The present invention relates to the field of communication and more specifically to facilitating communication between nodes within a private IP network, and between nodes on a private IP network 120 and nodes on an external IP network 125.
Referring to
In addition to exchanging information packets associated with stored data, IP networks also exchange IP packets that carry real-time communication messages such as packetized voice (VoIP), packetized video, or instant messages. The messages are transmitted amongst IP devices on the private network 120 as well as between devices on the private network 120 and IP devices on external networks 125. The IP devices that are used for IP communications can be traditional desktop computers or laptops, or they can be devices such as IP phones or IP video terminals that are specifically design to provide IP communications services. Any such IP device attached to a network, either via a physical or a wireless connection, for purposes of sending or receiving communications services, shall hereinafter be referred to as a communication node (CN 105).
In addition to communication nodes that provide communications for single end-users, there are communication nodes that provide services for multiple users (herein referred to as “communications servers”). These communication servers provide traditional services (e.g. email, VoIP, instant messaging) as well as access to stored media (e.g. voicemail, video mail) or broadcast media (e.g. Internet radio, Internet video). Communication servers that serve multiple users could be, but are not limited to: call servers (e.g. IP-PBXs 190); conferencing bridges; interactive voice response systems (IVRs); or video mail servers.
The private network 120 must therefore provide interconnection amongst authorized users operating nodes or servers on the private network 120 as well as connecting nodes and services on the private network 120 to nodes and services on external networks 125.
Many homes and small office networks are connected to the Internet through DSL or cable modem connections. When a computer or communications device first attaches to the network, either through a direct wired connection or through a wireless connection, it must register with the private network 120 to obtain an internal IP address. Registration may require the presentation of a password or data that authenticates the device's identity and establishes that the device is authorized to attach to the private network 120. Once authenticated for network access, the device obtains an internal IP address. The IP address may be assigned permanently or it may be assigned dynamically by a DHCP server. The device may need to re-register whenever the device is rebooted, a network software application re-started, or the device is re-attached to the network.
To address IP assignment and Internet connection sharing, such networks often use a router 110 (or firewall 115) with network address translation (NAT) enabled. Though these NAT'ed routers 110 enable many devices, such as desktop computers, laptops, and IP phones to share a single external IP address, from the perspective of a device on the external network 125 the router 110 is the only device on the internal network. This causes interoperability problems when an external device wants to connect to an internal device. Firewalls 115 and other network devices intended to protect the private network 120 from unauthorized entry also present interoperability problems. Though these firewalls 115 and NAT devices are useful in protecting the internal network from intrusions, they also may block desired communications between an external node and an internal node.
For all of these communication nodes and services to function properly there must be interoperability between nodes on the private network, nodes on other private networks 120, and nodes on external networks 125 operated by the third-party service providers. Interoperability between nodes, however, is not assured. All of these IP communications rely on various standards, such as H.323 and SIP, which specify in detail the sequence of communication signals and the exact grammar and syntax that are needed to register nodes for communication services. The standards define how to establish, modify and terminate connections between one communication node 105 and another, or among several communication nodes. Examples of these standards, specifically pertaining to VoIP, include: the H.323 standard developed by the International Telecommunication Union (ITU), Session Initiation Protocol developed by the Internet Engineering Task Force (IETF), and the Media Gateway Control Protocol (MGCP) standard according to IETF RFC 2705.
While these standards are intended to ensure interoperability between communication nodes 105, the reality is that the standards continue to evolve and introduce changes and new methods. Additionally, the standards are not always sufficiently precise in defining syntax or fields, and frequently allow for alternative implementations. Software developers sometimes must even implement proprietary extensions or variants of the protocol to meet customer or vendor requirements. Therefore, IP devices on private networks 120 may use different protocols, or variations of a common protocol, when attempting to communicate amongst themselves and with external networks 125. These issues are addressed by the present invention.
The present invention, a signaling mediation agent (SMA) 130, facilitates communication among communication nodes 105 by ensuring that signaling messages transmitted by the SMA 130 have been modified so that they conform to the protocol variants used by the destination communication node.
The SMA 130 also facilitates communication by ensuring that communication nodes 105 on a private network 120 are authenticated and authorized to receive various communication services, even if the communication nodes on the various networks use different communication protocols or variants of the same protocol.
An objective of the present invention is to provide a method for communication nodes 105 to communicate with each other, even if they use different standard or if they use different variants of the same standard.
Another objective of the present invention is to enable communication nodes 105 that can attach and re-attach to the private network 120 at different physical locations to register and authenticate themselves to both the private network 120 and external networks 125 in order to access communications services available on either the private or external networks 125. This ensures that unauthorized nodes cannot attach to the private network 120 or receive communications from either the private network 120 or external networks 125. Successful registration also assures that other nodes seeking to communicate with the first node are able to locate the first node because the first node has registered its address and other information with both the private network 120 and the external networks 125.
Another objective of the present invention is to enable devices attached to a private network 120 to communicate with devices attached to external networks 125 and to access communications services available on either the private network 120 or an external network 125. One aspect of this enabling includes mediating communications through firewall and network address translation (NAT) devices 115 that may be present between the internal network 120 and external networks 125.
The SMA 130 facilitates communication between nodes on a network and services those nodes may request. Generally, the SMA 130 comprises: a means for receiving communications and signaling messages 135, a Message Processor 140, a User Database 145, a Services Database 150, a Communication Node Database 155, a Protocol Database 160, a Protocol Mediation Processor 165, and a means for transmitting communications and signaling messages 170, each described in greater detail below.
1. Components
In some embodiments the SMA 130 is an application running on a single computer. In other embodiments, the SMA 130 is a plurality of applications that may run on one or more computers. These computer or computers may include dedicated systems or devices such as a call server, an IP-PBX 190, a network switch, a network router 110, a signaling proxy, a gatekeeper, or a server running various applications. Examples of such applications include, but are not limited to: an application that manages authentication of communication nodes, an application that manages registration of communication nodes for a particular service, or an application that assists in firewall/NAT traversal. In some embodiments, the SMA 130 is attached to the private network 120. In other embodiments, the SMA 130 is located on an external network 125.
The Message Processor 140 examines signals received by the SMA 130, checks authentication, node information, and allowable service information in the appropriate databases and passes the message onto the Protocol Mediation Processor 165. The Protocol Mediation Processor (PMP) 165 then applies any necessary modifications to the signal and sends the signal to the transmitting port for transmission. In addition, the PMP 165 may provide all the additional standard functionality of a signaling agent, such as an H.323 gatekeeper, a signaling routed gatekeeper, a SIP proxy or a SIP back-to-back user agent, as specified by the reference standard. The PMP 165 modifies signaling messages as specified by the signaling standard, but it also generates responses to signaling messages as specified by the signaling standard. In some embodiments, the standard signaling functions are provided by an external signaling agent, in other embodiments these functions are incorporated in the SMA 130.
Several databases are needed to support the SMA 130 as it processes registration requests and other signaling messages for communications. In some embodiments, these databases are separate databases. In other embodiments, the databases are contained within a single database comprising all the databases. The databases may reside on the SMA 130 itself or reside on separate computers. The database may also be stored in local memory on the SMA 130. In one embodiment there are four databases: the User Database 145, the Services Database 150, the CN Database 155, and the Protocol Database 160.
The User Database 145 contains a list of authorized users of communications services on the private network 120. In one embodiment, the User Database 145 has entries which may include: a username; a password; authentication data; a device type (e.g. an indication is the device is fixed or mobile); URIs; private telephone numbers; wireline public telephone numbers; cellular telephone numbers; private IP address or port numbers for signaling; device Ethernet address; device ID; or software ID. Additionally, fields may be added or removed as needed. One skilled in the art understands that this list of fields is not limited to having a one-to-one relationship with each other and that there are multiple possible schemas relating the entries.
For each communication node registered to the private network 120, the Services Database 150 contains a list of communications services which that node is authorized to use. In some embodiments, nodes are identified by the username and IP addresses registered to that node, or by only the username, or by only the IP address, or by some other identification system or alias specified by the network administrator 175. Node identification could also be based on the IP address or a combination of the IP address and the port number used for signaling.
The Communication Node Database 155 has a table listing the communication nodes that have been successfully registered to the private network 120. Each communication node has an entry in the table, containing information that identifies the communication node and the protocol variants it uses. CN 105 identification may include: a node alias, a unique device ID (such as a MAC address), an IP address, or a combination of IP address and port number for receiving signaling messages. For each CN 105 there is a field that identifies the protocol and protocol variant used by that node, e.g. Vendor A, Sip 2.0, Release 3.2(2). In some embodiments, the entries identifying the CN 105 can be made automatically by a feed from the User Database 145 once the CN 105 is registered. External services or communication nodes may be identified by a domain name or by specific IP address, set of addresses, or by a set of IP address masks that are used to access external services or communication nodes.
For each major protocol listed in the Communication Node Database (e.g. SIP 2.0) the Protocol Database 160 lists one or more particular implementation as the protocol reference specifications (PRS). The PRS is a set of mediation rules that instruct the PMP 165 how to construct a message so that it conforms to the structure of a specific protocol or variant. The PRS also may instruct the PMP 165 of a particular sequence of messages or message responses required for a particular protocol or variant. In a preferred embodiment there is only one PRS for each base protocol, but in some cases it is desirable to have more than one PRS.
It is expected that even with one protocol standard such as SIP, there are several variants of the standard including extensions both approved or unapproved by the standardizing body. Variations from the protocol reference specification (PRS) are identified based on the name of the vendor or software developer responsible for that implementation of the standard and by the release number of the software, or by a software alias. Variants of the PRS are recorded in the Protocol Database 160 based according to the vendor or developer of the communication node, the base signaling protocol and the version number of the software (e.g. Vendor A, SIP 2.0, 3.1(4)). The Protocol Database 160 contains a detailed specification of variations to the base protocol according to signaling method, field, syntax, punctuation, addressing format, grammar or any other specification that records how the variant in question differs from the PRS.
In one embodiment, protocol variants are identified by a protocol alias. In one embodiment, the network uses port numbers for signaling based on the protocol variant used by a node for communication. In this scenario, one such protocol alias is the TCP or UDP port number the communication nodes use for signaling.
Once a protocol and its specified variations from the PRS are recorded in the Protocol Database 160, and the Protocol Mediation Processor 165 verifies it is able to construct conforming signaling messages based on data in the Protocol Database 160, that protocol and its variations are described as certified. Certified protocols and their variants are authorized for use among nodes on the private network 120 or for communication between nodes on the private network 120 and nodes on external networks 125 or nodes on other private networks.
It is understood that the number of protocol variations authorized at any one moment in time can vary from time to time, and could be zero. The administrator 175 of the Protocol Database 160 has the authority to accept or reject variations to the PRS using the Protocol Certifier 180. The existence of a Protocol Database 160 enables the administrator 175 to either allow or deny authorization for the use of additional protocol variations at other moments in time.
To simplify the mediation of signaling it is useful for each type of signaling message (referred to as a signaling “method”) for each protocol variant to be separately certified as to whether that method as implemented conforms to the PRS. So for example in the case of the base protocol SIP 2.0, there are a number of methods and method extensions that have been standardized such as INVITE, ACK, BYE, REGISTER and others. For each protocol variant it is likely that many of the methods implemented by the variants are identical to the PRS and such messages do not require mediation.
Example 1: The SMA 130 uses different port addresses for receiving signaling messages requiring different types of remediation. For example, port 5060 is used by communication nodes using software requiring no remediation at all (i.e. in conformance with the SIP PRS of the SMA). Port 5070 is used by communication nodes requiring remediation only for REGISTER messages. Port 5071 is used by communication nodes requiring remediation for INVITE messages. Port 5080 is used by communication modes requiring remediation for both REGISTER and INVITE messages. All communication nodes upon being introduced to the network are configured by the end-user or the network administrator 175 or some automated means with the IP address of the SMA 130 and the correct port number that would ensure that messages sent to the SMA 130 received the desired remediation.
In one embodiment of the invention, the SMA 130 has a means for retrieving the protocol information from the CN 105 itself and then populating the CN Database 155. In another embodiment, the CN Database 155 is accessed using an administrative tool having a drop-down menu listing the certified protocol variants that have been approved for use. A method is available for selection of the correct protocol variant from an approved list of variants in order to populate the field in the CN Database 155.
In one embodiment, the Protocol Mediation Processor 165 then constructs the signaling messages to be transmitted to the destination communication node. It begins by querying the Protocol Database 160 regarding the incoming message structure and the structure required by the outgoing message. To reduce the number of queries that the PMP 165 makes to the Protocol Database 160, it is useful to develop a look-up table in local memory for quickly determining which signaling messages need remediation. An example of a look-up table is: for a particular protocol variant identified as SIP 2.0 5.3.1 (meaning base protocol is SIP 2.0, vendor #5, release 3.1 by that vendor), the notation “SIP 2.0 5.3.1: REGISTER, REFER” indicates that for that protocol, only REGISTER and REFER messages require remediation, and all other messages do not require remediation. The Protocol Database 160 has a detailed record of the specification for each protocol variant that has been certified for use on the private network 120. The specification is sufficiently complete that the PMP 165 can query the Protocol Database 160 for all information it needs to construct outgoing messages in conformance with the protocol variant. In another embodiment, the look-up table entries are based on the source address (IP address and/or port number) or destination address (IP address and/or port number) to determine which signaling messages require remediation. The PMP may also construct responses to messages as specified by the reference protocol.
In some embodiments that require high speed processing, there is a local cache of the rules for mediating certified protocol variants in the PMP 165. In this implementation the rules for constructing outgoing messages are stored locally in high-speed memory so that messages are constructed as rapidly as possible.
2. Node to Node Communication and Registration
It is one objective of this invention to enable different variations of the signaling protocol to interoperate with each other.
In some embodiments, the SMA 130 receives both registration messages and connect messages from communication nodes (CNs 105) connected to the private network 120. The SMA 130 uses the registration messages to register and authenticate the CNs 105 by querying the User Database 145. The SMA 130 then determines which internal or external communication services the CN 105 is authorized to use by querying the Services Database. The SMA 130 then queries the CN Database 155 to determine which communications protocol variant the CN 105 uses. The SMA 130 also determines if the CN's 105 signaling is interoperable with the signaling of the destination communication node. If the signaling is not interoperable, the SMA 130 instructs the PMP 165 to modify the signaling as required to ensure interoperability. The SMA 130 then forwards registration requests to other registration agents, for example other SMAs, on the private network 120 or registration agents on the external network 125. The registration agents then register the internal communication nodes for access to services under the control of those agents. For example, one external registration agent may support communications to or from a cellular telephone network. Such a registration agent would perform functions similar to or equivalent to those of a cellular networks Visiting Location Registrar (VLR). Other examples are a registration agent that supports services to or from a VoIP service providing connections to the wireline public telephone network or a registration agent that supports audio conferencing services. The SMA 130 may modify the language, format, and syntax of these registration requests as required for communication with the registration agents.
As the SMA 130 may be responsible for forwarding registration in behalf of multiple CNs 105, it is understood that registrations requests can be forwarded in batches wherein registrations for a number of CNs are updated periodically, or forwarded individually wherein a registration request is made in behalf of a single CN.
Once registered, a CN 105 is able to communicate with other CNs on the network and use services it is authenticated for. If the CN 105 was registered with registration agents on external networks 125, it has access to services those registration agents are responsible for as well.
The originating node, Communication Node 1 (CN1) uses TCP for all signaling messages. The destination node, Communication Node 2 (CN2), uses UDP.
The SMA 130 receives the message and authenticates CN1 for the service requested. The Message Processor then passes the message to the Protocol Mediation Processor 165. The PMP 165 then queries the CN Database 155 to determine which protocols CN1 and CN2 use. Because CN1 uses TCP and CN2 uses UDP, a conversion is required. The PMP 165 then looks up the TCP-to-UDP conversion rules in the Protocol Database 160 and converts the TCP message sent by CN1 to UDP. Then the PMP 165 forwards the message to the Transmitting Port, which send the message to CN2. When CN2 replies, the process occurs again, but the conversion goes from UDP to TCP.
The originating node (CN1) sends a signaling message to the SMA 130 using the SIP REFER method defined by RFC 3515. Some communications services, such as external communications services, may not allow the REFER method. Based on the destination IP address the Protocol Mediation Processor 165 queries the Protocol Database 160 and determines if the REFER method is allowed. If allowed, the PMP 165 constructs a modified signaling message in conformance to the specification provided by the Protocol Database 160 for the communication node being communicated to. If the REFER message is not allowed, the SMA 130 can take other actions such as, but not limited to: constructing a signaling message for CN1 using a SIP Response Code such as 5xx or 6xx indicating the signaling has not been completed. Additionally, the SMA 130 can send an IM to the client indicating that the REFER method is unacceptable to the receiving network. Or alternatively, the SMA 130 can redirect the call to an IVR that would play a voice message indicating “The requested call transfer is not allowed by the external network 125.”
RFC 3581 defines an extension to SIP for Symmetric Response Routing(SRR) that enables responses to SIP requests to successfully pass through NAT devices. Some communication nodes may support SRR extensions and other may not. If one of the nodes involved in the communications is external to the private network 120 and on the other side of a NAT device, the Protocol Mediation Processor 165 must determine by a query to the Protocol Database 160 whether the originating node (CN1) and terminating node (CN2) are using SRR or not. If they are both using SRR, no mediation is required. If the external node uses SRR and the internal node does not, the PMP 165 makes the required changes to the signaling message.
In one embodiment, the SMA 130 also determines which protocol or variant is being used by a source CN 105 by listening on a specific port or IP address for messages.
An example of using signaling addresses to identify protocol variants is: a node using SIP 2.0 base protocol in complete conformance with the PRS of the SMA 130 may use port number 5060 for sending and receiving signaling messages. Nodes using variant number N of SIP would use port 5060+N to send and receive signaling messages where N=1, 2, etc.
In another example, the IP address alone is used. Nodes using the base protocol are assigned IP addresses 192.168.1.xyz where “xyz” being a number between 1 and 255. Nodes using protocol variants, identified by a number “abc” where “abc” is a number between 1 and 255) would be assigned an IP address: 192.168.abc.xyz.
In this case, the SMA 130 uses only one physical port for all communications, the four TCP ports shown are virtual ports all associated with the same physical port and IP address 192.168.0.2.
In one embodiment, for a CN 105 to register with a services registration agent such as a SMA 130, the following steps occur. It is understood that this is a series of steps for a particular embodiment and other embodiments may rearrange the order or require fewer steps or additional steps while still operating within the spirit and scope of the present invention:
The PMP 165 forwards the messaging packet to the SMA's transmitter and then into the private network 120 for transmission to the destination IP address.
Nodes that are registered and authenticated on the private network 120 are allowed access to certain communications services. In one embodiment, a node is authenticated only for services provided by communication nodes on the private network 120. Such “local services” include, but are not limited to, instant messaging, VoIP communications between nodes, video communications between nodes, access to an IP-PBX 190 or a PBX, or a voice messaging service, or a conferencing bridge attached to the private network 120. A node may also be authenticated for external services, such as: a cellular service provider's services; a wireline service provider's VoIP services; access to enhanced services such as an external conferencing or messaging service, or an external PBX service.
3. Node Access to Services
Once the device has obtained an IP address, any CN 105 hosted on the device registers for communications services. In the present invention, the CN 105 registers for these services by communicating with an SMA 130 which assists the CN 105 with registration for communications services and with communications with other CNs on the private network 120 or other CNs on an external network 125.
Several examples are given below:
Example 1: Services are divided into two classes, local service provides by nodes attached to the private network 120, and external services provided by communication nodes attached to external networks 125.
Ace Cellular: able to send and receive messages from the Ace Cellular network delivered to the communication node over an external network 125 connected to the private IP network.
Acme Conferencing: authorized to connect to an Acme conferencing service over an external network 125 connected to the private IP network.
In one embodiment, each communication nodes listed in the database would have an “L”, an “E”, an “LE” or a null “0” entry indicating respectively whether the node was authorized to receive local, external, both local and external, or no services.
In a second example, all registered devices may be authorized to use all communications services available on the private network 120, but only specific list of communication nodes can access services external to the private network 120. That is each communication node listed would have either an “E” or a null “0” entry
In a third example, services available to a communication node would be designated by the domain name or IP address or both of the communication server responsible for that service and the TCP port number which must be used to send signaling messages to that server:
After a communications device has obtained an IP address, each communication node hosted by that device registers for specific communications services. The CN 105 can accomplish this registration by sending a registration request, as specified by a communications protocol such as H.323 or SIP or by some variant of these protocols or by a proprietary registration protocol, to the SMA 130. The SMA 130 queries a User Database 145 to verify that the password or authentication data presented for that username is valid. Authentication may require exchange of additional messages and information between the CN 105 and the registration agent as required by the authentication protocol. Once the registration request has been authenticated, the SMA 130 enters the CN's IP address or IP address and port number for signaling, and other information concerning the newly registered communication node in the database of active and authenticated users on the private network 120. This database is the User Database.
To complete the registration process, the SMA 130 must determine which services the CN 105 is authorized to use and ensure that the CN 105 is registered for such additional services. In some cases no additional registrations may be required. In yet other cases successful authentication may automatically convey authorization for one, several or all communications services.
After the communication node has been registered and authenticated on the private network 120 and has had its private IP address and other information recorded in the User Database, the Message Processor 140 queries the Services Database 150 to determine which local and which external services the communication node is authorized to use. For each such communications service, the Services Database 150 contains data for the IP address and the port address to which registration and other signaling messages should be sent.
Based on the results of that query, the SMA 130 then sends registration requests to other SMAs 130 or registration agents attached to the private network 120 or to external networks 125. These registration requests are built by the Protocol Mediation Processor 165 to ensure that they are constructed using the correct protocol format required by each registration agent and that the fields in the registration message are populated with the correct user information.
These other SMAs 130 or registration agents control access to either internal or external communication services. These other agents receive the registration request, password or authentication data, or other address or identity information, compare such information against a database of communication nodes which are authorized to use said communication services, and determine if the communication node (CN) requesting registration is authorized to receive a set of communications services. If the requested registration can be verified and authenticated, the external registration agent signals back to the SMA 130 that registration has been successfully accomplished.
If the other SMA 130 or registration agent is controlling access to an internal service, the network administrator 175 may choose to forgo the need for a second registration for a particular internal service. Alternatively, certain communication nodes, such as IP-PBXs 190 may require a direct registration for access to that node regardless as to whether they reside on the same private network 120 or not.
Signaling for Registration to Receive Communication Services
Those skilled in the art will recognize that there may be additional intermediate steps in this process requiring acknowledgments or exchange of additional information between the various nodes and or databases. The figure shows only one simplified version of such a sequence of signaling messages.
Signaling for Communication Services
Summary of Steps for Connection Request by a Node on the Internal or External Network 125 for one embodiment
In one embodiment, the SMA 130 sends communication signals from the private network 120 to an external signaling agent. These transmissions provide information to the external agent that facilitates transmission of signaling across a firewall or NAT system that may exist between the private network 120 and the second CN.
Many private networks 120 use private IP addresses as defined by RFC 1918 and use a Network Address Translation (NAT) device 115 to translate between private IP addresses and port numbers used on the private network 120 and other IP addresses and port numbers used on an external network 125. In this discussion the term NAT will be used to refer to both basic NAT (IP address translation) and NAPT (IP address and port translation).
NAT creates several problems for communications between a node on the internal network and a node on the external network 125:
For example, in the SIP protocol (RFC 3261) incorrect private address information would appear in the Via header, the Contact header, and the media addresses given in the SDP message.
To overcome these issues various standards are being developed such as:
The Session Initiation Protocol (SIP) operates over UDP and TCP, among others. When used with UDP, responses to requests are returned to the source address the request came from, and to the port written into the topmost Via header field value of the request. This behavior is not desirable in many cases, most notably, when the client is behind a Network Address Translator (NAT) 185. This extension defines a new parameter for the Via header field, called “rport”, that allows a client to request that the server send the response back to the source IP address and port from which the request originated.
The Internet Engineering Task Force is developing a new protocol called the MIDCOM Protocol whose architecture is described in RFC 3303. This protocol will allow an agent, such as a SMA, to control a middlebox such as a NAT 185 or Firewall. Such a protocol would enable the SMA 130 to facilitate the passage of signaling messages and media streams through NAT and firewall devices.
In addition to these methods for facilitating the traversal of NATs there may be other proprietary methods or other future standards not yet developed. The problem is that different communications nodes on a private network 120 may support different methods or no methods. One objective of the present invention is to enable the Signaling Mediation Agent to manage firewall and NAT traversal on behalf of the communication nodes on the private network 120.
Signaling Addresses
In the present invention, the SMA 130 acts on behalf of internal communication nodes to insure that signaling messages are able to pass through the NAT and firewall. The SMA 130 uses either one of the known methods such as, but not limited to, UPNP or STUN to learn the external IP address and port number that the NAT and Firewall devices 185 will present to the external network 125 for receiving signaling messages from an external node.
In one embodiment for example, the SMA 130 uses internal address 192.168.0.2: 5090 to receive signaling messages from external communication nodes. The NAT device 185 translates this to an external address 4.5.6.7:8662. As described above, the SMA 130 learns this mapping and ensures that any outgoing signaling messages provide the external address 4.5.6.7:8662 in the address fields specifying the return signaling address that an external node must use to signal to an internal node.
As the SMA 130 may use different IP address or different port numbers or both for signaling based on different protocols or different protocol variants which are used by internal nodes or by external nodes, the SMA 130 must discover the external IP address and port number for each of the signaling addresses it employs for communicating to nodes on the external network 125. While these addresses could be automatically discovered using a standard such as STUN or UPnP, they could also be directly controlled and configured by the network administrator 175.
In one embodiment of this invention, the SMA 130 learns the external IP address(s) and port number(s) an external node should use to communicate with the SMA 130 acting on behalf of an internal node. The SMA 130 learns these addresses and enters these addresses in the connect messages on behalf of the internal node. The SMA 130 may also enter these addresses in a database.
For example, to communicate with the SMA 130 each external service may use a specified external address and port number as the destination address for reaching the private network 120 in order to initiate communications with nodes on the private network 120. This external address is entered into the Services Database. In addition, this external address would be provided in any registration message sent to an external registration agent acting on behalf of a communications service.
As an example if there are two external services, Service A and Service B, address 4.5.6.7:8662 may be used as the signaling address provided to Service A and 4.5.6.7: 8884 may be used as the signaling address provided to Service B. The NAT device 185 will map these addresses as follows:
For outgoing signaling message to Service A, the SMA 130 will insure that return signaling is provided according to the Table and that the signaling protocol variant used to construct the signaling message is built using the protocol variant required by Service A, as determined by the SMA 130 by querying the Communications Node Database.
If the base protocol is SIP 2.0, then these signaling addresses also get entered in the Via header, the contact header field, and the SDP message connection field. The SMA 130 would make these modification acting in behalf of communications nodes on the private network 120.
Media Addresses
To provide the correct signaling address for the external node to use in sending signaling messages to the private network 120, it is necessary to provide a correct address that an external node must use for sending the RTP media defined by the Real-Time Transport Protocol, RFC 1889 to an internal communication node.
In one embodiment of this invention, the SMA 130 will act on behalf of the internal communications node to open a “pinhole” in the NAT/Firewall that enables traversal of the RTP media. “Pinhole” refers to the fact that a single port is opened in the firewall of limited temporal duration for the purpose of allowing RTP media to pass through the firewall for the desired communication service and remains open for the duration of that communication session. When the SMA 130 receives a connection request message either from an internal node or from an external node, the SMA 130 will signal the NAT/Firewall 185 device to open a pinhole for the purpose of allowing RTP media to pass through the NAT/Firewall 185 for said communication. The NAT/FW 185 will bind an external IP address/port number combination to the internal node's IP address and translated port number. The SMA 130 will determine and record the internal and external address information for each session, and enter this address information in any signaling messages that require address information for either incoming or outgoing RTP media.
Alternatively, if no direct signaling means exist for the SMA 130 to open a pinhole in the firewall, the SMA 130 can open a pinhole in the NAT and Firewall by sending “spoofed” UDP packet to an external node that has been established to facilitate the creation of pinholes. The spoofed packet uses the internal IP address of the internal communications node and the media port provided by the internal client in its connection message as the source address, rather than the SMA's 130 own IP address as the source address. The spoofed packet uses as the destination address the IP address of the external communications node. The spoofed packet serves to open a pinhole in the Firewall and establish a mapping between an internal address and an external address.
The SMA 130 queries the NAT device 185 to determine the mapping between the internal address (IP and port number) and the external address (IP and port number). Or alternatively the external node will communicate the external IP address back to the SMA 130.
In the case of SIP, the external address of the pinhole to be used for a communications will be entered by the SMA 130 into the SDP message of the outgoing signaling message participating in the establishment of that communications session.
Summary of Steps for Connection Request to a Node on an External Network 125 if there is a NAT on the path:
The SMA 130 connects to a database that contains all the required information. Included in the database would be a Table listing the node name, the node's IP address and the protocol variant used by that node.
The database contains all information that is needed to authenticate the identity of each node for authorization including username and password.
The database contains a table identifying which services each node is authorized to use. In this example only CN1 and CN2 are authorized to have PSTN access.
The database contains all information the SMA 130 needs to be able to convert among the three protocols it supports. In this example, SMA also performs the standard signaling functions of both a SIP proxy and an H.323 signaling routed gatekeeper.