CN101222454B - Method for refusing illegal service stream - Google Patents
Publication number: CN101222454B (application CN200810005233A)
Authority: CN (China)
Prior art keywords: media, check code, network side, packet, session
Legal status: Expired - Fee Related (status as listed by Google Patents, not a legal conclusion)
Abstract
The invention discloses a method for rejecting an illegal service flow. When user equipment accesses a call session control network through Network Address Translation (NAT) equipment, the network side allocates a check code for the media service during session negotiation and stores it in the media gateway; the media gateway sends the check code, together with the access-network-side media address allocated for the user equipment, to the user equipment. After the session is established, the user equipment sends its media packets to the received access-network-side media address with the check code carried in each packet. The media gateway verifies the check code of every media packet it receives: if verification succeeds it performs media port learning, otherwise it discards the packet. The method solves the prior-art problem that port learning on the access-network side of the media gateway can fail, so that media packets cannot be delivered to the real user.
Description
Technical Field
The invention relates to a method for rejecting illegal service flows when a user behind NAT (Network Address Translation) equipment accesses a call session control network to conduct a multimedia session.
Background
NAT was originally introduced to relieve the shortage of IPv4 (Internet Protocol version 4) addresses. With its widespread deployment, many enterprises and users also expect NAT in residential networks to provide some security protection beyond address conservation: NAT hides internal addresses and the internal topology and so shields the internal network from the external network to a certain extent.
Conventional NAT only translates the addresses in the IP header and the port numbers in the TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) header. Protocols whose payload itself carries IP addresses or ports cannot be translated correctly, so protocols that carry voice and video over IP, such as SIP (Session Initiation Protocol), H.323 and H.248, have difficulty communicating with the public network through conventional NAT devices.
Taking a SIP-based session service as an example, the service is established as follows:
(1) session negotiation for the media service is first carried out through SIP signaling, which determines the source and destination IP addresses and ports, the QoS (Quality of Service) parameters and so on of the media service;
(2) a media channel is established according to the negotiated parameters;
(3) the media stream is sent and received over the media channel.
Behind a NAT, the address the user equipment writes into the session description during SIP negotiation is its private address and port, and conventional NAT equipment does not rewrite it; the peer user equipment therefore cannot send its media stream to that private address.
The TISPAN (Telecommunications and Internet converged Services and Protocols for Advanced Networking) standards body therefore proposed the RACS (Resource and Admission Control Subsystem) architecture to help terminals traverse NAT devices. The TISPAN RACS Release 1 architecture is shown in FIG. 1, where:
AF (Application Function): issues control requests for IP bearer resources; in the IMS (IP Multimedia Subsystem), for example, the AF includes the P-CSCF (Proxy Call Session Control Function) and the I-BCF (Interconnection Border Control Function).
RACS consists of two entities: the SPDF (Service-based Policy Decision Function) and the A-RACF (Access-Resource and Admission Control Function).
The SPDF presents a uniform interface to the application layer, hides the underlying network topology and the specific access type, and provides service-based policy control. It selects a local policy according to the AF's request, maps the request into IP QoS parameters, and sends them to the A-RACF and the BGF (Border Gateway Function) to request the corresponding resources.
The A-RACF sits in the access network and performs admission control and network policy aggregation. It receives requests from the SPDF and accepts or rejects them according to stored policy.
In the transport layer, the BGF is a packet-to-packet gateway that may sit between an access network and a core network (acting as the core border gateway function, C-BGF) or between two core networks (acting as the interconnection border gateway function, I-BGF). It is also a policy enforcement point that, under the control of the SPDF, performs NAT, gating, QoS marking, bandwidth limiting, usage measurement and resource synchronization.
The RCEF (Resource Control Enforcement Function) is the policy enforcement point of the A-RACF: it enforces the layer-2/layer-3 (L2/L3) media stream policies defined by the access operator and delivered by the A-RACF over the Re reference point, including gating, QoS marking and bandwidth limiting.
The flow by which RACS helps a UE (User Equipment) traverse a NAT device under this framework is shown in FIG. 2. In what follows, "termination" denotes the media endpoint (an H.248 termination) that the BGF allocates on one of its sides; the translation also calls it a "terminal". The steps are:
201, the user equipment sends a session request (INVITE) to the AF; the request carries session description parameters whose addresses are the private address and port of the user equipment;
The AF may be a proxy call session control function (P-CSCF) or an application server (AS).
202, the AF sends an authorization and authentication request to the SPDF according to the session description parameters carried in the session request;
203, the SPDF sends an ADD request to the core border gateway function, applying for a termination on the core network side for the called party; the ADD request carries an indication flag (a latching flag) that the UE may be behind a NAT device;
204, the core border gateway function returns a response to the SPDF carrying the information of the core-network-side termination allocated for the called party;
205, the SPDF sends an authorization and authentication response to the P-CSCF carrying the information of the core-network-side termination obtained from the core border gateway function;
206, the AF forwards the session request to the called user equipment, having rewritten the media address in the session description to the address of the core-network-side termination on the core border gateway function (so the called user equipment sends its media to that termination);
207, the AF receives a response to the session request, for example a 183 Session Progress response;
208, the AF sends an authorization and authentication request to the SPDF, applying for an access-network-side termination for the calling party;
The authorization and authentication requests of this step and of step 202 are both media control signaling used to request the allocation of media resources.
209, the SPDF sends a modification request to the core border gateway function; it carries a latching flag (instructing the core border gateway function to perform media learning) and applies for an access-network-side termination;
210, the core border gateway function returns a response to the SPDF carrying the information of the access-network-side termination;
211, the SPDF sends an authorization and authentication response to the P-CSCF carrying the information of the access-network-side termination;
212, the AF forwards the response to the user equipment, having rewritten the media address in the session description to the address of the access-network-side termination on the core border gateway function (so the calling user equipment sends its media to that termination);
213, the UE and the session peer continue the session signaling until the session is established;
214, the user equipment sends a media packet to the access-network-side termination of the core border gateway function; the packet is address-translated by the NAT device (located between the user equipment and the core border gateway function) and arrives at the core border gateway function.
The core border gateway function associates the access-network-side termination and the core-network-side termination allocated in the above flow. If the access-network-side termination has the latching option, it learns the port from the first RTP/RTCP packet it receives: it sets its remote address (the peer of the access-network-side termination) to the source IP address and port of that packet, i.e. the address and port assigned by the NAT rather than the private ones in the session description. The packet is then handed to the associated core-network-side termination for delivery to the called user equipment. Subsequent media packets from the called user arrive at the core-network-side termination, are handed to the associated access-network-side termination, and are sent to the calling user equipment at the learned remote address, completing the NAT traversal of the media.
The problem with current implementations is that the latch is won by whichever packet arrives first. An attacker who continuously scans the access-network-side addresses and ports of the core border gateway function can make the port learning of step 214 fail, since the termination learns the scanner's source address, and the user's own media packets, when they arrive, are not delivered to the real user. A mechanism to reject this type of attack packet is therefore needed.
Disclosure of Invention
The technical problem solved by the invention is to provide a method for rejecting illegal service flows, so that when user equipment accesses an IMS network from behind NAT equipment and completes NAT traversal through equipment such as a media gateway, illegal service flows are rejected and the media learning process completes correctly.
To this end, the invention provides a method for rejecting an illegal service flow comprising the following steps:
when user equipment accesses a call session control network through Network Address Translation (NAT) equipment, during the session negotiation of a media service the network side allocates a check code for the media service and stores it in the media gateway, and the media gateway sends the check code and the access-network-side media address allocated for the user equipment to the user equipment;
after the session is established, the user equipment sends media packets carrying the check code to the received access-network-side media address; the media gateway verifies the check code of each received media packet and, if verification succeeds, learns the media port.
Further, during session negotiation the check code is allocated either by the media gateway control function (MGC), which sends it to both the user equipment (UE) and the media gateway (MG), or by the MG, which sends it to the user equipment.
Further, when the check code is allocated by the media gateway control function, the method comprises the following steps:
on receiving a session request from the UE, the MGC judges whether the UE is behind NAT equipment; if so, it allocates a check code for the media session and carries it in the media resource allocation request it sends to the MG;
on receiving the media resource allocation request, the MG allocates an access-network-side media address for the media session, records the correspondence between that address and the check code, and carries both in the media resource allocation response it sends to the MGC;
the MGC receives the media resource allocation response and sends a session response to the UE carrying the access-network-side media address and the check code;
the UE sends media packets to the media gateway at the received access-network-side media address; each packet is destined for that address and carries the check code;
on receiving a media packet from the UE, the MG looks up, in the recorded correspondence, the check code bound to the access-network-side media address the packet was sent to and compares it with the check code carried in the packet; if they match the MG learns the media port, otherwise it discards the packet.
Further, when the check code is allocated by the media gateway, the method comprises the following steps:
on receiving a session request from the UE, the MGC judges whether the UE is behind NAT equipment; if so, it carries an indication flag that the UE is behind NAT equipment in the media resource allocation request it sends to the MG;
on receiving the media resource allocation request, the MG, if it finds the indication flag in the request, allocates a check code and an access-network-side media address for the media session, records the correspondence between that address and the check code, and carries both in the media resource allocation response it sends to the MGC;
the MGC receives the media resource allocation response and sends a session response to the UE carrying the access-network-side media address and the check code;
the UE sends media packets to the media gateway at the received access-network-side media address; each packet is destined for that address and carries the check code;
on receiving a media packet from the UE, the MG looks up, in the recorded correspondence, the check code bound to the access-network-side media address the packet was sent to and compares it with the check code carried in the packet; if they match the MG learns the media port, otherwise it discards the packet.
Further, the MGC is a call session control function entity, a bearer control device, or a combination of both.
Further, the call session control network is a TISPAN system and the MGC comprises a proxy call session control function, a service-based policy decision function, or both.
Further, the call session control network is a TISPAN system and the MG is the core border gateway function.
Further, the user equipment carries the check code in every media packet it sends, and the media gateway verifies received media packets in one of the following ways:
the check code of every received media packet is verified; or,
only the check code of the first received media packet is verified; or,
the check code of received media packets is verified periodically.
Further, the check code is valid only for a limited period, and the media gateway verifies it only within that validity period.
Further, the media packet is an RTP packet or a UDP packet, and the check code is carried in the header extension of the RTP packet or in a corresponding extension of the UDP packet.
In this method the network side allocates the check code during session negotiation and stores it in both the media gateway and the user equipment. After the session is established, the media packets the user equipment sends to the media gateway carry the allocated check code; the media gateway verifies it on receipt, performs media port learning if verification succeeds, and discards the packet otherwise. This removes the prior-art problem that a failure of port learning on the access-network side of the media gateway prevents media packets from reaching the real user.
Drawings
FIG. 1 is the TISPAN RACS Release 1 architecture diagram;
FIG. 2 shows the prior-art flow in which a user accesses an IP session network from behind a NAT and performs a NAT traversal session;
FIG. 3 is the architecture of the invention for a user accessing an IP session network from behind a NAT for NAT traversal;
FIG. 4 shows the NAT traversal session flow of an embodiment of the invention in which the MG allocates the check code;
FIG. 5 shows the NAT traversal session flow of another embodiment of the invention in which the MGC allocates the check code;
FIG. 6 shows the NAT traversal session flow in which a bearer device allocates the check code;
FIG. 7 shows the NAT traversal session flow in which the session and bearer control devices allocate the check code.
Detailed Description
The system architecture in which user equipment accesses an IP session network from behind a NAT device and performs NAT traversal according to the invention is shown in FIG. 3, where:
the user equipment's address is translated by the NAT equipment;
the media gateway control function (MGC) controls the signaling flow, which comprises call signaling (e.g., session request and session response) and media control signaling (e.g., media resource allocation request and media resource allocation response); the MGC is not limited to a call session control entity and may also be a bearer control entity (e.g., the SPDF of FIG. 1);
the media gateway (MG) controls the media stream: it establishes a media channel according to the parameters negotiated by the signaling flow and sends and receives the media stream on that channel.
The technical solution of the present invention is described in detail below with reference to the accompanying drawings and specific embodiments.
Embodiment one: the MG allocates the check code
Referring to FIG. 4, the main steps of this embodiment are as follows; only the steps relevant to rejecting illegal service flows are described, the rest being as in the prior art.
401, the user equipment sends a session request carrying session description parameters to the media gateway control function;
402, the media gateway control function sends a media resource allocation request to the MG according to the session description parameters carried in the session request; if it judges that the user equipment is behind a NAT, the request carries an indication flag (such as a latching flag) that the UE may be behind a NAT device;
The request may be sent to the media gateway directly or through another control device.
403, on receiving the request, the media gateway decides from the presence of the indication flag whether a check code is required for the media session; if the flag is present the user equipment is behind a NAT device, and the media gateway allocates a check code for the media session;
the media gateway also allocates an access-network-side media address for the media session, binds the check code to that address and records the correspondence between them.
404, the media gateway sends a media resource allocation response to the media gateway control function carrying the allocated access-network-side media address and the corresponding check code;
The response may be sent to the media gateway control function directly or through another control device.
405, the media gateway control function sends a session response to the user equipment carrying the check code and the access-network-side media address allocated by the media gateway;
406, the remaining session signaling proceeds until the session is established; the user equipment then sends its RTP media stream to the received access-network-side media address, with the check code allocated by the media gateway carried in the RTP header;
407, on receiving the RTP stream, the media gateway decides from the recorded correspondence whether the check code in the stream is correct: it looks up the check code bound to the access-network-side media address the stream was sent to and compares it with the check code carried in the RTP header. If they match, the media gateway accepts the stream, learns the source IP address and source port of the received RTP packets, and sets the remote address of its access-network side to that address and port.
The media gateway forwards subsequent media according to the topology thus established.
In general every media packet the user equipment sends carries the check code, but the media gateway may verify it in different ways: verify only the first media packet, verify media packets periodically, or verify only during a validity period of fixed length starting when the check code is allocated (for example, taking the moment the media gateway returns the media resource allocation response as the reference point, the check code is valid only for some period thereafter).
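The allocation and binding of the check code in steps 401 to 405, together with the MGC-allocated variant described in the Disclosure section, as an added Python example; this is illustrative code written for this page, not code from the patent. The NAT test (the address in the UE's session description is private, or differs from the address its signaling arrived from), the use of a random 32-bit value as the check code, the 30-second validity window and all class and field names are assumptions of the example.

```python
"""Session-side set-up of the check code (constructed example, not the patent's code).

The MGC decides whether the UE is behind a NAT, the MG or the MGC allocates a
32-bit check code, and the MG binds it to the access-network-side media address
it hands out for the session (steps 401-405 / 501-505).
"""
import ipaddress
import secrets
import time


class MediaGateway:
    """MG: allocates access-network-side media addresses and stores the binding."""

    def __init__(self, access_ip="203.0.113.10", first_port=40000, code_ttl=30.0):
        self.access_ip = access_ip
        self.next_port = first_port
        self.code_ttl = code_ttl          # assumed validity window of a check code
        self.bindings = {}                # (ip, port) -> {"code": int|None, "expires": float}

    def allocate(self, latching, check_code=None, now=None):
        """Media resource allocation request -> response (steps 402-404).

        latching:   the MGC's indication that the UE may be behind a NAT.
        check_code: set when the MGC already allocated it (embodiment two);
                    None makes the MG allocate it (embodiment one).
        """
        now = time.time() if now is None else now
        addr = (self.access_ip, self.next_port)
        self.next_port += 2               # RTP on an even port, RTCP on the next odd one
        if not latching:
            check_code = None             # no NAT: no media learning, so no code
        elif check_code is None:
            check_code = secrets.randbits(32)
        self.bindings[addr] = {"code": check_code, "expires": now + self.code_ttl}
        return addr, check_code


# Assumed heuristic for "the MGC judges whether the UE is located behind NAT".
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def ue_behind_nat(sdp_addr, sip_src_addr):
    """True if the address the UE wrote into its session description is private
    or differs from the address its signaling actually arrived from."""
    ip = ipaddress.ip_address(sdp_addr)
    return any(ip in net for net in PRIVATE_RANGES) or sdp_addr != sip_src_addr


class MediaGatewayController:
    """MGC: call-side control; allocator="mg" or "mgc" selects the embodiment."""

    def __init__(self, mg, allocator="mg"):
        if allocator not in ("mg", "mgc"):
            raise ValueError("allocator must be 'mg' or 'mgc'")
        self.mg = mg
        self.allocator = allocator

    def handle_session_request(self, sdp_addr, sip_src_addr, now=None):
        """Session request in, session response (access-side address + code) out."""
        nat = ue_behind_nat(sdp_addr, sip_src_addr)
        code = secrets.randbits(32) if (nat and self.allocator == "mgc") else None
        addr, code = self.mg.allocate(latching=nat, check_code=code, now=now)
        return {"media_addr": addr, "check_code": code}
```

The check code has to be unguessable by a scanner, which is why it is drawn from `secrets` rather than a counter; anyone who can read the signaling (the session response carries it in the clear) can forge it, so the signaling path itself still needs its own protection.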
The embodiment is described in further detail below with reference to an application example.
The application flow of this embodiment under the TISPAN RACS framework is shown in FIG. 6. The core border gateway function allocates a check code on receiving the media resource allocation request and carries it in the media resource allocation response. On receiving the user equipment's first RTP/UDP packet it verifies the check code first: media port learning is performed only for a packet whose check code verifies, and a packet whose check code fails is discarded, so that media learning is not disturbed by illegal attack packets. The steps are as follows:
601, the user equipment sends a SIP INVITE request carrying session description parameters to the proxy call session control function;
602, the proxy call session control function sends an authorization and authentication request to the service policy decision function according to the session description parameters carried in the session request;
603, the service policy decision function sends an ADD request to the core border gateway function, applying for a core-network-side termination;
604, the core border gateway function returns a response to the service policy decision function carrying the information of the allocated core-network-side termination;
605, the service policy decision function sends an authorization and authentication response to the proxy call session control function carrying the information of the core-network-side termination obtained from the core border gateway function;
606, the proxy call session control function forwards the session request, having rewritten the media address in the session description to the address of the core-network-side termination on the core border gateway function;
607, the proxy call session control function receives the response to the session request;
608, the proxy call session control function sends an authorization and authentication request to the service policy decision function, applying for an access-network-side termination;
609, the service policy decision function sends a modification request to the core border gateway function; it carries a latching flag and applies for an access-network-side termination;
609A, the core border gateway function allocates a check code because the latching indication is present;
610, the core border gateway function returns a response to the service policy decision function carrying the information of the access-network-side termination and the check code it allocated;
611, the service policy decision function sends an authorization and authentication response to the proxy call session control function carrying the information of the access-network-side termination and the check code allocated by the core border gateway function;
612, the proxy call session control function forwards the response to the user equipment, having rewritten the media address in the session description so that the user equipment sends its media to the access-network-side termination of the core border gateway function, and passes on the check code obtained from the service policy decision function;
613, the remaining session signaling proceeds until the session is established;
614, the user equipment sends a media packet to the access-network-side termination of the core border gateway function with the check code carried in the RTP header of the packet; the packet is translated by the NAT and arrives at the core border gateway function. The extended RTP header may be laid out as follows:
 0                   1                   2                   3
 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|V=2|P|X|  CC   |M|     PT      |       sequence number         |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                           timestamp                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|           synchronization source (SSRC) identifier            |
+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+
|            contributing source (CSRC) identifiers             |
|                             ....                              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|      defined by profile       |           length              |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
|                          check code                           |
+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
In the fixed RTP header the X bit is set to 1 to indicate that a header extension follows. The extension format is defined in RFC 3550 section 5.3.1; here the extension data is a single 32-bit word carrying the check code, so the length field is 1.
614 (continued), if the access-network-side termination of the core border gateway function has the latching option, then on receiving an RTP/RTCP packet from the user equipment it first verifies the check code; if verification succeeds it learns the port and sets its remote address to the source IP address and port of the RTP/RTCP packet; if verification fails the packet is discarded.
Subsequent media from the called party can then be sent to the user equipment at the learned remote address, completing the NAT traversal of the media.
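The RTP header extension of step 614 and the check-before-latch behaviour of the access-network-side termination, as an added Python example; it is illustrative code written for this page, not the patent's or any vendor's implementation. The profile identifier 0x4343 in the "defined by profile" field, the three verification modes (all, first, periodic), the rule that nothing is latched once the validity window has passed, and the dropping of packets from any source other than the learned one are assumptions of the example. With check_code=None the terminal behaves like the prior-art latching of step 214, and scenario() runs the same scanner-first exchange against both versions so the difference is visible.

```python
"""RTP header extension carrying the check code, and the MG's check-before-latch.
Illustrative example written for this page, not the patent's code."""
import struct

# Value placed in the 16-bit "defined by profile" field of the RTP header
# extension (RFC 3550 section 5.3.1). Assumed for this example.
CHECK_CODE_PROFILE_ID = 0x4343


def build_rtp(seq, ts, ssrc, payload, pt=0, check_code=None):
    """Build an RTP v2 packet; with a check_code, set X=1 and append a
    one-word header extension holding the 32-bit code."""
    x = 1 if check_code is not None else 0
    header = struct.pack("!BBHII", (2 << 6) | (x << 4), pt & 0x7F,
                         seq & 0xFFFF, ts & 0xFFFFFFFF, ssrc & 0xFFFFFFFF)
    ext = b""
    if check_code is not None:
        # defined-by-profile (16 bits) | length in 32-bit words (16 bits) | data
        ext = struct.pack("!HHI", CHECK_CODE_PROFILE_ID, 1, check_code & 0xFFFFFFFF)
    return header + ext + payload


def parse_rtp(pkt):
    """Return (fields, check_code or None, payload); ValueError if malformed."""
    if len(pkt) < 12:
        raise ValueError("short RTP packet")
    b0, b1, seq, ts, ssrc = struct.unpack("!BBHII", pkt[:12])
    if b0 >> 6 != 2:
        raise ValueError("not RTP version 2")
    cc, x = b0 & 0x0F, (b0 >> 4) & 1
    off = 12 + 4 * cc                       # skip the CSRC list
    code = None
    if x:
        if len(pkt) < off + 4:
            raise ValueError("truncated extension header")
        profile, words = struct.unpack("!HH", pkt[off:off + 4])
        off += 4
        if len(pkt) < off + 4 * words:
            raise ValueError("truncated extension data")
        if profile == CHECK_CODE_PROFILE_ID and words >= 1:
            code = struct.unpack("!I", pkt[off:off + 4])[0]
        off += 4 * words
    return {"seq": seq, "ts": ts, "ssrc": ssrc, "pt": b1 & 0x7F}, code, pkt[off:]


class AccessSideTerminal:
    """Access-network-side termination of the MG with the latching option.
    check_code=None reproduces the prior-art terminal that latches onto the
    first packet from anywhere."""

    def __init__(self, check_code, expires, mode="first", period=50):
        self.check_code = check_code
        self.expires = expires      # end of the code's validity window
        self.mode = mode            # "all" | "first" | "periodic"
        self.period = period
        self.remote = None          # learned (ip, port) of the UE as seen past the NAT
        self.received = 0

    def _check_due(self):
        if self.mode == "all":
            return True
        if self.mode == "periodic":
            return self.received % self.period == 0
        return False                # "first": only the latching packet is checked

    def receive(self, src, pkt, now):
        """True if accepted (and latched if it is the first packet), else discarded."""
        try:
            _, code, _ = parse_rtp(pkt)
        except ValueError:
            return False
        in_window = now <= self.expires
        if self.remote is None:
            # Media port learning: the code is what authenticates the first packet,
            # so without a valid one (or after the window) nothing is latched.
            if self.check_code is not None and (not in_window or code != self.check_code):
                return False
            self.remote = src
        else:
            if src != self.remote:
                return False
            if (self.check_code is not None and in_window
                    and self._check_due() and code != self.check_code):
                return False
        self.received += 1
        return True


def scenario(check_code):
    """Constructed exchange: a scanner's packet reaches the terminal before the UE's."""
    term = AccessSideTerminal(check_code, expires=1030.0, mode="all")
    scan = build_rtp(1, 0, 0xDEADBEEF, b"\x00" * 20)                    # no extension
    real = build_rtp(1, 160, 0x11223344, b"\x00" * 20, check_code=0x5EC0DE42)
    out = {"scan_accepted": term.receive(("198.51.100.7", 30000), scan, 1001.0),
           "real_accepted": term.receive(("198.51.100.50", 61000), real, 1002.0)}
    out["latched_to"] = term.remote
    return out
```

`scenario(0x5EC0DE42)` drops the scanner's packet and latches to the real UE's NAT mapping; `scenario(None)` latches to the scanner and the real UE's media is then discarded as coming from the wrong source, which is the prior-art failure described in the Background. Refusing to latch after the window has expired is a deliberate choice here: verifying only "within the valid period" must not degrade into accepting an unauthenticated first packet once the period is over.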
Example two: in this embodiment, the MGC allocates the check code
Referring to fig. 5, the present embodiment mainly includes the following steps:
501, user equipment initiates a session request to a media gateway control function, wherein session description parameters are carried;
502, the media gateway control function judges whether the user equipment is behind NAT, if so, the check code is distributed;
503, the media gateway control function sends a media resource allocation request to the media gateway according to the session description parameters carried in the session request from the user, where the request carries the session description parameters and the corresponding check codes;
the request may be sent directly to the media gateway or may be sent to the media gateway via another control device.
504, after receiving the request, the media gateway allocates an access network side media address for the media session, establishes a corresponding relationship between the allocated access network side address and a check code, and sends a media resource allocation response message to the media gateway control function, wherein the response message carries the access network side media address and the check code;
the media resource allocation response message may be sent directly from the media gateway to the media gateway control function, or may be sent to the media gateway control function via another control device.
505, the media gateway control function sends a session response message to the user equipment, wherein the session response message carries a check code allocated by the media gateway control function and an access network side media address allocated by the media gateway;
506, subsequent session signaling continues to interact until the session is established.
The user equipment then sends a media RTP stream to the media gateway according to the received access network side media address, with the RTP header carrying the check code allocated by the media gateway control function.
507, after receiving the RTP stream, the media gateway judges whether the check code in the stream is the correct one. If the check code is correct, the media gateway accepts the RTP stream, learns the source IP address and source port of the received stream, and sets the remote address of its access network side to that IP address and port. The media gateway then forwards the subsequent media according to the established topological relation.
The media gateway control function in this embodiment is not limited to a session control device (e.g., a call session control function entity), and may also be a bearer control device (e.g., SPDF), or multiple implementation schemes such as P-CSCF plus SPDF.
The present embodiment is further described in detail with an application example under the TISPAN RACS architecture.
Referring to fig. 7, if during the session request it is determined that the user equipment is behind the NAT, the P-CSCF or SPDF allocates a check code and carries it in the authorization and authentication request. The core network boundary gateway function establishes the correspondence between the access network side terminal address and the check code. On receiving the first RTP/UDP packet from the user equipment it first checks the check code, performs media port learning for a packet that passes the check, and discards the packet if the check fails, so that media learning is not influenced by illegal attack packets. The process comprises the following steps:
701, the user equipment sends a SIP INVITE request to a proxy call session control function, carrying session description parameters;
701.A (optional), the service policy decision function allocates a check code on determining that the user equipment is behind the NAT;
702, the proxy call session control function sends an authorization and authentication request to the service policy decision function according to the session description parameters carried in the user's session request;
703, the service policy decision function sends an add request to the core network border gateway function, requesting allocation of a terminal on the core network side;
704, the core network boundary gateway function sends a response to the service policy decision function, wherein the response carries the terminal information of the core network side applied;
705, the service policy decision function sends an authorization and authentication response to the proxy call session control function, which carries the information of the terminal at the core network side applied from the core network border gateway function;
706, the proxy call session control function forwards the session request, and modifies the media address information in the session description parameter to the address of the core network side terminal on the core network boundary gateway function;
707, the proxy call session control function receives a response message to the session request.
707.B, if no check code was allocated in step 701.A, the proxy call session control function allocates a check code because the user equipment accesses through NAT;
708, the proxy call session control function sends an authorization and authentication request to the service policy decision function, requests to apply for a terminal accessing to the network side, and carries the check code in the authorization and authentication request;
709, the service policy decision function sends a modification request to a core network border gateway function, wherein the modification request carries a docking flag and a corresponding check code, and requests to apply for a terminal of an access network side;
710, the core network boundary gateway function sends a response to the service policy decision function, where the response carries the terminal information of the access network side and establishes a corresponding relationship between the access network side terminal and the check code;
711, the service policy decision function sends an authorization and authentication response to the proxy call session control function, which carries the terminal information of the access network side;
712, the proxy call session control function forwards a response message to the user equipment, modifies the media address parameter in the session description, notifies the user equipment to send media to the access network side terminal of the core network boundary gateway function, and carries the check code information allocated by the proxy call session control function to the user equipment;
713, the subsequent session signaling continues to interact until the session is established;
714, the user equipment sends a media packet to the access network side terminal of the core network boundary gateway function; the RTP header of the media packet carries the check code, and the packet reaches the core network boundary gateway function after NAT translation.
714.A, if the access network side terminal of the core network boundary gateway function has the latching option, then after receiving the RTP/RTCP packet it first checks the check code. If the check succeeds, it performs port learning, modifies the remote address to the source IP and port of the RTP/RTCP packet, and subsequently sends media from the called party to the user equipment through the learned remote address, thereby completing NAT traversal of the media; if the check fails, the RTP packet is discarded.
The RTP extension header format is described in step 614 in the above embodiment, and is not described herein again.
The present invention may be embodied in other specific forms without departing from the spirit or essential attributes thereof, and it should be understood that various changes and modifications can be effected therein by one skilled in the art without departing from the spirit and scope of the invention as defined in the appended claims.
Claims (10)
1. A method of rejecting illegal traffic flows, comprising the steps of:
when user equipment accesses a call session control network from Network Address Translation (NAT) equipment, in the session negotiation process of media services, network side equipment allocates a check code for the media services and stores the check code in a media gateway, and the media gateway sends the check code and an access network side media address allocated for the user equipment to the user equipment;
after the session is established, the user equipment sends a media packet to the media gateway according to the received media address of the access network side, the media packet carries the check code, the media gateway checks the check code after receiving the media packet, if the check is successful, the media port learning is carried out, otherwise, the media packet is discarded.
2. The method of claim 1, wherein in the session negotiation process either a media gateway control function MGC allocates the check code and sends it to the user equipment UE and to the media gateway MG, or the MG allocates the check code and sends it to the user equipment.
3. The method of claim 2, wherein when the check code is assigned by a media gateway control function, the method comprises the following steps:
when receiving a session request of UE, MGC judges whether the UE is located in NAT equipment, if yes, then allocates check code for the media session, and when sending a media resource allocation request to MG, the MGC carries the allocated check code;
after receiving the media resource allocation request, the MG allocates an access network side media address for the media session, establishes a corresponding relation between the access network side media address and the check code, and carries the access network side media address and the check code when sending a media resource allocation response to the MGC;
MGC receives the media resource allocation response, and sends a session response to UE, wherein the session response carries the media address of the access network side and the check code;
the UE sends a media packet to a media gateway according to the received media address of the access network side, and the media packet carries the media address of the access network side and the check code;
after receiving the media packet sent by the UE, the MG finds, from the corresponding relation, the check code that corresponds to the access network side media address of the media packet and compares it with the check code carried in the packet; if they are consistent, the MG learns the media port, otherwise the MG discards the media packet.
4. The method as claimed in claim 2, wherein when the check code is allocated by the media gateway, the method is divided into the following steps:
after receiving the session request of the UE, the MGC judges whether the UE is positioned at the NAT equipment, if so, the MGC carries an indication mark of the UE positioned at the NAT equipment when sending a media resource allocation request to the MG;
after the MG receives the media resource allocation request, if the request is found to carry the indication mark, a check code and an access network side media address are allocated for the media session, a corresponding relation between the access network side media address and the check code is established, and the access network side media address and the check code are carried in a media resource allocation response sent to the MGC;
MGC receives the media resource allocation response, sends a session response to UE, and carries the media address of the access network side and the check code in the session response;
the UE sends a media packet to a media gateway according to the received media address of the access network side, and the media packet carries the media address of the access network side and the check code;
after receiving the media packet sent by the UE, the MG finds, from the corresponding relation, the check code that corresponds to the access network side media address of the media packet and compares it with the check code carried in the packet; if they are consistent, the MG learns the media port, otherwise the MG discards the media packet.
5. The method of claim 2 or 3 or 4,
the MGC is a call session control function entity, or a bearer control device, or a combination of the two.
6. The method of claim 5,
the call session control network is a TISPAN system, and the MGC includes a proxy call session control function, a service policy decision function, or a combination of both.
7. The method of claim 1 or 2,
the call session control network is a TISPAN system, and the MG is a core network media gateway function.
8. The method of claim 1 or 2 or 3 or 4,
the user equipment carries the check code in all the transmitted media packets, and the media gateway checks the received media packets according to the following modes:
checking the check codes of all the received media packets; or,
checking the check code of the received first media packet; or,
the check code is periodically checked against the received media packets.
9. The method of claim 1 or 2 or 3 or 4,
the check code is valid only in a certain time period, and the media gateway checks the check code in the valid period of the check code.
10. The method of claim 8,
the media packet is an RTP packet or a UDP packet, and the check code is carried in an extension header of the RTP packet or the UDP packet.
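As an added illustration (not code from the patent), the following Python models the check-code gate of steps 507, 614 and 714.A together with the checking modes of claims 8 to 10: an RTP packet carries a 32-bit check code in its RFC 3550 section 5.3.1 header extension, and a toy media gateway verifies it against the binding made for the access-side media address before learning the sender's IP and port. The class and function names, the profile value and all addresses are constructed for the example.

```python
# Added example, not the patent's code: a toy model of the check-code gate.
# build_rtp_packet() puts a 32-bit check code in an RFC 3550 5.3.1 header
# extension; MediaGateway.receive() verifies it against the binding made for
# the access-side media address before learning the sender's IP and port.
import struct
from enum import Enum

RTP_VERSION = 2
EXT_PROFILE = 0xBEDE  # constructed "defined by profile" value, not from the patent

def build_rtp_packet(seq, timestamp, ssrc, check_code, payload=b"", payload_type=0):
    """RTP packet with X=1, CC=0 and a one-word extension carrying check_code."""
    first = (RTP_VERSION << 6) | (1 << 4)  # V=2, P=0, X=1, CC=0
    fixed = struct.pack("!BBHII", first, payload_type & 0x7F, seq & 0xFFFF, timestamp, ssrc)
    ext = struct.pack("!HHI", EXT_PROFILE, 1, check_code)  # profile, length=1 word, code
    return fixed + ext + payload

def parse_check_code(packet):
    """Return the 32-bit code from the extension header, or None if it is absent."""
    first = packet[0] if len(packet) >= 12 else 0  # too short: fails the version check
    if first >> 6 != RTP_VERSION or not (first >> 4) & 1:  # bad version or X=0
        return None
    off = 12 + 4 * (first & 0x0F)  # skip the CSRC list
    if len(packet) < off + 8:
        return None
    _profile, ext_len = struct.unpack("!HH", packet[off:off + 4])
    return struct.unpack("!I", packet[off + 4:off + 8])[0] if ext_len >= 1 else None

class CheckMode(Enum):
    EVERY = 1     # claim 8: check every packet
    FIRST = 2     # claim 8: check only until the first packet passes
    PERIODIC = 3  # claim 8: re-check every `period`-th accepted packet

class MediaGateway:
    def __init__(self, mode=CheckMode.FIRST, period=10, validity=30.0, now=None):
        self.mode, self.period, self.validity = mode, period, validity
        self.now = now or (lambda: 0.0)  # injectable clock for claim 9's validity window
        self.bindings = {}  # access-side addr -> (check_code, time issued)
        self.remote = {}    # access-side addr -> learned (ip, port)
        self.accepted = {}  # access-side addr -> accepted packet count

    def allocate(self, access_addr, check_code):
        """Steps 504/710: bind the allocated access-side address to its check code."""
        self.bindings[access_addr] = (check_code, self.now())

    def receive(self, access_addr, src, packet):
        """Steps 507/614/714.A: True if accepted (port learned), False if discarded."""
        if access_addr not in self.bindings:
            return False
        expected, issued = self.bindings[access_addr]
        learned = self.remote.get(access_addr)
        n = self.accepted.get(access_addr, 0)
        must_check = (self.mode is CheckMode.EVERY or learned is None
                      or (self.mode is CheckMode.PERIODIC and n % self.period == 0))
        if must_check:
            if self.now() - issued > self.validity:  # claim 9: code no longer valid
                return False
            if parse_check_code(packet) != expected:  # wrong or missing code: discard
                return False
        if learned is None:
            self.remote[access_addr] = src  # latch onto the verified source
        elif src != learned:
            return False  # latched: packets from any other source are dropped
        self.accepted[access_addr] = n + 1
        return True
```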
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008100052335A CN101222454B (en) | 2008-01-31 | 2008-01-31 | Method for refusing illegal service stream |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
CN2008100052335A CN101222454B (en) | 2008-01-31 | 2008-01-31 | Method for refusing illegal service stream |
Publications (2)
Publication Number | Publication Date |
---|---|
CN101222454A CN101222454A (en) | 2008-07-16 |
CN101222454B true CN101222454B (en) | 2011-09-21 |
Family
ID=39632032
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
CN2008100052335A Expired - Fee Related CN101222454B (en) | 2008-01-31 | 2008-01-31 | Method for refusing illegal service stream |
Country Status (1)
Country | Link |
---|---|
CN (1) | CN101222454B (en) |
Families Citing this family (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN102281293B (en) * | 2011-08-01 | 2017-04-05 | 中兴通讯股份有限公司 | The transmission method and system of transmission control protocol type of session Media Stream |
CN112532513A (en) * | 2019-09-19 | 2021-03-19 | 上海淘票儿信息科技有限公司 | Gateway and service data processing method |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1411224A (en) * | 2001-09-29 | 2003-04-16 | 华为技术有限公司 | Safe identification method of PC customer's terminal |
CN1518688A (en) * | 2000-12-29 | 2004-08-04 | 英特尔公司 | System and method for providing authentication and verification services in enhanced media gateway |
CN1556606A (en) * | 2003-12-30 | 2004-12-22 | 港湾网络有限公司 | Identificaton method of internet protocol speech sound cut-in equipment |
2008-01-31: CN application CN2008100052335A (patent CN101222454B) filed; status: not active (Expired - Fee Related)
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN1518688A (en) * | 2000-12-29 | 2004-08-04 | 英特尔公司 | System and method for providing authentication and verification services in enhanced media gateway |
CN1411224A (en) * | 2001-09-29 | 2003-04-16 | 华为技术有限公司 | Safe identification method of PC customer's terminal |
CN1556606A (en) * | 2003-12-30 | 2004-12-22 | 港湾网络有限公司 | Identificaton method of internet protocol speech sound cut-in equipment |
Also Published As
Publication number | Publication date |
---|---|
CN101222454A (en) | 2008-07-16 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US7885262B2 (en) | Method and an apparatus for resource admission control process | |
KR101280281B1 (en) | An improved method and system for ip multimedia bearer path optimization through a succession of border gateways | |
JP5312594B2 (en) | In-band DPI media reservation correction to RFC3313 | |
EP2605471B1 (en) | Relay-based media channel establishing method and the system thereof | |
EP1991878B1 (en) | Network-triggered quality of service (qos) reservation | |
US7649881B2 (en) | Pinning the route of IP bearer flows in a next generation network | |
US20090207843A1 (en) | System and method for providing network address translation control in a network environment | |
US9008081B2 (en) | Serving gateway proxies for non-SIP speakers in a next generation network | |
US20080273520A1 (en) | NETWORK ARCHITECTURE FOR DYNAMICALLY SETTING END-TO-END QUALITY OF SERVICE (QoS) IN A BROADBAND WIRELESS COMMUNICATION SYSTEM | |
CN1633102A (en) | Method and system for realizing network address translation traversal | |
JP4643712B2 (en) | Communication control apparatus, communication system and control method for controlling QoS for each line | |
EP2490382B1 (en) | Method for intercommunicating between private network user and network with QOS guarantee | |
US20080069086A1 (en) | Mobile Communication System Based On Ip And Session Initiation Method Thereof | |
US20090204698A1 (en) | Method, system and apparatus for reserving bearer resources | |
WO2007045137A1 (en) | A method of qos authorization | |
CN101222454B (en) | Method for refusing illegal service stream | |
EP2120465B1 (en) | Method, entity and system of realizing network address transfer | |
CN102447751A (en) | Method and system for performing NAT (network Address translation) traversal by VoIP (Voice over Internet protocol) application | |
EP2327186B1 (en) | Method for supporting quality of service | |
KR100929083B1 (en) | How to provide heteromanganese services | |
de Gouveia et al. | A framework to improve QoS and mobility management for multimedia applications in the IMS | |
CN111865875A (en) | Method, device, communication equipment and terminal for accessing real-time media stream | |
CN101146068B (en) | Private network user and system and method for network intercommunication with QoS network |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
| C06 | Publication | |
| PB01 | Publication | |
| C10 | Entry into substantive examination | |
| SE01 | Entry into force of request for substantive examination | |
| C14 | Grant of patent or utility model | |
| GR01 | Patent grant | |
| CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20110921; Termination date: 20180131 |