WO2013117154A1 - Method and device for traversing an isolation device in a monitoring network - Google Patents

Info

Publication number: WO2013117154A1
Authority: WO (WIPO, PCT)
Prior art keywords: monitoring, tunnel, address, packet, end device
Application number: PCT/CN2013/071395
Other languages: English (en), French (fr)
Inventors: 周迪, 余剑声, 王连朝
Original assignee: 浙江宇视科技有限公司
Priority claimed from CN201210030678.5A (CN102571524B)
Priority claimed from CN201210030308.1A (CN102546350B)
Priority claimed from CN201210180552.6A (CN102710644B)
Application filed by 浙江宇视科技有限公司
Priority to US14/377,814 (US9215215B2)
Publication of WO2013117154A1

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L63/00 Network architectures or network communication protocols for network security
            • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
              • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/02 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP]
                • H04L67/025 Protocols based on web technology, e.g. hypertext transfer protocol [HTTP], for remote control or remote monitoring of applications
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04N PICTORIAL COMMUNICATION, e.g. TELEVISION
          • H04N7/00 Television systems
            • H04N7/18 Closed-circuit television [CCTV] systems, i.e. systems in which the video signal is not broadcast

Definitions

  • the present invention relates to the field of video surveillance, and in particular, to a method and a node for traversing and assisting to traverse a network isolation device in an IP monitoring system.
  • BACKGROUND OF THE INVENTION: Video surveillance based on IP networks has gradually become the mainstream solution for the security industry and has been successfully applied to large projects such as security projects, highways, public security networks and parks.
  • the standardization and openness of IP also make it easy to integrate individual network islands and to expand the network scale.
  • devices such as NAT, firewalls and security isolation gatekeepers are widely used in large networks.
  • the source IP address or destination IP address of an IP packet changes after the packet passes through a NAT device.
  • the internal IP address and destination IP address are also carried inside service signaling, and they do not match the external address, which often causes problems in the video surveillance business process.
  • if a device on the external side of the NAT needs to initiate a TCP/UDP connection to the internal network, an address/port mapping for the internal server must first be configured on the NAT device for the devices on the internal network; this obviously wastes a lot of public network addresses and is often not allowed.
  • if the control server can determine which of the two interacting devices is inside the NAT, it can notify the internal device to initiate the connection to the external device. But this requires two or more procedures for each session connection, and for a business process that contains multiple sessions the combination can become very complicated. Moreover, some standard services do not allow the interacting parties to swap their client/server roles.
  • in the presence of a firewall, the firewall needs to open a considerable number of UDP/TCP ports so that terminals outside the firewall, such as video surveillance clients, can actively access servers inside the firewall, such as video management servers (VMs). This brings security risks to the enterprise intranet.
  • VM: video management server
  • the present invention provides a method for traversing a network isolation device in an IP monitoring system and a monitoring node corresponding to the method.
  • the monitoring node is located on the inner network of the network isolation device, and the monitoring system includes a plurality of monitoring nodes and a tunnel server, where the plurality of monitoring nodes include a monitoring front-end device, a monitoring back-end device and at least one monitoring server;
  • the at least one monitoring server is a video management server (VM), and the monitoring node includes a tunnel processing unit, a signaling processing unit and a network interface unit, where:
  • a network interface unit configured to send and receive messages on an IP network
  • a signaling processing unit configured to process monitoring signaling data
  • a tunnel processing unit configured to use a first IP address of the monitoring node to initiate a tunnel connection request to the tunnel server to establish a tunnel connection with the tunnel server; and obtain a second IP address allocated by the tunnel server from the tunnel server after the tunnel connection is established;
  • the tunnel processing unit further decapsulates the tunnel packet received by the network interface unit from the tunnel server to obtain an inner layer IP packet whose content is monitoring signaling data, and submits the monitoring signaling data to the signaling processing unit.
  • the inner IP packet is sent by a monitoring node on the outer network of the network isolation device.
  • the destination address of the tunnel packet is the first IP address, and the source address of the tunnel packet is the IP address of the tunnel server itself.
  • the destination address of the inner layer IP packet is the second IP address, and its source IP address is the IP address of the outer monitoring node;
  • the tunnel processing unit is further configured to encapsulate the monitoring signaling data generated by the signaling processing unit of the monitoring node into an inner layer IP packet, then to encapsulate the inner layer IP packet into a tunnel packet and hand it to the network interface unit, which sends it to the tunnel server; the tunnel server forwards the inner layer IP packet to the monitoring node on the network outside the network isolation device, where the source address of the inner layer IP packet is the second IP address and the destination address of the inner layer IP packet is the IP address of the external network monitoring node.
  • the source address of the tunnel packet is the IP address of the monitoring node itself.
  • the destination address of the tunnel packet is the IP address of the tunnel server itself.
  • FIG. 1 is a schematic diagram of a network of Embodiment 1;
  • FIG. 2 is a schematic diagram of a network in Embodiment 2;
  • FIG. 3 is a schematic diagram of a network of Embodiment 3;
  • FIG. 4 is a schematic diagram of a network of Embodiment 4.
  • FIG. 4a is another network diagram of Embodiment 4.
  • FIG. 5 is a basic hardware architecture of a monitoring node or an L2TP relay device of the present invention.
  • FIG. 6 is a logical structural diagram of a monitoring node or an L2TP relay device of the present invention.
  • FIG. 7 is a network diagram of an IP monitoring system that traverses an isolation device through an L2TP tunnel.
  • FIG. 8 is a network diagram of another IP monitoring system that traverses an isolation device through an L2TP tunnel.
  • FIG. 9 is a flowchart of a process for saving bandwidth of a wide area network in an embodiment of the present invention.
  • taking an L2TP implementation as an example: the first monitoring node on the network inside the network isolation device acts as the LAC and uses its first IP address to initiate a tunnel connection request to the tunnel server (an LNS server, also referred to here as the L2TP relay) to establish an L2TP tunnel connection with the tunnel server.
  • IETF: Internet Engineering Task Force
  • the first monitoring node acquires the second IP address allocated to it by the L2TP relay.
  • the first monitoring node receives the tunnel packet from the L2TP relay and decapsulates it to obtain an inner layer IP packet whose content is monitoring signaling data; the inner layer IP packet was sent by a monitoring node on the network outside the network isolation device, and the source address of the tunnel packet is the IP address of the L2TP relay itself.
  • the destination address of the inner layer IP packet is the second IP address, and its source address is the IP address of the outer network monitoring node; the first monitoring node obtains the monitoring signaling data from the inner layer IP packet and performs the corresponding signaling processing.
  • the first monitoring node encapsulates the monitoring signaling data it generates into an inner layer IP packet, then encapsulates the inner layer IP packet into a tunnel packet and sends it to the L2TP relay, and the L2TP relay forwards the inner layer IP packet to the monitoring node on the network outside the network isolation device. Here the source IP address of the inner layer packet is the second IP address and its destination address is the IP address of the outer network monitoring node; the source address of the tunnel packet is the IP address of the first monitoring node itself, and its destination address is the IP address of the L2TP relay itself.
  • the first monitoring node may also receive a tunnel packet from the L2TP relay and decapsulate it to obtain an inner layer IP packet whose content is monitoring service data; the inner layer IP packet was sent by a monitoring node on the network outside the network isolation device. The destination address of the tunnel packet is the first IP address and its source address is the IP address of the L2TP relay itself; the destination address of the inner layer IP packet is the second IP address and its source address is the IP address of the outer network monitoring node; or
  • the first monitoring node encapsulates the monitoring service data it generates into an inner layer IP packet, then encapsulates the inner layer IP packet into a tunnel packet and sends it to the L2TP relay, and the L2TP relay forwards the inner layer IP packet to the monitoring node on the network outside the network isolation device. Here the source IP address of the inner layer packet is the second IP address and its destination address is the IP address of the outer network monitoring node; the source address of the tunnel packet is the IP address of the first monitoring node, and its destination address is the IP address of the L2TP relay itself.
  • the first monitoring node is a VM.
  • the VM receives, through the L2TP tunnel, the monitoring signaling data encapsulated in the tunnel packet sent by the L2TP relay; the monitoring signaling data is sent by an EC or a VC.
  • the L2TP relay, acting as the LNS, receives the L2TP tunnel connection request that the first monitoring node inside the network isolation device sends as the LAC using its first IP address, and assigns the first monitoring node a second IP address; it receives the tunnel packet from the first monitoring node and decapsulates it to obtain the inner layer IP packet, which carries the monitoring signaling data or service data sent by the first monitoring node to a monitoring node outside the network isolation device.
  • the source address of the tunnel packet is the first IP address of the first monitoring node, and its destination address is the IP address of the L2TP relay itself.
  • the destination address of the inner IP packet is the IP address of the monitoring node outside the network isolation device, and its source address is the second IP address.
  • the packet is forwarded to the outside of the network isolation device according to the destination address of the inner IP packet.
  • the L2TP relay encapsulates the IP packet carrying monitoring signaling data or monitoring service data that a monitoring node outside the network isolation device sends to the first monitoring node, and sends it to the first monitoring node; the destination address of that IP packet is the second IP address and its source IP address is the IP address of the outer network monitoring node; the destination IP address of the encapsulating tunnel packet is the first IP address, and the source address of the tunnel packet is the IP address of the L2TP relay itself.
  • the second IP address is either an IP address planned in the network outside the network isolation device and allocated by the L2TP relay, or an independently planned IP address belonging to the L2TP relay itself. In the latter case an L2TP tunnel connection is also established between the L2TP relay and the outer monitoring node; the IP packet sent by the outer monitoring node is then an inner layer IP packet encapsulated in that tunnel, and the L2TP relay decapsulates the tunnel packet sent by the outer monitoring node to obtain the inner layer IP packet, whose source IP address is the address allocated to the outer monitoring node by the L2TP relay and whose destination address is the second IP address assigned to the first monitoring node.
  • the monitoring nodes include a VM and an MS.
  • the L2TP relay is an MS outside the network isolation device.
  • monitoring front-end devices are, for example, an IPC (IP camera) or an EC (encoder); the EC is used as the example below.
  • monitoring back-end devices are, for example, a VC (video client, i.e. monitoring client).
  • VM: video management server
  • DM: data management server
  • MS: media exchange server
  • IPSAN: IP storage server
  • the tunnel server is described taking an LNS as an example; in the present invention it is also referred to as an L2TP relay because it also performs packet forwarding.
  • the IP monitoring system includes multiple monitoring nodes.
  • the monitoring node EC11 is isolated from the other network by the network isolation device.
  • the network isolation device can be a NAT, a firewall or a gatekeeper.
  • the network where the monitoring node EC11 is located is the network inside the network isolation device, called network A, which is isolated or protected by the network isolation device.
  • the network outside the network isolation device is called network B. Because of the network isolation device, network A can access network B at any time, whereas network B cannot access network A unless the isolation device is specially configured.
  • the IP monitoring system further includes an L2TP relay device 14.
  • the IP address obtained by the monitoring node EC11 from network A (10.10.10.0/24) is 10.10.10.10.
  • the IP address of the L2TP relay device 14 is 12.12.10.10. From the perspective of network A this is a public network address, that is, one that network A can access directly; if it cannot be accessed directly, a static mapping to the corresponding public network address can be configured on the isolation device at the network egress.
  • the monitoring node EC11 acts as the LAC and, using its own IP address 10.10.10.10, initiates a tunnel connection request to the L2TP relay 14 acting as the LNS, to establish an L2TP tunnel connection with the L2TP relay.
  • after receiving the tunnel connection request, the L2TP relay 14 establishes the tunnel connection with the monitoring node EC11 and allocates an address from its address pool to EC11.
  • the addresses in the address pool of the L2TP relay 14 belong to the IP address plan of network B, but differ from the IP addresses of devices already present on network B.
  • the IP addresses in the address pool of the L2TP relay 14 belong to 12.12.11.0/24, and the IP address assigned to EC11 is 12.12.11.10.
  • after EC11 obtains the IP address 12.12.11.10 assigned by the L2TP relay 14, it can use this address when communicating with monitoring nodes in network B.
  • the registration message is tunnel encapsulated.
  • the IP address of VM13 is 12.12.12.10, which belongs to the network 12.12.12.0/24.
  • EC11 encapsulates the monitoring signaling data, that is, the content of the registration packet, into an inner layer IP packet, then encapsulates the inner layer IP packet into a tunnel packet and sends it to the L2TP relay 14. The source address of the inner layer IP packet is 12.12.11.10 and its destination address is the IP address of VM13, 12.12.12.10; the source address of the tunnel packet is the IP address of EC11 itself, 10.10.10.10, and its destination address is the IP address of the L2TP relay 14, 12.12.10.10.
  • after receiving the tunnel packet sent by the monitoring node EC11, the L2TP relay 14 decapsulates it to obtain the inner layer IP packet, and routes the inner layer IP packet according to its destination IP address using its saved routing information.
  • the routing information of the L2TP relay in this example is shown in Table 1:
  • the L2TP relay 14 sends the packet out of interface Interface2 according to the destination IP address 12.12.12.10.
  • the registration message of the monitoring node EC11 in network A is thus finally routed to VM13 in network B.
  • VM13 processes the registration message and saves the related information about EC11 locally.
  • VM13 instructs EC11 to send the monitoring video stream; the monitoring signaling data is encapsulated into an IP packet that is routed to the L2TP relay 14, and the L2TP relay 14 tunnels the IP packet sent by VM13 to EC11.
  • the destination address of that IP packet is the IP address assigned to EC11, 12.12.11.10, and its source address is the IP address of VM13, 12.12.12.10; the destination IP address of the encapsulating tunnel packet is the IP address of EC11 itself, 10.10.10.10, and the tunnel source IP address is the IP address of the L2TP relay 14, 12.12.10.10.
  • EC11 receives the tunnel packet from the L2TP relay and decapsulates it to obtain the inner layer IP packet.
  • EC11 obtains the monitoring signaling data from the inner IP packet and performs the corresponding signaling processing.
  • EC11 sends the monitoring service data to the corresponding monitoring node as indicated by the monitoring signaling.
  • according to its own routing table, EC11 either sends the monitoring service data through the tunnel or sends it directly without passing through the tunnel.
  • when EC11 sends the monitoring service data through the tunnel, it encapsulates the monitoring service data into an inner IP packet, then encapsulates the inner IP packet into a tunnel packet and sends it to the L2TP relay 14. The source IP address of the inner IP packet is the IP address assigned to EC11, 12.12.11.10, and its destination address is that of the monitoring node receiving the monitoring service data, such as the IP address of a VC or an MS.
  • that monitoring node can be in any network, including but not limited to network A or network B, for example VC12 in network A and VC15 in network B in FIG. 1. The source address of the tunnel packet is the IP address of EC11 itself, 10.10.10.10, and its destination address is the IP address of the L2TP relay 14.
  • the L2TP relay 14 receives the tunnel packet from EC11, decapsulates it to obtain the inner layer IP packet, and sends the packet on according to its destination IP address.
  • VC12 on network A requests video traffic from EC11: VC12 registers with VM13 in the same way as EC11, first establishing an L2TP tunnel with the L2TP relay 14.
  • the on-demand monitoring signaling is first sent to VM13 through the L2TP tunnel between VC12 and the L2TP relay 14, and the monitoring service data subsequently sent by EC11 passes through the tunnel between EC11 and the L2TP relay 14.
  • VC15 in network B requests video traffic from EC11: VC15 registers with VM13, and the on-demand monitoring signaling is sent directly to VM13.
  • the monitoring service data subsequently sent by EC11 may reach VC15 directly without passing through the tunnel between EC11 and the L2TP relay 14, or may reach the L2TP relay 14 through that tunnel and then be sent by the L2TP relay 14 to VC15.
  • if network B in the IP monitoring system has an MS forwarding device, the MS can act as the L2TP relay 14.
  • VM13 then instructs EC11 to transmit the video service data to the MS acting as the L2TP relay 14, and the MS forwards the video service data according to the address of the requesting VC.
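The Embodiment 1 exchange above (EC11's tunneled registration and VM13's tunneled reply, using the addresses the page gives), as an added Python model that is not the patent's code: the L2TPRelay class, the packet types and the inner-source check are this example's own assumptions. The model shows why the isolation device never needs an inbound pinhole: every outer packet it sees is an outbound flow from 10.10.10.10 to the relay.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Addresses are those of Embodiment 1 on this page; the names and the
# relay model itself are this example's own, not the patent's code.
NETWORK_A = ip_network("10.10.10.0/24")   # inside the isolation device
RELAY_ADDR = ip_address("12.12.10.10")    # L2TP relay 14
POOL = ip_network("12.12.11.0/24")        # relay address pool (network B plan)
EC11_ADDR = ip_address("10.10.10.10")     # first IP address of EC11
VM13_ADDR = ip_address("12.12.12.10")     # VM13 in network B


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: str


@dataclass(frozen=True)
class TunnelPacket:
    """Outer packet between a tunnel endpoint and the relay carrying an inner IPPacket."""
    src: str
    dst: str
    inner: IPPacket


@dataclass
class L2TPRelay:
    """Model of the LNS / L2TP relay: allocates pool addresses and routes inner packets."""
    addr: str = str(RELAY_ADDR)
    tunnels: Dict[str, str] = field(default_factory=dict)  # second IP -> client first IP
    _next: int = 10
    log: List[str] = field(default_factory=list)

    def accept_tunnel(self, client_first_ip: str) -> str:
        """Tunnel connection request from a LAC; returns the allocated second IP address."""
        second = str(POOL.network_address + self._next)
        self._next += 1
        self.tunnels[second] = client_first_ip
        return second

    def receive_from_client(self, tp: TunnelPacket) -> Optional[IPPacket]:
        """Decapsulate a tunnel packet from a client and forward the inner packet."""
        if tp.dst != self.addr:
            return None
        inner = tp.inner
        # Added check (not in the patent text): the inner source must be the
        # address this relay assigned to the tunnel the packet arrived on.
        if self.tunnels.get(inner.src) != tp.src:
            self.log.append(f"drop: inner src {inner.src} not bound to tunnel from {tp.src}")
            return None
        self.log.append(f"route {inner.src}->{inner.dst} out Interface2")
        return inner  # handed to plain routing toward network B

    def receive_from_network(self, pkt: IPPacket) -> Optional[TunnelPacket]:
        """Inner packet arriving from network B toward a tunnel-assigned address."""
        client = self.tunnels.get(pkt.dst)
        if client is None:
            return None
        return TunnelPacket(src=self.addr, dst=client, inner=pkt)


def ec11_registration(relay: L2TPRelay) -> Tuple[str, IPPacket, TunnelPacket]:
    """Embodiment 1: EC11 tunnels a registration to VM13 and gets the reply back."""
    second_ip = relay.accept_tunnel(str(EC11_ADDR))              # 12.12.11.10
    reg = IPPacket(src=second_ip, dst=str(VM13_ADDR), payload="REGISTER EC11")
    outbound = TunnelPacket(src=str(EC11_ADDR), dst=relay.addr, inner=reg)
    delivered = relay.receive_from_client(outbound)
    assert delivered is not None
    # VM13 answers to the second IP address; the relay tunnels it back to EC11.
    reply = IPPacket(src=str(VM13_ADDR), dst=delivered.src, payload="SEND STREAM")
    back = relay.receive_from_network(reply)
    assert back is not None
    return second_ip, delivered, back


def isolation_device_view(tp: TunnelPacket) -> bool:
    """What the NAT/firewall sees: only an outbound flow from network A to the relay."""
    return ip_address(tp.src) in NETWORK_A and tp.dst == str(RELAY_ADDR)
```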
  • FIG. 2 differs from FIG. 1 in that the monitoring node VM23 in network B itself also acts as a LAC and initiates a tunnel connection request to the L2TP relay 24 acting as the LNS, to establish an L2TP tunnel connection with the L2TP relay 24; network B also includes an MS26.
  • MS26 also acts as a LAC, initiates a tunnel connection request to the L2TP relay 24 acting as the LNS, and establishes an L2TP tunnel connection with the L2TP relay 24.
  • the monitoring node EC21 in network A acts as a LAC, initiates a tunnel connection request to the L2TP relay 24 acting as the LNS, and establishes an L2TP tunnel connection with the L2TP relay 24.
  • the IP addresses assigned by the L2TP relay 24 to the monitoring nodes EC21, VM23 and MS26 can come from an independent address pool.
  • the IP addresses in that address pool can be planned as a separate IP address segment and need not occupy addresses from the network B plan, for example 14.14.14.0/24, 15.15.10.0/24 and so on.
  • the communication process of the monitoring nodes in FIG. 2 is described taking 14.14.14.0/24 as an example.
  • EC21 acts as the LAC and, with its own IP address 10.10.10.10, initiates a tunnel connection request to the L2TP relay 24 acting as the LNS, to establish an L2TP tunnel connection with the L2TP relay 24.
  • after receiving the tunnel connection request, the L2TP relay 24 establishes the tunnel connection with the monitoring node EC21 and allocates the address 14.14.14.10 from the address pool to EC21.
  • VM23 initiates a tunnel connection request to the L2TP relay 24 with its own IP address 12.12.12.10 to establish an L2TP tunnel connection with the L2TP relay 24. After receiving the tunnel connection request, the L2TP relay 24 establishes the tunnel connection with the monitoring node VM23 and assigns it the address 14.14.14.12.
  • MS26 initiates a tunnel connection request to the L2TP relay 24 and obtains the assigned IP address 14.14.14.14.
  • the registration message is tunnel encapsulated.
  • EC21 encapsulates the monitoring signaling data, that is, the content of the registration packet, into an inner IP packet, then encapsulates the inner IP packet into a tunnel packet and sends it to the L2TP relay 24.
  • after receiving the tunnel packet from the monitoring node EC21, the L2TP relay 24 decapsulates it to obtain the inner layer IP packet, and routes the inner layer IP packet according to its destination IP address using its saved routing information.
  • the routing information of the L2TP relay in this example is shown in Table 2:
  • based on the destination IP address 14.14.14.12, the L2TP relay 24 tunnel-encapsulates the packet and sends it from the L2TP-VT1:2 interface.
  • the L2TP relay 24 tunnel-encapsulates the inner IP packet whose source address is 14.14.14.10 and whose destination address is 14.14.14.12.
  • the source IP address of the tunnel packet is the IP address of the L2TP relay 24 itself, 12.12.10.10, and the destination IP address of the tunnel packet is VM23's own IP address, 12.12.12.10.
  • the encapsulated tunnel packet reaches VM23 through the tunnel between the L2TP relay 24 and VM23.
  • VM23 decapsulates the packet to obtain the inner IP packet and saves the EC registration information locally.
  • VM23 instructs EC21 to send the monitoring video stream: the monitoring signaling data is encapsulated into an IP packet, which is encapsulated into a tunnel packet and sent to the L2TP relay 24 through the tunnel between VM23 and the L2TP relay 24.
  • the source IP address of the inner layer IP packet carrying the monitoring signaling data is 14.14.14.12 and its destination IP address is 14.14.14.10; the source IP address of the tunnel packet is VM23's own IP address, 12.12.12.10, and the destination IP address of the tunnel packet is 12.12.10.10.
  • the L2TP relay 24 decapsulates the tunnel packet to obtain the inner layer IP packet and, according to the inner layer destination IP address, encapsulates it again and sends it to EC21 through the tunnel between the L2TP relay 24 and EC21.
  • the source IP address of that tunnel packet is the IP address of the L2TP relay 24 itself, 12.12.10.10, and its destination IP address is the IP address of EC21 itself, 10.10.10.10.
  • EC21 receives the tunnel packet, decapsulates it and obtains the inner IP packet.
  • EC21 obtains the monitoring signaling data from the inner layer IP packet and performs the corresponding signaling processing.
  • the monitoring signaling data instructs EC21 to transmit monitoring service data to MS26.
  • VM23 instructs MS26 to receive the monitoring service data transmitted by EC21 and to forward it on to the VC.
  • EC21 sends the monitoring service data to the L2TP relay 24 through the tunnel between itself and the L2TP relay 24.
  • the monitoring service data is tunnel encapsulated: the source address of the inner IP packet is the IP address assigned to EC21, 14.14.14.10, and its destination address is the address of MS26, which receives the monitoring service data, 14.14.14.14; the source address of the encapsulating tunnel packet is the IP address of EC21 itself, 10.10.10.10, and its destination address is the IP address of the L2TP relay 24.
  • the L2TP relay 24 receives the tunnel packet from EC21, decapsulates it to obtain the inner layer IP packet and, according to the inner layer destination IP address, tunnel-encapsulates the packet and sends it to MS26 through the tunnel between the L2TP relay 24 and MS26.
  • the tunnel encapsulation method is the same as above and is not described again.
  • MS26 decapsulates the packet to obtain the monitoring service data packet.
  • MS26 sends the monitoring service data to the corresponding VC, such as VC25, according to the indication of VM23 and its own routing table.
  • VM23 instructs EC21 to transmit the video service data to MS26, and MS26 forwards the video service data according to the address of the requesting VC.
  • VC22 in network A requests video traffic from EC21: VC22 first registers with VM23, following the same registration process as EC21.
  • an L2TP tunnel is established between VC22 and MS26 acting as the L2TP relay.
  • the on-demand monitoring signaling is first sent to VM23 through the L2TP tunnel between VC22 and MS26 and the L2TP tunnel between MS26 and VM23; the tunnel packets are encapsulated in the same way as the registration message EC21 sends to VM23.
  • the monitoring service data subsequently sent by EC21 reaches MS26 through the tunnel between EC21 and MS26, and is then sent to VC22 through the tunnel between VC22 and MS26.
  • the IP monitoring system includes a monitoring node VM31, which is isolated from another network by the network isolation device.
  • the network where VM31 is located is the network inside the network isolation device, called network A, and the network outside the network isolation device is called network B. Because of the network isolation device, network B cannot access network A without special configuration.
  • the IP surveillance system also includes an L2TP relay device 33.
  • the IP address of the monitoring node VM31 is 10.10.10.10.
  • the IP address of the L2TP relay device 33 is 12.12.10.10.
  • the monitoring node VM31 needs to communicate with other monitoring nodes in network B, such as EC36 and VC37.
  • the monitoring node VM31 initiates a tunnel connection request to the L2TP relay 33 to establish an L2TP tunnel connection.
  • after receiving the tunnel connection request, the L2TP relay 33 establishes the tunnel connection with the monitoring node VM31 and allocates an address from its address pool to VM31.
  • the addresses in the address pool of the L2TP relay 33 belong to the IP address plan of network B.
  • the IP address assigned to VM31 by the L2TP relay 33 is 12.12.11.10.
  • this IP address is made known to EC36 and VC37 in network B so that they can register with VM31.
  • EC36 sends a registration message whose destination IP address is the address assigned to VM31, 12.12.11.10; the packet is routed to the L2TP relay 33, which tunnel-encapsulates the registration packet.
  • that is, the registration packet is encapsulated into an inner IP packet, and the inner IP packet is then encapsulated into a tunnel packet and sent to VM31, where the destination address of the inner packet is the IP address assigned to VM31, 12.12.11.10, and its source address is the address of EC36 itself, such as 12.12.12.16.
  • the source address of the tunnel packet is the IP address of the L2TP relay 33 itself, 12.12.10.10, and the tunnel destination address is VM31's own IP address, 10.10.10.10.
  • VM31 decapsulates the tunnel packet to obtain the inner layer IP packet and saves the information about EC36 obtained after decapsulation locally.
  • the process of VC37 registering with VM31 is the same as the registration process of EC36.
  • a registration message with the destination address 10.10.10.10 is sent directly to VM31.
The monitoring node MS32 in network A, like VM31, establishes an L2TP tunnel connection with the L2TP relay 33 and obtains an IP address assigned by the L2TP relay 33. EC34 and VC35 in network A do not need to establish separate L2TP tunnels with the L2TP relay 33. If there is no MS32 in network A, EC34 and VC35 establish L2TP tunnels with the L2TP relay 33.

An on-demand monitoring signaling packet from VC37 is sent to VM31 in the same way as the registration message of EC36. Following VM31's instruction, a monitoring signaling packet telling EC34 to send the monitoring video stream is sent to EC34; since the IP address of EC34 is 10.10.10.8, this packet is sent directly to EC34 within network A. The monitoring signaling message instructs EC34 to send the monitoring service data to MS32, and EC34 does so according to that instruction. VM31 then instructs MS32 to send the monitoring service data to VC37. MS32 sends the monitoring service data through the tunnel or directly without the tunnel, according to its own routing table. The method of sending monitoring service data through the tunnel (MS32 has established an L2TP tunnel with the L2TP relay 33) is the same as in the first embodiment and is not repeated here. If there is no MS32 in network A, EC34 sends the monitoring service data through the tunnel or directly without the tunnel, according to its own routing table.
When VC35 requests the video stream of EC36, VC35 sends an on-demand message to the IP address of VM31 with its own IP address, 10.10.10.6, as the source IP address. After receiving the on-demand message, VM31 sends EC36 a monitoring signaling message instructing EC36 to send the monitoring video stream. The monitoring signaling data may be sent through the tunnel or not, which is determined mainly by the routing table of the VM. The monitoring signaling message instructs EC36 to send the monitoring service data to MS32. After receiving the monitoring signaling message, EC36 routes the corresponding monitoring video data to the L2TP relay 33, which tunnel-encapsulates the monitoring service data packets according to their destination IP address. The encapsulated tunnel packets are sent to MS32 through the tunnel between the L2TP relay 33 and MS32. MS32 decapsulates the tunnel packets to obtain the inner packets and sends them to VC35 according to the instruction of VM31. If the L2TP relay 33 is implemented by a router or another separate network device, the cost is relatively high, so it can be
In the fourth embodiment, the monitoring node VM48 in network B initiates a tunnel connection request to the L2TP relay 43 to establish an L2TP tunnel connection with it. Network B also includes an MS49, which likewise initiates a tunnel connection request to the L2TP relay 43 and establishes an L2TP tunnel connection with it. The monitoring node VM41 in network A also initiates a tunnel connection request to the L2TP relay 43 and establishes an L2TP tunnel connection with it. The IP addresses assigned by the L2TP relay 43 to the monitoring nodes VM41, VM48 and MS49 may come from an independent address pool, that is, a separately planned IP address segment for the pool that does not occupy the IP addresses planned for network B, such as 14.14.14.0/24 or 15.15.10.0/24.
Figure 4 shows a two-level domain structure with two management domains: VM41, MS42, EC44 and VC45 form monitoring domain X, and VM48, MS49, EC46 and VC47 form another monitoring domain Y. Monitoring management domain X is the subordinate domain and domain Y is the superior domain.
Registration messages from EC44, VC45 and MS42 are sent to VM41 and do not need to pass through the tunnel; they are transmitted directly to the IP address of VM41, 10.10.10, and VM41 stores the registration information. Registration messages from EC46, VC47 and MS49 are sent to VM48 and likewise do not need the tunnel; they are transmitted directly to the IP address of VM48, 12.1.2.10, and VM48 stores the registration information.

VM41 registers with VM48. VM41 initiates a tunnel connection request to the L2TP relay 43 from its own IP address, 10.10.10.10, to establish an L2TP tunnel connection with the L2TP relay 43. After receiving the tunnel connection request, the L2TP relay 43 establishes the tunnel connection with the monitoring node VM41 and allocates the address 14.14.14.10/24 from its address pool to VM41. VM48 initiates a tunnel connection request to the L2TP relay 43 from its own IP address, 12.12.10, to establish an L2TP tunnel connection with the L2TP relay 43. After receiving the tunnel connection request, the L2TP relay 43 establishes the tunnel connection with the monitoring node VM48 and allocates the address 14.14.14.12/24 from its address pool to VM48. Similarly, MS42 initiates a tunnel connection request to the L2TP relay 43 and obtains the assigned IP address 14.14.14.14, and MS49 initiates a tunnel connection request to the L2TP relay 43 and obtains the assigned IP address 14.14.14.15.
When a VC in network A requests video traffic in network B, for example when VC45 requests the monitoring video data of EC46, VC45 sends the on-demand request directly to VM41 in network A. VM41 encapsulates the request in an inner IP packet, encapsulates the inner IP packet in a tunnel packet and sends it to the L2TP relay 43. The source IP address of the inner IP packet is 14.14.14.10 and its destination is the IP address assigned to VM48, 14.14.14.12; the source address of the tunnel packet is VM41's own IP address, 10.10.10.10, and its destination address is the IP address of the L2TP relay 43, 12.12.10.10. After receiving the tunnel packet, the L2TP relay 43 decapsulates it to obtain the inner IP packet and routes the inner IP packet by its destination IP address according to the routing information it has stored. The routing information of the L2TP relay 43 in this example is shown in Table 3.

According to the destination IP address 14.14.14.12, the L2TP relay 43 determines that the message needs to be tunnel-encapsulated and sent from the L2TP-VT1:2 interface. The L2TP relay 43 therefore tunnel-encapsulates the inner IP packet whose source address is 14.14.14.10 and whose destination address is 14.14.14.12: the source IP address of the tunnel packet is the IP address of the L2TP relay 43 itself, 12.12.10., and the destination IP address of the tunnel packet is VM48's own IP address, 12.12.12.10. The encapsulated tunnel packet reaches VM48 through the tunnel between the L2TP relay 43 and VM48, and VM48 decapsulates it to obtain the inner IP packet.

VM48 notifies EC46 to send the monitoring video service data to MS49. MS49 tunnel-encapsulates the data and sends it to the L2TP relay 43 through the tunnel between MS49 and the L2TP relay 43. The L2TP relay 43 decapsulates the tunnel packet, determines that it needs to be sent through a tunnel again, tunnel-encapsulates the monitoring service data and sends it to MS42 through the tunnel between the L2TP relay 43 and MS42, and MS42 forwards it to VC45. The process of forwarding monitoring service data through two tunnels is similar to the process described above for forwarding monitoring signaling or monitoring data through two tunnels. The processing flow for VC47 requesting EC44 is similar to that for VC45 requesting EC46 and is not described here. If the L2TP relay 43 is implemented by a router or another separate network device, the cost is relatively high; therefore, in the fourth embodiment MS49 acts as the L2TP relay, which is a better implementation, as shown in Fig. 4a.
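The relay behaviour of the third and fourth embodiments (decapsulate the tunnel packet, look up the inner destination, then deliver directly or re-encapsulate towards another tunnel peer) is modelled below as an added example; it is not code from the patent or from the applicant. The packet layout, the `Relay` class and the routing-table rows standing in for Table 3 (which is not reproduced on the page) are simplifying assumptions; the addresses are those of the fourth embodiment above.

```python
"""Added example (not code from the patent or applicant): an L2TP-relay style
forwarder that decapsulates a tunnel packet, routes the inner IP packet by its
destination address, and either delivers it directly or re-encapsulates it
towards another tunnel peer. Packet layout and routing-table format are
simplifying assumptions; the addresses are the fourth embodiment's."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class IPPacket:
    src: str
    dst: str
    payload: str


@dataclass(frozen=True)
class TunnelPacket:
    outer_src: str    # address of the node doing the encapsulation
    outer_dst: str    # address of its tunnel peer
    inner: IPPacket   # the inner IP packet carried through the tunnel


def encapsulate(inner: IPPacket, outer_src: str, outer_dst: str) -> TunnelPacket:
    return TunnelPacket(outer_src, outer_dst, inner)


def decapsulate(pkt: TunnelPacket) -> IPPacket:
    return pkt.inner


class Relay:
    """Routing-table rows are (prefix, next_hop): next_hop is None for direct
    delivery, or the tunnel peer's own address for tunnel encapsulation."""

    def __init__(self, own_ip: str, routes):
        self.own_ip = own_ip
        # Longest-prefix match: most specific rows are tried first.
        self.routes = sorted(routes, key=lambda r: ip_network(r[0]).prefixlen, reverse=True)

    def lookup(self, dst: str):
        for prefix, next_hop in self.routes:
            if ip_address(dst) in ip_network(prefix):
                return next_hop
        raise LookupError(f"no route to {dst}")

    def forward(self, inner: IPPacket):
        """Return the inner packet unchanged (direct delivery) or a new tunnel
        packet addressed to the peer responsible for inner.dst."""
        next_hop = self.lookup(inner.dst)
        if next_hop is None:
            return inner
        return encapsulate(inner, self.own_ip, next_hop)

    def receive_tunnel_packet(self, pkt: TunnelPacket):
        if pkt.outer_dst != self.own_ip:
            raise ValueError("tunnel packet not addressed to this relay")
        return self.forward(decapsulate(pkt))


# Fourth-embodiment addresses: VM41 (10.10.10.10, tunnel address 14.14.14.10),
# VM48 (12.12.12.10, tunnel address 14.14.14.12), relay 43 at 12.12.10.10.
RELAY_43 = Relay("12.12.10.10", [
    ("14.14.14.10/32", "10.10.10.10"),   # VM41's tunnel address: via its tunnel
    ("14.14.14.12/32", "12.12.12.10"),   # VM48's tunnel address: via its tunnel
    ("12.12.12.0/24", None),             # network B is reachable directly
])


def vm41_request_to_vm48():
    """VC45's on-demand request carried VM41 -> relay 43 -> VM48 over two tunnels."""
    inner = IPPacket("14.14.14.10", "14.14.14.12", "on-demand EC46")
    from_vm41 = encapsulate(inner, "10.10.10.10", "12.12.10.10")
    return RELAY_43.receive_tunnel_packet(from_vm41)


def direct_delivery_to_network_b():
    """An inner packet for an address planned in network B leaves the relay untunnelled."""
    inner = IPPacket("14.14.14.10", "12.12.12.16", "signaling")
    return RELAY_43.receive_tunnel_packet(encapsulate(inner, "10.10.10.10", "12.12.10.10"))
```

The two functions return what the relay would put on the wire: `vm41_request_to_vm48()` yields a fresh tunnel packet from the relay's own address to VM48 with the inner packet untouched, while `direct_delivery_to_network_b()` yields the bare inner packet because its destination matches the direct route.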
The video surveillance service processing follows the description above. The foregoing four embodiments all use live video on demand as the example to illustrate an IP surveillance system with network isolation devices and how the monitoring nodes on the two sides of a network isolation device communicate. For monitoring service data storage, that is, when the IP monitoring system includes a DM and a storage device, the monitoring nodes on both sides of the network isolation device can likewise perform the required communication by following the live video on-demand process.
FIG. 5 shows the general basic hardware architecture of the various nodes or devices described above; each device differs slightly in its service hardware. An L2TP relay may not need service hardware, an MS may have service hardware, and a VM may not have service hardware. Figure 6 is a general logical block diagram of each of the above nodes or devices, typically implemented by means of a computer program. The logical structure of each device may differ slightly; for example, if the device hosting the L2TP relay is not involved in service processing, it may have no service processing or signaling processing unit, and a VM, being a management server, usually has no service processing unit.

The general logical structure shown in Figure 6 includes a tunnel processing unit, a signaling processing unit, a service processing unit and a network interface unit. The tunnel processing unit includes a connection processing subunit and a packet processing subunit. The signaling processing unit and the service processing unit process signaling data and service data respectively, and the network interface unit is responsible for sending and receiving packets. The connection processing subunit mainly handles the establishment and maintenance of L2TP tunnel connections, and the packet processing subunit mainly encapsulates and decapsulates packets.
A monitoring node of the present invention that traverses a network isolation device in an IP monitoring system includes a tunnel processing unit, a signaling processing unit and a network interface unit, where the tunnel processing unit includes a connection processing subunit and a packet processing subunit. The network interface unit is configured to send and receive packets over the IP network. The connection processing subunit is configured to establish, through the network interface unit and using the node's own first IP address, an L2TP tunnel connection with the L2TP relay, and to obtain the second IP address from the L2TP relay after the L2TP tunnel connection is established.

The packet processing subunit is configured to decapsulate the tunnel packet received by the network interface unit from the L2TP relay to obtain the inner IP packet whose content is monitoring signaling data, and to submit the monitoring signaling data to the signaling processing unit. Here the inner IP packet is a packet sent by a monitoring node outside the network isolation device; the destination address of the tunnel packet is the first IP address and its source address is the IP address of the L2TP relay itself; the destination IP address of the inner IP packet is the second IP address and its source IP address is the IP address of the outer-network monitoring node. The packet processing subunit is further configured to encapsulate the monitoring signaling data generated by the node's signaling processing unit into an inner IP packet, encapsulate the inner IP packet into a tunnel packet and pass it to the network interface unit, which sends it to the L2TP relay; the L2TP relay then forwards the inner IP packet to the monitoring node in the network outside the network isolation device. The source address of the inner IP packet is the second IP address and its destination address is the IP address of the outer-network monitoring node; the source address of the tunnel packet is the IP address of the first monitoring node itself and its destination address is the IP address of the L2TP relay itself.

The monitoring node further includes a service processing unit for processing monitoring service data. The packet processing subunit is further configured to decapsulate the tunnel packet received by the network interface unit from the L2TP relay to obtain the inner IP packet whose content is monitoring service data, and to submit the monitoring service data to the service processing unit. The inner IP packet is a packet sent by a monitoring node outside the network isolation device; the destination address of the tunnel packet is the first IP address and its source address is the IP address of the L2TP relay itself; the destination IP address of the inner IP packet is the second IP address and its source IP address is the IP address of the outer-network monitoring node. Alternatively, the packet processing subunit is further configured to encapsulate the monitoring service data generated by the node's service processing unit into an inner IP packet, encapsulate the inner IP packet into a tunnel packet and pass it to the network interface unit, which sends it to the L2TP relay; the L2TP relay sends the inner IP packet to the monitoring node in the network outside the network isolation device. The source IP address of the inner IP packet is the second IP address and its destination address is the IP address of the outer-network monitoring node; the source address of the tunnel packet is the IP address of the first monitoring node and its destination address is the IP address of the L2TP relay itself.
The invention also provides an L2TP relay device for assisting a monitoring node to traverse a network isolation device in an IP monitoring system. The relay device comprises: a network interface unit, configured to send and receive packets over the IP network; a connection processing subunit, configured to receive the L2TP tunnel connection request sent, as LAC, by the first monitoring node inside the network isolation device from its first IP address and, after the tunnel connection with the first monitoring node is established, to assign the second IP address to the first monitoring node; and a packet processing subunit, configured to receive the tunnel packet from the first monitoring node, decapsulate it to obtain the inner IP packet, and forward that packet to the monitoring node outside the network isolation device according to the destination address of the inner IP packet. The inner IP packet carries the monitoring signaling data or monitoring data sent by the first monitoring node to the monitoring node outside the network isolation device. The source address of the tunnel packet is the first IP address of the first monitoring node and its destination address is the IP address of the L2TP relay itself; the destination address of the inner IP packet is the IP address of the monitoring node outside the network isolation device and its source address is the second IP address. The packet processing subunit further tunnel-encapsulates the IP packet carrying monitoring signaling data or service data sent by the monitoring node outside the network isolation device, the source address of that tunnel packet being the IP address of the L2TP relay itself.
The monitoring system includes isolation devices, EC, VC, VM, DM, MS and L2TP relay. The EC and the VC in a branch network are located inside the isolation device at the egress of their own network, that is, on the isolated or protected side, also called the intranet side. Relative to that isolation device, the monitoring server is naturally located outside it, on what is also called the external network side. Please refer to FIG. 6 and FIG. 8. The tunnel inner IP address assigned to an intranet monitoring node is an external network IP address. The IP address of the VC in the intranet is 10.10.10.10; acting as the LAC, it initiates a dial-up connection to the L2TP server on the external network, starts the L2TP tunnel and obtains the tunnel inner IP address. The IP address of the interface on which the LNS connects to the intranet on the external network is 12.12.10.10. From the perspective of the intranet this address is a public network address, that is, it can be reached directly from the intranet; if it cannot be reached directly, a static mapping to a corresponding public network address can be configured on the isolation device at the network egress. In tunnel mode it is the tunnel outer IP address. The IP address of the interface on which the LNS connects to other devices on the external network is 12.12.12.9. Note that "public network address" and "private network address" are relative and depend on the network planning; for example, a public IP address on the Internet can also be planned to be reused as a private network address.
Although tunnel mode effectively solves the problem posed by the isolation device, it may consume excessive WAN bandwidth. If two monitoring nodes can communicate directly in non-tunnel mode, sending their traffic in tunnel mode across the WAN is obviously a waste of WAN bandwidth. Please refer to FIG. 6 and FIG. 9; the following describes how WAN bandwidth saving is implemented. In the following description, the control-plane signaling processing is performed by the signaling processing unit of each monitoring node, and a packet that the signaling processing unit exchanges with the outside is called a signaling packet; data processing (such as the monitoring video stream) is performed by the service processing unit, and a packet that the service processing unit exchanges with the outside is called a data packet. Tunnel packets are processed on sending and receiving by the tunnel processing unit and then passed through the network interface unit to the IP network. If the communication does not need to go through the tunnel processing unit (that is, non-tunnel mode), the service processing unit or the signaling processing unit can determine from its internal routing table that the current packet is to be submitted directly to the network interface unit. The distinction between a signaling packet and a data packet is based mainly on the content carried: the former mainly carries signaling traffic and the latter mainly carries data traffic. Please refer to FIG. 6 and FIG. 9. The processing flow of this embodiment includes the following steps.
Step 201: The VC and the EC register with the VM through the tunnel; the registration packet can carry the tunnel inner IP address, the node's own IP address and the device identifier in the registration message (the payload of a signaling message) to notify the VM;
Step 202: After receiving the registration message from the tunnel, the VM records the tunnel inner IP address, own IP address and device identifier of the VC and the EC locally;

The EC and the VC need to initiate registration with the VM through signaling packets after going online. Registration messages can be sent to the VM through the tunnel. In addition to the monitoring node's own IP address, the registration message carries the tunnel inner IP address, and in some implementations may also carry the node's own identifier (such as a MAC address or a CPU serial number). The VM saves the IP addresses and identifier carried in the registration message of each registering node and uses them in subsequent service processes.

Step 203: The VC sends the VM a request to receive the video stream of the EC on demand;
Step 204: The VM responds to the VC's on-demand request with a signaling message and notifies the EC by signaling message to send the monitoring video stream to the VC; in the signaling messages sent to the EC and to the VC, the VM carries the tunnel inner IP address and own IP address of the peer monitoring node, and a unique authentication identifier;
Step 205: After receiving the VM's signaling message, the EC or the VC obtains the tunnel inner IP address and own IP address of the peer monitoring node and the unique authentication identifier from the signaling packet and saves them;
Step 206: The EC sends a probe packet to the VC in non-tunnel mode, the probe packet carrying the unique authentication identifier;
Step 207: The VC sends a probe packet to the EC in non-tunnel mode, the probe packet carrying the unique authentication identifier;
Step 208: When the EC or the VC receives the probe packet sent by the peer monitoring node, it checks whether the unique authentication identifier carried in the probe packet is the same as the one it saved; if so, it sends a probe response packet to the peer monitoring node, otherwise it discards the probe packet;
Step 209: If the EC receives the probe response packet sent by the VC in non-tunnel mode within a predetermined time, it notifies the service processing unit to send the video stream to the VC in non-tunnel mode; if within the predetermined time the EC does not receive the VC's probe response packet but does receive the VC's probe packet, the video stream is sent in non-tunnel mode on the TCP or UDP connection carrying the VC's probe packet; if within the predetermined time the EC receives neither the VC's probe response packet nor the VC's probe packet, it notifies the service processing unit to send the video stream in tunnel mode.
The EC and the VC are peer monitoring nodes. The VM allocates a unique authentication identifier for the upcoming live service. The authentication identifier may be generated randomly by the VM according to a predetermined algorithm, or generated by the VM from the identifiers of the two monitoring nodes taking part in the live service, for example simply by concatenating the MAC addresses of the two monitoring nodes to form a 96-bit identifier. The signaling processing unit of each participant in the live service, the EC and the VC, saves the unique authentication identifier locally. The unique authentication identifier is used by a monitoring node, after receiving a probe packet, to confirm whether the node that sent it is its peer in the live service.

Both the EC and the VC have established a tunnel connection with the tunnel server, so communication in tunnel mode is certainly possible. The EC and the VC may also be able to communicate in non-tunnel mode, and if so, non-tunnel mode should be preferred, since it avoids the WAN bandwidth that tunnel mode may consume. Therefore, before sending the video stream to the VC, the EC can send a probe packet to the VC in non-tunnel mode to confirm whether the two parties can communicate that way. Whether the EC and the VC can communicate in non-tunnel mode depends on the NAT relationship between them. Please refer to Table 4, which shows the four NAT relationships and the preconditions for the two parties to communicate in non-tunnel mode.
When the EC or the VC sends a probe packet, it does not know its NAT relationship with the peer monitoring node and cannot determine it. However, the natural feature of the live service is that the EC sends and the VC receives; the VC does not send a video stream to the EC. Therefore, in a basic implementation, only the NAT relationships described in cases 1 and 2 are considered. In case 1 both parties are behind the same NAT device, so the VC can certainly receive the probe packet sent by the EC. Because the intranet device initiates the communication first, if the VC is outside NAT 1, the probe packet sent by the EC can also be received by the VC. Therefore, in cases 1 and 2, the VC only needs to confirm that the unique authentication identifier carried in the packet matches the one it stored locally and, if so, send the probe response message to the EC. In cases 1 and 2 the EC is obviously able to receive the probe response message.

The EC can start a timer when it sends a probe packet. If it receives the VC's probe response before the timer expires, it has confirmed that it can communicate with the VC in non-tunnel mode and can notify the service processing unit to send the video stream to the VC in non-tunnel mode. If the VC's probe response packet is not received before the timer expires, this indicates that a video stream sent by the EC directly in non-tunnel mode cannot be received by the VC, and the EC's signaling processing unit can notify the service processing unit to send the video stream to the VC in tunnel mode.

However, the EC not receiving a probe response after sending its probe does not mean that the two parties have no chance to communicate in non-tunnel mode. When the EC's probe packet is discarded by NAT device 1 and cannot reach the VC (because it does not conform to the NAT working principle that the internal side must initiate first), then, since the VC and the EC each send a probe to the other in non-tunnel mode, the EC does not receive the VC's probe response within the predetermined time (the timer timeout) but does receive the probe packet sent by the VC. The EC can then notify the service processing unit to borrow the TCP or UDP connection on which the VC's probe packet arrived to send the video stream. Borrowing that TCP or UDP connection to send the video stream is a clever use of the working principle of NAT: the internal node must initiate the communication first, which forms an address translation entry in the flow table of the NAT device. An exemplary format of the flow table is given in Table 5. Suppose the IP addresses of the EC and the VC are IP1 and IP2 respectively. When the VC sends a probe packet to the EC, an entry as shown in Table 2 is formed on the NAT device; from the perspective of the EC, it is the NAT device that has established the UDP session. The EC's packets are forwarded by the NAT device to the VC only if their destination address and destination port are the IP address and port 3001 of that entry; if the EC fills in a different destination port or destination address, the packet is discarded by the NAT device. The EC can therefore send the video stream to the VC only by borrowing the TCP or UDP connection on which the VC sent its probe message.

It is also possible that no probe response message is sent at all (corresponding to case 3): both the EC and the VC send a probe packet to the peer and neither can receive it. The EC's timer then obviously expires, and at that point the EC can notify the service processing unit to send the video stream in tunnel mode.
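The NAT flow-table behaviour just described (an entry exists only once the internal node has sent first, and only a packet addressed to exactly that entry's address and port is forwarded) is modelled below as an added example; it is not code from the patent or from the applicant. The `NatDevice` class, the public address 203.0.113.5, the inside addresses and the port numbers are constructed; only port 3001 and the IP1/IP2 naming come from the text, which describes the real table only as Table 5.

```python
"""Added example (not code from the patent or applicant): a minimal NAT
flow-table model showing why the EC can reach the VC only on the connection
that the VC's own probe opened. Public address, inside addresses and ports
are constructed; port 3001 is the value named in the text above."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Datagram:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class NatDevice:
    """Address translation that creates entries only for traffic initiated from inside."""

    def __init__(self, public_ip: str, first_public_port: int = 3001):
        self.public_ip = public_ip
        self.next_port = first_public_port
        self.out_map = {}   # (inside_ip, inside_port) -> public_port
        self.in_map = {}    # public_port -> (inside_ip, inside_port)

    def outbound(self, d: Datagram) -> Datagram:
        """Internal node sends first: allocate (or reuse) a public port and rewrite the source."""
        key = (d.src_ip, d.src_port)
        if key not in self.out_map:
            self.out_map[key] = self.next_port
            self.in_map[self.next_port] = key
            self.next_port += 1
        return Datagram(self.public_ip, self.out_map[key], d.dst_ip, d.dst_port, d.payload)

    def inbound(self, d: Datagram):
        """Forward only if (dst_ip, dst_port) matches an existing entry; otherwise drop (None)."""
        if d.dst_ip != self.public_ip or d.dst_port not in self.in_map:
            return None
        inside_ip, inside_port = self.in_map[d.dst_port]
        return Datagram(d.src_ip, d.src_port, inside_ip, inside_port, d.payload)


EC_IP, EC_PORT = "198.51.100.7", 6000   # IP1: EC outside the NAT (constructed)
VC_IP, VC_PORT = "192.168.1.3", 5000    # IP2: VC inside the NAT (constructed)


def run_probe_and_borrow():
    """Replay the exchange: EC's own probe is dropped, VC's probe opens the entry,
    EC 'borrows' that entry by replying to exactly the translated address:port."""
    nat = NatDevice("203.0.113.5")

    # EC probes first: no entry exists yet, so the NAT discards the packet.
    unsolicited = nat.inbound(Datagram(EC_IP, EC_PORT, nat.public_ip, 3001, "probe"))

    # VC's probe goes out: the entry is created and the EC sees it arrive from public_ip:3001.
    seen_by_ec = nat.outbound(Datagram(VC_IP, VC_PORT, EC_IP, EC_PORT, "probe"))

    # EC sends the video stream back to the address and port the probe came from.
    borrowed = nat.inbound(Datagram(EC_IP, EC_PORT, seen_by_ec.src_ip, seen_by_ec.src_port, "video"))

    # Any other destination port is still dropped, even though the VC is now "known".
    wrong_port = nat.inbound(Datagram(EC_IP, EC_PORT, nat.public_ip, 3002, "video"))

    return {"unsolicited": unsolicited, "seen_by_ec": seen_by_ec,
            "borrowed": borrowed, "wrong_port": wrong_port}
```

`run_probe_and_borrow()` returns the four outcomes: the unsolicited EC probe and the wrong-port packet are `None` (dropped), the VC's probe reaches the EC rewritten to the public address and port 3001, and the EC's reply to that same address and port is translated back to the VC's inside address.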
This embodiment thus handles the NAT relationship problem in the different scenarios in two ways. Suppose EC1's own IP address is 192.168.1., VC1's own IP address is 192.168.1., and VC2's own IP address is also 192.168.1.3. VC1 and EC1 belong to case 4 described in Table 1, so the two parties are certainly unable to communicate in non-tunnel mode. When EC1 sends a probe packet to VC1, the intermediate network device forwards the packet according to its destination address (192.168.1.3), and the packet is actually forwarded to VC2. Assume that VC2 is also receiving the video stream of EC1; it would then answer with a probe response message. After receiving the probe response message, EC1 would consider that it can communicate with VC1 in non-tunnel mode and would send the video stream in non-tunnel mode. VC2 would receive the video stream correctly, but VC1 would never receive the video stream sent by EC1. The unique authentication identifier described above effectively avoids this situation: the probe message sent by EC1 carries the unique authentication identifier, and the identifier VC2 receives is inconsistent with the one VC2 saved, because VC2 also requested EC1 and the authentication identifier VC2 received from the VM differs from the one VC1 received. Therefore VC2 does not send a probe response message to EC1, and EC1 naturally sends the video stream in tunnel mode after the timer expires.
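The probe exchange of Steps 206 to 209 and the EC1/VC1/VC2 address-collision case just described are worked through below as an added example; it is not code from the patent or from the applicant. The `Node` and `VM` classes, the per-service identifier table and the event-style timer model (the decision is evaluated once with "what arrived before the timer expired") are simplifying assumptions; the identifier is generated randomly, which is one of the two options the text allows.

```python
"""Added example (not code from the patent or applicant): the probe exchange of
Steps 206-209 with the VM-issued unique authentication identifier, including
the EC1/VC1/VC2 address-collision case. Node/VM classes, the per-service
identifier table and the event-based timer model are simplifying assumptions."""
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Node:
    name: str
    own_ip: str
    # Step 205: identifier saved locally per live service, keyed by peer name.
    auth_ids: Dict[str, bytes] = field(default_factory=dict)

    def on_probe(self, probe: dict) -> Optional[dict]:
        """Step 208: answer only if the probe's identifier matches one saved here."""
        for saved in self.auth_ids.values():
            if secrets.compare_digest(probe["auth_id"], saved):
                return {"type": "probe_response", "from": self.name, "auth_id": saved}
        return None   # otherwise the probe is discarded


class VM:
    """Step 204: one fresh identifier per live service, handed to both peers."""

    @staticmethod
    def start_live_service(ec: Node, vc: Node) -> bytes:
        auth_id = secrets.token_bytes(12)   # 96 bits, randomly generated
        ec.auth_ids[vc.name] = auth_id
        vc.auth_ids[ec.name] = auth_id
        return auth_id


def ec_decision(got_probe_response: bool, got_vc_probe: bool) -> str:
    """Step 209, evaluated when the EC's probe timer expires."""
    if got_probe_response:
        return "non-tunnel"
    if got_vc_probe:
        return "non-tunnel via VC's probe connection"
    return "tunnel"


def probe_session(ec: Node, vc: Node, delivered_to: Node) -> str:
    """EC probes 'vc' (Step 206) but the network hands the packet to
    'delivered_to'; any response reaches the EC. The VC's own probe of
    Step 207 is modelled as not arriving in this scenario."""
    probe = {"type": "probe", "from": ec.name, "auth_id": ec.auth_ids[vc.name]}
    response = delivered_to.on_probe(probe)
    got_response = response is not None and secrets.compare_digest(
        response["auth_id"], ec.auth_ids[vc.name])
    return ec_decision(got_probe_response=got_response, got_vc_probe=False)


def address_collision_scenario():
    """VC1 and VC2 share 192.168.1.3; EC1's probe meant for VC1 is delivered to VC2."""
    ec1 = Node("EC1", "192.168.1.")      # address truncated as in the text above
    vc1 = Node("VC1", "192.168.1.3")
    vc2 = Node("VC2", "192.168.1.3")
    VM.start_live_service(ec1, vc1)      # VC1 requested EC1's stream
    VM.start_live_service(ec1, vc2)      # VC2 also requested EC1: a different identifier
    return {
        "probe reaches VC1": probe_session(ec1, vc1, delivered_to=vc1),
        "probe misdelivered to VC2": probe_session(ec1, vc1, delivered_to=vc2),
        "only VC's probe arrives": ec_decision(False, True),
    }
```

The block uses the random option the text allows; an identifier derived by concatenating the two MAC addresses would be the same for every service between the same pair of nodes, so a fresh random value per service gives the Step 208 check more to work with. `address_collision_scenario()` shows VC2 discarding the misdelivered probe, which leaves EC1 with no response and sends it to tunnel mode, while the same probe delivered to VC1 yields non-tunnel mode.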
The above describes a method of saving WAN bandwidth during a live service between a monitoring node EC and a VC in a monitoring network. For a voice intercom service between the EC and the VC, the processing is basically similar. The only difference is that, because the voice service sends data packets in both directions, the VC and the EC are peers; transmitting the probe packet and answering with the probe response packet is therefore more flexible, and either party can initiate the voice intercom first. The VC can also enable the timer: if it does not receive the EC's probe response packet within the predetermined time but does receive the EC's probe packet, it can likewise borrow the TCP or UDP connection of the EC's probe packet to send the voice stream to the EC in non-tunnel mode.

Besides the video stream and voice stream that can be sent between the EC and the VC, in a multi-domain monitoring network there is also a need to exchange video streams and voice streams between the MSs of two domains. For example, the video stream of EC1 requested by VC1 may need to be forwarded through MS1 in EC1's domain to MS2 in the other domain and finally to VC1 through MS2. The video stream or voice stream can be forwarded between the two MSs in the same way; the difference is that the two MSs learn each other's own IP address, tunnel inner IP address and device identifier through the interaction of the two domains' VMs at the signaling level. The same applies to the DM (data management server); only the services carried differ, in that the former is a playback service while the latter is a live or voice intercom service.

When two monitoring nodes do not know whether they can communicate in non-tunnel mode, they can use the method described in this embodiment to determine whether non-tunnel mode communication is possible before exchanging data packets. On the basis of solving the problem caused by the isolation device through tunnel mode, this embodiment further achieves bandwidth saving (such as WAN bandwidth saving) and avoids processing pressure on the area where the tunnel server is located (for example, the upper monitoring domain).
The present invention also provides another embodiment to solve the problem of WAN bandwidth consumption. Please refer to Figure 6; the following describes how WAN bandwidth saving is implemented.

Step 301: The VC and the EC register with the VM through the L2TP tunnel. The VC and the EC register using the tunnel inner IP addresses allocated by the LNS, and also carry their own local source IP addresses in the payload of the registration packet to notify the VM. For example, the source IP address of the EC, a client in the intranet, is 10.1.1.2 (optional) and its L2TP tunnel inner IP address is 192.168.1.2; the VC is also a client in the intranet, with source IP address 10.1.1.3 (optional) and L2TP tunnel inner IP address 192.168.1.3.
Step 302: After receiving the registration message from the tunnel, the VM records the address information carried by the device in the registration message.
Step 303: The VC requests the monitoring video stream of the EC through the tunnel; at this point the VC still sends the on-demand request to the VM in the tunnel mode described above.
Step 304: The VM notifies the EC to send the monitoring video stream.
Step 305: After the service transmission channel between the EC and the VC has been established through the tunnel, the VM actively sends a non-tunnel mode attempt instruction to the EC and VC devices; the instruction is carried in the keep-alive messages between the monitoring terminal nodes and the VM. Establishing the service transmission channel in tunnel mode first ensures the smoothness of the service: the EC and the VC can establish the service transmission channel in tunnel mode, which helps to guarantee the experience of the VC end user.
Step 306: After receiving the VM's non-tunnel mode attempt instruction, the EC first initiates non-tunnel mode communication to the other party. The present invention refers to the VC and EC that are carrying out the non-tunnel mode attempt instruction as T-VC and T-EC respectively. The T-EC and the T-VC can exchange packets of a private protocol for the non-tunnel mode communication; for example, the T-EC starts by trying to send a specific packet to the T-VC using the T-VC's internal IP address as the destination address. The attempt can also be initiated first by the VC side.
  • Step 307 If the VC receives the message sent by the EC, the VC reports the received result to the VM; the VC can report by using the SIP message.
  • the VM After receiving the report sent by the VC (which can be carried by the SIP message), the VM determines whether the T-EC and the T-VC can perform the non-tunnel mode according to the report of the VC, if the EC and the VC are notified to switch from the tunnel mode to the non-tunnel mode ( It is usually called intranet communication mode or private network communication mode, which mainly switches the destination IP address of the service flow to the VC's intranet IP address. Otherwise, it returns without processing, and T-EC and T-VC continue to maintain the tunnel mode.
  • the VM can determine whether the two parties can perform the non-tunnel mode according to the actual situation, and the two bases can be combined or implemented separately.
  • the inner layer IP address of the VC that sends the report must be the same as ⁇ -vc.
  • the VM checks whether the VC inner layer IP address of the transmission report is the same as the T-VC stored by itself, and if so, determines that it is non-tunnel mode, otherwise it determines that the non-tunnel mode is not possible.
  • the report sent by the VM to the VC can only indicate that the communication message sent by the EC through the intranet is received by the VC of the same address.
  • the T-EC is communicating with the T-VC with the address of 10. 1. 1. 3 through the tunnel. If the T-VC is indeed on the same intranet as the EC, the T-VC will receive the non-tunnel of such an EC. The mode message is then reported to the VM.
  • T-VC and EC are in different intranets, and there is exactly one VC2 address in the intranet where T-EC is located. 10. 1. 1. 3, VC2 will also receive EC information, which will also be sent to VM. Reporting, if the VM does not judge at this time, it may cause an error. The VM checks whether the inner layer IP address of the VC that sends the report is the same as the tunnel inner IP address of the T-VC that is saved by itself. If yes, the report is indeed sent by the T-VC. Otherwise, the VC that sends the report is other. The VC in the network is just the same as the intranet IP addresses of both parties.
  • the most commonly used mechanism uses Ping and other inspection techniques.
  • the present invention considers that an IP address may be duplicated in different intranets, and the VM is introduced to judge the error caused by the repetition of the IP address. This is also The reason why the present invention is not simply to use a more common technique such as Ping to check whether the EC and VC can perform the non-tunnel mode is the root cause.
  • the inner tunnel IP address of the EC in the VC report is the same as the T-EC.
  • the VM can also check whether the EC in the VC report is a T-EC that is communicating with the T-VC, and if so, it is determined to be in a non-tunnel mode, otherwise it is determined that the non-tunnel mode cannot be performed.
  • T-EC1/T-VC1 and T-EC2/T-VC2 in the same time period, and the instruction of non-tunnel mode attempt is currently being executed.
  • VM can also check the address of the EC in the report of T-VC1.
  • T-VC1 is not If a non-tunnel mode message is received from T-EC1, T-VC1 and T-EC1 are in the same intranet, and the non-tunnel mode cannot be performed. T-EC1/T-VC1 continues to maintain the tunnel mode. Similarly, if the tunnel inner IP address of the EC carried in the report is the same as the tunnel inner IP address of the T-EC2, the VM notifies T-EC 1 and T_VC 1 to switch to the non-tunnel mode.
  • Step 309 After receiving the instruction that the VM switches to the non-tunnel mode, the EC switches from the tunnel mode to the intranet IP communication mode, and modifies the destination IP address of the service flow (that is, the monitoring video stream) to modify the internal network IP address of the VC. Send it out.
  • the destination IP address of the service flow that is, the monitoring video stream
  • the signaling processing unit also controls the service processing unit to switch the flow of the service flow from the tunnel processing unit, so that the service flow is no longer processed by the tunnel. Switching traffic from the tunnel to the intranet can greatly save the valuable bandwidth of the WAN, and make rational use of existing non-tunnel mode resources, especially for large-scale monitoring networks.

Landscapes

  • Engineering & Computer Science (AREA)
  • Signal Processing (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Multimedia (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The present invention provides a method by which a monitoring node in an IP monitoring system traverses a network isolation device. The method comprises: initiating a tunnel connection request to a tunnel server using the monitoring node's own first IP address so as to establish a tunnel connection with the tunnel server, and, after the tunnel connection is established, obtaining from the tunnel server a second IP address assigned by it; decapsulating the tunnel packets received from the tunnel server to obtain inner IP packets whose content is monitoring signalling data, and processing that signalling data; encapsulating the monitoring signalling data generated by this monitoring node into an inner IP packet, then encapsulating the inner IP packet into a tunnel packet and sending it to the tunnel server, which forwards the inner IP packet to a monitoring node in the network outside the network isolation device. The invention effectively helps the monitoring nodes of a monitoring system traverse network isolation devices and solves the various service problems such devices cause.

Description

Method and device for traversing isolation devices in a monitoring network

Technical field
The present invention relates to the field of video surveillance, and in particular to methods and nodes for traversing, and for assisting the traversal of, network isolation devices in an IP monitoring system.

Background
IP-based video surveillance has gradually become the mainstream solution of the security industry and has been applied successfully in large projects such as safe-city programmes, motorways, public-security networks and campuses. The standardisation and openness of IP also make it easy to integrate isolated network islands and to scale the network. Given the scarcity of IPv4 addresses, the overlapping address ranges of existing regional networks and various network security requirements, NAT devices, firewalls and security isolation gateways (network gaps) are deployed extensively in large networks. This makes the signalling and service flows of an IP video surveillance system very complicated and even prevents some services from running in certain topologies. The reasons why communication in a video surveillance network becomes complicated and difficult in the presence of NAT, firewalls and security isolation gateways are outlined below.
When a NAT device is present, the source or destination IP address of an IP packet changes as it passes through the NAT, while a service signalling message usually also carries source and destination IP addresses inside it; the resulting mismatch between internal and external addresses often disrupts video surveillance service flows. In addition, if a device outside the NAT must be the first to initiate a TCP/UDP connection into the intranet, an internal-server address/port mapping has to be configured on the NAT device for each of those intranet devices, which obviously wastes many public addresses and is often not permitted at all. Of course, when the control server can tell which of two interacting devices is inside the NAT and which is outside, it can instruct the inside device to initiate the connection to the outside device. But this requires every session to implement two or more processing flows, and for a service flow consisting of several sessions the combinations become very complicated. Moreover, some standard services do not allow the two parties to swap client/server roles.
When a firewall is present, it must open a considerable number of UDP/TCP ports so that terminals outside the firewall, such as video surveillance clients, can actively access servers inside it, such as the video management server (VM). This introduces security risks into the enterprise intranet.
When a security isolation gateway is present, the many gateways implemented as IP proxies (traffic from outside is first sent to a proxy IP on the gateway, which rewrites the destination IP and forwards the packet into the intranet) usually require the gateway to help modify the internal content of service signalling, because it may contain IP address information. So every new feature developed by a surveillance system vendor may require matching development by the gateway vendor.

Summary of the invention
The present invention provides a method for traversing a network isolation device in an IP monitoring system and the corresponding monitoring node. The monitoring node is located in the network inside the network isolation device; the monitoring system comprises several monitoring nodes and a tunnel server; the monitoring nodes comprise monitoring front-end devices, monitoring back-end devices and at least one kind of monitoring server, the at least one kind of monitoring server being the video management server VM; the monitoring node comprises a tunnel processing unit, a signalling processing unit and a network interface unit, where:
the network interface unit sends and receives packets on the IP network;
the signalling processing unit processes monitoring signalling data;
the tunnel processing unit initiates a tunnel connection request to the tunnel server using the monitoring node's own first IP address so as to establish a tunnel connection with the tunnel server, and after the tunnel connection is established obtains from the tunnel server the second IP address assigned by it;
the tunnel processing unit further decapsulates the tunnel packets that the network interface unit receives from the tunnel server to obtain inner IP packets whose content is monitoring signalling data, and submits that signalling data to the signalling processing unit, where the inner IP packet was sent by a monitoring node outside the network isolation device, the destination address of the tunnel packet is the first IP address, its source address is the tunnel server's own IP address, the destination address of the inner IP packet is the second IP address and its source IP address is the IP address of the outside monitoring node;
the tunnel processing unit further encapsulates the monitoring signalling data generated by the node's signalling processing unit into an inner IP packet, then encapsulates the inner IP packet into a tunnel packet and passes it to the network interface unit, which sends it to the tunnel server; the tunnel server forwards the inner IP packet to the monitoring node in the network outside the network isolation device, where the source address of the inner IP packet is the second IP address, its destination address is the IP address of the outside monitoring node, the source address of the tunnel packet is the monitoring node's own IP address and its destination address is the tunnel server's own IP address.
Compared with the prior art, the scheme of the invention removes the problems of the current IP monitoring system with too many service ports and with rewriting internal messages during NAT translation or gateway traversal. Application development inside the monitoring system becomes simpler, gateway manufacturers no longer have to develop specific support for the monitoring service, and fewer ports or address mappings need to be opened on the customer's firewall.

Brief description of the drawings
Figure 1 is the network diagram of embodiment one;
Figure 2 is the network diagram of embodiment two;
Figure 2a is another network diagram of embodiment two;
Figure 3 is the network diagram of embodiment three;
Figure 4 is the network diagram of embodiment four;
Figure 4a is another network diagram of embodiment four;
Figure 5 is the basic hardware architecture of a monitoring node or L2TP relay device of the invention;
Figure 6 is the logical structure diagram of a monitoring node or L2TP relay device of the invention;
Figure 7 is a network diagram of an IP monitoring system traversing an isolation device through an L2TP tunnel; Figure 8 is another network diagram of an IP monitoring system traversing an isolation device through an L2TP tunnel; Figure 9 is the flow chart of the WAN bandwidth saving in one embodiment of the invention.

Detailed description
When a monitoring node in an IP monitoring system traverses a network isolation device, a first monitoring node located in the network inside the isolation device acts as LAC and uses its own first IP address to initiate a tunnel connection request to a tunnel server (for example an LNS, also called an L2TP relay here) so as to establish an L2TP tunnel connection with it. The invention is described using an L2TP implementation as the example; a person of ordinary skill in the art can refer to the relevant RFCs published by the Internet Engineering Task Force (IETF) and implement the invention with tunnel technologies such as PPTP, GRE or MPLS VPN accordingly.
After the L2TP tunnel connection is established, the first monitoring node obtains from the L2TP relay the second IP address assigned by it. The first monitoring node receives tunnel packets from the L2TP relay and decapsulates them to obtain inner IP packets whose content is monitoring signalling data; the inner IP packet is a monitoring signalling packet sent by a monitoring node in the network outside the isolation device; the tunnel packet's destination address is the first IP address and its source address is the L2TP relay's own IP address; the inner IP packet's destination address is the second IP address and its source address is the outside monitoring node's IP address. The first monitoring node extracts the monitoring signalling data from the inner IP packet and performs the corresponding signalling processing. The first monitoring node encapsulates the monitoring signalling data it generates into an inner IP packet, encapsulates that into a tunnel packet and sends it to the L2TP relay, which forwards the inner IP packet to the monitoring node in the network outside the isolation device; the inner IP packet's source address is the second IP address, its destination address is the outside monitoring node's IP address, the tunnel packet's source address is the first monitoring node's own IP address and its destination address is the L2TP relay's own IP address.
The first monitoring node may also receive tunnel packets from the L2TP relay and decapsulate them to obtain inner IP packets whose content is monitoring service data; the inner IP packet is a monitoring service data packet sent by a monitoring node in the outside network, the tunnel packet's destination address is the first IP address, its source address is the L2TP relay's own IP address, the inner IP packet's destination address is the second IP address and its source address is the outside monitoring node's IP address; or
the first monitoring node encapsulates the monitoring service data it generates into an inner IP packet, encapsulates that into a tunnel packet and sends it to the L2TP relay, which forwards the inner IP packet to the monitoring node in the network outside the isolation device, where the inner IP packet's source address is the second IP address, its destination address is the outside monitoring node's IP address, the tunnel packet's source address is the first monitoring node's own IP address and its destination address is the L2TP relay's own IP address. When the first monitoring node is a VM, the VM receives, from the L2TP relay through the L2TP tunnel, monitoring signalling data encapsulated in tunnel packets and originally sent by an EC or a VC.
When an L2TP relay in an IP monitoring system assists a monitoring node in traversing a network isolation device, the L2TP relay, acting as LNS, receives the L2TP tunnel connection request that the first monitoring node inside the isolation device, acting as LAC, sends from its own first IP address; after establishing the tunnel connection with the first monitoring node it assigns the second IP address to it; it receives tunnel packets from the first monitoring node and decapsulates them to obtain inner IP packets, which carry monitoring signalling data or service data sent by the first monitoring node to a monitoring node outside the isolation device, where the tunnel packet's source address is the first monitoring node's first IP address, its destination address is the L2TP relay's own IP address, the inner IP packet's destination address is the IP address of the outside monitoring node and its source address is the second IP address; it forwards each packet to the monitoring node outside the isolation device according to the inner IP packet's destination address; and it tunnel-encapsulates the IP packets carrying monitoring signalling data or monitoring service data sent by monitoring nodes outside the isolation device and sends them to the first monitoring node, where the IP packet's destination address is the second IP address, its source IP address is the outside monitoring node's IP address, the encapsulated tunnel packet's destination IP address is the first IP address and its source address is the L2TP relay's own IP address.
The second IP address belongs to the IP addresses planned for the network outside the isolation device and is assigned by the L2TP relay. Alternatively, the second IP address belongs to an address range planned independently by the L2TP relay itself; in that case the L2TP relay also has an L2TP tunnel connection with the outside monitoring node, the IP packets sent by the outside monitoring node are inner IP packets encapsulated in that tunnel, and the L2TP relay decapsulates the tunnel packets sent by the outside monitoring node to obtain inner IP packets whose source IP address is the address assigned to the outside monitoring node by the L2TP relay and whose destination address is the second IP address assigned to the first monitoring node. The monitoring nodes in the network outside the isolation device include the VM and the MS. In a preferred form, the L2TP relay is the MS outside the isolation device.
The invention is described in further detail below with reference to the drawings and specific embodiments. The nodes and devices involved are defined as follows. Monitoring front-end device: for example an IPC (IP camera) or an EC (encoder); the EC is used as the example below. Monitoring back-end device: for example a VC (video client, the monitoring client). VM is the video management server, DM the data management server, MS the media switching server and IPSAN the IP storage server. The tunnel server is exemplified by an LNS, which this invention also calls an L2TP relay because it has to perform packet forwarding as well.
Embodiment one
Referring to Figure 1, the IP monitoring system contains several monitoring nodes. Monitoring node EC11 is isolated from another network by a network isolation device, which may be a NAT device, a firewall, a security gateway or the like. In this embodiment the network containing EC11 is the network inside the isolation device, called network A; it is isolated, or protected, by the isolation device. The network outside the isolation device is called network B. Because of the isolation device, network A can access network B at any time, while network B cannot access network A unless the isolation device is specially configured. In this embodiment the IP monitoring system also includes an L2TP relay device 14. The IP address that EC11 obtained in network A (10.10.10.0/24) is 10.10.10.10. The IP address of L2TP relay device 14 is 12.12.10.10; from network A's point of view this is a public address, i.e. network A can access it directly. If the address cannot be reached directly, a static mapping to a corresponding public address can be configured on the isolation device at the network's exit.
Monitoring node EC11, acting as LAC, uses its own IP address 10.10.10.10 to initiate a tunnel connection request to L2TP relay 14 acting as LNS, so as to establish an L2TP tunnel connection with it. On receiving the request, L2TP relay 14 establishes the tunnel connection with EC11 and assigns it an address from its address pool. The addresses in the pool of L2TP relay 14 belong to the IP addresses planned for network B but differ from those of the devices already present in network B. The pool addresses belong to 12.12.11.0/24, and the address assigned to EC11 is 12.12.11.10.
Once EC11 has obtained the address 12.12.11.10 assigned by L2TP relay 14, it can use that address when communicating with monitoring nodes in network B. For example, when EC11 registers with video management server VM13 in network B, it tunnel-encapsulates the registration packet. Here the IP address of VM13 is 12.12.12.10, in network 12.12.12.0/24. EC11 encapsulates the monitoring signalling data, i.e. the content of the registration packet, into an inner IP packet, then encapsulates the inner IP packet into a tunnel packet and sends it to L2TP relay 14; the inner IP packet's source address is 12.12.11.10 and its destination address is VM13's address 12.12.12.10; the tunnel packet's source address is EC11's own address 10.10.10.10 and its destination address is L2TP relay 14's address 12.12.10.10. L2TP relay 14 receives the tunnel packet from EC11 and decapsulates it to obtain the inner IP packet, which it routes by destination IP address according to the routing information it holds. The routing information of the L2TP relay in this example is shown in Table 1:
Table 1 (routing table of L2TP relay 14; image not reproduced)
According to the destination IP address 12.12.12.10, L2TP relay 14 sends the packet out of interface Interface2. The registration packet of EC11 in network A is thus routed to VM13 in network B. VM13 processes the registration packet by storing EC11's information locally. When a VC needs to request the video stream of EC11, the monitoring signalling data with which VM13 instructs EC11 to send the monitoring video stream is encapsulated in an IP packet and routed to L2TP relay 14, which tunnel-encapsulates the IP packet sent by VM13 and sends it to EC11; the IP packet's destination address is EC11's assigned address 12.12.11.10 and its source address is VM13's address 12.12.12.10, while the encapsulated tunnel packet's destination IP address is EC11's own address 10.10.10.10 and its tunnel source IP address is L2TP relay 14's address 12.12.10.10. EC11 receives the tunnel packet from the L2TP relay, decapsulates it to obtain the inner IP packet, extracts the monitoring signalling data from it and performs the corresponding signalling processing. As instructed by the signalling, EC11 sends the monitoring service data to the appropriate monitoring node. According to its own routing table, EC11 sends the monitoring service data either through the tunnel or directly without it. When sending through the tunnel, EC11 encapsulates the generated monitoring service data into an inner IP packet, then encapsulates that into a tunnel packet and sends it to L2TP relay 14; the inner IP packet's source address is EC11's assigned address 12.12.11.10 and its destination address is the IP address of the monitoring node receiving the service data, such as a VC or an MS, which may be in any network, including but not limited to network A or network B, for instance VC12 in network A and VC15 in network B in Figure 1; the tunnel packet's source address is EC11's own address 10.10.10.10 and its destination address is the IP address of L2TP relay 14. L2TP relay 14 receives the tunnel packet from EC11, decapsulates it to obtain the inner IP packet and sends the packet on according to the inner IP packet's destination IP address.
When VC12 in network A requests the video stream of EC11, VC12 registers with VM13 in the same way as EC11: VC12 first establishes an L2TP tunnel with L2TP relay 14. When VC12 later requests EC11's video stream, the request signalling is first sent to VM13 through the L2TP tunnel between VC12 and L2TP relay 14; the monitoring service data subsequently sent by EC11 reaches L2TP relay 14 through the tunnel between EC11 and L2TP relay 14 and is then sent to VC12 through the tunnel between VC12 and L2TP relay 14.
When VC15 in network B requests the video stream of EC11, VC15 registers with VM13. When VC15 requests EC11's video stream, the request signalling is sent directly to VM13; the monitoring service data subsequently sent by EC11 can reach VC15 directly without passing through the tunnel between EC11 and L2TP relay 14, or can reach L2TP relay 14 through that tunnel and be sent on to VC15 by L2TP relay 14.
Considering that implementing L2TP relay 14 with an additional router or other network device is relatively costly, in a preferred form, if an MS forwarding device exists in network B of the IP monitoring system, the MS can act as L2TP relay 14. When a video stream is requested, VM13 instructs EC11 to send the video service data to the MS acting as L2TP relay 14, and the MS forwards the video service data according to the address of the requesting VC.
Embodiment two
Referring to Figure 2, the difference from Figure 1 is that monitoring node VM23 in network B itself also acts as LAC and initiates a tunnel connection request to L2TP relay 24 acting as LNS so as to establish an L2TP tunnel connection; network B also contains an MS26, which likewise acts as LAC and establishes an L2TP tunnel connection with L2TP relay 24. Monitoring node EC21 in network A acts as LAC and establishes an L2TP tunnel connection with L2TP relay 24. The IP addresses that L2TP relay 24 assigns to EC21, VM23 and MS26 may come from an independent address pool, i.e. a separately planned IP address range that does not consume the addresses planned for network B, such as 14.14.14.0/24 or 15.15.10.0/24. The communication process of the monitoring nodes in Figure 2 is described using 14.14.14.0/24 as the example.
EC21, acting as LAC, uses its own IP address 10.10.10.10 to initiate a tunnel connection request to L2TP relay 24 acting as LNS. On receiving the request, L2TP relay 24 establishes the tunnel connection with EC21 and assigns it the pool address 14.14.14.10. Likewise, VM23 uses its own IP address 12.12.12.10 to initiate a tunnel connection request to L2TP relay 24, which establishes the tunnel connection and assigns VM23 the pool address 14.14.14.12. Likewise, MS26 initiates a tunnel connection request to L2TP relay 24 and is assigned 14.14.14.14. When EC21 registers with VM23 it tunnel-encapsulates the registration packet: the monitoring signalling data, i.e. the content of the registration packet, is encapsulated into an inner IP packet, which is encapsulated into a tunnel packet and sent to L2TP relay 24. L2TP relay 24 receives the tunnel packet from EC21 and decapsulates it to obtain the inner IP packet, which it routes by destination IP address according to the routing information it holds, shown in Table 2:
Table 2 (routing table of L2TP relay 24; image not reproduced)
From the destination IP address 14.14.14.12, L2TP relay 24 determines that the registration packet must be tunnel-encapsulated and sent out of interface L2TP-VT1:2. L2TP relay 24 tunnel-encapsulates the inner IP packet with source address 14.14.14.10 and destination address 14.14.14.12; the tunnel packet's source IP address is L2TP relay 24's own address 12.12.10.10 and its destination IP address is VM23's own address 12.12.12.10. The encapsulated tunnel packet reaches VM23 through the tunnel between L2TP relay 24 and VM23; VM23 decapsulates it to obtain the inner IP packet and stores the EC's registration information locally.
When a VC requests the video stream of EC21, the monitoring signalling data with which VM23 instructs EC21 to send the monitoring video stream is encapsulated in an IP packet, further encapsulated in a tunnel packet and sent to L2TP relay 24 through the tunnel between VM23 and L2TP relay 24; the inner IP packet carrying the signalling has source IP address 14.14.14.12 and destination IP address 14.14.14.10, while the tunnel packet's source IP address is VM23's own address 12.12.12.10 and its destination IP address is 12.12.10.10. L2TP relay 24 decapsulates the tunnel packet to obtain the inner IP packet and, according to the inner destination IP address 14.14.14.10, tunnel-encapsulates the inner packet again and sends it to EC21 through the tunnel between L2TP relay 24 and EC21; the tunnel source IP address is L2TP relay 24's own address 12.12.10.10 and the tunnel destination IP address is EC21's own address 10.10.10.10. EC21 receives the tunnel packet, decapsulates it to obtain the inner IP packet, extracts the monitoring signalling data and performs the corresponding signalling processing. This signalling instructs EC21 to send the monitoring service data to MS26.
Similarly, VM23 instructs MS26 to receive the monitoring service data sent by EC21 and to forward it to the VC. EC21 sends the monitoring service data, tunnel-encapsulated, to L2TP relay 24 through its own tunnel with the relay: the inner IP packet's source address is EC21's assigned address 14.14.14.10 and its destination address is the address 14.14.14.14 of MS26, which receives the service data; the tunnel packet's source address is E
C21's own address 10.10.10.10 and its destination address is the IP address of L2TP relay 24. L2TP relay 24 receives the tunnel packet from EC21, decapsulates it to obtain the inner IP packet, tunnel-encapsulates it according to the inner destination IP address and sends it to MS26 through the tunnel between L2TP relay 24 and MS26, the encapsulation being as before. MS26 decapsulates the tunnel packet to obtain the monitoring service data packet and, following VM23's instruction and its own routing table, sends the monitoring service data to the corresponding VC, for example VC25.
As shown in Figure 2a, when a video stream is requested, VM23 instructs EC21 to send the video service data to MS26, which forwards it according to the address of the requesting VC. For example, when VC22 in network A requests EC21's video stream, VC22 first registers with VM23, following the same registration process as EC21. An L2TP tunnel is established between VC22 and MS26 acting as L2TP relay. When VC22 later requests EC21's video stream, the request signalling is sent to VM23 through the L2TP tunnel between VC22 and MS26 and then the L2TP tunnel between MS26 and VM23, the tunnel packets being encapsulated in the same way as EC21's registration packet to VM23. The monitoring service data subsequently sent by EC21 reaches MS26 through the tunnel between EC21 and MS26 and is then sent to VC22 through the tunnel between VC22 and MS26.
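The following is an added example, not code from the patent or from the applicant: a small Python model of what the L2TP relay does in embodiments one and two, i.e. decapsulate a tunnel packet arriving from a LAC, route the inner packet by its destination address, and either hand it to a network B interface or re-encapsulate it into another tunnel whose outer destination is the LAC's own (first) address. The class and function names are assumptions; the addresses are the ones used in the text.

```python
"""Added example (not the patent's code): a toy model of the L2TP relay forwarding
logic in embodiments one and two. Class and function names are the author's
assumptions; the addresses are those used in the text."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Tuple, Union


@dataclass(frozen=True)
class Pkt:
    src: str
    dst: str
    payload: Union[str, "Pkt"]   # str = signalling/service data; Pkt = this is a tunnel packet


class L2TPRelay:
    """LNS that also routes the inner packets, the 'L2TP relay' of the text."""

    def __init__(self, own_ip: str) -> None:
        self.own_ip = own_ip
        self.routes: List[Tuple[object, Tuple[str, str]]] = []   # (network, ("iface", name) | ("tunnel", lac_ip))

    def add_route(self, net: str, iface: str) -> None:
        self.routes.append((ip_network(net), ("iface", iface)))

    def accept_tunnel(self, lac_own_ip: str, inner_ip: str) -> str:
        """A LAC dialled in from its own (first) address: hand out the inner (second)
        address and install a host route for it that points into this tunnel."""
        self.routes.append((ip_network(inner_ip + "/32"), ("tunnel", lac_own_ip)))
        return inner_ip

    def lookup(self, dst: str) -> Tuple[str, str]:
        best = None
        for net, nh in self.routes:                       # longest prefix wins
            if ip_address(dst) in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, nh)
        if best is None:
            raise LookupError("no route to " + dst)
        return best[1]

    def handle(self, pkt: Pkt) -> Tuple[str, Pkt]:
        """Process one packet arriving at the relay and return (egress, packet sent).
        A tunnel packet addressed to the relay is decapsulated first; a plain packet
        from network B is routed as it is."""
        is_tunnel = pkt.dst == self.own_ip and isinstance(pkt.payload, Pkt)
        inner = pkt.payload if is_tunnel else pkt
        kind, target = self.lookup(inner.dst)
        if kind == "tunnel":
            # re-encapsulate: outer src = relay, outer dst = LAC's own address, inner unchanged
            return "tunnel", Pkt(self.own_ip, target, inner)
        return target, inner


def embodiment_one() -> Tuple[str, Pkt, str, Pkt]:
    """EC11 (network A, 10.10.10.10) registers with VM13 (network B, 12.12.12.10) through
    relay 14 (12.12.10.10); the inner address 12.12.11.10 is taken from network B's plan."""
    relay = L2TPRelay("12.12.10.10")
    relay.add_route("12.12.12.0/24", "Interface2")
    ec11 = relay.accept_tunnel("10.10.10.10", "12.12.11.10")
    register = Pkt("10.10.10.10", "12.12.10.10", Pkt(ec11, "12.12.12.10", "REGISTER EC11"))
    iface, to_vm = relay.handle(register)
    reply = Pkt("12.12.12.10", ec11, "SEND MONITORING VIDEO STREAM")   # VM13 -> EC11, routed to the relay
    egress, to_ec = relay.handle(reply)
    return iface, to_vm, egress, to_ec


def embodiment_two() -> Tuple[str, Pkt]:
    """VM23 is itself a LAC; both inner addresses come from the independent pool 14.14.14.0/24,
    so the relay decapsulates from one tunnel and re-encapsulates into the other."""
    relay = L2TPRelay("12.12.10.10")
    ec21 = relay.accept_tunnel("10.10.10.10", "14.14.14.10")
    vm23 = relay.accept_tunnel("12.12.12.10", "14.14.14.12")
    register = Pkt("10.10.10.10", "12.12.10.10", Pkt(ec21, vm23, "REGISTER EC21"))
    return relay.handle(register)


if __name__ == "__main__":
    print(embodiment_one())
    print(embodiment_two())
```

The host route installed per tunnel is what lets the relay pick the right LAC for a returning packet; in embodiment two the same lookup sends the packet into VM23's tunnel instead of out of a physical interface, and the inner packet is never rewritten, which is the property that spares the gateway vendors the signalling-rewriting work described in the background section.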
Embodiment three
Referring to Figure 3, the IP monitoring system includes monitoring node VM31, which is isolated from another network by a network isolation device. The network containing VM31 is the network inside the isolation device, called network A; the network outside it is called network B. Because of the isolation device, network B cannot access network A without special configuration. The IP monitoring system also contains an L2TP relay device 33. The own IP address of VM31 is 10.10.10.10, and one IP address of L2TP relay device 33 is 12.12.10.10. VM31 needs to communicate with other monitoring nodes in network B, such as EC36 and VC37.
VM31 initiates a tunnel connection request to L2TP relay 33 to establish an L2TP tunnel connection. On receiving the request, L2TP relay 33 establishes the tunnel connection with VM31 and assigns it an address from its pool, whose addresses belong to the IP addresses planned for network B. The address assigned to VM31 by L2TP relay 33 is 12.12.11.10. Once VM31 has obtained the assigned address, it is made known to EC36 and VC37 in network B so that they can register with VM31.
Taking EC36 as the example, the registration with VM31 proceeds as follows. EC36 sends a registration packet whose destination IP address is VM31's assigned address 12.12.11.10; the packet is routed to L2TP relay 33, which tunnel-encapsulates it: the registration packet is encapsulated into an inner IP packet, which is encapsulated into a tunnel packet and sent to VM31. The inner packet's destination address is VM31's address 12.12.11.10 and its source address is EC36's own address, e.g. 12.12.12.16; the tunnel packet's source address is L2TP relay 33's own address 12.12.10.10 and its destination address is VM31's own address 10.10.10.10. VM31 receives the tunnel packet from the tunnel, decapsulates it to obtain the inner IP packet and stores EC36's information locally. VC37 registers with VM31 in the same way as EC36. When EC34 or VC35 in network A registers with VM31 in network A, it simply sends a registration packet with destination address 10.10.10.10 to VM31.
Monitoring node MS32 in network A establishes an L2TP tunnel connection with L2TP relay 33 in the same way as VM31 and obtains an address assigned by L2TP relay 33. EC34 and VC35 in network A do not need to establish separate L2TP tunnels with L2TP relay 33. If there is no MS32 in network A, EC34 and VC35 establish L2TP tunnels with L2TP relay 33.
When VC37 in network B requests the video stream of EC34 in network A, VC37's request signalling packet is sent to VM31 in the same way as EC36's registration packet. The monitoring signalling packet with which VM31 instructs EC34 to send the monitoring video stream is sent to EC34 directly within network A, with EC34's IP address 10.10.10.8 as destination IP address. This signalling packet instructs the EC to send the monitoring service data to MS32, and EC34 does so as instructed. VM31 instructs MS32 to send the monitoring service data to VC37. According to its own routing table, MS32 sends the monitoring service data either through the tunnel or directly without it. The way MS32 sends monitoring service data through the tunnel (MS32 having already established an L2TP tunnel with L2TP relay 33) is the same as in embodiment one and is not repeated here. If there is no MS32 in network A, EC34 itself sends the monitoring service data through the tunnel or directly, according to its own routing table.
When VC35 requests the video surveillance stream of EC36, VC35 sends the video request packet within the intranet with its own IP address 10.10.10.6 as source IP address and VM31's address 10.10.10.10 as destination IP address.
On receiving the request, VM31 sends EC36 a monitoring signalling packet instructing it to send the monitoring video stream; this signalling data may be sent through the tunnel or not, as determined mainly by the VM's routing table. The signalling packet instructs EC36 to send the monitoring service data to MS32. After receiving it, EC36 first routes the monitoring video data to L2TP relay 33, which tunnel-encapsulates the service data packets according to their destination IP address. The encapsulated tunnel packets are sent to MS32 through the tunnel between L2TP relay 33 and MS32. MS32 decapsulates them to obtain the inner packets and sends them to VC35 as instructed by VM31. If L2TP relay 33 were a separate router or other network device, the cost would be relatively high, so the MS can act as L2TP relay 33.
Embodiment four
Referring to Figure 4, the difference from Figure 3 is that monitoring node VM48 in network B itself initiates a tunnel connection request to L2TP relay 43 and establishes an L2TP tunnel connection with it; network B also contains an MS49, which likewise establishes an L2TP tunnel connection with L2TP relay 43; and monitoring node VM41 in network A also establishes an L2TP tunnel connection with L2TP relay 43. In this case the IP addresses that L2TP relay 43 assigns to VM41, VM48 and MS49 can come from an independent address pool, i.e. a separately planned address range that does not consume the addresses planned for network B, such as 14.14.14.0/24 or 15.15.10.0/24.
Figure 4 is a two-level structure with two management domains: VM41, MS42, EC44 and VC45 form monitoring domain X, and VM48, MS49, EC46 and VC47 form monitoring domain Y. Domain X is the lower domain and Y the upper domain, which manages X. EC44, VC45 and MS42 register with VM41; their registration packets need not pass through a tunnel and are sent directly with VM41's IP address 10.10.10.10 as destination, and VM41 stores the registration information. EC46, VC47 and MS49 register with VM48; their registration packets need not pass through a tunnel and are sent directly with VM48's IP address 12.12.12.10 as destination, and VM48 stores the registration information. VM41 registers with VM48: VM41 uses its own IP address 10.10.10.10 to initiate a tunnel connection request to L2TP relay 43, which establishes the tunnel connection with VM41 and assigns it the pool address 14.14.14.10/24. VM48 uses its own IP address 12.12.12.10 to initiate a tunnel connection request to L2TP relay 43, which establishes the tunnel connection with VM48 and assigns it the pool address 14.14.14.12/24. Likewise MS42 requests a tunnel connection from L2TP relay 43 and is assigned 14.14.14.14, and MS49 requests a tunnel connection from L2TP relay 43 and is assigned 14.14.14.15. When a VC in network A requests a video stream from network B, for example VC45 requesting the monitoring video data of EC46, VC45 sends the request directly to VM41 within network A. VM41 encapsulates the request into an inner IP packet, then encapsulates the inner IP packet into a tunnel packet and sends it to L2TP relay 43; the inner IP packet's source address is 14.14.14.10 and its destination address is VM48's assigned address 14.14.14.12; the tunnel packet's source address is VM41's own address 10.10.10.10 and its destination address is L2TP relay 43's address 12.12.10.10. L2TP relay 43 decapsulates the tunnel packet to obtain the inner IP packet, which it routes by destination IP address according to the routing information it holds, shown in Table 3:
Table 3 (routing table of L2TP relay 43; image not reproduced)
From the destination IP address 14.14.14.12, L2TP relay 43 determines that the packet must be tunnel-encapsulated and sent out of interface L2TP-VT1:2. L2TP relay 43 tunnel-encapsulates the inner IP packet with source address 14.14.14.10 and destination address 14.14.14.12; the tunnel packet's source IP address is L2TP relay 43's own address 12.12.10.10 and its destination IP address is VM48's own address 12.12.12.10. The encapsulated tunnel packet reaches VM48 through the tunnel between L2TP relay 43 and VM48, and VM48 decapsulates it to obtain the inner IP packet. VM48 tells EC46 to send the monitoring video service data to MS49. MS49 tunnel-encapsulates the packets and sends them to L2TP relay 43 through the tunnel between MS49 and L2TP relay 43; L2TP relay 43 decapsulates them, determines that they must again be sent through a tunnel, tunnel-encapsulates the monitoring service data again and sends it to MS42 through the tunnel between L2TP relay 43 and MS42, and MS42 forwards it to VC45. This forwarding of monitoring service data through two tunnel encapsulations is similar to the forwarding of monitoring signalling or monitoring data through two tunnels described above.
The processing when VC47 requests EC44 is similar to VC45 requesting EC46 and is not repeated. If L2TP relay 43 were a separate router or other network device the cost would be high, so in embodiment four it is preferable for MS49 to act as the L2TP relay, as shown in Figure 4a. The video surveillance service processing is as described above.
The four embodiments above all use the live video request as the example to explain how the monitoring nodes on the two sides of a network isolation device communicate in an IP monitoring system containing such a device. For the storage of monitoring service data, i.e. when the IP monitoring system further includes DMs and storage devices, the monitoring nodes on the two sides of the isolation device can communicate as needed by following the live video request flows above.
Referring to Figures 5 and 6, Figure 5 is a generic basic hardware architecture for the nodes and devices above; the service hardware differs slightly between devices. For example, the L2TP relay may not need service hardware, although if an MS acts as L2TP relay it may have service hardware; likewise the VM may have no service hardware. Figure 6 is the generic logical structure of the nodes and devices above, usually realised by computer programs. Again the logical structure of each device may differ slightly: if the device hosting the L2TP relay is not involved in service processing it may have no service or signalling processing unit, and the VM, being a management server, usually has no service processing unit.
The generic logical structure shown in Figure 6 comprises a tunnel processing unit, a signalling processing unit, a service processing unit and a network interface unit. The tunnel processing unit comprises a connection processing sub-unit and a packet processing sub-unit. The signalling processing unit and the service processing unit process signalling data and service data respectively. The network interface unit sends and receives packets. The connection processing sub-unit mainly establishes and maintains L2TP tunnel connections, and the packet processing sub-unit mainly encapsulates and decapsulates packets.
Referring to Figure 6, a monitoring node of the invention that traverses a network isolation device in an IP monitoring system comprises a tunnel processing unit, a signalling processing unit and a network interface unit, the tunnel processing unit comprising a connection processing sub-unit and a packet processing sub-unit. The network interface unit sends and receives packets on the IP network; the signalling processing unit processes monitoring signalling data; the connection processing sub-unit uses the monitoring node's own first IP address to initiate a tunnel connection request to the L2TP relay acting as LNS so as to establish an L2TP tunnel connection, and after the L2TP tunnel connection is established obtains from the L2TP relay the second IP address assigned by it; the packet processing sub-unit decapsulates the tunnel packets the network interface unit receives from the L2TP relay to obtain inner IP packets whose content is monitoring signalling data and submits that data to the signalling processing unit, where the inner IP packet was sent by a monitoring node outside the isolation device, the tunnel packet's destination address is the first IP address, its source address is the L2TP relay's own IP address, the inner IP packet's destination address is the second IP address and its source IP address is the outside monitoring node's IP address; the packet processing sub-unit further encapsulates the monitoring signalling data generated by the node's signalling processing unit into an inner IP packet, encapsulates that into a tunnel packet and passes it to the network interface unit, which sends it to the L2TP relay; the L2TP relay forwards the inner IP packet to the monitoring node in the network outside the isolation device, where the inner IP packet's source address is the second IP address, its destination address is the outside monitoring node's IP address, the tunnel packet's source address is the first monitoring node's own IP address and its destination address is the L2TP relay's own IP address.
The monitoring node further comprises a service processing unit for processing monitoring service data. The packet processing sub-unit is further used to decapsulate the tunnel packets the network interface unit receives from the L2TP relay to obtain inner IP packets whose content is monitoring service data and to submit that data to the service processing unit, where the inner IP packet was sent by a monitoring node outside the isolation device, the tunnel packet's destination address is the first IP address, its source address is the L2TP relay's own IP address, the inner IP packet's destination address is the second IP address and its source IP address is the outside monitoring node's IP address; or the packet processing sub-unit is further used to encapsulate the monitoring service data generated by the node's service processing unit into an inner IP packet, encapsulate that into a tunnel packet and pass it to the network interface unit, which sends it to the L2TP relay; the L2TP relay forwards the inner IP packet to the monitoring node in the outside network, where the inner IP packet's source address is the second IP address, its destination address is the outside monitoring node's IP address, the tunnel packet's source address is the first monitoring node's own IP address and its destination address is the L2TP relay's own IP address.
The invention also provides an L2TP relay device that assists monitoring nodes in traversing a network isolation device in an IP monitoring system. The relay device comprises: a network interface unit for sending and receiving packets over the IP network; a connection processing sub-unit for receiving the L2TP tunnel connection request that a first monitoring node acting as LAC inside the isolation device sends from its own first IP address, and for assigning the first monitoring node a second IP address after establishing the tunnel connection with it; and a packet processing sub-unit for receiving tunnel packets from the first monitoring node, decapsulating them to obtain inner IP packets and forwarding each according to its destination address to the monitoring node outside the isolation device, where the inner IP packet carries monitoring signalling data or monitoring data sent by the first monitoring node to the outside monitoring node, the tunnel packet's source address is the first monitoring node's first IP address, its destination address is the L2TP relay's own IP address, the inner IP packet's destination address is the outside monitoring node's IP address and its source address is the second IP address. The packet processing sub-unit is further used to tunnel-encapsulate the IP packets carrying monitoring signalling data or service data sent by monitoring nodes outside the isolation device and to send them to the first monitoring node, where the IP packet's destination address is the second IP address, its source address is the outside monitoring node's IP address, the encapsulated tunnel packet's destination IP address is the first IP address and its source address is the L2TP relay's own IP address.
The above provides a communication mode that traverses isolation devices through a tunnel (hereafter the tunnel mode). The tunnel mode, however, still leaves room for optimisation. Referring to Figure 7, the monitoring system comprises isolation devices, ECs, VCs, a VM, a DM, an MS and an L2TP relay. In Figure 7 the EC and VC of a branch network are inside the isolation device at their network's exit, i.e. on the isolated or protected side, also called the intranet side, while the monitoring servers are naturally outside that isolation device, on the extranet side. Referring to Figures 6 and 8, here the tunnel inner IP address assigned to an intranet monitoring node (taking the VC as the LAC client) is an extranet IP address. The VC's IP address on the intranet is 10.10.10.10; acting as LAC it dials the L2TP server on the extranet to start the L2TP tunnel and obtain a tunnel inner IP address. The IP address of the interface of the LNS on the extranet that faces the intranet is 12.12.10.10; from the intranet's point of view this is a public address, i.e. one the intranet can reach directly; if it cannot be reached directly, a static mapping to a public address can be configured on the isolation device at the network exit. In tunnel mode it is the tunnel outer IP address. The IP address of the LNS interface that faces the other extranet devices is 12.12.12.9. Note that public and private addresses are relative terms that depend on network planning: public Internet addresses may also be planned for reuse as private addresses.
Although the tunnel mode effectively solves the problems of isolation devices, it can consume excessive WAN bandwidth: if two monitoring nodes could have communicated directly in non-tunnel mode, detouring through the WAN in tunnel mode is clearly a waste of WAN bandwidth. Referring to Figures 6 and 9, the following describes how this embodiment saves WAN bandwidth. In the description below, control-plane signalling is handled by the signalling processing unit of each monitoring node, and the packets the signalling processing unit exchanges with the outside are called signalling packets; data services (such as monitoring video streams) are handled by the service processing unit, whose packets are called data packets; tunnel packets are handled by the tunnel processing unit and then sent to the IP network through the network interface unit. If the communication does not need to go through the tunnel processing unit (non-tunnel mode), the service or signalling processing unit can find from its internal routing table that the packet is to be handed directly to the network interface unit. The distinction between signalling packets and data packets is by content: the former mainly carry signalling, the latter data. Referring to Figures 6 and 9, the flow of this embodiment comprises the following steps.
Step 201: The VC and the EC register with the VM through the tunnel; the registration packet (one kind of signalling packet) can carry the node's tunnel inner IP address, its own IP address and its device identifier in its payload to inform the VM;
Step 202: After receiving the registration packets from the tunnel, the VM records the tunnel inner IP addresses, own IP addresses and device identifiers of the VC and the EC locally;
In normal monitoring service, both the EC and the VC must register with the VM by signalling packets after coming online, and the registration packets can be sent to the VM through the tunnel. In the present invention the registration packet carries not only the monitoring node's own IP address but also its tunnel inner IP address, and in some embodiments further its own identifier (such as a MAC address or CPU serial number).
The VM stores the IP addresses and identifier carried in the registration packet for use in the subsequent service flow.
Step 203: The VC sends the VM a request for the monitoring video stream of the EC.
Step 204: The VM answers the VC's request with a signalling packet and correspondingly notifies the EC by a signalling packet to send the monitoring video stream to the VC; in the signalling packets sent to the EC and to the VC the VM carries the peer monitoring node's tunnel inner IP address, the peer's own IP address and a unique authentication identifier;
Step 205: After receiving the VM's signalling packet, the EC or VC extracts from it and stores the peer monitoring node's tunnel inner IP address, the peer's own IP address and the unique authentication identifier.
Step 206: The EC sends a probe packet to the VC in non-tunnel mode, the probe packet carrying the unique authentication identifier.
Step 207: The VC sends a probe packet to the EC in non-tunnel mode, the probe packet carrying the unique authentication identifier.
Step 208: When the EC or VC receives a probe packet from the peer monitoring node, it checks whether the unique authentication identifier carried in the probe packet is the same as the one it stored; if so it sends a probe response packet to the peer monitoring node, otherwise it discards the probe packet.
Step 209: If the EC receives the VC's non-tunnel-mode probe response packet within a predetermined time, it tells the service processing unit to send the video stream to the VC in non-tunnel mode; if within the predetermined time the EC does not receive the VC's probe response but does receive the VC's probe packet, it sends the video stream in non-tunnel mode on the TCP or UDP connection that carried the VC's probe packet; if within the predetermined time the EC receives neither the VC's probe response nor the VC's probe packet, it tells the service processing unit to send the video stream in tunnel mode.
In a video stream request (also called a live service), the EC and the VC are each other's peer monitoring node. The VM assigns a unique authentication identifier to the live service about to start; the identifier may be generated randomly by the VM according to a predetermined algorithm, or generated by the VM from the identifiers of the two monitoring nodes about to perform the live service, for example simply by concatenating the two nodes' MAC addresses into a 96-bit identifier. The signalling processing unit of each participant, EC or VC, stores the unique authentication identifier locally. For a monitoring node the main purpose of the identifier is, on receiving a probe packet, to confirm whether the node that sent it is the peer node of this live service.
In a live service both the EC and the VC have established tunnel connections with the tunnel server, so communication in tunnel mode is certainly possible. But the EC and the VC may also be able to communicate in non-tunnel mode, and if so the non-tunnel mode should be preferred, since it avoids the WAN bandwidth that tunnel mode may consume. Therefore, before sending the video stream to the VC, the EC can first send the VC a probe packet in non-tunnel mode to confirm whether the two can communicate in non-tunnel mode. Whether they can depends on the NAT relationship between them. Table 4 shows four NAT relationships and the prerequisites for non-tunnel communication in each.
Table 4 (image not reproduced). The four NAT relationships referred to in the text below are: case 1, the EC and the VC inside the same NAT device; case 2, the EC inside a NAT device and the VC on its public side; case 3, the EC on the public side and the VC inside a NAT device; case 4, the EC and the VC inside different NAT devices.
When the EC or the VC sends a probe packet it does not know the NAT relationship with the peer and cannot determine it, but a live service has the natural property that the EC sends and the VC receives; the VC never sends the video stream to the EC. In a basic embodiment, therefore, only the NAT relationships of cases 1 and 2 are considered. In case 1 both are inside the same NAT device, so the VC will certainly receive the EC's probe. In case 2, by the working principle of NAT (the inside device initiates first), if the VC is on the public network outside NAT 1 (public relative to NAT device 1), the EC's probe will certainly be received by the VC. So in cases 1 and 2 the VC only needs to confirm that the unique authentication identifier carried in the packet matches the one stored locally and, if so, send a probe response to the EC, which in cases 1 and 2 will obviously receive it. The EC can start a timer when it sends the probe; if the probe response arrives before the timer expires, the EC confirms that it can communicate with this VC in non-tunnel mode and can tell the service processing unit to send the video stream to the VC in non-tunnel mode. If no probe response from the VC arrives before the timer expires, a video stream sent directly in non-tunnel mode could not be received by the VC, and the EC's signalling processing unit can tell the service processing unit to send the video stream to the VC in tunnel mode.
In an optimised embodiment, the EC receiving no probe response after sending its probe does not mean the two have no chance of communicating in non-tunnel mode. In case 3 the EC's probe is discarded by NAT device 1 and cannot reach the VC (it violates the NAT principle that the inside initiates first); here the VC and the EC can both send probes to each other in non-tunnel mode. Although the EC then receives no probe response from the VC within the predetermined time (the timer timeout), it does receive the VC's probe, and can tell the service processing unit to borrow the TCP or UDP connection on which the VC's probe arrived to send the video stream. Borrowing that connection makes clever use of the working principle of NAT: the inside node initiates first, which creates an address translation flow entry on the NAT device; an example flow-table format is given in Table 5.
Table 5 (image not reproduced): the NAT translation entry created by the VC's probe, associating the VC's own address IP2 with the NAT's public address IP3 and port 3001 for the flow toward the EC at IP1, as described below.
Suppose that in case 3 the own IP addresses of the EC and the VC are IP1 and IP2. After the VC sends a probe to the EC, the entry shown in Table 5 is created on the NAT device. From the EC's point of view the UDP session is with the NAT device: when the EC sends a packet, only if it fills in IP3 and port 3001 as destination address and port will the NAT device translate the packet and deliver it to the VC; if the EC fills in an arbitrary destination port or address, the NAT device discards the packet. So the EC can only send the video stream to the VC by borrowing the TCP or UDP connection on which the VC's probe arrived. Note that in step 208 the VC must answer with a probe response when it receives a probe from the peer node and determines that the unique authentication identifier matches the stored one. The EC, on the other hand, need not send a probe response (this corresponds to case 3): once the EC has received the VC's probe and, by the unique authentication identifier, determined that this VC is the peer node of the current live service, it can certainly send the video stream to the VC in non-tunnel mode by borrowing the TCP or UDP connection. In case 4, clearly, the EC and the VC both send probes to the peer and neither receives them; the EC's timer expires, and the EC can tell the service processing unit to send the video stream in tunnel mode.
The description above handles the NAT relationship problem in different scenarios in two ways. It remains to consider that the same IP address may be reused because of legitimate planning behind NAT devices. For example, in a monitoring network EC1's own IP address is 192.168.1.2, VC1's own IP address is 192.168.1.3, and VC2's own IP address is also 192.168.1.3. Suppose EC1 and VC2 are inside NAT device 1 while VC1 is inside NAT device 2; VC1 and EC1 are then in case 4 of Table 4 and certainly cannot communicate in non-tunnel mode. When EC1 sends a probe to VC1, the intermediate network devices forward it by its destination address (192.168.1.3), so the packet actually reaches VC2. If VC2 happens to be requesting EC1's video stream, it would answer with a probe response; EC1, on receiving it, would believe it can communicate with VC1 in non-tunnel mode and would send the video stream in non-tunnel mode, which VC2 would receive correctly while VC1 in fact never receives EC1's stream. The unique authentication identifier described above effectively prevents this: because EC1's packet carries the identifier, VC2 on receiving it finds that it differs from its own stored identifier, for even if VC2 has also requested EC1, the identifier VC2 received from the VM differs from the one VC1 received; so VC2 does not send a probe response to EC1, and EC1 naturally sends the video stream in tunnel mode after its timer expires.
The above describes how the monitoring nodes EC and VC of a monitoring network save WAN bandwidth during a live service. A monitoring network can also have a voice intercom service between an EC and a VC; the processing is essentially the same, the only difference being that voice data packets are sent in both directions, so the VC and the EC are peers. The handling of probe packets and probe responses is therefore more flexible, and either side can start the voice intercom first. For example, the VC can also start a timer and, if within the predetermined time it receives no probe response from the EC but does receive the EC's probe, it can likewise borrow the TCP or UDP connection carrying that probe to send the voice stream to the EC in non-tunnel mode. Moreover, besides the video and voice streams between an EC and a VC, a multi-domain monitoring network also needs to exchange video and voice streams between the MSs of two domains. For example, the video stream VC1 requests from EC1 may have to be forwarded by MS1 in EC1's domain to MS2 in VC1's own domain and finally by MS2 to VC1. The two MSs can then forward the video or voice stream between themselves in the way described above; the difference is that the two MSs learn each other's own IP address, tunnel inner IP address and device identifier through the signalling-level interaction of the two domains' VMs. By the same reasoning, in the video playback service the DMs (data management servers) of different domains can proceed like the two MSs, the only difference being the service carried: playback for the DMs, live or voice intercom for the MSs. In short, whenever two monitoring nodes in a monitoring network do not know whether they can interwork in non-tunnel mode, they can determine this by the method of this embodiment before exchanging data packets. On the basis of the tunnel mode solving the problems caused by isolation devices, this embodiment further saves bandwidth (for example WAN bandwidth) and relieves the processing load in the area where the tunnel server is located (for example the upper monitoring domain).
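The following is an added example and not code from the patent or the applicant: a Python simulation of the probe exchange of steps 206 to 209 run through the four NAT relationships of Table 4, the borrowed connection of case 3 (the flow entry of Table 5) and the duplicate-address case in which a VC2 on EC1's intranet shares VC1's address. The NAT model, node names, ports, MAC and IP addresses are constructed for the example; `scenario("dup", check_id=False)` shows the wrong decision that the identifier check prevents.

```python
"""Added example, not the patent's code: a simulation of the probe exchange of
steps 206-209 across the four NAT relationships of Table 4, the borrowed
connection of case 3 (Table 5) and the duplicate-address case with VC2.
The NAT model, node names, ports, MAC and IP addresses are constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(eq=False)
class NAT:
    """Port-translating NAT: an entry exists only after an inside node sent first."""
    name: str
    public_ip: str
    next_port: int = 3001
    out: Dict[Tuple[str, int], Tuple[str, int]] = field(default_factory=dict)  # (in_ip, in_port) -> (pub_ip, pub_port)
    back: Dict[int, Tuple[str, int]] = field(default_factory=dict)             # pub_port -> (in_ip, in_port)

    def outbound(self, in_ip: str, in_port: int) -> Tuple[str, int]:
        if (in_ip, in_port) not in self.out:                 # create the flow entry (Table 5)
            self.out[(in_ip, in_port)] = (self.public_ip, self.next_port)
            self.back[self.next_port] = (in_ip, in_port)
            self.next_port += 1
        return self.out[(in_ip, in_port)]

    def inbound(self, pub_port: int) -> Optional[Tuple[str, int]]:
        return self.back.get(pub_port)                       # None: no entry, packet discarded


@dataclass(eq=False)
class Node:
    name: str
    ip: str
    port: int
    nat: Optional[NAT] = None                                # NAT the node sits inside; None = public side
    auth_id: str = ""                                        # unique authentication identifier (step 205)
    inbox: List[Tuple[str, int, str]] = field(default_factory=list)   # (src_ip, src_port, payload)


class Network:
    def __init__(self, nodes: List[Node]) -> None:
        self.nodes = nodes
        self.nats = list({id(n.nat): n.nat for n in nodes if n.nat}.values())

    def _find(self, ip: str, port: int, nat: Optional[NAT]) -> Optional[Node]:
        return next((n for n in self.nodes if n.ip == ip and n.port == port and n.nat is nat), None)

    def send(self, src: Node, dst_ip: str, dst_port: int, payload: str) -> bool:
        """Deliver one packet; False means some device dropped it."""
        tgt = self._find(dst_ip, dst_port, src.nat)          # same intranet: direct delivery
        if tgt is None and src.nat is not None:
            src_ip, src_port = src.nat.outbound(src.ip, src.port)   # leaving the NAT
        else:
            src_ip, src_port = src.ip, src.port
        if tgt is None:
            tgt = self._find(dst_ip, dst_port, None)         # a node on the public side
        if tgt is None:                                      # a NAT's public address?
            for nat in self.nats:
                if nat.public_ip == dst_ip and nat.inbound(dst_port) is not None:
                    tgt = self._find(*nat.inbound(dst_port), nat)
        if tgt is None:
            return False                                     # unreachable private address or no NAT entry
        tgt.inbox.append((src_ip, src_port, payload))
        return True


def auth_id(ec_mac: str, vc_mac: str) -> str:
    """One option the text gives the VM: the two MAC addresses concatenated (96 bits)."""
    return ec_mac.replace(":", "") + vc_mac.replace(":", "")


def live_session(net: Network, ec: Node, vc: Node, check_id: bool = True) -> str:
    """Steps 206-209 seen from the EC. Returns 'direct', 'borrowed' or 'tunnel'."""
    net.send(ec, vc.ip, vc.port, "PROBE " + ec.auth_id)       # step 206
    net.send(vc, ec.ip, ec.port, "PROBE " + vc.auth_id)       # step 207
    for node in net.nodes:                                    # step 208: VCs answer only a matching id
        if node is not ec:
            for sip, sport, payload in list(node.inbox):
                if payload.startswith("PROBE ") and (payload[6:] == node.auth_id or not check_id):
                    net.send(node, sip, sport, "PROBE-RESP " + payload[6:])
    if any(p == "PROBE-RESP " + ec.auth_id for _, _, p in ec.inbox):   # step 209
        return "direct"
    for sip, sport, p in ec.inbox:
        if p == "PROBE " + ec.auth_id:
            # case 3: stream to exactly the (address, port) the VC's probe arrived from,
            # so the NAT entry that probe created translates it back to the VC
            return "borrowed" if net.send(ec, sip, sport, "VIDEO") else "tunnel"
    return "tunnel"


def scenario(case: str, check_id: bool = True) -> str:
    nat1, nat2 = NAT("NAT1", "203.0.113.1"), NAT("NAT2", "203.0.113.2")
    sid = auth_id("00:11:22:33:44:55", "66:77:88:99:aa:bb")
    where = {"1": (nat1, nat1), "2": (nat1, None), "3": (None, nat1), "4": (nat1, nat2), "dup": (nat1, nat2)}
    ec_nat, vc_nat = where[case]
    ec = Node("EC", "192.168.1.2" if ec_nat else "198.51.100.8", 5000, ec_nat, sid)
    vc = Node("VC", "192.168.1.3" if vc_nat else "198.51.100.7", 6000, vc_nat, sid)
    nodes = [ec, vc]
    if case == "dup":   # VC2 on EC1's intranet reuses VC1's address but holds a different session id
        nodes.append(Node("VC2", "192.168.1.3", 6000, nat1, auth_id("00:11:22:33:44:55", "cc:dd:ee:ff:00:11")))
    return live_session(Network(nodes), ec, vc, check_id)
```

Two points worth noting when implementing this for real. The identifier is compared for equality and travels inside the probe itself, so it correlates a probe with a session rather than proving who sent it; of the two generation options the text offers, a value the VM draws randomly is preferable to a concatenation of the two MAC addresses, which anyone who knows the two devices can reproduce. And in case 3 the EC must keep sending from the same local port the VC's probe was addressed to, since the NAT entry of Table 5 is keyed on that pair; a fresh socket would produce the "arbitrary destination port or address" the text says the NAT discards.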
本发明还提供另一种实施方式来解决广域网带宽消耗的问题。 请参考图 6, 以下介绍本实施方式如何实现广域网带宽节约的。
歩骤 301, VC和 EC都通过 L2TP隧道在 VM上进行注册, VC和 EC除了使 用 LNS分配的隧道内层 IP地址进行注册之外, 再将本地设备的源 IP地址携 带入注册报文的载荷中以通知 VM;
如 EC客户端在内网中的源 IP地址为 10. 1. 1. 2 (可选项), 申请的 L2TP 隧道内层 IP 地址为 192. 168. 1. 2 ; VC 在内网中的客户端源 IP 地址为 10. 1. 1. 3 (可选项) , 申请的 L2TP隧道内层 IP地址为 192. 168. 1. 3。
歩骤 302 : VM从隧道上接收到注册消息后, 将设备在注册报文中携带的 地址信息记录下来;
歩骤 303 : VC通过隧道点播 EC的监控视频流: 此时 VC仍然按照前述隧 道模式向 VM发出点播请求;
歩骤 304: VM通知 EC进行发送监控视频流;
歩骤 305 : 在 EC和 VC之间通过隧道把业务传输通道建立起来之后, VM 主动向 EC和 VC设备发送非隧道模式尝试指令, 这个指令携带在监控终端节 点与 VM的保活消息中保活消息中。
需要说明的是, 在隧道模式下先把业务传输通道建立起来可以保证业务 的流畅性, 开始时 EC和 VC按照隧道模式肯定能够建立业务传输通道, 有 助于保证 VC端用户的体验。
歩骤 306: EC接收到 VM的非隧道模式尝试指令后首先向对方发起非隧道 模式通信; 本发明将正在非隧道模式尝试指令的 VC及 EC分别称为 T-VC及 T - EC。
T-EC和 T-VC可以通过私有协议发送报文来进行非隧道模式通信; 比如 T-EC开始尝试使用 T-VC的内网 IP地址为目的地址发送特定的报文给 T-VC; 当然也可以由 VC侧先发起。
歩骤 307 : 若 VC若收到 EC发出的消息, 则将收到的结果报告给 VM; VC 可以采用 SIP消息进行报告。 歩骤 308 : 接收 VC发送的携带有非隧道模式尝试报告, 根据报告报文的 地址信息以及自身保存的地址信息判断 EC与 VC之间是否能够通过内网进行 通信, 如果是则向 EC发送通信模式切换指令以指示 EC从 L2TP隧道模式切 换到非隧道模式。
VM收到 VC发送的报告 (可以通过 SIP消息携带)后, 根据 VC的报告判 断 T-EC与 T-VC是否能够进行非隧道模式, 如果是通知 EC和 VC从隧道模式 切换到非隧道模式 (通常称为内网通信模式或者私网通信模式, 主要是将业 务流的目的 IP地址切换到 VC的内网 IP地址) ; 否则返回不做处理, T-EC 与 T-VC继续保持隧道模式。 本发明歩骤 107中 VM判定双方能否进行非隧道 模式的依据可以根据实际情况包括两个两种依据, 这两个依据可以组合实施 也可以单独实施。
依据 1 : 发送报告的 VC的隧道内层 IP地址必须与 τ-vc是相同的。
VM检查发送报告的 VC隧道内层 IP地址与自身保存的 T-VC的是否相同, 如果是则判定为可以非隧道模式, 否则判定为无法非隧道模式。 考虑到 IP 地址可能在不同的内网中被重复使用, VM收到 VC发送的报告只能说明 EC通 过内网发送的通信报文被同样地址的 VC 收到了。 假设 T-EC 正在和地址为 10. 1. 1. 3的 T-VC通过隧道进行业务通信, 如果 T-VC确实和 EC处于相同的 内网, T-VC会收到这样的 EC的非隧道模式消息然后上报 VM。 但是假设 T-VC 和 EC 处于不同的内网, 而 T-EC 所在内网中刚好有一个 VC2 的地址也是 10. 1. 1. 3, VC2也会收到 EC的信息, 其也会向 VM上报, 此时如果 VM不进行 判断, 则可能导致出错。 VM检查发送该报告的 VC的隧道内层 IP地址与自身 保存的 T-VC 的隧道内层 IP地址是否相同, 如果是则说明报告确实是 T-VC 发送的, 否则说明发送报告的 VC是其他网络中的 VC, 只是双方的内网 IP地 址碰巧相同而已。 确定两个 IP地址已知的节点能够进行 IP通信时, 最常用 的机制的使用 Ping等检查技术。 但本发明考虑到 IP地址在不同内网中可能 出现重复的情况引入 VM进行判断避免了 IP地址重复导致的错误。 这也就是 为什么本发明不是简单采用较为常见的诸如 Ping等技术来检查 EC和 VC是否 可以进行非隧道模式的根本原因。
依据 2 : VC的报告中的 EC的隧道内层 IP地址与 T-EC是相同的。
如果 VC确实是 T-VC, 可以在很大程度上避免误判。 然而为更加严谨起 见, VM还可以检查 VC报告中的 EC是否为与 T-VC正在进行业务通信的 T-EC, 如果是则判定为可以非隧道模式, 否则判定为无法进行非隧道模式。 考虑在 同一时间段内可能有 T-EC1/T-VC1以及 T-EC2/T-VC2的组合当前都在执行非 隧道模式尝试的指令, 为了进一歩提高严谨性, 当 VC 被确定为 T-VC1 , VM 还可以进一歩检查 T-VC1的报告中的 EC的地址, 如果报告中携带的 EC的隧 道内层 IP地址与 T-EC2 的隧道内层 IP地址一样, 则说明 T-VC1 并不是从 T-EC1收到非隧道模式消息的, T-VC1与 T-EC1并在同一个内网中, 无法进行 非隧道模式, T-EC1/T-VC1继续保持隧道模式。 同样如果报告中携带的 EC的 隧道内层 IP地址与 T-EC2的隧道内层 IP地址一样, 则 VM通知 T-EC 1及 T_VC 1 切换到非隧道模式。
Step 309: After the EC receives the VM's instruction to switch to non-tunnel mode, it switches from tunnel mode to intranet IP communication mode and changes the destination IP address of the service stream it sends (i.e., the surveillance video stream) to the VC's intranet IP address before sending it.
With reference to Figure 6, switching from tunnel mode to intranet IP communication mode means that the signaling processing unit directs the service processing unit to divert the service stream away from the tunnel processing unit, so that the service stream no longer passes through tunnel processing. Switching the service stream from the tunnel to the intranet saves a great deal of precious wide-area network bandwidth and makes reasonable and effective use of existing non-tunnel resources, which is especially significant for large surveillance networks.
The above are merely preferred embodiments of the present invention and are not intended to limit it; any modification, equivalent substitution, improvement, etc. made within the spirit and principles of the present invention shall be included within the scope of protection of the present invention.

Claims

1. A surveillance node for traversing a network isolation device in an IP surveillance system, wherein the surveillance node is located in the network on the inner side of the network isolation device, the surveillance system comprises a plurality of surveillance nodes and a tunnel server, the plurality of surveillance nodes comprise a surveillance front-end device, a surveillance back-end device and at least one surveillance server, wherein the at least one surveillance server is a video management server VM, and the surveillance node comprises a tunnel processing unit, a signaling processing unit and a network interface unit, wherein:
the network interface unit is configured to send and receive packets over the IP network;
the signaling processing unit is configured to process surveillance signaling data;
the tunnel processing unit is configured to initiate a tunnel connection request to the tunnel server using the surveillance node's own first IP address so as to establish a tunnel connection with the tunnel server, and, after the tunnel connection is established, to obtain from the tunnel server a second IP address allocated by the tunnel server;
the tunnel processing unit is further configured to decapsulate the tunnel packet received by the network interface unit from the tunnel server to obtain an inner IP packet whose content is surveillance signaling data, and to submit the surveillance signaling data to the signaling processing unit; wherein the inner IP packet is a packet sent by a surveillance node on the outer side of the network isolation device, the destination address of the tunnel packet is the first IP address, the source address of the tunnel packet is the tunnel server's own IP address, the destination address of the inner IP packet is the second IP address, and the source IP address is the IP address of the outer-side surveillance node;
wherein the tunnel processing unit is further configured to encapsulate the surveillance signaling data generated by the surveillance node's signaling processing unit into an inner IP packet, then encapsulate the inner IP packet into a tunnel packet and send it to the network interface unit, which sends it to the tunnel server, and the tunnel server forwards the inner IP packet to the surveillance node in the network on the outer side of the network isolation device, wherein the source address of the inner IP packet is the second IP address, the destination address of the inner packet is the IP address of the outer-network surveillance node, the source address of the tunnel packet is the surveillance node's own IP address, and the destination address of the tunnel packet is the tunnel server's own IP address.
2. The surveillance node according to claim 1, characterized in that the surveillance node further comprises a service processing unit configured to process surveillance service data;
the tunnel processing unit is further configured to decapsulate the tunnel packet received by the network interface unit from the tunnel server to obtain an inner IP packet whose content is surveillance service data, and to submit the surveillance service data to the service processing unit; wherein the inner IP packet is a packet sent by a surveillance node on the outer side of the network isolation device, the destination address of the tunnel packet is the first IP address, the source address of the tunnel packet is the tunnel server's own IP address, the destination address of the inner IP packet is the second IP address, and the source IP address is the IP address of the outer-side surveillance node; or
the tunnel processing unit is further configured to encapsulate the surveillance service data generated by the surveillance node's service processing unit into an inner IP packet, then encapsulate the inner IP packet into a tunnel packet and send it to the network interface unit, which sends it to the tunnel server, and the tunnel server forwards the inner IP packet to the surveillance node in the network on the outer side of the network isolation device, wherein the source address of the inner IP packet is the second IP address, the destination address of the inner packet is the IP address of the outer-network surveillance node, the source address of the tunnel packet is the surveillance node's own IP address, and the destination address of the tunnel packet is the tunnel server's own IP address.
3. The surveillance node according to claim 2, characterized in that the signaling processing unit is further configured to, before communicating data packets with a peer surveillance node, obtain and store a unique authentication identifier allocated by the management server for this node and the peer surveillance node; to send a probe packet to the peer surveillance node in non-tunnel mode, the probe packet carrying the unique authentication identifier; and, upon receiving a probe response packet from the peer, to notify the service processing unit to send data packets to the peer surveillance node in non-tunnel mode.
4. The surveillance node according to claim 3, characterized in that the signaling processing unit is further configured to, upon receiving a probe packet sent by the peer surveillance node, check whether the authentication identifier carried in the probe packet is the same as the authentication identifier it has stored; if so, notify the service processing unit to send data packets to the peer surveillance node in non-tunnel mode using the TCP or UDP connection that carried the probe packet; otherwise, discard the probe packet.
5. The surveillance node according to claim 4, characterized in that the signaling processing unit is further configured to, when no attempt response packet or probe packet sent by the peer surveillance node is received within a predetermined time after the probe packet is sent, notify the service processing unit to exchange data packets with the peer surveillance node in tunnel mode.
6. The surveillance node according to claim 4, characterized in that the signaling processing unit is further configured to send a probe response packet to the peer surveillance node when it finds that the authentication identifier carried in the probe packet is the same as the authentication identifier it has stored.
7. The surveillance node according to claim 1, characterized in that the surveillance node is the video management server VM, and the signaling processing unit is further configured to store the address information of the surveillance front-end device and the surveillance back-end device contained in their registration packets, and to instruct the corresponding surveillance front-end device to send the surveillance video stream according to the on-demand request of the surveillance back-end device;
the signaling processing unit is further configured to, after a surveillance video stream transmission channel has been established between the surveillance front-end device and the surveillance back-end device through the tunnel, issue to the surveillance front-end device and the surveillance back-end device an instruction to attempt non-tunnel mode with the peer; and to determine, from the address information in the non-tunnel mode attempt report packet sent by the surveillance back-end device and the address information it has stored, whether the surveillance front-end device and the surveillance back-end device can communicate through the intranet, and if so to send a communication mode switching instruction instructing the surveillance front-end device to switch from tunnel mode to non-tunnel mode.
8. The surveillance node according to claim 7, characterized in that the address information comprises a tunnel inner IP address, and the criteria by which the signaling processing unit determines that the surveillance front-end device and the surveillance back-end device can use non-tunnel mode comprise:
the tunnel inner IP address of the surveillance back-end device sending the report is the same as the tunnel inner IP address of that device stored by the VM; and/or
the tunnel inner IP address of the surveillance front-end device in the report sent by the surveillance back-end device is the same as the tunnel inner IP address of that device stored by the VM.
9. The surveillance node according to claim 1, wherein the surveillance node is a surveillance front-end device, characterized in that the signaling processing unit is further configured to: after a surveillance video stream transmission channel has been established with the surveillance back-end device through the tunnel, receive the non-tunnel mode attempt instruction sent by the VM; and, according to the signaling packet sent by the VM carrying the non-tunnel mode attempt instruction, attempt non-tunnel mode with the surveillance back-end device; wherein the signaling processing unit is further configured to, if the non-tunnel mode attempt succeeds, switch the communication mode between itself and the surveillance back-end device from tunnel mode to non-tunnel mode according to the signaling packet issued by the VM carrying the communication mode switching instruction.
10. The surveillance node according to claim 1, wherein the surveillance node is a surveillance back-end device, characterized in that the signaling processing unit is further configured to: after a surveillance video stream transmission channel has been established with the surveillance front-end device through the tunnel, receive the non-tunnel mode attempt instruction sent by the VM; and send a report to the VM upon receiving a packet sent by the surveillance front-end device through the intranet; the signaling processing unit is further configured to, if the non-tunnel mode attempt succeeds, switch the communication mode between itself and the surveillance front-end device from tunnel mode to non-tunnel mode.
11. A method for a surveillance node in an IP surveillance system to traverse a network isolation device, wherein the surveillance node is located in the network on the inner side of the network isolation device, the surveillance system comprises a plurality of surveillance nodes and a tunnel server, the plurality of surveillance nodes comprise a surveillance front-end device, a surveillance back-end device and at least one surveillance server, wherein the at least one surveillance server is a video management server VM, the method comprising:
Step A: initiating a tunnel connection request to the tunnel server using the surveillance node's own first IP address so as to establish a tunnel connection with the tunnel server, and, after the tunnel connection is established, obtaining from the tunnel server a second IP address allocated by the tunnel server;
Step B: decapsulating the tunnel packet received from the tunnel server to obtain an inner IP packet whose content is surveillance signaling data, and processing the surveillance signaling data; wherein the inner IP packet is a packet sent by a surveillance node on the outer side of the network isolation device, the destination address of the tunnel packet is the first IP address, the source address of the tunnel packet is the tunnel server's own IP address, the destination address of the inner IP packet is the second IP address, and the source IP address is the IP address of the outer-side surveillance node;
Step C: encapsulating the surveillance signaling data generated by this surveillance node into an inner IP packet, then encapsulating the inner IP packet into a tunnel packet and sending it to the tunnel server, which forwards the inner IP packet to the surveillance node in the network on the outer side of the network isolation device, wherein the source address of the inner IP packet is the second IP address, the destination address of the inner packet is the IP address of the outer-network surveillance node, the source address of the tunnel packet is the surveillance node's own IP address, and the destination address of the tunnel packet is the tunnel server's own IP address.
12. The method according to claim 11, characterized by further comprising:
Step D: decapsulating the tunnel packet received from the tunnel server to obtain an inner IP packet whose content is surveillance service data, and processing the surveillance service data; wherein the inner IP packet is a packet sent by a surveillance node on the outer side of the network isolation device, the destination address of the tunnel packet is the first IP address, the source address of the tunnel packet is the tunnel server's own IP address, the destination address of the inner IP packet is the second IP address, and the source IP address is the IP address of the outer-side surveillance node; or
Step E: encapsulating the surveillance service data generated by the surveillance node into an inner IP packet, then encapsulating the inner IP packet into a tunnel packet and sending it to the tunnel server, which forwards the inner IP packet to the surveillance node in the network on the outer side of the network isolation device, wherein the source address of the inner IP packet is the second IP address, the destination address of the inner packet is the IP address of the outer-network surveillance node, the source address of the tunnel packet is the surveillance node's own IP address, and the destination address of the tunnel packet is the tunnel server's own IP address.
13. The method according to claim 12, characterized by further comprising:
Step F: before communicating data packets with a peer surveillance node, obtaining and storing a unique authentication identifier allocated by the management server for this node and the peer surveillance node; sending a probe packet to the peer surveillance node in non-tunnel mode, the probe packet carrying the unique authentication identifier; and, upon receiving a probe response packet from the peer, sending data packets to the peer surveillance node in non-tunnel mode.
14. The method according to claim 13, characterized by further comprising:
Step G: upon receiving a probe packet sent by the peer surveillance node, checking whether the authentication identifier carried in the probe packet is the same as the authentication identifier stored by this node; if so, sending data packets to the peer surveillance node in non-tunnel mode using the TCP or UDP connection that carried the probe packet; otherwise, discarding the probe packet.
15. The method according to claim 14, characterized in that step F further comprises:
when no attempt response packet or probe packet sent by the peer surveillance node is received within a predetermined time after the probe packet is sent, exchanging data packets with the peer surveillance node in tunnel mode.
16. The method according to claim 14, characterized in that step F further comprises: when the authentication identifier carried in the probe packet is found to be the same as the authentication identifier stored by this node, sending a probe response packet to the peer surveillance node.
17. The method according to claim 11, characterized in that the surveillance node is the video management server VM, and the method further comprises:
Step H: storing the address information of the surveillance front-end device and the surveillance back-end device contained in their registration packets, and instructing the corresponding surveillance front-end device to send the surveillance video stream according to the on-demand request of the surveillance back-end device;
Step I: after a surveillance video stream transmission channel has been established between the surveillance front-end device and the surveillance back-end device through the tunnel, issuing to the surveillance front-end device and the surveillance back-end device an instruction to attempt non-tunnel mode with the peer; and determining, from the address information in the non-tunnel mode attempt report packet sent by the surveillance back-end device and the address information stored by the VM, whether the surveillance front-end device and the surveillance back-end device can communicate through the intranet, and if so sending a communication mode switching instruction instructing the surveillance front-end device to switch from tunnel mode to non-tunnel mode.
18. The method according to claim 17, characterized in that the address information comprises a tunnel inner IP address, and the criteria for determining that the surveillance front-end device and the surveillance back-end device can use non-tunnel mode comprise:
the tunnel inner IP address of the surveillance back-end device sending the report is the same as the tunnel inner IP address of that device stored by the VM; and/or
the tunnel inner IP address of the surveillance front-end device in the report sent by the surveillance back-end device is the same as the tunnel inner IP address of that device stored by the VM.
19. The method according to claim 11, wherein the surveillance node is a surveillance front-end device, characterized in that the method further comprises:
Step J: after a surveillance video stream transmission channel has been established with the surveillance back-end device through the tunnel, receiving the non-tunnel mode attempt instruction sent by the VM; according to the signaling packet sent by the VM carrying the non-tunnel mode attempt instruction, attempting non-tunnel mode with the surveillance back-end device; and, if the non-tunnel mode attempt succeeds, switching the communication mode between this node and the surveillance back-end device from tunnel mode to non-tunnel mode according to the signaling packet issued by the VM carrying the communication mode switching instruction.
20. The method according to claim 11, wherein the surveillance node is a surveillance back-end device, characterized in that the signaling processing unit is further configured to: after a surveillance video stream transmission channel has been established with the surveillance front-end device through the tunnel, receive the non-tunnel mode attempt instruction sent by the VM; send a report to the VM upon receiving a packet sent by the surveillance front-end device through the intranet; and, if the non-tunnel mode attempt succeeds, switch the communication mode between this node and the surveillance front-end device from tunnel mode to non-tunnel mode.
21. A method for traversing a network isolation device in an IP surveillance system, applied on a surveillance node acting as a surveillance server, wherein the surveillance system comprises a plurality of surveillance nodes and a tunnel server, the method comprising:
Step 1: initiating a tunnel connection request to the tunnel server using the surveillance server's own first IP address so as to establish a tunnel connection with the tunnel server, and, after the tunnel connection is established, obtaining from the tunnel server a second IP address allocated by the tunnel server;
Step 2: receiving, in non-tunnel mode and using the first IP address, surveillance signaling data sent by a surveillance node on the inner side of the network isolation device;
Step 3: encapsulating the surveillance signaling data in an inner IP packet, encapsulating the inner IP packet in a tunnel packet, and sending the surveillance signaling data in tunnel mode via the tunnel server to a surveillance node on the outer side of the network isolation device, wherein the source address of the inner IP packet is the second IP address.
22. The method according to claim 21, further comprising:
Step 4: receiving, in tunnel mode, a tunnel packet from the tunnel server and decapsulating the tunnel packet to obtain an inner IP packet whose content is surveillance signaling data, wherein the surveillance signaling data comes from a surveillance node on the outer side of the network isolation device, and the destination IP address of the inner IP packet obtained by decapsulation is the second IP address;
Step 3: obtaining the surveillance signaling data from the inner IP packet obtained by decapsulation, and sending the surveillance signaling data in non-tunnel mode to a surveillance node on the inner side of the network isolation device, using the first IP address as the source IP address.
23. The method according to claim 21, wherein the plurality of surveillance nodes comprise a surveillance front-end device and a surveillance back-end device, the method further comprising:
Step 5: responding to the on-demand request of the surveillance back-end device by sending a surveillance signaling packet, and correspondingly notifying the surveillance back-end device by a signaling packet to send the surveillance video stream to the surveillance front-end device, wherein the signaling packet sent to the surveillance front-end device carries the IP address used by the surveillance back-end device in non-tunnel mode and a unique authentication identifier, and the signaling packet sent to the surveillance back-end device carries the IP address used by the surveillance front-end device in non-tunnel mode and the same unique authentication identifier.
24. The method according to claim 21, wherein the plurality of surveillance nodes comprise a surveillance front-end device and a surveillance back-end device, the method further comprising:
Step 6: after a service transmission channel has been established between the surveillance front-end device and the surveillance back-end device in tunnel mode, sending a non-tunnel mode attempt instruction to the surveillance front-end device and the surveillance back-end device;
Step 7: receiving the non-tunnel mode attempt report sent by the surveillance back-end device, determining from the address information in the report packet and the address information stored by the surveillance server whether the surveillance front-end device and the surveillance back-end device can communicate in non-tunnel mode, and if so sending a communication mode switching instruction to the surveillance back-end device to instruct the surveillance back-end device to switch from tunnel mode to non-tunnel mode.
25. The method according to claim 24, wherein the address information comprises a tunnel inner IP address, and the criteria for determining that the surveillance front-end device and the surveillance back-end device can communicate in non-tunnel mode comprise:
the tunnel inner IP address of the surveillance back-end device sending the report is the same as the tunnel inner IP address of that device stored by the VM; and/or
the tunnel inner IP address of the surveillance front-end device in the report sent by the surveillance back-end device is the same as the tunnel inner IP address of that device stored by the VM.
26. A method for traversing a network isolation device in an IP surveillance system, applied on a surveillance node acting as a surveillance server, wherein the surveillance system comprises a plurality of surveillance nodes and a tunnel server, the method comprising:
Step 1: initiating a tunnel connection request to the tunnel server using the surveillance server's own first IP address so as to establish a tunnel connection with the tunnel server, and, after the tunnel connection is established, obtaining from the tunnel server a second IP address allocated by the tunnel server;
Step 2: receiving, in non-tunnel mode and using the first IP address, surveillance service data sent by a surveillance node on the inner side of the network isolation device;
Step 3: encapsulating the surveillance service data in an inner IP packet, encapsulating the inner IP packet in a tunnel packet, and sending the surveillance service data in tunnel mode via the tunnel server to a surveillance node on the outer side of the network isolation device, wherein the source address of the inner IP packet is the second IP address.
27. The method according to claim 26, further comprising:
Step 4: receiving, in tunnel mode, a tunnel packet from the tunnel server and decapsulating the tunnel packet to obtain an inner IP packet whose content is surveillance service data, wherein the surveillance service data comes from a surveillance node on the outer side of the network isolation device, and the destination IP address of the inner IP packet obtained by decapsulation is the second IP address;
Step 3: obtaining the surveillance service data from the inner IP packet obtained by decapsulation, and sending the surveillance service data in non-tunnel mode to a surveillance node on the inner side of the network isolation device, using the first IP address as the source IP address.
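The probe and probe-response exchange of claims 3 to 6 and 13 to 16, together with the VM hand-out of claim 23, as an added worked example (not code from the patent or from the applicant). Packet layout, field names, the tick-based timeout and the sample intranet addresses are constructed. The example shows the three outcomes a node's signaling unit has to handle: a probe whose identifier matches binds data traffic to the connection that carried it and is answered; a probe with a foreign identifier is silently dropped and leaves the node in tunnel mode; and a probe that draws no answer within the predetermined time leaves the initiator in tunnel mode.

```python
"""Probe / probe-response with a unique authentication identifier.  Added
illustration, not the patent's own code; message format and addresses are constructed."""
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    kind: str        # "probe" or "probe_response"
    src: str         # intranet IP of the sender
    dst: str         # intranet IP of the receiver
    auth_id: str     # unique authentication identifier handed out by the VM


class Endpoint:
    """Signaling-unit state of an EC or VC.  Data uses the tunnel until a successful
    probe exchange binds a non-tunnel connection."""

    PROBE_TIMEOUT_TICKS = 3   # the "predetermined time" of claim 5; constructed value

    def __init__(self, name: str, intranet_ip: str) -> None:
        self.name = name
        self.ip = intranet_ip
        self.peer_ip: Optional[str] = None
        self.auth_id: Optional[str] = None
        self.mode = "tunnel"                          # "tunnel" | "probing" | "non-tunnel"
        self.conn: Optional[Tuple[str, str]] = None   # (local_ip, peer_ip) carrying data
        self.ticks_waiting = 0
        self.dropped: List[Packet] = []

    def on_vm_signaling(self, peer_ip: str, auth_id: str) -> None:
        """Claim 23: the VM gives each side the peer's non-tunnel IP and the shared id."""
        self.peer_ip, self.auth_id = peer_ip, auth_id

    def send_probe(self) -> Packet:
        """Claim 3: probe the peer in non-tunnel mode, carrying the identifier."""
        self.mode, self.ticks_waiting = "probing", 0
        return Packet("probe", self.ip, self.peer_ip, self.auth_id)

    def on_packet(self, pkt: Packet) -> Optional[Packet]:
        """Claims 4 and 6 on the receiving side, claim 3 on the initiating side."""
        if pkt.auth_id != self.auth_id:
            self.dropped.append(pkt)      # claim 4: identifier mismatch -> discard
            return None
        # Bind data traffic to the connection that carried the probe (or its response).
        self.mode, self.conn, self.ticks_waiting = "non-tunnel", (pkt.dst, pkt.src), 0
        if pkt.kind == "probe":
            return Packet("probe_response", self.ip, pkt.src, self.auth_id)   # claim 6
        return None

    def tick(self) -> None:
        """Claim 5: no response or probe within the timeout -> keep using the tunnel."""
        if self.mode == "probing":
            self.ticks_waiting += 1
            if self.ticks_waiting >= self.PROBE_TIMEOUT_TICKS:
                self.mode = "tunnel"


def vm_pair(ec: Endpoint, vc: Endpoint) -> str:
    """VM side of claim 23: one fresh identifier per EC/VC pairing, given to both."""
    auth_id = secrets.token_hex(16)
    ec.on_vm_signaling(peer_ip=vc.ip, auth_id=auth_id)
    vc.on_vm_signaling(peer_ip=ec.ip, auth_id=auth_id)
    return auth_id


def attempt_non_tunnel(initiator: Endpoint, responder: Endpoint, reachable: bool) -> Tuple[str, str]:
    """One probe exchange.  `reachable` models whether the intranet actually delivers
    packets between the two nodes.  Returns (initiator mode, responder mode)."""
    probe = initiator.send_probe()
    if reachable:
        response = responder.on_packet(probe)
        if response is not None:
            initiator.on_packet(response)
    for _ in range(Endpoint.PROBE_TIMEOUT_TICKS):
        initiator.tick()
    return initiator.mode, responder.mode
```

The identifier is what ties the exchange to the pairing the VM set up: a node that happens to own the probed intranet address but was never given this identifier cannot answer the probe, which complements the VM-side address checks of claims 8, 18 and 25.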
PCT/CN2013/071395 2012-02-10 2013-02-05 Method and device for passing through isolation device in surveillance network WO2013117154A1 (zh)

Priority Applications (1)

Application Number Priority Date Filing Date Title
US14/377,814 US9215215B2 (en) 2012-02-10 2013-02-05 Method and device for passing through isolation device in surveillance network

Applications Claiming Priority (6)

Application Number Priority Date Filing Date Title
CN201210030308.1 2012-02-10
CN201210030678.5A CN102571524B (zh) 2012-02-10 2012-02-10 Method and node for traversing, and assisting in traversing, a network isolation device in an IP surveillance system
CN201210030678.5 2012-02-10
CN201210030308.1A CN102546350B (zh) 2012-02-10 2012-02-10 Method and apparatus for saving wide-area network bandwidth in an IP surveillance system
CN201210180552.6 2012-05-30
CN201210180552.6A CN102710644B (zh) 2012-05-30 2012-05-30 Method and apparatus for saving bandwidth in an IP surveillance system

Publications (1)

Publication Number Publication Date
WO2013117154A1 true WO2013117154A1 (zh) 2013-08-15

Family

ID=48946911

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CN2013/071395 WO2013117154A1 (zh) 2012-02-10 2013-02-05 Method and device for passing through isolation device in surveillance network

Country Status (2)

Country Link
US (1) US9215215B2 (zh)
WO (1) WO2013117154A1 (zh)

Families Citing this family (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN111343070B (zh) * 2020-03-03 2021-07-09 深圳市吉祥腾达科技有限公司 SD-WAN network communication control method
CN112039920B (zh) * 2020-09-14 2022-02-22 迈普通信技术股份有限公司 Communication method, apparatus, electronic device and storage medium
CN116599773B (zh) * 2023-07-14 2023-09-19 杭州海康威视数字技术股份有限公司 Adaptive device security risk assessment method, apparatus, device and system

Citations (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN101159657A (zh) * 2007-10-16 2008-04-09 华为技术有限公司 Method, device and server for implementing private network traversal
CN101170687A (zh) * 2007-11-28 2008-04-30 武汉烽火网络有限责任公司 Method for NAT traversal of front-end recording on-demand based on video surveillance
CN101465844A (zh) * 2007-12-18 2009-06-24 华为技术有限公司 Firewall traversal method, system and device
CN102546350A (zh) * 2012-02-10 2012-07-04 浙江宇视科技有限公司 Method and apparatus for saving wide-area network bandwidth in an IP surveillance system
CN102571524A (zh) * 2012-02-10 2012-07-11 浙江宇视科技有限公司 Method and node for traversing, and assisting in traversing, a network isolation device in an IP surveillance system
CN102710644A (zh) * 2012-05-30 2012-10-03 浙江宇视科技有限公司 Method and apparatus for saving bandwidth in an IP surveillance system

Family Cites Families (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7089303B2 (en) * 2000-05-31 2006-08-08 Invicta Networks, Inc. Systems and methods for distributed network protection
DE10329877A1 (de) 2003-07-02 2005-01-27 Siemens Ag Method for operating a voice terminal on a remote private branch exchange, communication arrangement and voice terminal
CN102111311A (zh) 2011-03-18 2011-06-29 杭州华三通信技术有限公司 Method and server for accessing a surveillance private network via the Layer 2 Tunneling Protocol

Also Published As

Publication number Publication date
US9215215B2 (en) 2015-12-15
US20150222597A1 (en) 2015-08-06

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13746025; Country of ref document: EP; Kind code of ref document: A1)
WWE Wipo information: entry into national phase (Ref document number: 14377814; Country of ref document: US)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13746025; Country of ref document: EP; Kind code of ref document: A1)
32PN Ep: public notification in the ep bulletin as address of the addressee cannot be established (Free format text: NOTING OF LOSS OF RIGHTS PURSUANT TO RULE 112(1) EPC OF 050315)