | 2009-12-04 | 2013-10-01 | Cisco Technology, Inc. | Establishing internet protocol security sessions using the extensible messaging and presence protocol |
- 2010
  - 2010-08-09 CN CN2010102547202A patent/CN101977178A/zh active Pending
- 2011
  - 2011-07-25 WO PCT/CN2011/077592 patent/WO2012019508A1/zh active Application Filing
  - 2011-07-25 EP EP11816067.0A patent/EP2605471B1/en active Active
  - 2011-07-25 US US13/814,909 patent/US9131026B2/en active Active
Patent Citations (4)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7257837B2 (en) * | 2003-07-26 | 2007-08-14 | Innomedia Pte | Firewall penetration system and method for real time media communications |
CN101110774A (zh) * | 2007-08-28 | 2008-01-23 | 中兴通讯股份有限公司 | NAT traversal device for a streaming media system supporting authentication and authorization, and implementation method thereof |
CN101483764A (zh) * | 2009-01-19 | 2009-07-15 | 北京中星微电子有限公司 | Method for sending media streams between monitoring parties in a network video surveillance system |
CN101977178A (zh) * | 2010-08-09 | 2011-02-16 | 中兴通讯股份有限公司 | Relay-based media channel establishment method and system |
Non-Patent Citations (3)
Title |
---|
See also references of EP2605471A4 * |
WANG, NAN ET AL.: "Research and design of NAT Traversal Scheme in P2P SIP System.", COMPUTER TECHNOLOGY AND DEVELOPMENT., vol. 19, no. 10, October 2009 (2009-10-01), pages 66 - 69 * |
WEI, LIFENG ET AL.: "Algorithm Design and Implementation of Traversing NAT for Media Streams.", COMPUTER ENGINEERING., vol. 35, no. 24, December 2009 (2009-12-01), pages 81 - 83 * |
Cited By (9)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US10116691B2 (en) | 2004-11-23 | 2018-10-30 | Kodiak Networks, Inc. | VoIP denial-of-service protection mechanisms from attack |
WO2014167277A1 (en) * | 2013-04-10 | 2014-10-16 | Realvnc Ltd | Methods and apparatus for remote connection |
WO2014167278A1 (en) * | 2013-04-10 | 2014-10-16 | Realvnc Ltd | Methods and apparatus for remote connection |
GB2505267B (en) * | 2013-04-10 | 2015-12-23 | Realvnc Ltd | Methods and apparatus for remote connection |
GB2505268B (en) * | 2013-04-10 | 2017-10-11 | Realvnc Ltd | Methods and apparatus for remote connection |
EP2992470A1 (en) * | 2013-05-01 | 2016-03-09 | Kodiak Networks, Inc. | Voip denial-of-service protection mechanisms from attack |
EP2992470A4 (en) * | 2013-05-01 | 2016-09-28 | Kodiak Networks Inc | VOIP DEFENSE PROTECTION MECHANISMS AGAINST ATTACKS |
CN111526196A (zh) * | 2020-04-22 | 2020-08-11 | 中电福富信息科技有限公司 | Method and system for managing a port ledger based on an open-source scanner |
CN111526196B (zh) * | 2020-04-22 | 2023-04-07 | 中电福富信息科技有限公司 | Method and system for managing a port ledger based on an open-source scanner |
Also Published As
Publication number | Publication date |
---|---|
CN101977178A (zh) | 2011-02-16 |
US9131026B2 (en) | 2015-09-08 |
EP2605471A4 (en) | 2014-01-15 |
US20130138822A1 (en) | 2013-05-30 |
EP2605471B1 (en) | 2016-09-14 |
EP2605471A1 (en) | 2013-06-19 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
WO2012019508A1 (zh) | | Relay-based media channel establishment method and system |
CN112911027B (zh) | | Method and apparatus for establishing a media session |
JP5043392B2 (ja) | | Method for setting up a SIP communication session, and system and computer program therefor |
EP2981022B1 (en) | | Method and system for transmitting and receiving data, method and device for processing message |
CN107612931B (zh) | | Multipoint session method and multipoint session system |
WO2012068922A1 (zh) | | IMS multimedia communication method and system, terminal and IMS core network |
US10715968B2 (en) | | Scheme for setting up PTT group call in a wireless communication network |
WO2010063242A1 (zh) | | Clock synchronization method, device and network system |
WO2011006324A1 (zh) | | File transfer method and terminal |
JP2017108417A (ja) | | Network communication system and method |
WO2016026154A1 (zh) | | Multi-link convergence method, server, client and system |
WO2007019809A1 (fr) | | Method and system for establishing a direct point-to-point channel |
EP2239883B1 (en) | | Method, device, system, client node, peer node and convergent point for preventing node from forging identity |
WO2013053305A1 (zh) | | Method, network-side device and system for end-to-end security establishment in an identifier network |
WO2016050133A1 (zh) | | Method and device for authentication credential replacement |
WO2011120365A1 (zh) | | Method and system for a multi-homed terminal to establish a connection |
WO2011120276A1 (zh) | | Method and system for a terminal to establish a connection |
WO2020029954A1 (zh) | | Service request, negotiation and response method, apparatus, network device and system |
WO2009043289A1 (fr) | | Method for determining the media stream path relationship, and call control system |
WO2011044810A1 (zh) | | Method, device and system for implementing multi-party communication |
KR101696472B1 (ko) | | Local routing apparatus and method in a mobile communication system |
CN101222454B (zh) | | Method for rejecting illegal service flows |
Callas et al. | | ZRTP: Media path key agreement for unicast secure RTP |
Matthews et al. | | RFC 8656: Traversal Using Relays around NAT (TURN): Relay Extensions to Session Traversal Utilities for NAT (STUN) |
WO2013060224A1 (zh) | | Secure connection method, system and network element |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
 | 121 | Ep: the epo has been informed by wipo that ep was designated in this application | Ref document number: 11816067; Country of ref document: EP; Kind code of ref document: A1 |
 | WWE | Wipo information: entry into national phase | Ref document number: 13814909; Country of ref document: US |
 | NENP | Non-entry into the national phase | Ref country code: DE |
 | REEP | Request for entry into the european phase | Ref document number: 2011816067; Country of ref document: EP |
 | WWE | Wipo information: entry into national phase | Ref document number: 2011816067; Country of ref document: EP |