
CN1812402B - Method for realizing H.323 communication data packet through fire wall - Google Patents


Info

Publication number
CN1812402B
Authority
CN
China
Prior art keywords
state table
address
port
new state
packet
Legal status
Expired - Fee Related
Application number
CN200510002998XA
Other languages
Chinese (zh)
Other versions
CN1812402A (en)
Inventor
刘天容
王刚
王超
刘春梅
宋春雨
Current Assignee
Lenovo Beijing Ltd
Original Assignee
Lenovo Beijing Ltd

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

A method for enabling H.323 communication packets to pass through a firewall: on receiving an H.323 communication packet, the firewall obtains, from all state tables currently present in the firewall, the state table that matches the packet; it then judges whether the received H.323 communication packet is a packet of the connection-channel setup type. If it is, the firewall obtains the dynamically negotiated IP address and port data from the packet, builds a new state table from the obtained IP address and port data and adds it to the firewall; otherwise it forwards the packet and ends the process.

Description

Method for enabling H.323 communication packets to pass through a firewall
Technical field
The present invention relates to firewall information security technology, and in particular to a method for enabling communication packets based on the H.323 protocol to pass through a firewall.
Background technology
With the rapid growth of IP broadband services in recent years, the H.323 protocol, the standard for packet-based multimedia communication systems, has been widely applied in video conferencing and IP telephony. A communication system based on the H.323 protocol (an H.323 system for short) mainly comprises the functional entities terminal, gateway, gatekeeper and multipoint control unit (MCU).
A terminal is the user-facing device in an H.323 system; it can communicate with other terminals, gateways or multipoint control units, and supports the exchange of voice, data and video information. A gateway is the interworking point between the H.323 system and existing circuit-switched networks; its core function is to convert the media and signalling information of the different systems so that they can interwork with the H.323 system. The gatekeeper is the management entity of the H.323 system; through the H.225.0 RAS protocol it provides management functions for terminals and calls. Call routing in an H.323 IP telephony system is completed by the terminals and gateways in cooperation with the gatekeeper. The multipoint control unit (MCU) is the key device for conference communication in an H.323 system; it comprises multipoint control (MC) and multipoint processing (MP) functions. Through the H.245 protocol procedures the MCU controls the members participating in a conference, receives their audio/video information, mixes and switches it, and sends the result back to each member.
In an H.323-based communication system a call can carry several kinds of media information at the same time, such as audio and video, and each kind is transmitted on its own logical channel. When a call is made, the calling and called parties first use the H.225.0 call control protocol to establish call contact and at the same time set up an H.245 control channel; the H.245 control channel is then used to set up the different media channels (logical channels) according to the characteristics of the call, so that multimedia information is transmitted on separate media channels.
However, because most enterprise networks deploy a dedicated firewall for reasons of network security, H.323-based communication often has difficulty passing through a traditional dedicated firewall, particularly once the firewall uses network address translation (NAT). The main reason is that the complex H.323 protocol requires dynamically allocated ports and creates and maintains multiple data channels. Specifically, on a traditional dedicated firewall the security rules and the corresponding state tables are configured by the network administrator, whereas the IP addresses and ports involved in H.323 communication change dynamically; the administrator cannot know the exact IP addresses and ports in advance and therefore cannot set accurate security rules, so H.323 communication has difficulty passing through a traditional dedicated firewall. Setting a security rule with a very wide open range to guarantee that the communication proceeds would in turn bring a large security risk.
Existing firewall techniques for supporting H.323 traversal mainly achieve it by adding extra equipment, such as tunnelling schemes, middlebox communications, an H.323 full proxy and application layer gateways (ALG). Their operating principle is: the H.323 terminals are configured to point to the specific extra device, the terminals forward their packets to that device, and the device processes and forwards the received H.323 protocol packets. Because extra equipment is added, not only does the cost of information security increase, but the terminals adopting such a scheme must be reconfigured to point to the extra device, which also increases the network administrator's configuration and management work for those terminals. Moreover, in some schemes the extra device acts as a gatekeeper/gateway proxy and must process and forward all communication, so it easily becomes a communication bottleneck and lowers network transmission performance.
Summary of the invention
In view of this, the main purpose of the present invention is to provide a method for enabling H.323 communication packets to pass through a firewall, which allows H.323 protocol communication to traverse the firewall without extra equipment and without reconfiguring the terminals, thereby improving network transmission performance.
To achieve the above object, the technical solution of the present invention is as follows:
The invention provides a method for enabling H.323 communication packets to pass through a firewall, comprising the following steps:
A. According to the information in the received H.323 communication packet, obtain from all state tables currently present in the firewall the state table that matches the packet;
B. Judge whether the received H.323 communication packet is a packet of the endpoint registration type, the query response type or the channel negotiation type; if so, execute step C; otherwise forward the received H.323 communication packet and end the process;
C. Obtain the dynamically negotiated IP address and port data from the H.323 communication packet; according to the state table obtained in step A and the firewall operating mode recorded in that state table, build a new state table containing the obtained IP address and port data, add it to the firewall, and forward the received H.323 communication packet.
The method in step C of building the new state table according to the state table obtained in step A and the firewall operating mode in that state table, and adding it to the firewall, is:
C1. Create a new state table whose connection relation is from any source IP address and port to the obtained IP address and port data;
C2. Judge whether the state table obtained in step A has IP address translation attributes; if so, add the reverse IP address translation attributes to the new state table according to the state table obtained in step A, add the new state table with the reverse IP address translation attributes to the firewall, and modify the content of the H.323 communication packet according to the type of the IP address translation attribute; otherwise keep the current new state table unchanged and add it to the firewall;
C3. Query whether the firewall contains a state table whose destination IP address and port data are identical to those of the current new state table; if so, update the IP address translation attributes of the current new state table according to the IP address translation attributes of the state table found, and add the updated new state table to the firewall; otherwise keep the current new state table unchanged.
In step C2, adding the reverse IP address translation attributes to the new state table according to the state table obtained in step A means:
If the state table obtained has a source IP address translation attribute, add to the current new state table a destination IP address translation attribute from the translated source IP address and port of the state table obtained in step A to the IP address and port obtained in step C;
If the state table obtained has a destination IP address translation attribute, add to the current new state table a source IP address translation attribute from the arbitrary source IP address and port of step C1 to the destination IP address and port before translation of the state table obtained in step A.
In step C2, modifying the content of the H.323 communication packet according to the type of the IP address translation attribute means: if the attribute type is a destination IP address translation attribute added to the current new state table, rewrite the IP address and port in the payload of the currently received H.323 communication packet with the translated destination IP address and port of that destination IP address translation attribute; otherwise the packet content is not modified.
In step C3, updating the IP address translation attributes of the current new state table according to the IP address translation attributes of the state table found means:
If the state table found has a source IP address translation attribute, update the source IP address translation attribute of the current new state table with it;
If the state table found has a destination IP address translation attribute, update the destination IP address translation attribute of the current new state table with it.
In step C3, the destination IP address and port data of the current new state table are the translated destination IP address and port of its destination IP address translation attribute when the current new state table has such an attribute, and the destination IP address and port contained in the current new state table when it has no destination IP address translation attribute.
All state tables currently present in the firewall are the set of the state tables added at initial configuration and the state tables dynamically created and added by the firewall.
Before step B judges whether the received H.323 communication packet is of the endpoint registration type, the query response type or the channel negotiation type, the method may further comprise: performing Abstract Syntax Notation (ASN) grammar decomposition of the received H.323 communication packet.
In the method provided by the present invention for H.323 protocol communication to traverse a firewall, the firewall judges from the type of the received H.323 communication packet whether a new state table needs to be created; when it does, it extracts the dynamically negotiated IP address and port data from the received H.323 communication packet, dynamically creates, according to the firewall's current operating mode, a new state table containing the dynamically negotiated IP address and port data, and adds IP address translation attributes to the new state table, so that when a new packet arrives it can be matched against the new state table and a new connection channel established.
The method of the invention can therefore be integrated with the firewall, needs no extra equipment and no change to the configuration of the existing H.323 equipment, and processes only packets of the types related to connection setup, so it can provide higher reliability and performance. The method is applicable to the various gatekeeper operating modes in H.323 communication, such as proxy mode, direct mode and routed mode; it supports normal-mode and fast-start H.323 calls; it supports the various operating modes of the firewall, including packet filtering mode, NAT mode, reverse NAT mode and bidirectional NAT mode; and it supports various network topologies.
Description of drawings
Fig. 1 is a flow chart of the method for H.323 protocol communication to traverse a firewall according to one embodiment of the invention;
Fig. 2 is a flow chart of the method for building the new state table according to one embodiment of the invention;
Fig. 3 is the network environment architecture in one embodiment of the invention.
Embodiment
To make the purpose and technical solution of the present invention clearer, the invention is described in further detail below with reference to the drawings and specific embodiments.
The main idea of the invention is: judge from the type of the received H.323 communication packet whether a new state table needs to be created; when it does, extract the dynamically negotiated IP address and port data from the received H.323 communication packet, dynamically create, according to the firewall's current operating mode, a new state table containing the dynamically negotiated IP address and port data, add IP address translation attributes to the new state table so that the new connection channel can be established, and modify the packet content to realize the NAT function.
Because of the gatekeeper's participation, H.323 communication is three-party communication. In H.323 communication, before a call is set up, a terminal registers with the gatekeeper in order to inform it of the IP address and port on which that terminal accepts call signalling. When a terminal queries the gatekeeper for the IP address and port of the call signalling channel of the terminal it wants to call, the gatekeeper informs it of the called terminal's IP address and port. The terminal can then set up the call signalling channel to the terminal it wants to call, set up the H.245 control channel at the same time, and then use the H.245 control channel to set up the different media logical channels according to the characteristics of the call, so that multimedia information is transmitted on separate media logical channels.
From the connection setup process above it can be seen that three types of packet must be sent in order to establish the channels: packets of the endpoint registration type, the query response type and the channel negotiation type. Channel negotiation packets include those negotiating the control channel and those negotiating the media logical channels. When the firewall receives a packet of any of these three types, it must extract the dynamically negotiated IP address and port data from it and dynamically create a new state table on the firewall accordingly, thereby permitting the new channel to be established. Once the firewall uses the NAT function the processing is more complex: the new state table must be determined jointly from the state table of the control channel, the packet content and the state tables of the data channels already present, and the packet content must also be modified so that the new connection channel likewise uses the NAT function.
Fig. 1 is a flow chart of the method for H.323 protocol communication to traverse a firewall according to one embodiment of the invention. The firewall may comprise a network processor and a central processor. In this embodiment the firewall's network processor performs state-table matching on the received packet, processes the received packet according to the matched state table, and then forwards the received packet together with its matched state table to the central processor for further processing. The H.323 communication packet received by the firewall comprises a header part and a payload part: the header generally contains the source IP address and port, the destination IP address and port, the protocol and similar information, and the payload contains the H.323-based communication data.
As shown in Fig. 1, the method provided by the invention comprises the following steps:
Steps 101~102: the firewall's central processor (CPU) extracts the state table and the H.323 communication packet from the received packet and performs Abstract Syntax Notation One (ASN.1) grammar decomposition to identify the type of the H.323 communication packet.
In network communication two network entities must first establish a connection before they can communicate. A state table is generally used to hold the information about a data connection. A state table contains the IP addresses and ports of the packets that pass through, the processing specified by the security rules for the data connection (for example whether packets pass directly, whether and how the IP addresses and ports in the packets are translated, and whether other checks are performed), and the current state of the data connection (for example whether it is in the establishment phase, the established phase or the termination phase).
Usually the initial state tables on the firewall are configured by the network administrator according to information such as the network topology environment and the users' specific requirements. In addition, in this embodiment a state table can also be produced as follows: when the first packet of a data connection reaches the firewall, the firewall's network processor extracts the IP addresses, ports and other information from the packet and matches them against the state tables currently on the firewall; if the match succeeds the packet is forwarded; if it fails, the security rules set by the network administrator are checked, and if the packet complies with them the packets of that data connection are allowed through and the firewall creates a state table for the connection. Creating a state table by checking the security rules in this way can also be regarded as the administrator obtaining the state table by configuration according to the network topology environment, the users' specific requirements and similar information.
In this embodiment, after an H.323 communication packet arriving at the firewall has been processed by the network processor, either by matching an already created state table or, where no state table matches, by creating one according to the security rules, the H.323 communication packet and its matching state table are combined into a new packet that is uploaded to the firewall CPU, so that a new state table can be created from that state table. Having no matching state table and creating one according to the security rules is also a way of obtaining the state table that matches the packet.
Abstract Syntax Notation One (ASN.1) is the language for describing structured information defined in CCITT X.208. Because the H.323 protocol uses ASN.1 to describe its syntax specification, the required information can only be obtained from an H.323 communication packet after the packet has first been decomposed according to that grammar.
Step 103: judge whether the H.323 communication packet is of a type related to establishing a new connection channel; if so, execute step 104; otherwise execute step 106.
From the process of establishing a new connection channel described above, the packets related to establishing a new connection channel comprise packets of the endpoint registration type, the query response type and the channel negotiation type. These three types of packet are the connection-channel setup packets.
Step 104: according to the type of the H.323 communication packet, extract the dynamically negotiated IP address and port data from the H.323 communication packet; according to the firewall operating mode and the state table extracted from the packet, build a new state table containing the extracted IP address and port data, and modify the packet content according to the new state table.
Step 105: add the constructed new state table to the firewall.
Step 106: the firewall CPU returns the packet to the network processor, which forwards it. The firewall's network processor can then process received packets according to the newly constructed state table. That is, when a packet of some data connection passes through the firewall, the firewall extracts the IP addresses, ports and other information from the packet, searches the state tables on the firewall for the one that matches the packet, obtains from the matched state table the current state of the data connection and the firewall's processing method for it, processes the packet accordingly, and records the result in the state table; if the state of the data connection changes, that is also recorded in the state table.
The above processing is performed only for H.323 protocol communication packets; if the packet received by the firewall's network processor is not an H.323 protocol communication packet, the above processing is not performed.
As shown in Fig. 2, the detailed process in steps 104 and 105 above of building the new state table and adding it to the firewall can comprise the following steps:
Step 201: according to the type of the H.323 communication packet, obtain the dynamically negotiated IP address and port data from the packet and build the initial form of the new state table.
This embodiment mainly extracts IP address and port data from specific packet types according to the H.323 protocol; this IP address and port data is obtained by dynamic negotiation in the H.323 protocol.
If the packet type is H.225.0 RAS: registrationRequest, it is a terminal's packet requesting registration with the gatekeeper; obtain the IP address and port on which the terminal accepts calls from the TransportAddress field defined by the H.323 protocol in the packet, as the destination IP address and port of the new state table.
If the packet type is H.225.0 RAS: registrationConfirm, it is the gatekeeper's packet notifying the endpoint that registration succeeded; obtain the IP address and port on which the terminal accepts calls from the TransportAddress field defined by the H.323 protocol in the packet, as the destination IP address and port of the new state table.
If the packet type is H.225.0 RAS: admissionConfirm, it is the gatekeeper's packet replying to a terminal's query; obtain the IP address and port on which the called terminal accepts calls from the destCallSignalAddress field defined by the H.323 protocol in the packet, as the destination IP address and port of the new state table.
If the packet type is H.225.0 CS: connect, it is a packet in which the terminals negotiate the H.245 control channel; obtain the IP address and port on which the terminal accepts the setup of the H.245 channel from the h245Address field defined by the H.323 protocol in the packet, as the destination IP address and port of the new state table.
If the packet type is H.225.0 CS: setup carrying OpenLogicalChannel, it is a packet in which the terminals negotiate the media logical channels in fast-start mode; obtain the IP addresses and ports on which the terminal accepts the setup of the media data logical channel and the media control logical channel from the mediaChannel and mediaControlChannel fields defined by the H.323 protocol in the packet, as the destination IP address and port of the new state table.
If the packet type is H.245: openLogicalChannelAck, it is a packet in which the terminals negotiate a media logical channel; obtain the IP addresses and ports on which the terminal accepts the setup of the media data logical channel and the media control logical channel from the mediaChannel and mediaControlChannel fields defined by the H.323 protocol in the packet, as the destination IP address and port of the new state table.
The gatekeeper in an H.323 system has three operating modes: direct mode, routed mode and proxy mode. Because the source IP address and port of the new channel connection initiated under the different gatekeeper operating modes differ, the source IP address and port of the new state table must be set to arbitrary. The original form of the new state table is then: any_ip:any_port->dyn_ip:dyn_port, representing a connection from the source IP address and port any_ip:any_port to the destination IP address and port dyn_ip:dyn_port, where any_ip:any_port is the arbitrary source IP address and port of the new state table and dyn_ip:dyn_port is the IP address and port obtained from the H.323 communication packet.
Step 202~203, whether there is the source IP address converting attribute in the state table that judgement is extracted from the packet of receiving, if, adding purpose IP address translation attributes in current constructed new state table then, the purpose IP address translation attributes that is added is: the purpose IP address before the conversion is the source IP address after the conversion in the previous status table, purpose IP address after the conversion is the IP address that is obtained in the step 201, promptly adding source IP address after the conversion in the previous status table and port translation is the IP address that obtained in the step 201 and the purpose IP address translation attributes of port, and revise this H.323 IP address and port information in the communication data payload package, continue execution in step 204; If not, then direct execution in step 204.
Because purpose IP address and port are invisible, so needs are revised IP address and port information in the packet.Describe for convenient, will be called the previous status table from the state table that packet extracts.
Step 204~205, whether there is purpose IP address translation attributes in the state table that judgement is extracted from the packet of receiving, if, then in current constructed new state table, add the source IP address converting attribute, the source IP address converting attribute that is added is: the source IP address before the conversion is any source IP address, source IP address after the conversion is the purpose IP address before the conversion in the previous status table, promptly add any source IP address from the initial format of new state table and port translation the purpose IP address before the purpose IP address transition and the source IP address converting attribute of port in the previous status table, continue execution in step 206; If not, then direct execution in step 206.
Whether the mode of operation of fire compartment wall exists address translation attributes with the state table that extracts from packet is corresponding.
When the firewall operates in NAT mode, the matched state table carries only a source IP address translation attribute. For the destination terminal this means that dyn_ip in the initial new state table is invisible to the peer it communicates with, so dyn_ip must be translated to an IP address of the firewall and the corresponding dyn_port to a port of the firewall. The new state table then takes the form:
any_ip:any_port->fw_ip:fw_port=>any_ip:any_port->dyn_ip:dyn_port
where fw_ip:fw_port is the IP address and port of the firewall. This state table carries a destination IP address and port translation attribute: fw_ip:fw_port is translated to dyn_ip:dyn_port.
When the firewall operates in reverse NAT mode, the matched state table carries only a destination IP address translation attribute. For the destination terminal this means that any_ip in the initial new state table is invisible to the peer it communicates with, so any_ip must be translated to an IP address of the firewall and the corresponding any_port to a port of the firewall. The new state table then takes the form:
any_ip:any_port->dyn_ip:dyn_port=>fw_ip:fw_port->dyn_ip:dyn_port
where fw_ip:fw_port is the IP address and port of the firewall. This state table carries a source IP address and port translation attribute: any_ip:any_port is translated to fw_ip:fw_port.
When the firewall operates in two-way NAT mode, the matched state table carries both a source IP address translation attribute and a destination IP address translation attribute. For the destination terminal this means that both any_ip and dyn_ip in the initial new state table are invisible to the peer it communicates with, so each must be translated to an IP address of the firewall, and the corresponding any_port and dyn_port must each be translated to a port of the firewall. The new state table then takes the form:
any_ip:any_port->fw_ip1:fw_port1=>fw_ip2:fw_port2->dyn_ip:dyn_port
where fw_ip1:fw_port1 and fw_ip2:fw_port2 are two different IP addresses and ports on the firewall. This state table carries a source IP address and port translation attribute, any_ip:any_port translated to fw_ip2:fw_port2, and also a destination IP address and port translation attribute, fw_ip1:fw_port1 translated to dyn_ip:dyn_port.
When the firewall operates in packet filtering mode or another mode, the matched state table carries neither a source IP address translation attribute nor a destination IP address translation attribute, and the initial state table above is exactly the new state table to be added.
Step 206: add to the firewall the new state table constructed in the steps above. Specifically, if the matched state table has a source or destination IP address translation attribute, the table added is the new state table to which the IP address translation attribute above was added; otherwise the table added is the new state table initially constructed in step 201.
Step 207: judge whether the firewall already holds a created state table whose destination IP address and port are identical to those of the current new state table; if so, continue with step 208; otherwise construction of the new state table is finished. When searching for a created state table with the same destination IP address and port as the current new state table, the IP address translation attributes of the created state tables are ignored.
Because H.323 communication in which a gatekeeper participates is three-party communication, the IP address and port extracted from the packet may already have passed through translation: they may no longer be the IP address and port originally negotiated by the H.323 device but an IP address and port of the firewall, and must therefore be restored to the original IP address and port. Likewise, because the communication is three-party, the state table matching the received packet can only carry the operating mode between two of the parties and may lack the source IP address translation attribute of the third party. These attributes therefore have to be obtained from the state tables already created and used to update the current new state table.
Here, if the current new state table has a destination IP address translation attribute, the search uses the translated destination IP address and port; otherwise the destination IP address and port in the current new state table are used directly to search the state tables.
Suppose the state table above,
any_ip:any_port->fw_ip1:fw_port1=>fw_ip2:fw_port2->dyn_ip:dyn_port,
is the current new state table. The search then looks among the created state tables for one whose destination IP address and port are dyn_ip:dyn_port; if one exists, a state table with the same destination IP address and port as the current new state table exists.
Steps 208 to 209: judge whether the state table found has a source IP address translation attribute. If so, update the source IP address translation attribute of the currently constructed new state table with that source IP address translation attribute and continue with step 209; otherwise leave the source IP address translation attribute of the currently constructed new state table unchanged and go directly to step 209.
That is, check whether this state table has a source IP address translation attribute. If it does, access to the H.323 device must pass through source IP address translation, so the source IP address translation attribute of the current new state table has to be updated with this source IP address translation.
Steps 210 to 211: judge whether the state table found has a destination IP address translation attribute. If so, update the destination IP address translation attribute of the currently constructed new state table with that destination IP address translation attribute; otherwise leave the destination IP address translation attribute of the currently constructed new state table unchanged and go directly to step 212.
The order of steps 208 to 209 and steps 210 to 211 can be exchanged.
Step 212: add the updated new state table to the firewall; construction of the new state table is finished. Specifically, if the source or destination IP address translation attribute of the currently constructed new state table was updated, the updated new state table is also added to the firewall; otherwise no further new state table is added.
That is, check whether this state table has a destination IP address translation attribute. If it does, the IP address and port extracted from the packet are not the original IP address and port of the H.323 device, so the destination IP address translation attribute of the current new state table has to be updated with this destination IP address translation. This yields the final form of the new state table.
The procedure is now described with a concrete example.
Fig. 3 shows the network environment of one embodiment of the invention. FW is the firewall; the IP addresses of its three network interfaces are ip_fw1, ip_fw2 and ip_fw3, with corresponding ports port_fw1, port_fw2 and port_fw3. GK is the H.323 gatekeeper, with IP address ip_gk and port port_gk. C1 and C2 are two H.323 terminals, with IP addresses ip_c1 and ip_c2 and corresponding ports port_c1 and port_c2.
Depending on the firewall security policy between each H.323 terminal and the gatekeeper, there are 16 possible combinations of firewall operating modes for C1 to GK and C2 to GK. The most complex one, in which both C1 to GK and C2 to GK are in two-way NAT mode, is taken as the example to illustrate how communication is established when C1 calls C2.
When GK operates in proxy mode, the call signalling channel and the H.245 control channel are established between the gatekeeper and each of the two terminals, the call signalling data and the H.245 control data are forwarded by the gatekeeper, and the media logical channel is established directly between the two terminals. The communication is established as follows:
1. C1 and C2 register with GK, each notifying GK of the IP address and port on which it accepts the call signalling channel;
2. C1 queries GK for the IP address and port on which C2 accepts the call signalling channel, and GK notifies C1 of its own IP address and port;
3. C1 establishes the call signalling channel to GK, and GK establishes the call signalling channel to C2;
4. C2 notifies GK of the IP address and port on which it accepts the H.245 control channel, and GK notifies C1 of its own IP address and port;
5. C1 establishes the H.245 control channel to GK, and GK establishes the H.245 control channel to C2;
6. C2 notifies GK of the IP address and port on which it accepts the media logical channel, and GK notifies C1 of its own IP address and port;
7. C1 establishes the media logical channel to GK, and GK establishes the media logical channel to C2.
When GK operates in routed mode, the call signalling channel is established between the gatekeeper and each of the two terminals and the call signalling data are forwarded by the gatekeeper, while the H.245 control channel and the media logical channel are established directly between the two terminals. When GK operates in direct mode, the call signalling channel, the H.245 control channel and the media logical channel are all established directly between the two communicating terminals. The detailed establishment process is not repeated here.
In the communication process above, the processing of packets of the registration type, query type, control channel negotiation type and media logical channel negotiation type is similar, so the invention is illustrated below using only the registration-type and query-type packets in the establishment of the call signalling channel.
C2's registration packet to GK is taken as the example of how the firewall adds a state table when it receives a packet of the endpoint registration type.
Because C2 to GK is in two-way NAT mode, the matched state table for C2's registration with GK is:
ip_c2:port_c2->ip_fw2:port_fw2=>ip_fw3:port_fw3->ip_gk:port_gk
If ip_dyn1:port_dyn1 is the IP address and port that C2 opens to accept the call signalling channel, the detailed process is:
1) Extract from the packet the IP address and port on which C2 accepts calls: ip_dyn1:port_dyn1.
According to the invention, when the firewall receives a packet of the endpoint registration type it creates a new state table; here the initial form of the new state table is: ip_any:port_any->ip_dyn1:port_dyn1.
2) Because the matched state table has a source IP address translation attribute, a destination IP address translation has to be added to the new state table, whose form becomes:
ip_any:port_any->ip_fw3:port_fw3=>ip_any:port_any->ip_dyn1:port_dyn1
Because the destination IP address and port are invisible, the IP address and port information in the packet must at the same time be modified to ip_fw3:port_fw3.
3) Because the matched state table has a destination IP address translation attribute, a source IP address translation has to be added to the new state table, whose form becomes:
ip_any:port_any->ip_fw3:port_fw3=>ip_fw2:port_fw2->ip_dyn1:port_dyn1 (1)
At this point the new state table (1) to be added and the modified packet have been obtained.
Either the endpoint registration request packet or the endpoint registration success packet can be used here; the IP address and port on which C2 accepts calls extracted from the packet are the same in both. The difference is that the matched state tables corresponding to these two packets differ, but the processing principle is identical.
In this way, new state table (1) establishes the call signalling channel for a terminal located on the same side as GK to call C2. Specifically, suppose a terminal C3 located on the same side as GK calls C2. C3 first has to query GK for the IP address and port on which C2 accepts calls; because GK and C3 are on the same side and the query does not pass through the firewall, C3's query to GK produces no new state table. When C3 sends the packet used to call C2, the firewall can forward the packet according to new state table (1).
The following analyses the packet with which GK responds when C1 queries GK for C2's address; this packet is of the query response type. The detailed process is:
Because C1 to GK is in two-way NAT mode, the corresponding matched state table is:
ip_gk:port_gk->ip_fw3:port_fw3=>ip_fw1:port_fw1->ip_c1:port_c1
1) Extract from the packet the IP address and port returned by GK: ip_dyn2:port_dyn2. In fact, the IP address and port ip_dyn2:port_dyn2 are exactly the modified IP address and port in C2's registration packet to GK: ip_fw3:port_fw3.
The initial form of the new state table is: ip_any:port_any->ip_fw3:port_fw3.
2) Because the matched state table has a source IP address translation attribute, a destination IP address translation has to be added to the new state table, whose form becomes:
ip_any:port_any->ip_fw1:port_fw1=>ip_any:port_any->ip_fw3:port_fw3
and at the same time the IP address and port information in the packet is modified to ip_fw1:port_fw1.
3) Because the matched state table has a destination IP address translation attribute, a source IP address translation has to be added to the new state table, whose form becomes:
ip_any:port_any->ip_fw1:port_fw1=>ip_fw3:port_fw3->ip_fw3:port_fw3 (2)
The new state table (2) to be added and the modified packet have thus been obtained. When the gatekeeper operates in proxy mode or routed mode, C1 can use new state tables (1) and (2) to establish the call signalling channel from C1 to C2.
4) It can be seen that the current form of the new state table in 3) has a destination IP address translation attribute; the translated destination IP address and port are ip_fw3:port_fw3, but this is not the IP address of an H.323 device but an IP address of the firewall.
The state table (1) added for C2 at the stage of its registration with GK,
ip_any:port_any->ip_fw3:port_fw3=>ip_fw2:port_fw2->ip_dyn1:port_dyn1,
shows, once its IP address translation attributes are ignored, that its destination IP address and port before destination IP address translation are ip_fw3:port_fw3. It is therefore exactly the state table whose destination IP address and port are identical to those of the current state table
ip_any:port_any->ip_fw1:port_fw1=>ip_fw3:port_fw3->ip_fw3:port_fw3,
and it has both a source IP address translation attribute and a destination IP address translation attribute; its translated destination IP address is ip_dyn1, and ip_dyn1 is the real IP address of the H.323 device.
Likewise, the current form of the current new state table has a source IP address translation attribute; the translated source IP address is ip_fw3, which is not the IP address of an H.323 device but an IP address of the firewall. The state table added at the stage of C2's registration with GK also has a source IP address translation attribute, whose translated source IP address is ip_fw2, and ip_fw2 is the IP address that must be used to access the H.323 device. Therefore, the attributes of the current new state table are updated with the source IP address translation and destination IP address translation attributes of that state table, which amounts to merging the state table added at the stage of C2's registration with GK into the current new state table. The form of the new state table is now:
ip_any:port_any->ip_fw1:port_fw1=>ip_fw2:port_fw2->ip_dyn1:port_dyn1 (3)
At this point the new state table (3) to be added has been obtained. When the gatekeeper operates in direct mode, C1 can establish the call signalling channel to C2 according to this new state table, while the firewall's two-way NAT operating mode is preserved.
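The mode-dependent forms of the new state table and steps 206 to 212 are easy to get wrong in an implementation, so the following Python model walks the two-way NAT example above through to tables (1), (2) and (3). It is example code added for this page, not the patent's or Lenovo's implementation. Endpoints are kept as the symbolic ip:port names of the description, the two configured tables are the ones of Fig. 3, and one assumption is mine: step 207 searches only the state tables created by this method, not the initially configured ones (with the symbolic names, the configured GK-to-C1 table also has the pre-translation destination ip_fw3:port_fw3 and would otherwise be picked up).

```python
"""Added example: model of the new-state-table construction (steps 201-212).
Not the patent's code.  Endpoints are the description's symbolic ip:port
names; the sample tables in two_way_nat_walkthrough() are those of Fig. 3."""
from dataclasses import dataclass, replace
from typing import List, Tuple

Endpoint = Tuple[str, str]                 # (ip, port) as symbolic strings
ANY: Endpoint = ("ip_any", "port_any")     # "any source IP address and port"


def _ep(text: str) -> Endpoint:
    ip, port = text.split(":")
    return ip, port


def _fmt(ep: Endpoint) -> str:
    return f"{ep[0]}:{ep[1]}"


@dataclass(frozen=True)
class StateTable:
    """src->dst as the packet arrives, xsrc->xdst as it leaves the firewall
    (the page's 'a->b=>c->d' notation).  A source IP address translation
    attribute means src != xsrc; a destination one means dst != xdst."""
    src: Endpoint
    dst: Endpoint
    xsrc: Endpoint
    xdst: Endpoint

    @property
    def has_src_nat(self) -> bool:
        return self.src != self.xsrc

    @property
    def has_dst_nat(self) -> bool:
        return self.dst != self.xdst

    def __str__(self) -> str:
        left = f"{_fmt(self.src)}->{_fmt(self.dst)}"
        if not (self.has_src_nat or self.has_dst_nat):
            return left                    # packet-filtering form: no '=>' part
        return f"{left}=>{_fmt(self.xsrc)}->{_fmt(self.xdst)}"


def parse(text: str) -> StateTable:
    """Parse 'a->b' or 'a->b=>c->d' into a StateTable."""
    before, _, after = text.partition("=>")
    src, dst = (_ep(p) for p in before.split("->"))
    xsrc, xdst = (_ep(p) for p in after.split("->")) if after else (src, dst)
    return StateTable(src, dst, xsrc, xdst)


class Firewall:
    def __init__(self, configured: List[StateTable]):
        self.configured = list(configured)    # tables from the initial configuration
        self.created: List[StateTable] = []   # tables added by this method

    def build_new_table(self, matched: StateTable, dyn: Endpoint):
        """Steps 201-212 for one registration / query-response / negotiation
        packet: matched is the table the packet matched, dyn the negotiated
        ip:port it carries.  Returns (final new table, ip:port to write back
        into the packet)."""
        new = StateTable(ANY, dyn, ANY, dyn)          # step 201
        packet_ep = dyn
        if matched.has_src_nat:                       # NAT side of steps 204-205
            # dyn is invisible to the peer: expose the firewall endpoint the
            # matched table used as translated source, translate it back to dyn
            new = replace(new, dst=matched.xsrc)
            packet_ep = matched.xsrc                  # the packet is rewritten too
        if matched.has_dst_nat:                       # reverse-NAT side
            # replies must appear to come from the pre-translation destination
            new = replace(new, xsrc=matched.dst)
        self.created.append(new)                      # step 206
        # step 207: same destination ip:port, translation attributes ignored
        # (pre-translation dst compared).  Assumption: only created tables.
        key = new.xdst if new.has_dst_nat else new.dst
        found = next((t for t in self.created if t is not new and t.dst == key), None)
        if found is None:
            return new, packet_ep
        merged = new
        if found.has_src_nat:                         # steps 208-209
            merged = replace(merged, xsrc=found.xsrc)
        if found.has_dst_nat:                         # steps 210-211
            merged = replace(merged, xdst=found.xdst)
        if merged != new:                             # step 212
            self.created.append(merged)
        return merged, packet_ep


def two_way_nat_walkthrough() -> List[str]:
    """Fig. 3 example: C2 registers with GK, then GK answers C1's query."""
    fw = Firewall([
        parse("ip_c2:port_c2->ip_fw2:port_fw2=>ip_fw3:port_fw3->ip_gk:port_gk"),
        parse("ip_gk:port_gk->ip_fw3:port_fw3=>ip_fw1:port_fw1->ip_c1:port_c1"),
    ])
    _, ep1 = fw.build_new_table(fw.configured[0], _ep("ip_dyn1:port_dyn1"))
    # GK's query response carries the address rewritten above (ip_fw3:port_fw3)
    fw.build_new_table(fw.configured[1], ep1)
    return [str(t) for t in fw.created]        # tables (1), (2), (3) in order


if __name__ == "__main__":
    for line in two_way_nat_walkthrough():
        print(line)
```

Running the walkthrough adds three tables in the order (1), (2), (3) of the description; in packet filtering mode the same function yields only the plain ip_any:port_any->dyn table, and in NAT-only mode a table with the destination translation attribute alone.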
It can be seen from the description above that the new state table the firewall creates according to the type of packet received can provide the channel that H.323 protocol communication terminals need to establish a connection, while the use of the created new state table depends on both the network topology and the gatekeeper's operating mode.
It can be seen from the scheme above that the method of the invention can be combined with a firewall without additional equipment and without changing the configuration of the existing H.323 equipment, and can therefore provide higher reliability and performance. Moreover, the method of the invention applies not only to the gatekeeper's proxy mode in H.323 communication but also to other operating modes such as the gatekeeper's direct mode and routed mode; it supports both the normal mode and the fast mode of H.323 calls; it supports the various operating modes of the firewall, including packet filtering mode, NAT mode, reverse NAT mode and two-way NAT mode; and it supports various network topologies.
In summary, the above are only preferred embodiments of the invention and are not intended to limit it; any modification, equivalent replacement, improvement, etc. made within the spirit and principles of the invention shall be included within the scope of protection of the invention.

Claims (8)

1. A method for realizing the passage of H.323 communication data packets through a firewall, characterized in that the method comprises the following steps:
A. according to the information of the received H.323 communication data packet, obtaining from all state tables currently existing in the firewall the state table that matches the packet;
B. judging whether the received H.323 communication data packet is a packet of the endpoint registration type, the query response type or the channel negotiation type; if so, executing step C; otherwise forwarding the received H.323 communication data packet and ending the process;
C. obtaining the dynamically negotiated IP address and port data in the H.323 communication data packet, constructing, according to the state table obtained in step A and the firewall operating mode in that state table, a new state table containing the obtained IP address and port data, adding it to the firewall, and forwarding the received H.323 communication data packet.
2. The method according to claim 1, characterized in that, in step C, constructing the new state table according to the state table obtained in step A and the firewall operating mode in that state table and adding it to the firewall is:
C1. creating a new state table whose connection relationship is from any source IP address and port to the obtained IP address and port data;
C2. judging whether the state table obtained in step A has an IP address translation attribute; if so, adding a reverse IP address translation attribute to the new state table according to the state table obtained in step A, adding the new state table with the reverse IP address translation attribute to the firewall, and modifying the content of the H.323 communication data packet according to the type of the IP address translation attribute; otherwise keeping the current new state table unchanged and adding the current new state table to the firewall;
C3. querying whether the firewall has a state table whose destination IP address and port data are identical to those in the current new state table; if so, updating the IP address translation attribute of the current new state table according to the IP address translation attribute of the state table found, and adding the updated new state table to the firewall; otherwise keeping the current new state table unchanged.
3. The method according to claim 2, characterized in that, in step C2, adding a reverse IP address translation attribute to the new state table according to the state table obtained in step A is:
if the obtained state table has a source IP address translation attribute, adding to the current new state table a destination IP address translation attribute from the translated source IP address and port of the state table obtained in step A to the IP address and port obtained in step C;
if the obtained state table has a destination IP address translation attribute, adding to the current new state table a source IP address translation attribute from the arbitrary source IP address and port of step C1 to the destination IP address and port, before destination IP address translation, of the state table obtained in step A.
4. The method according to claim 2, characterized in that, in step C2, modifying the content of the H.323 communication data packet according to the type of the IP address translation attribute is: if the type of the IP address translation attribute is that a destination IP address translation attribute is added to the current new state table, modifying the IP address and port in the payload of the currently received H.323 communication data packet with the translated destination IP address and port of the destination IP address translation attribute; otherwise not modifying the packet content.
5. The method according to claim 2, characterized in that, in step C3, updating the IP address translation attribute of the current new state table according to the IP address translation attribute of the state table found is:
if the state table found has a source IP address translation attribute, updating the source IP address translation attribute of the current new state table with that source IP address translation attribute;
if the state table found has a destination IP address translation attribute, updating the destination IP address translation attribute of the current new state table with that destination IP address translation attribute.
6. The method according to claim 2, characterized in that, in step C3, the destination IP address and port data in the current new state table are the translated destination IP address and port data of the destination IP address translation attribute when the current new state table has a destination IP address translation attribute, and are the destination IP address and port data contained in the current state table when the current new state table has no destination IP address translation attribute.
7. The method according to claim 1, characterized in that all state tables currently existing in the firewall are the set of the state tables added by the initial configuration of the firewall and the state tables dynamically created and added by the firewall.
8. The method according to claim 1, characterized in that, before step B judges whether the received H.323 communication data packet is a packet of the endpoint registration type, the query response type or the channel negotiation type, the method further comprises: performing abstract syntax notation (ASN) syntax decoding of the received H.323 communication data packet.
CN200510002998XA 2005-01-27 2005-01-27 Method for realizing H.323 communication data packet through fire wall Expired - Fee Related CN1812402B (en)


Publications (2)

Publication Number Publication Date
CN1812402A CN1812402A (en) 2006-08-02
CN1812402B true CN1812402B (en) 2010-11-03

Family

ID=36845091


Country Status (1)

Country Link
CN (1) CN1812402B (en)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN110445806B (en) * 2019-08-22 2022-03-01 视联动力信息技术股份有限公司 A method, device and co-transfer server for calling Internet terminal

Citations (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN1466344A (en) * 2002-06-21 2004-01-07 南京北极星软件有限公司 Method for passing fire wall by VOIP
CN1551569A (en) * 2003-04-08 2004-12-01 Adv通讯公司 Transmission method of multimedia data over a network


Non-Patent Citations (5)

* Cited by examiner, † Cited by third party
Title
CN 1466344 A, full text.
柯金水, 王芙蓉, 戴彬. Research on NAT/firewall traversal technology based on softswitch. 江西通信科技 2004(3): 1-5. *
黄廷学, 戴冠中, 朱志祥. An implementation of H.323 communication traversing firewalls. 微电子学与计算机 2001(6): 39-42. *



Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20101103

Termination date: 20210127