WO2001030036A1 - An arrangement for h.323 proxies - Google Patents
- Publication number: WO2001030036A1 (application PCT/NO2000/000336)
- Authority: WO (WIPO (PCT))
- Prior art keywords: network adapter, arrangement according, media, port, network
- Prior art date
Classifications
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L65/00—Network arrangements, protocols or services for supporting real-time applications in data packet communication
- H04L65/1066—Session management
- H04L65/1101—Session protocols
- H04L65/1106—Call signalling protocols; H.323 and related
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/663—Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L61/2564—NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]
Definitions
- the present invention relates to large scale multimedia network implementations according to the H.323 standard recommendation of the International Telecommunication Union, and especially to such networks comprising firewalls.
- the recommended standard H.323 describes multimedia networks and communication therein, wherein such networks may include local area networks (LAN) such as a LAN in a private enterprise, a public agency, a business corporation or some other type of organisation.
- LAN local area networks
- firewall: In order to protect a LAN connected to other networks from unauthorised, and possibly hostile, access by network users outside the LAN, communication between the LAN and other networks is often run through a protection arrangement referred to as a firewall.
- the firewall interacts with the communication so as to limit or refuse undesired or unwanted communication according to a given set of rules.
- H.323: Important areas covered by H.323 are: a) registration, admission and status (RAS) signalling, b) Q.931 and H.245 signalling, and c) traffic and media channels.
- RAS is usually signalled over predefined ports and is accordingly trivial to get through firewalls.
- Q.931 and H.245 are usually signalled over dynamically allocated ports and hence more difficult to get through firewalls.
- GK Gatekeeper
- Performance improvements (e.g. by multiplexing traffic, prioritising traffic or QoS (Quality of Service)), eavesdropping, interfering with the media (e.g. for adding commercials), bridging (e.g. between protocols and/or protocol versions) and security mechanisms (integrity, authentication and privacy) are all examples of functionality that is normally hard to achieve in H.323 networks.
- QoS Quality of Service
- UDP User Datagram Protocol
- TCP Transmission Control Protocol
- IPSEC Internet Protocol Security
- US 5 802 058 discloses a media manager in a communications network that intermediates connection setup between endpoints and marshals resources for the connection.
- WO 98/37664 describes a network wherein a set of media components including IP traffic is encapsulated in an ATM VC as an entity and switched using a robust signalling system, employing the resultant connection records for usage-based tariffing.
- US 5 898 830 discloses a firewall providing enhanced network security and user transparency.
- an object of the present invention is to propose an arrangement which is capable of solving all of the problems mentioned in the Problem Areas section of this specification.
- the objects of the present invention are achieved by providing an H.323 proxy, hereinafter referred to as a network adapter (NA), which could be embodied as a small computer application.
- the NA is typically located somewhere on the LAN or at the border of the corporate LAN, and usually in the demilitarised zone (DMZ) of a firewall.
- the network adapter of the present invention is capable of solving all of the problems mentioned in the Problem Areas section of this specification.
- the network adapter receives all the signalling (RAS/Q.931/H.245; hence it is itself a GK) as well as the media (RTP/RTCP) from its connected endpoints, other network adapters and/or one or more H.323 gatekeepers (GK).
- Figure A is a schematic drawing of an example of a possible configuration of a multimedia network incorporating the network adapter of the present invention.
- figure B is a schematic drawing of a network adapter of the present invention.
- In Figure 1 an example of a typical signalling scenario is shown, wherein an endpoint (1) behind a NA (2) is communicating with another endpoint (5) behind another NA (4), and wherein both NAs are communicating with the same GK (3).
- the same signalling scenario could also be described by: endpoint (1) -> network adapter (2) -> gatekeeper (3) -> network adapter (4) -> endpoint (5).
- network adapter: The important features of a network adapter of the present invention are: a) endpoints need not be made aware of the fact that their traffic is passed through a network adapter; b) there is no constraint on the number of network adapters that could forward traffic between endpoints.
- a network adapter consisting of two different modules.
- One module is a controlling part (6) for controlling the H.323 signalling (RAS/Q.931/H.245) and another is a forwarding part (7) for forwarding media packets.
- the controlling module or part (6) is responsible for communicating with endpoints, gatekeepers and other network adapters. It is also responsible for providing instructions to the forwarding part regarding where to expect traffic, and to where this traffic should be sent.
- the forwarding module or part (7) simply forwards media traffic from a NA port connected to an H.323 client to a NA port connected to another NA. Hence this part is a prerequisite when traversing firewalls. Since the forwarding part also handles TCP, T.120 is also supported for T.120 clients that allocate ports dynamically.
- the NA of the present invention is contemplated also to include functionality such as: a) Enabling of support for firewalls and Network Address Translation (NAT).
- NAT Network Address Translation
- the network adapter of the present invention can use the H.245 part of H.323 to instruct endpoints and NAs on which port and IP address to send traffic.
- it is simple to configure a firewall to support this arrangement by opening a predefined range of ports.
- the network adapters of the present invention should be placed in a De-Militarised Zone (DMZ).
- DMZ De-Militarised Zone
- the F-interface (8) is used by the controlling part for instructing the forwarding part on which connections to forward traffic, as described earlier.
- Such functionality will be provided by the controlling part and may be used when setting up new connections. d) Multiplexing of the signalling connections in order to enhance performance. This requires a signalling multiplexing protocol that could work in the same way as a media multiplexing protocol, although on TCP instead of UDP. This functionality is provided by the controlling part.
- Provision of integrity, authentication and privacy can easily be applied between network adapters. For such purposes, IPSEC and/or SSL may be applied.
- a configuration manager may decide the kind of security mechanisms which are to apply between different NAs.
- SSL could be used for all TCP (used for signalling) connections between certain identified GKs and NAs.
- a manager may specify that between certain identified NAs, IPSEC shall be used on all UDP connections. This functionality can be provided by the controlling or the forwarding part, or by a combination of these.
- the controlling part, the F-interface and the forwarding part make use of methods for copying UDP packets on certain predefined connections, and then forwarding such copies to a recording unit.
- Different kinds of bridging can be located in the network adapter of the present invention. Such bridging may be to translate between different versions of the standard, such as H.323 version 1 to version 2, or between different standards, such as SIP to H.323. This functionality may be provided by the controlling or the forwarding part, or a combination of these.
- Interacting with the media channels by means of a media Application Programmers Interface (API), located above the forwarding part.
- API media Application Programmers Interface
- the forwarding part (7) provides an interface with three basic commands or messages and their corresponding acknowledge messages and return values: a) openChannel(direction, protocol) -> return freePort, status (ok/not ok); b) startChannel(direction, port, remoteIpAddress, remotePort, protocol) -> return status (ok/not ok); c) closeChannel(port, direction, protocol) -> return status (ok/not ok).
- the parameter direction indicates either from the LAN environment to the external environment or from the external environment to the LAN environment.
- the parameter protocol is either TCP or UDP, indicating that the example network adapter according to the present invention also supports TCP packet forwarding, although it was initially built to forward UDP packets.
- the reason for separating openChannel and startChannel was to optimise the code.
- the message openChannel initiates and sets up parts of the environment that may be initiated and prepared before the startChannel command is executed, such as for getting a free server port etc.
- the H.323 message that triggers both the openChannel and startChannel messages is the Q.931 set-up message when running fast start, and the H.245 openLogicalChannel message when running plain H.323. On closing, it is correspondingly the Q.931 releaseComplete and the H.245 closeLogicalChannel message that invoke closeChannel. This applies both when running TCP and when running UDP. To clarify, when running fast start the H.245 openLogicalChannel is in fact tunnelled within the Q.931 set-up message; the openChannel and startChannel messages could in this scenario have been merged, but have proven useful to keep separate in other scenarios.
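The forwarding-part interface and its signalling triggers, modelled as an added example (this is not code from the patent or from any product). It treats the three F-interface commands as operations on a table of media pinholes drawn from a port range that, as the text states, has to be configured identically on the NA and on the firewall. The class and method names, the "ok"/"not ok" strings, the address and port validation in startChannel, and the simplification that closeLogicalChannel and releaseComplete both close every channel of the call are assumptions of this example; no packets are actually relayed.

```python
"""Model of the network adapter's F-interface (openChannel/startChannel/closeChannel).
Added example; names and the validation rules are assumptions, not the patent's."""
import ipaddress
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Direction(Enum):
    LAN_TO_EXT = "lan->ext"   # from the LAN environment to the external environment
    EXT_TO_LAN = "ext->lan"   # from the external environment to the LAN environment


class Protocol(Enum):
    UDP = "udp"   # RTP/RTCP media, the original purpose of the forwarding part
    TCP = "tcp"   # also supported, e.g. for T.120 clients


ChannelKey = Tuple[int, Direction, Protocol]   # the closeChannel parameters


@dataclass
class Channel:
    direction: Direction
    protocol: Protocol
    local_port: int
    remote_ip: Optional[str] = None
    remote_port: Optional[int] = None
    started: bool = False


class ForwardingPart:
    """Pinhole table; ports come only from the range also opened on the firewall."""

    def __init__(self, first_port: int, last_port: int) -> None:
        self.port_range = range(first_port, last_port + 1)   # assumed configuration
        self.channels: Dict[ChannelKey, Channel] = {}

    def _free_port(self, protocol: Protocol) -> Optional[int]:
        in_use = {port for (port, _, proto) in self.channels if proto is protocol}
        return next((p for p in self.port_range if p not in in_use), None)

    def open_channel(self, direction: Direction, protocol: Protocol) -> Tuple[Optional[int], str]:
        """openChannel(direction, protocol) -> freePort, status."""
        port = self._free_port(protocol)
        if port is None:                       # configured range exhausted
            return None, "not ok"
        self.channels[(port, direction, protocol)] = Channel(direction, protocol, port)
        return port, "ok"

    def start_channel(self, direction, port, remote_ip, remote_port, protocol) -> str:
        """startChannel(direction, port, remoteIpAddress, remotePort, protocol) -> status."""
        channel = self.channels.get((port, direction, protocol))
        if channel is None or channel.started:
            return "not ok"                    # unknown or already active pinhole
        try:
            ipaddress.ip_address(remote_ip)    # reject malformed addresses from signalling
        except ValueError:
            return "not ok"
        if not isinstance(remote_port, int) or not 1 <= remote_port <= 65535:
            return "not ok"
        channel.remote_ip, channel.remote_port, channel.started = remote_ip, remote_port, True
        return "ok"

    def close_channel(self, port, direction, protocol) -> str:
        """closeChannel(port, direction, protocol) -> status."""
        return "ok" if self.channels.pop((port, direction, protocol), None) else "not ok"

    def destination(self, port, direction, protocol) -> Optional[Tuple[str, int]]:
        """Where media arriving on this pinhole is relayed; None unless started."""
        channel = self.channels.get((port, direction, protocol))
        if channel is None or not channel.started:
            return None
        return channel.remote_ip, channel.remote_port


class ControllingPart:
    """Maps the H.323 signalling events named in the text onto the F-interface."""

    def __init__(self, forwarding: ForwardingPart) -> None:
        self.fp = forwarding
        self.calls: Dict[str, List[ChannelKey]] = {}   # call id -> pinholes it owns

    def on_message(self, call_id, message, direction, protocol, remote_ip=None, remote_port=None):
        # Q.931 Setup with fast start (H.245 tunnelled) and a plain H.245
        # openLogicalChannel both trigger openChannel followed by startChannel.
        if message in ("setup", "openLogicalChannel"):
            port, status = self.fp.open_channel(direction, protocol)
            if status != "ok":
                return None, status
            status = self.fp.start_channel(direction, port, remote_ip, remote_port, protocol)
            if status != "ok":
                self.fp.close_channel(port, direction, protocol)   # do not leak the pinhole
                return None, status
            self.calls.setdefault(call_id, []).append((port, direction, protocol))
            return port, "ok"
        # Q.931 releaseComplete and H.245 closeLogicalChannel invoke closeChannel
        # (simplified here: every pinhole of the call is closed).
        if message in ("releaseComplete", "closeLogicalChannel"):
            for key in self.calls.pop(call_id, []):
                self.fp.close_channel(*key)
            return None, "ok"
        return None, "not ok"
```

Keeping the free-port search per protocol mirrors the text's point that UDP and TCP are handled by the same forwarding part, and tearing the pinhole down when startChannel fails keeps the firewall-facing port range from filling up with half-configured channels.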
- the network adapter comprises functionality for allowing signals/messages to traverse several nodes.
- a node can be an endpoint, a NA (network adapter) or a gatekeeper (in SIP, a SIP server).
- NA network adapter
- Plain H.323 systems, for example, don't have such functionality, but it is provided in systems including the NA according to the invention.
- Two different solutions or approaches can support node traversal:
- each node stores such information, preferably persistently;
- the signals/messages are updated with such information as the messages are transported through the system, and, hence, through NAs.
- Each node, or the message itself, must maintain data on which node that sent a message and to which node the message is going to be passed.
- Endpoint or endpoint-like data: The home environment, represented by an H.323 gatekeeper (or SIP server) in this document, receives endpoint-like and/or network-adapter-like information.
- NA-like information might be accesstype (e.g. H323Phone, H323Pc, PstnUni, PstnNni, H320Uni, H320Nni, GsmUni, GsmNni, PbxUni), or similarly, for SIP systems, SipPhone, SipPc, etc. If the message itself is going to maintain information on addresses, the following elements are added in the messages:
- Address pair list: Each node in the system adds its addresses to the address pair list. There might in fact be several addresses for each node: the physical address of the node, the address of the voice channel, the media channel, etc.
- Link index: The link index identifies which node is currently addressed in the address pair list. Messages can be issued either from the endpoints or from the home environment gatekeepers. The link index only has to be used when messages are issued from the home environment gatekeepers. Then the whole addressing path down to the endpoint should be included in the message before the message traverses down to the endpoint. On the way, only the link index is modified.
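The address pair list and link index mechanism, as an added example (not code from the patent): on the way up to the home environment each node appends its addresses; a message issued by the home gatekeeper carries the whole path and each node on the way down only moves the link index and hands the message to the next node. The record and function names, the node identifiers and the sample addresses are constructed for this example; the check that a node only acts on a message whose link index points at it is an assumption of the example, added so that a misrouted or tampered message is refused rather than forwarded.

```python
"""Model of node traversal with an address pair list and a link index.
Added example; record and function names are assumptions, not the patent's."""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class NodeAddresses:
    """One entry of the address pair list: a node may carry several addresses."""
    node_id: str
    physical: str   # where the node itself is reached
    voice: str      # its voice channel address
    media: str      # its media channel address


@dataclass
class Message:
    body: str
    address_pair_list: List[NodeAddresses] = field(default_factory=list)
    link_index: Optional[int] = None   # only used for messages issued by the home GK


def forward_upstream(msg: Message, node: NodeAddresses) -> Message:
    """Each node the message passes on its way to the home environment appends its addresses."""
    msg.address_pair_list.append(node)
    return msg


def issue_downstream(body: str, path: List[NodeAddresses]) -> Message:
    """The home gatekeeper includes the whole path and points the link index at the first hop."""
    if not path:
        raise ValueError("empty address path")
    return Message(body, list(path), link_index=len(path) - 1)


def next_hop(msg: Message, self_id: str) -> Optional[str]:
    """Called by the node the link index points at. Returns the physical address of the
    next node down the path, or None once the endpoint (index 0) has been reached.
    Raises ValueError if the message is not addressed to this node (assumed check)."""
    if msg.link_index is None or not 0 <= msg.link_index < len(msg.address_pair_list):
        raise ValueError("message carries no valid link index")
    current = msg.address_pair_list[msg.link_index]
    if current.node_id != self_id:
        raise ValueError(f"message addressed to {current.node_id}, received by {self_id}")
    if msg.link_index == 0:
        return None                       # delivered to the endpoint
    msg.link_index -= 1                   # only the link index changes on the way down
    return msg.address_pair_list[msg.link_index].physical


def walk_down(msg: Message) -> List[str]:
    """Replay the downstream traversal and return the node ids visited, in order."""
    visited = []
    while True:
        node_id = msg.address_pair_list[msg.link_index].node_id
        visited.append(node_id)
        if next_hop(msg, node_id) is None:
            return visited
```

Because the downstream message already contains every address, intermediate network adapters need no per-node state for routing it, which is the second of the two approaches the text describes; the first approach (each node storing the information persistently) would replace the address pair list with a lookup in the node's own table.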
- the range of ports that the forwarding part of the NA is going to use has to be configured both on the firewall and the NA.
Priority Applications (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
GB0209264A GB2371457B (en) | 1999-10-18 | 2000-10-11 | An arrangement for H.323 proxies |
AU11796/01A AU1179601A (en) | 1999-10-18 | 2000-10-11 | An arrangement for h.323 proxies |
DE10085067T DE10085067T1 (en) | 1999-10-18 | 2000-10-11 | An arrangement for H.323 proxies |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
NO19995081 | 1999-10-18 | ||
NO995081A NO995081D0 (en) | 1999-10-18 | 1999-10-18 | Device for H.323 proxy |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2001030036A1 true WO2001030036A1 (en) | 2001-04-26 |
Family
ID=19903874
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/NO2000/000336 WO2001030036A1 (en) | 1999-10-18 | 2000-10-11 | An arrangement for h.323 proxies |
Country Status (6)
Country | Link |
---|---|
AU (1) | AU1179601A (en) |
DE (1) | DE10085067T1 (en) |
ES (1) | ES2222790B2 (en) |
GB (1) | GB2371457B (en) |
NO (1) | NO995081D0 (en) |
WO (1) | WO2001030036A1 (en) |
Citations (7)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998017048A1 (en) * | 1996-10-16 | 1998-04-23 | British Telecommunications Public Limited Company | Multimedia call centre |
WO1998037664A2 (en) * | 1997-02-21 | 1998-08-27 | Northern Telecom Limited | Multimedia switching system |
US5802058A (en) * | 1996-06-03 | 1998-09-01 | Lucent Technologies Inc. | Network-independent connection management |
EP0910197A2 (en) * | 1997-09-12 | 1999-04-21 | Lucent Technologies Inc. | Methods and apparatus for a computer network firewall with dynamic rule processing |
US5898830A (en) * | 1996-10-17 | 1999-04-27 | Network Engineering Software | Firewall providing enhanced network security and user transparency |
US5958015A (en) * | 1996-10-29 | 1999-09-28 | Abirnet Ltd. | Network session wall passively listening to communication session, with use of access rules, stops further communication between network devices by emulating messages to the devices |
EP0967764A2 (en) * | 1998-06-25 | 1999-12-29 | Siemens Information and Communication Networks, Inc. | Improved apparatus and methods to realize H.323 proxy services |
Family Cites Families (1)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5550906A (en) * | 1994-08-05 | 1996-08-27 | Lucent Technologies Inc. | Telecommunications feature server |
- 1999
  - 1999-10-18 NO NO995081A patent/NO995081D0/en unknown
- 2000
  - 2000-10-11 WO PCT/NO2000/000336 patent/WO2001030036A1/en active IP Right Grant
  - 2000-10-11 AU AU11796/01A patent/AU1179601A/en not_active Abandoned
  - 2000-10-11 GB GB0209264A patent/GB2371457B/en not_active Expired - Fee Related
  - 2000-10-11 ES ES200250032A patent/ES2222790B2/en not_active Expired - Fee Related
  - 2000-10-11 DE DE10085067T patent/DE10085067T1/en not_active Withdrawn
Cited By (16)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US8291116B2 (en) | 2000-11-30 | 2012-10-16 | Cisco Technology, Inc. | Communications system |
GB2369746A (en) * | 2000-11-30 | 2002-06-05 | Ridgeway Systems & Software Lt | Communications system with network address translation |
US7512708B2 (en) | 2000-11-30 | 2009-03-31 | Tandberg Telecom As | Communications system |
KR20020083887A (en) * | 2001-04-26 | 2002-11-04 | (주)엔써커뮤니티 | Method for communicating audio and video data in multimedia communication system using h.323 protocol |
US7752319B2 (en) | 2001-09-25 | 2010-07-06 | Siemens Aktiengesellschaft | Method and device for implementation of a firewall application for communication data |
KR20030047471A (en) * | 2001-12-10 | 2003-06-18 | (주)애니 유저넷 | Firewall tunneling method for Voip and it's tunneling gateway |
US9876818B2 (en) | 2001-12-20 | 2018-01-23 | McAFEE, LLC. | Embedded anti-virus scanner for a network adapter |
US9055098B2 (en) | 2001-12-20 | 2015-06-09 | Mcafee, Inc. | Embedded anti-virus scanner for a network adapter |
US8627443B2 (en) | 2001-12-20 | 2014-01-07 | Mcafee, Inc. | Network adapter firewall system and method |
US8185943B1 (en) | 2001-12-20 | 2012-05-22 | Mcafee, Inc. | Network adapter firewall system and method |
WO2004043040A1 (en) * | 2002-11-05 | 2004-05-21 | Marratech Ab | Apparatus and method for negotiating network parameters |
EP1667378A1 (en) * | 2003-09-02 | 2006-06-07 | Huawei Technologies Co., Ltd. | Method of implementing multimedia protocol passing through network address transform device |
US8605728B2 (en) | 2003-09-02 | 2013-12-10 | Huawei Technologies Co., Ltd. | Method of implementing traversal of multimedia protocols through network address translation device |
US8102856B2 (en) | 2003-09-02 | 2012-01-24 | Huawei Technologies Co., Ltd. | Method of implementing traversal of multimedia protocols through network address translation device |
US7706370B2 (en) | 2003-09-02 | 2010-04-27 | Huawei Technologies Co., Ltd. | Method of implementing multimedia protocol passing through network address transform device |
EP1667378A4 (en) * | 2003-09-02 | 2006-09-27 | Huawei Tech Co Ltd | Method of implementing multimedia protocol passing through network address transform device |
Also Published As
Publication number | Publication date |
---|---|
GB2371457B (en) | 2004-05-05 |
ES2222790A1 (en) | 2005-02-01 |
DE10085067T1 (en) | 2002-12-12 |
AU1179601A (en) | 2001-04-30 |
GB2371457A (en) | 2002-07-24 |
GB0209264D0 (en) | 2002-06-05 |
NO995081D0 (en) | 1999-10-18 |
ES2222790B2 (en) | 2006-07-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
AU2002218404B2 (en) | Communications system | |
JP3774191B2 (en) | Audio-video circuit technology with firewall and network address translation | |
EP1687958B1 (en) | Method and system for filtering multimedia traffic based on ip address bindings | |
US8489751B2 (en) | Middlebox control | |
Holdrege et al. | Protocol complications with the IP network address translator | |
US7483437B1 (en) | Method of communicating packet multimedia to restricted endpoints | |
EP1065858B1 (en) | Label switched media gateway and network | |
US20030033418A1 (en) | Method of implementing and configuring an MGCP application layer gateway | |
US10484435B2 (en) | Call set-up systems | |
AU2002218404A1 (en) | Communications system | |
WO2001030036A1 (en) | An arrangement for h.323 proxies | |
US20030046403A1 (en) | Method for routing data streams of a communication connection between users of a connectionless packet data network, and a packet data network, a control device and a program module therefore | |
US20070192844A1 (en) | Network security system and the method thereof | |
Gou et al. | Multi-agent system for multimedia communications traversing NAT/firewall in next generation networks | |
EP1168749B1 (en) | Firewall apparatus | |
Khan et al. | An extensive study on application level gateways (ALGs) | |
EP2019555A1 (en) | Bridging enterprise advanced communication systems through the public Internet | |
Nielsen | of Deliverable: The Status of Basic Relays and Gateways | |
KR20030021511A (en) | Method and server for RTP channel |
Legal Events
Code | Title | Description |
---|---|---|
AK | Designated states | Kind code of ref document: A1; Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY BZ CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
AL | Designated countries for regional patents | Kind code of ref document: A1; Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
121 | Ep: the epo has been informed by wipo that ep was designated in this application | |
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | |
ENP | Entry into the national phase | Ref document number: 200250032; Country of ref document: ES; Kind code of ref document: A |
WWE | Wipo information: entry into national phase | Ref document number: P200250032; Country of ref document: ES |
ENP | Entry into the national phase | Ref document number: 200209264; Country of ref document: GB; Kind code of ref document: A |
WWE | Wipo information: entry into national phase | Ref document number: 10110303; Country of ref document: US |
122 | Ep: pct application non-entry in european phase | |
RET | De translation (de og part 6b) | Ref document number: 10085067; Country of ref document: DE; Date of ref document: 20021212 |
WWE | Wipo information: entry into national phase | Ref document number: 10085067; Country of ref document: DE |
NENP | Non-entry into the national phase | Ref country code: JP |
WWP | Wipo information: published in national office | Ref document number: 200250032; Country of ref document: ES; Kind code of ref document: A |
WWG | Wipo information: grant in national office | Ref document number: 200250032; Country of ref document: ES; Kind code of ref document: A |