The present invention relates generally to computer-based methods and apparatuses, including computer program products, for packet signaling content control on a network.
In general, traditional telephone networks, such as the publicly-switched telephone network (PSTN), employ circuitry and switches to connect telephone users across the network to facilitate communication. An increasing alternative to traditional phone networks uses packetized data to transmit content of telephone communications (e.g., voice or videoconferencing data) through a packet-based network such as an internet protocol (IP) and/or session initiation protocol (SIP) network. Such a configuration is commonly referred to as a voice over internet protocol (VOIP) network and can support voice, data, and video content.
The increased use of packet networks across the globe has been accompanied by an increase in attacks to those networks and an increase in the number of malformed packets being sent among the networks. An attack on a network and the increased malformed packets can cause devastating damage not only to the flow of data on the network, but to a company's reputation for allowing the flow of data to be impeded and ultimately to a company's bottom line finances.
One approach to packet signaling content control on a network is a method. The method includes receiving a packet from a first network group. A first set of information is removed from a first set of packet description information associated with the packet based on a first set of filters associated with the first network group to form a second set of packet description information. A second set of information is removed from the second set of packet description information of the packet based on a second set of filters associated with a second network group to form a third set of packet description information. The third set of packet description information and a payload associated with the packet is transmitted to the second network group.
Another approach to packet signaling content control on a network is a computer program product. The computer program product is tangibly embodied in an information carrier. The computer program product includes instructions being operable to cause a data processing apparatus to receive a packet from a first network group. A first set of information is removed from a first set of headers associated with the packet based on a first set of filters associated with the first network group to form a second set of headers. A second set of information is removed from the second set of headers of the packet based on a second set of filters associated with a second network group to form a third set of headers. The third set of headers and a payload associated with the packet is transmitted to the second network group.
Another approach to packet signaling content control on a network is a system. The system includes a network border server, a first filter module, and a second filter module. The network border server is configured to receive a packet from a first network group. The first filter module is configured to remove a first set of information from a first set of headers associated with the packet based on a first set of filters associated with the first network group to form a second set of headers. The second filter module is configured to remove a second set of information from the second set of headers based on a second set of filters associated with a second network group to form a third set of headers. The network border server is further configured to transmit the third set of headers and a payload associated with the packet to the second network group.
Another approach to packet signaling content control on a network is a system. The system includes a means for receiving a packet from a first network group, a means for removing a first set of information from a first set of headers associated with the packet based on a first set of filters associated with the first network group to form a second set of headers, a means for removing a second set of information from the second set of headers based on a second set of filters associated with a second network group to form a third set of headers, and a means for transmitting the third set of headers and a payload associated with the packet to the second network group.
In other examples, any of the aspects above can include one or more of the following features. The packet includes a session initiation protocol (SIP) packet and the first set of information and the second set of information include optional information associated with the SIP packet. In some examples, the removing the first set of information occurs at an application layer. In other examples, the removing the second set of information occurs at an application layer.
In some examples, the packet includes a voice communication packet, an Internet Protocol (IP) packet, a SIP packet, a SIP signaling packet, session description protocol (SDP) packet, domain name system (DNS) packet, and/or hypertext transfer protocol (HTTP) packet.
In other examples, the packet includes or is associated with voice information, multimedia information, and/or text information. The first set of packet description information is identical to the second set of packet description information or the second set of packet description information is identical to the third set of packet description information, but not both. The first set of information, the second set of information, or both are not replaced in the third set of packet description information.
In some examples, the first set of filters includes an ingress filter that indicates whether information associated with the packet should be received from the first network group and the second set of filters includes an egress filter that indicates whether information associated with the packet should be transmitted to the second network group.
In other examples, the first network group includes one or more external networks and the second network group includes one or more internal networks. The first set of filters includes an ingress filter that indicates whether information associated with the packet should be received from the one or more external networks and the second set of filters includes an egress filter that indicates whether information associated with the packet should be transmitted to the one or more internal networks.
In some examples, the first network group includes one or more internal networks and the second network group includes one or more external networks. The first set of filters includes an egress filter that indicates whether information associated with the packet should be transmitted from the one or more internal networks and the second set of filters includes an ingress filter that indicates whether information associated with the packet should be sent to the one or more external networks.
In other examples, the packet description information includes one or more headers associated with the packet. The first set of filters, the second set of filters, or both includes one or more filters for one or more optional fields associated with the one or more headers. The first set of information includes a header associated with the packet, an optional field associated with the packet, metadata associated with the packet, request information associated with the packet, and/or response information associated with the packet. The second set of information includes a header associated with the packet, an optional field associated with the packet, metadata associated with the packet, request information associated with the packet, and/or response information associated with the packet.
In some examples, the first network group comprises one or more networks logically grouped together and/or the second network group comprises one or more networks logically grouped together. The one or more networks includes a packet based network, an internet protocol (IP) network, a public switched telephone network (PSTN), a wireless network, and/or a wired network.
In other examples, the network border server includes or is associated with a telephony gateway. The telephony gateway is in communication with a PSTN network and an IP network.
Any of the approaches/aspects/techniques described above can include one or more of the following advantages. An advantage to the packet signaling content control on the network is that packet signaling control can be differentiated between various packet sources (e.g., network groups). Another advantage is that the content of packets can be tailored according to the exact mix of information that needs to be passed across networks. An additional advantage is that the content of packets can be controlled based on per-network agreements. Another advantage is that each filter can be set according to the network group that is associated with the filter.
Another advantage is that unknown packet description information can be removed from the packets to protect the networks from malicious network activity. An additional advantage is that filters can be placed on untrusted networks (e.g., public networks) to remove potentially harmful network activity while still allowing the packet description information from trusted networks (e.g., private networks). Another advantage is that the ingress filter can be configured to protect against security risks from the external network group (e.g., incorrect Timestamp) while the egress filter can be configured to protect against security risks to the internal network group (e.g., charge information).
Other aspects and advantages of the present invention will become apparent from the following detailed description, taken in conjunction with the accompanying drawings, illustrating the principles of the invention by way of example only.
The foregoing and other objects, features, and advantages of the present invention, as well as the invention itself, will be more fully understood from the following description of various embodiments, when read together with the accompanying drawings.
In general overview, packet signaling is content controlled on a network. The content control includes two sets of filters—an ingress filter set and an egress filter set. For packets coming into an internal network, the packets (e.g., SIP packets) are filtered by an ingress filter associated with the external network and which determines whether to discard sets of information from the packet description information (e.g., a header, an optional header). The packet is also filtered by an egress filter associated with the internal network and which determines whether to discard sets of information from the packet description information. The packet is transmitted to the internal network. For packets leaving the internal network, the filtering occurs in the opposite direction (e.g., egress filter associated with the internal network and then ingress filter associated with the external network).
Each of the ingress filter modules (e.g., 132a) and egress filter modules (e.g., 134a) is associated with a network group (e.g., 122a, 122b, 122c, 142a, 142b). A network group (e.g., 122a) can include, for example, one or more external networks (e.g., 120a), one or more internal networks (e.g., 140a), one or more logical sets of networks (e.g., a logical set of a demilitarized zone networks from ten company sites across the globe), one or more physical sets of networks (e.g., the ten subnets in one building), and/or any other grouping of networks. The logical sets of networks include, for example, one or more networks that are logically grouped together (e.g., public access networks associated with a company, limited access networks associated with a company). For example, the network group 122c includes external network C 120c and external network D 120d which is associated with the ingress filter module C 132c.
The network group can be, for example, an IP trunk group with an associated SIP service group level. The SIP service group level can be, for example, associated with a network service agreement, a user's subscription agreement, and/or any other type of service level agreement. In other examples, the network group is an IP trunk group. The IP trunk group is further described in U.S. patent application Ser. No. 11/238,663, Attorney Docket No. SNS-003A, entitled “Defining Logical Trunk Groups in a Packet-Based Network,” filed on Sep. 29, 2005, the disclosure of which is hereby incorporated herein by reference. An advantage is that the filter modules can be utilized and adapted for a wide variety of network configurations (e.g., local area networks (LAN), metropolitan area networks (MAN), wide area networks (WAN), packet telephone networks).
In some examples, each ingress filter module (e.g., 132a) and each egress filter module (e.g., 134a) includes filters which filter packet description information for packets sent to and/or from an associated network group. In other examples, each egress filter module (e.g., 142a) includes one or more filters which filter packet description information, or portions thereof, from packets sent to and/or from the network group associated with the ingress filter module (e.g., 132a). Packet description information can include, for example, a header associated with the packet (e.g., To field), an optional header associated with the packet (e.g., Route field), metadata associated with the packet (e.g., packet size), request information associated with the packet (e.g., INVITE), and/or response information associated with the packet (e.g., 200 OK).
The optional header associated with the packet can be, for example, any header that is not required for the transmission of the packet from the source of the packet (e.g., cell phone) to the destination of the packet (e.g., voice mail server). An advantage is that the filters can be customized according to the specific requirements and/or needs associated with the filter module and associated network group. Another advantage is that headers that could cause more harm to a network than benefit can be removed before the packet is allowed onto the network. Another advantage is that headers that are not needed for communication between the transmitting network group and receiving network group can be removed. For example, the optional header P-Charging-Vector for a SIP packet can be removed at an egress filter if the network group associated with the egress filter does not want to receive or send the header P-Charging-Vector.
The ingress and egress filters can be configured, for example, based on network agreements. For example, internal network A 140a has a network agreement with external network A 120a to accept P-Charging-Vector information so that users can be charged for network access. The ingress filter associated with ingress filter module A 132a will allow the P-Charging-Vector information to be sent to the egress filter module A 134a. The egress filter associated with egress filter module A 134a will allow P-Charging-Vector information since the internal network A 140a has a network agreement to accept such information. However, that may not be the situation for all of the networks. For example, a packet is sent from external network A 120a to the internal network B 140b, which does not have a network agreement to accept P-Charging-Vector information. The P-Charging-Vector information is sent to the egress filter module B 134b from the ingress filter module A 132a. The egress filter associated with the egress filter module B 134b is configured to not allow P-Charging-Vector information. Thus, the P-Charging-Vector information is removed from the packet description information by the egress filter module B 134b and the packet is transmitted to the internal network B 140b without the P-Charging-Vector information.
In some examples, the packet includes voice information (e.g., speech, digitally recorded speech), multimedia information (e.g., movies, animations), text information (e.g., books, text message) and/or any other information associated with a telecommunication network. The packet can be, for example, associated with voice information, multimedia information, text information and/or any other information associated with a telecommunication network. The packet can be, for example, a packet to initiate a voice communication, a text communication, and/or a multimedia communication.
In some examples, the network border server 130 includes a telephony gateway. The network border server 130 can be, for example, associated with a telephony gateway. The telephony gateway can be, for example, in communication with a PSTN and an IP network.
Although
In some examples, the application server 245 includes a voicemail server, a text message server, a reservation server, a global positioning system (GPS) server, and/or any other server which provides services to users on a telecommunications network. Another advantage is that the user 210 can utilize services (e.g., voicemail) on the telecommunications network while the internal service network is being protected from malicious activity and/or malformed packets that could disrupt the service on and/or harm the internal service network.
In other examples, the internal network 240 is a service network for communicating between one or more packet networks 220 and for providing access to application servers 245. The internal network 240 can be, for example, a private packet based network, a public packet based network (e.g., Internet), and/or a virtual private network (VPN) on a public packet based network.
For example, the user 210b utilizes his computing device 215b (e.g., cell phone) to send a SIP request packet (e.g., INVITE) to request a connection between the computing device 215b and the application server B 245b (e.g., voice mail server). The SIP request packet includes a plurality of headers (e.g., From, To, Route, Timestamp). The SIP request packet is transmitted through the packet network A 220a (e.g., Internet, VPN connection over a public network, private packet network). The network border server A 230a receives the SIP request packet. The SIP request packet is sent to the ingress filter module A 232a which is associated with the transmitting network group. The transmitting network group includes the packet network A 220a. The ingress filter module A 232a processes the headers in the SIP request packet to determine whether the headers should be processed. The ingress filter associated with the ingress filter module A 232a is configured not to process Route headers from the transmitting network group (in this example, the packet network A 220a). The Route header is removed from the SIP request packet.
The SIP request packet without the Route header is sent to the egress filter module A 234a which is associated with the receiving network group. The receiving network group includes the internal network 240. The egress filter module A 234a processes the headers in the SIP request packet to determine whether the headers should be transmitted to the receiving network group. The egress filter associated with the egress filter module A 234a is configured not to transmit Timestamp headers to the receiving network group (in this example, the internal network 240). The Timestamp header is removed from the SIP request packet. The SIP request packet without the Route header and Timestamp header is transmitted to the receiving network group (in this example, the internal network 240). The SIP request packet is transmitted to the application server B 245b for processing.
The application server B 245b responds to the SIP request packet from the user's computing device 215b with a SIP response packet (e.g., 200 OK). The SIP response packet includes a plurality of headers (e.g., From, To, Route, Timestamp). The SIP response packet is transmitted through the internal network 240 to the network border server A 230a. The SIP response packet is sent to the egress filter module A 234a which is associated with the transmitting network group. The transmitting network group includes the internal network 240. The egress filter module A 234a processes the headers in the SIP response packet to determine whether the headers should be processed. The egress filter associated with the egress filter module A 234a is configured not to process Timestamp headers from the transmitting network group (in this example, the internal network 240). The Timestamp header is removed from the SIP response packet.
The SIP response packet without the Timestamp header is sent to the ingress filter module A 232a which is associated with the receiving network group. The receiving network group includes the packet network A 220a. The ingress filter module A 232a processes the headers in the SIP response packet to determine whether the headers should be transmitted to the receiving network group. The ingress filter associated with the ingress filter module A 232a is configured not to transmit Route headers to the receiving network group (in this example, the packet network A 220a). The Route header is removed from the SIP response packet. The SIP response packet without the Timestamp header and Route header is transmitted to the receiving network group (in this example, the packet network A 220a). The SIP response packet is transmitted to the user's computing device 215b.
In other examples, the ingress filter module (e.g., 232a) is associated with a single physical network (e.g., LAN, WAN, MAN). The egress filter module (e.g., 234a) also can be associated, for example, with a single physical network (e.g., LAN, WAN, MAN).
The sets of information from the packet description information that should be processed are sent to the egress filter module A 234a. The egress filter module A 234a determines (940) which sets of information from the packet description information to transmit using an egress filter. The egress filter includes filters configured to determine (940) whether sets of information from the packet description information should be transmitted to the internal network 240. The sets of information from the packet description information that should not be transmitted are ignored and discarded (930) (e.g., removed from the packet description information). The sets of information from the packet description information that should be transmitted to the internal network 240 are transmitted (950) to the internal network 240. An advantage is that the ingress filter can be configured to never allow specified sets of information from the packet description information onto and/or from the internal network. Another advantage is that the egress filter can be configured to never accept specified sets of information from the packet description information from and/or to an external network.
For example, the SIP packet 300 of
The sets of information from the packet description information that should be processed are sent to the ingress filter module A 232a. The ingress filter module A 232a determines (1040) which sets of information from the packet description information to transmit using an ingress filter. The ingress filter includes filters configured to determine (1040) whether sets of information from the packet description information should be transmitted to the external packet network A 220a or ignored and discarded (e.g., removed from the packet description information). The sets of information from the packet description information that should not be transmitted are ignored and discarded (1030). The sets of information from the packet description information that should be transmitted to the external packet network A 220a are transmitted (1050) to the external packet network 220a.
For example, the SIP packet 600 of
In some examples, a packet includes packet description information and a payload (e.g., data). The ingress and egress filters remove, for example, one or more sets of information from the packet description information (e.g., Timestamp field). The sets of information from the packet description information that are not removed and the payload are transmitted, for example, to the receiving network group (e.g., internal network, external network, network group, logical network group).
In other examples, the sets of information from the packet description information (e.g., headers) that are removed by the ingress and egress filters are not replaced. For example, the packet is transmitted to the receiving network group with the sets of information from the packet description information that was not removed by the ingress and egress filters and with the payload of the packet.
In some examples, the sets of information from the packet description information that are removed by the ingress filter and/or the egress filter are replaced. The sets of information from the packet description information can be, for example, replaced with filler information (e.g., random 0s and 1s) to provide spacing for the packet. For example, if the packet is associated with a checksum, then the removed sets of information can be replaced with equivalent filler information derived from the removed sets of information so that the checksum will not be invalidated by the removal of the sets of information from the packet description information. The sets of information from the packet description information can be, for example, replaced with a standardized part associated with the sets of information removed. For example, if P-Charging-Vector: icid-value=2000; icid-generated-at=10.13.1.28 information is removed, then the information can be replaced with a standard P-Charging-Vector: icid-value=1000; icid-generated-at=10.0.0.0 part. For example, if P-Call-Payment-Type: CreditCard information is removed, then the information can be replaced with a standard P-Call-Payment-Type: NoCharge part. The sets of information from the packet description information can be, for example, replaced by dynamically generated information, information associated with the receiving network group, information associated with the transmitting network group, and/or any other packet description information.
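The following is an added worked example, not code from the patent, covering both the INVITE/200 OK walk-through above (ingress filter of the transmitting group, then egress filter of the receiving group, and the reverse for outbound traffic) and the standard-part replacement just described. The network group names, the sample INVITE, the filter data structure and the refusal to strip mandatory SIP headers are all assumptions of the example.

```python
# Added example, not the patent's code: a minimal SIP header filter that applies the
# ingress filter of the transmitting network group and the egress filter of the
# receiving network group, in both directions, with optional standard-part replacement.
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Headers a SIP request cannot travel without (RFC 3261 section 8.1.1). Refusing to
# strip them is an assumption of this example, not something the text specifies.
MANDATORY = {"via", "to", "from", "call-id", "cseq", "max-forwards", "content-length"}
Header = Tuple[str, str]


@dataclass
class HeaderFilter:
    """Filter settings for one network group (hypothetical structure)."""
    drop: set = field(default_factory=set)                 # lowercase names to remove
    replace: Dict[str, str] = field(default_factory=dict)  # name -> standardized value

    def apply(self, headers: List[Header]) -> List[Header]:
        """Remove filtered headers; substitute a standard part where one is configured."""
        kept: List[Header] = []
        for name, value in headers:
            key = name.lower()  # header names are case-insensitive; compact forms not expanded
            if key in MANDATORY or key not in self.drop:
                kept.append((name, value))
            elif key in self.replace:
                kept.append((name, self.replace[key]))  # replaced rather than merely removed
            # otherwise the header is dropped and not replaced
        return kept


def parse_sip(raw: str) -> Tuple[str, List[Header], str]:
    """Split a SIP message into start line, ordered header list and payload (body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers: List[Header] = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return lines[0], headers, body


def serialize_sip(start_line: str, headers: List[Header], body: str) -> str:
    return start_line + "\r\n" + "".join(f"{n}: {v}\r\n" for n, v in headers) + "\r\n" + body


def headers_of(raw: str) -> Dict[str, str]:
    """Lowercase header-name -> value map, for inspecting a filtered message."""
    return {n.lower(): v for n, v in parse_sip(raw)[1]}


class NetworkBorderServer:
    """Ingress filters keyed by external network group, egress filters by internal group."""

    def __init__(self, ingress: Dict[str, HeaderFilter], egress: Dict[str, HeaderFilter]):
        self.ingress, self.egress = ingress, egress

    def _run(self, raw: str, first: HeaderFilter, second: HeaderFilter) -> str:
        start, headers, body = parse_sip(raw)
        return serialize_sip(start, second.apply(first.apply(headers)), body)

    def inbound(self, raw: str, ext_group: str, int_group: str) -> str:
        """External -> internal: sender's ingress filter, then receiver's egress filter."""
        return self._run(raw, self.ingress[ext_group], self.egress[int_group])

    def outbound(self, raw: str, int_group: str, ext_group: str) -> str:
        """Internal -> external: sender's egress filter, then receiver's ingress filter."""
        return self._run(raw, self.egress[int_group], self.ingress[ext_group])


# Constructed sample INVITE from user 210b towards the voicemail server (not a real capture).
SAMPLE_INVITE = (
    "INVITE sip:vm@app-b.example.internal SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 203.0.113.10:5060;branch=z9hG4bK776\r\n"
    "Max-Forwards: 70\r\n"
    "From: <sip:user210b@packet-net-a.example>;tag=1928\r\n"
    "To: <sip:vm@app-b.example.internal>\r\n"
    "Call-ID: a84b4c76e66710\r\n"
    "CSeq: 1 INVITE\r\n"
    "Route: <sip:proxy.packet-net-a.example;lr>\r\n"
    "Timestamp: 54\r\n"
    "P-Charging-Vector: icid-value=2000; icid-generated-at=10.13.1.28\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Filter settings mirroring the text: packet network A drops Route on ingress (a "to" entry
# is ignored because To is mandatory); internal network 240 drops Timestamp on egress;
# internal network B has no P-Charging-Vector agreement and substitutes the standard part.
BORDER = NetworkBorderServer(
    ingress={"packet_network_A": HeaderFilter(drop={"route", "to"})},
    egress={
        "internal_network_240": HeaderFilter(drop={"timestamp"}),
        "internal_network_B": HeaderFilter(
            drop={"timestamp", "p-charging-vector"},
            replace={"p-charging-vector": "icid-value=1000; icid-generated-at=10.0.0.0"},
        ),
    },
)

if __name__ == "__main__":
    print(BORDER.inbound(SAMPLE_INVITE, "packet_network_A", "internal_network_B"))
```

Because each group's filter is used in both directions, the same settings strip Timestamp from the 200 OK leaving internal network 240 and Route from it before it reaches packet network A, as in the walk-through above.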
In other examples, a packet includes sets of one or more headers (e.g., Alert-Info) and a payload. The ingress and egress filters remove, for example, sets of one or more headers. The set of headers that are not removed and the payload are transmitted, for example, to the receiving network group (e.g., internal network, external network, network group, logical network group).
In some examples, the packet includes a voice communication packet, an IP packet, a SIP packet, a SIP signaling packet, session description protocol (SDP) packet, domain name system (DNS) packet, hypertext transfer protocol (HTTP) packet, and/or any other telecommunication packet (e.g., media gateway control protocol (MGCP) packet). The SIP packet includes, for example, SIP requests (e.g., INVITE, ACK, NOTIFY) and/or SIP responses (e.g., 200 OK, 500 Server Internal Error). The SIP packet can be associated, for example, with SIP telephony.
In other examples, the sets of information from the packet description information (e.g., headers) that are removed by the ingress and egress filters are removed at any layer of a network protocol (e.g., application layer, transport layer, internet layer, data link layer, physical layer).
In some examples, the sets of information from the packet description information (e.g., headers) that are removed by the ingress and egress filters are removed at the application layer. The application layer can be, for example, the application layer in a network protocol. The network protocol can be, for example, the Open Systems Interconnection (OSI) network protocol which consists of seven layers. For example, the application layer is the seventh layer in the OSI network protocol and interfaces with the application services in a computing device (e.g., cell phone, network border server).
The network protocol can be, for example, the transmission control protocol/internet protocol (TCP/IP) network protocol which consists of four layers. For example, the application layer is the fourth layer in the TCP/IP network protocol in which higher level protocols operate. The higher level protocols that operate at the application layer include, for example, SIP, dynamic host control protocol (DHCP), DNS, file transfer protocol (FTP), Gopher, HTTP, Internet message access protocol (IMAP), Internet relay chat (IRC), network news transfer protocol (NNTP), simple mail transfer protocol (SMTP), simple network management protocol (SNMP), real-time transport protocol (RTP), and/or any other type of application layer protocol.
Table 1 is an illustration of a set of headers received from external networks and transmitted to an internal network. Table 1 includes an illustration of the filter settings applied to the external networks and the filter settings applied to the internal network.
Table 2 is an illustration of a set of headers received from an internal network and transmitted to external networks. Table 2 includes an illustration of the filter settings applied to the external networks and the filter settings applied to the internal network.
The above-described systems and methods can be implemented in digital electronic circuitry, in computer hardware, firmware, and/or software. The implementation can be as a computer program product (i.e., a computer program tangibly embodied in an information carrier). The implementation can, for example, be in a machine-readable storage device and/or in a propagated signal, for execution by, or to control the operation of, data processing apparatus. The implementation can, for example, be a programmable processor, a computer, and/or multiple computers.
A computer program can be written in any form of programming language, including compiled and/or interpreted languages, and the computer program can be deployed in any form, including as a stand-alone program or as a subroutine, element, and/or other unit suitable for use in a computing environment. A computer program can be deployed to be executed on one computer or on multiple computers at one site.
Method steps can be performed by one or more programmable processors executing a computer program to perform functions of the invention by operating on input data and generating output. Method steps can also be performed by, and an apparatus can be implemented as, special purpose logic circuitry. The circuitry can, for example, be a FPGA (field programmable gate array) and/or an ASIC (application-specific integrated circuit). Modules, subroutines, and software agents can refer to portions of the computer program, the processor, the special circuitry, software, and/or hardware that implements that functionality.
Processors suitable for the execution of a computer program include, by way of example, both general and special purpose microprocessors, and any one or more processors of any kind of digital computer. Generally, a processor receives instructions and data from a read-only memory or a random access memory or both. The essential elements of a computer are a processor for executing instructions and one or more memory devices for storing instructions and data. Generally, a computer can include, or can be operatively coupled to receive data from and/or transfer data to, one or more mass storage devices for storing data (e.g., magnetic, magneto-optical disks, or optical disks).
Data transmission and instructions can also occur over a communications network. Information carriers suitable for embodying computer program instructions and data include all forms of non-volatile memory, including by way of example semiconductor memory devices. The information carriers can, for example, be EPROM, EEPROM, flash memory devices, magnetic disks, internal hard disks, removable disks, magneto-optical disks, CD-ROM, and/or DVD-ROM disks. The processor and the memory can be supplemented by, and/or incorporated in special purpose logic circuitry.
The components of the system can be interconnected by any form or medium of digital data communication (e.g., a communication network). Examples of communication networks include a LAN, WAN, the Internet, wired networks, and/or wireless networks.
The networks can be, for example, a wireless network and/or a wired network. The networks can be, for example, a packet-based network and/or a circuit-based network. Packet-based networks can include, for example, the Internet, a carrier internet protocol (IP) network (e.g., LAN, WAN, campus area network (CAN), MAN, home area network (HAN)), a private IP network, an IP private branch exchange (IPBX), a wireless network (e.g., radio access network (RAN), 802.11 network, 802.16 network, general packet radio service (GPRS) network, HiperLAN), and/or other packet-based networks. Circuit-based networks can include, for example, the public switched telephone network (PSTN), a private branch exchange (PBX), a wireless network (e.g., RAN, bluetooth, code-division multiple access (CDMA) network, time division multiple access (TDMA) network, global system for mobile communications (GSM) network), and/or other circuit-based networks.
The computing device can include, for example, a computer, a computer with a browser device, a telephone, an IP phone, a mobile computing device (e.g., cellular phone, personal digital assistant (PDA) device, laptop computer, electronic mail device), and/or other communication devices. The browser device includes, for example, a computer (e.g., desktop computer, laptop computer) with a world wide web browser (e.g., Microsoft® Internet Explorer® available from Microsoft Corporation, Mozilla® Firefox available from Mozilla Corporation). The mobile computing device includes, for example, a Blackberry®.
Comprise, include, and/or plural forms of each are open ended and include the listed parts and can include additional parts that are not listed. And/or is open ended and includes one or more of the listed parts and combinations of the listed parts.
One skilled in the art will realize the invention may be embodied in other specific forms without departing from the spirit or essential characteristics thereof. The foregoing embodiments are therefore to be considered in all respects illustrative rather than limiting of the invention described herein. Scope of the invention is thus indicated by the appended claims, rather than by the foregoing description, and all changes that come within the meaning and range of equivalency of the claims are therefore intended to be embraced therein.