WO2001030036A1 - An arrangement for h.323 proxies - Google Patents

An arrangement for h.323 proxies

Info

Publication number
WO2001030036A1
Authority
WO
WIPO (PCT)
Prior art keywords
network adapter
arrangement according
media
port
network
Prior art date
Application number
PCT/NO2000/000336
Other languages
French (fr)
Inventor
Knut Snorre Bach Corneliussen
Kevin Kliland
Original Assignee
Telefonaktiebolaget L.M. Ericsson
Priority date
Filing date
Publication date
Application filed by Telefonaktiebolaget L.M. Ericsson filed Critical Telefonaktiebolaget L.M. Ericsson
Priority to GB0209264A priority Critical patent/GB2371457B/en
Priority to AU11796/01A priority patent/AU1179601A/en
Priority to DE10085067T priority patent/DE10085067T1/en
Publication of WO2001030036A1 publication Critical patent/WO2001030036A1/en

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/02 Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029 Firewall traversal, e.g. tunnelling or creating pinholes
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L65/00 Network arrangements, protocols or services for supporting real-time applications in data packet communication
    • H04L65/1066 Session management
    • H04L65/1101 Session protocols
    • H04L65/1106 Call signalling protocols; H.323 and related
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L2101/00 Indexing scheme associated with group H04L61/00
    • H04L2101/60 Types of network addresses
    • H04L2101/618 Details of network addresses
    • H04L2101/663 Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports
    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/256 NAT traversal
    • H04L61/2564 NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]

Abstract

The invention provides, in multimedia networks comprising firewalls, an arrangement for a communications unit, especially for H.323 proxies, whereby a network adapter (NA) (2, 4) is provided. The NA (2, 4) provides mechanisms for letting multimedia H.323 traffic through firewalls and a wide range of functionalities such as firewall support, NAT, media stream multiplexing, QoS mechanisms, performance enhancements for signalling connections, eavesdropping, bridging, interacting with media channels, and integrity, authentication and privacy between network adapters of the invention.

Description

AN ARRANGEMENT FOR H.323 PROXIES
FIELD OF THE INVENTION.
The present invention relates to large scale multimedia network implementations according to the H.323 standard recommendation of the International Telecommunication Union, and especially to such networks comprising firewalls.
THE PROBLEM AREAS.
The recommended standard H.323 describes multimedia networks and communication therein, wherein such networks may include local area networks (LAN) such as a LAN in a private enterprise, a public agency, a business corporation or some other type of organisation. In order to protect a LAN connected to other networks from unauthorised, and possibly hostile access from network users outside the LAN, communication between the LAN and other networks is often run through a protection arrangement referred to as a firewall. The firewall interacts with the communication so as to limit or refuse undesired or unwanted communication according to a given set of rules.
Important areas covered by H.323 are: a) Registration, admission and status (RAS) signalling, b) Q.931 and H.245 signalling, and c) traffic and media channels
RAS is usually signalled over predefined ports and is accordingly trivial to get through firewalls. Q.931 and H.245 are usually signalled over dynamically allocated ports and hence more difficult to get through firewalls. In an H.323 Gatekeeper (GK) routed call, such as when two endpoints communicate via a GK and not directly, the GK in some way has to interact with a firewall in order to let such traffic through. It is, however, even more difficult to let the media channels through firewalls, as such traffic is normally set up directly between the endpoints. This means that an arrangement comprising a GK in some way interacting with a firewall and the endpoints, and/or a corresponding arrangement, has to be made.
Performance improvements, e.g. by multiplexing traffic, prioritising traffic or QoS (Quality of Service), eavesdropping, interfering with the media (e.g. for adding commercials), bridging (e.g. between protocols and/or protocol versions) and security mechanisms (integrity, authentication and privacy) all point to functionality that is normally hard to achieve in H.323 networks.
KNOWN SOLUTIONS AND PROBLEMS WITH THESE.
One known solution to the problems described above is to use proprietary endpoints and firewalls. This still does not solve the problems related to letting H.323 traffic through firewalls, traffic prioritising, Quality of Service and security mechanisms.
Another known solution for letting the media and signalling channels through a firewall is to open a wide range of ports for User Datagram Protocol (UDP) and Transmission Control Protocol (TCP) traffic. A serious disadvantage of such a solution is that the firewall then has practically no control of the traffic going into the LAN which it is supposed to protect.
Further, security mechanisms for purposes such as integrity, authentication and privacy might be achieved and supported by the endpoints themselves. Disadvantages of those solutions are that they might spend some extra time on negotiating the security properties, and that other standards or conventions have to be deployed and supported. Especially on UDP, which is the media traffic bearer, Internet Protocol Security (IPSEC), which might support e.g. media channel privacy, is of little value as it is not deployed on a sufficient scale.
Further background material related to the technical area is presented in a number of patent related documents: US 5 802 058, which discloses a media manager in a communications network that intermediates connection setup between endpoints and marshals resources for the connection; WO 98/37664, which describes a network wherein a set of media components including IP traffic is encapsulated in an ATM VC as an entity and switched using a robust signalling system to employ resultant connection records for usage based tariffing; and US 5 898 830, which discloses a firewall providing enhanced network security and user transparency.
Mechanisms for letting H.323 traffic through firewalls by providing some kind of proxy arrangement exist and are also known. Problems in these mechanisms are related to "fast start" and "tunneling", and to the fact that the elements endpoints, proxy and gatekeeper all need to cooperate and interact with each other for solving the problem.
OBJECTS OF THE INVENTION.
Accordingly, it is an object of the present invention to propose an arrangement which is capable of solving all of the problems mentioned in the Problem Areas section of this specification.
BRIEF DISCLOSURE OF THE INVENTION.
The objects of the present invention are achieved by providing an H.323 proxy, hereinafter referred to as a network adapter (NA), which could be embodied by implementation as a small computer application. The NA is typically located somewhere on the LAN or at the border of a corporate LAN, and usually in the demilitarised zone (DMZ) of a firewall. The network adapter of the present invention is capable of solving all of the problems mentioned in the Problem Areas section of this specification. The network adapter receives all the signalling (RAS/Q.931/H.245, and hence is itself a GK) as well as the media (RTP/RTCP) from its connected endpoints, other network adapters and/or one or more H.323 gatekeepers (GK). A description of the signalling and the media traffic is given in a later section of this specification.
BRIEF DESCRIPTION OF THE DRAWINGS.
Figure A is a schematic drawing of an example of a possible configuration of a multimedia network incorporating the network adapter of the present invention, and figure B is a schematic drawing of a network adapter of the present invention.
DETAILED DESCRIPTION OF EMBODIMENTS.
With reference to figure 1, an example of a typical signalling scenario is shown, wherein an endpoint (1) behind a NA (2) is communicating with another endpoint (5) behind another NA (4), and wherein both NAs are communicating with the same GK (3). The same signalling scenario could also be described by: endpoint (1) -> network adapter (2) -> gatekeeper (3) -> network adapter (4) -> endpoint (5).
Media follows to some extent the same path, but is in the example of figure 1 communicated directly between the two network adapters NA (2) and NA (4) respectively. The network configuration regarding the locations of the endpoints, NAs and GKs could however be arranged in various ways, also different from the example shown in figure 1.
The important features of a network adapter of the present invention are: a) Endpoints need not be made aware of the fact that their traffic is passed through a network adapter. b) There is no constraint on the number of network adapters that could forward traffic between endpoints.
Referring to figure 2, a network adapter consisting of two different modules is shown. One module is a controlling part (6) for controlling the H.323 signalling (RAS/Q.931/H.245) and another is a forwarding part (7) for forwarding media packets.
The controlling module or part (6) is responsible for communicating with endpoints, gatekeepers and other network adapters. It is also responsible for providing instructions to the forwarding part regarding where to expect traffic, and to where this traffic should be sent.
The forwarding module or part (7) simply forwards media traffic from a NA port connected to an H.323 client to a NA port connected to another NA. Hence this part is a prerequisite when traversing firewalls. Since the forwarding part also handles TCP, T.120 is also supported, including for T.120 clients that allocate ports dynamically.
The NA of the present invention is contemplated also to include functionality such as:
a) Enabling of support for firewalls and Network Address Translation (NAT). When controlling both the signalling and the media, the network adapter of the present invention can use the H.245 part of H.323 to instruct endpoints and NAs on which port and IP address to send traffic. When controlling where the endpoints and NAs of the present invention receive and send their media, it is simple to configure a firewall to support this arrangement by opening a predefined range of ports. When enabling endpoints located behind different NATs to communicate with H.323, the network adapters of the present invention should be placed in a De-Militarised Zone (DMZ). The F-interface (8), as shown in figure 2, is used by the controlling part for instructing the forwarding part on which connections to forward traffic, as described earlier.
b) Multiplexing of several media streams going to the same receiving network. By multiplexing H.323 traffic among network adapters, this traffic can be sent on separate underlying links or virtual connections. Such connections might have different QoS. By multiplexing is meant transmitting several media streams, otherwise sent on separate UDP connections, on the same UDP connection. Accordingly, a multiplexing protocol must include some sort of original connection identity on the multiplexed UDP connection. This functionality will be provided by the controlling part.
c) Implementing other QoS mechanisms. This could be achieved by first determining the round trip delay, such as by sending test probes or packets from a NA towards another identified NA, or by other means. Then, if the round trip delay is deemed to be too high, the NA could refuse a connection on a set-up attempt. Such functionality will be provided by the controlling part and may be used when setting up new connections.
d) Multiplexing of the signalling connections in order to enhance performance. This requires a signalling multiplexing protocol that could work in the same way as a media multiplexing protocol, although on TCP instead of UDP. This functionality is provided by the controlling part.
e) Provision of integrity, authentication and privacy, which can easily be applied between network adapters. For such purposes, IPSEC and/or SSL may be applied. A configuration manager may decide the kind of security mechanisms which are to apply between different NAs. As an example, SSL could be used for all TCP connections (used for signalling) between certain identified GKs and NAs. A manager may specify that between certain identified NAs, IPSEC shall be used on all UDP connections. This functionality can be provided by the controlling or the forwarding part, or by a combination of these.
f) Eavesdropping. Because all media traffic is routed through the network adapter, eavesdropping can be performed at this point. Eavesdropping of H.323 communications that do not go through a network adapter is generally difficult, because there is no control over where the traffic is flowing, or over which set of ports is used for H.323 media. In the NA of the present invention, however, implementation of support for eavesdropping is simple. The controlling part, the F-interface and the forwarding part make use of methods for copying UDP packets on certain predefined connections, and then forwarding such copies to a recording unit.
g) Support for local differences from H.323. Different kinds of bridging can be located in the network adapter of the present invention. Such bridging may be to translate between different versions of the standard, such as version 1 of H.323 to version 2, or between different standards, such as SIP to H.323. This functionality may be provided by the controlling or the forwarding part, or a combination of these.
h) Interacting with the media channels by means of a media Application Programmers Interface (API), located above the forwarding part. Commercials and advertising may easily be applied in this way. This may be accomplished in different ways, such as by replacing or combining certain parts of a video conference with commercial text or video, or a combination of these. Such a media API must have possibilities for specifying where to perform such replacing and what to replace with. This is a rather complex task, since knowledge or information of parameters such as the video format etc. must be obtainable. Such information may, however, be obtained from and by means of the signalling or the controlling part. Hence an arrangement supporting such functionality has to be provided by both the controlling part and the forwarding part. In this context, another possibility provided by the NA of the present invention is the possibility to add an identity of a person or persons taking part in a video conference. This information would also have to be obtained from and by means of the controlling part, by reading the end-user alias (typically an E.164 number or e-mail alias), and then inserting the identity information somewhere in the video conference picture.
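The multiplexing protocol of item b) above, as an added example that is not part of the patent or of Ericsson's implementation: several media streams that would otherwise each use their own UDP connection are carried in one datagram, and each frame is tagged with its original connection identity so the receiving network adapter can hand it to the right LAN-side destination. The 4-byte frame header, the `MAX_DATAGRAM` budget and the demultiplexer's error handling are this example's own constructed design; the patent only states that an original connection identity must be carried.

```python
"""Media-stream multiplexing between two network adapters.

Added illustration, not code from the patent or from Ericsson.  The frame
format (16-bit connection id + 16-bit length) and the error reporting are
constructed for this example.
"""
import struct
from typing import Dict, List, Tuple

FRAME_HEADER = struct.Struct("!HH")   # original connection id, payload length
MAX_DATAGRAM = 1400                   # keep under a typical path MTU (assumption)

Destination = Tuple[str, int]


def mux(frames: List[Tuple[int, bytes]]) -> bytes:
    """Pack (connection_id, payload) frames into one multiplexed datagram body."""
    out = bytearray()
    for conn_id, payload in frames:
        if not 0 <= conn_id <= 0xFFFF:
            raise ValueError(f"connection id {conn_id} does not fit the header")
        if len(payload) > 0xFFFF:
            raise ValueError("payload too long for a 16-bit length field")
        out += FRAME_HEADER.pack(conn_id, len(payload)) + payload
    if len(out) > MAX_DATAGRAM:
        raise ValueError("multiplexed datagram exceeds MAX_DATAGRAM")
    return bytes(out)


def demux(datagram: bytes, table: Dict[int, Destination]):
    """Split a datagram back into per-stream payloads.

    `table` maps the connection ids the controlling part has set up to their
    LAN-side destinations.  Frames for unknown ids are dropped, and a frame whose
    declared length runs past the end of the datagram stops parsing, so a
    malformed or truncated datagram can neither make the forwarding part read
    outside the buffer nor deliver a partial payload as if it were complete.
    Returns (deliveries, errors).
    """
    deliveries: List[Tuple[Destination, bytes]] = []
    errors: List[str] = []
    offset = 0
    while offset < len(datagram):
        if len(datagram) - offset < FRAME_HEADER.size:
            errors.append(f"truncated header at offset {offset}")
            break
        conn_id, length = FRAME_HEADER.unpack_from(datagram, offset)
        offset += FRAME_HEADER.size
        if len(datagram) - offset < length:
            errors.append(f"truncated payload for connection {conn_id} at offset {offset}")
            break
        payload = datagram[offset:offset + length]
        offset += length
        destination = table.get(conn_id)
        if destination is None:
            errors.append(f"unknown connection id {conn_id}")
            continue
        deliveries.append((destination, payload))
    return deliveries, errors


if __name__ == "__main__":
    # Constructed connection table: ids handed out by the controlling part.
    table = {1: ("10.0.0.5", 5004), 2: ("10.0.0.6", 5006)}
    datagram = mux([(1, b"A" * 10), (2, b"B" * 4)])
    print(demux(datagram, table))
    print(demux(datagram[:-2], table))   # truncated on the wire
```

The connection table is the only thing that turns an id into a destination, so a peer cannot steer a frame anywhere the controlling part has not set up; it can only address ids that already exist, and anything else is logged and dropped.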
It should be noted that all of the mechanisms and functionality described above may be applied on any network providing media.
Now, again with reference to figure 2, an example of an implementation of an F-interface (8) between a controlling part (6) and a forwarding part (7) of a network adapter according to the present invention is described in the following. The forwarding part (7) provides an interface with three basic commands or messages and their corresponding acknowledge messages and return values:
a) openChannel(direction, protocol) -> return freePort, status (ok/not ok)
b) startChannel(direction, port, remoteIpAddress, remotePort, protocol) -> return status (ok/not ok)
c) closeChannel(port, direction, protocol) -> return status (ok/not ok)
The parameter direction indicates either from the LAN environment to the external environment or from the external environment to the LAN environment. The parameter protocol is either TCP or UDP, indicating that the network adapter example according to the present invention also supports TCP packet forwarding, although it was initially built to forward UDP packets. In the example described above, the reason for separating openChannel and startChannel was to optimise the code. The message openChannel initiates and sets up those parts of the environment that may be initiated and prepared before the startChannel command is executed, such as getting a free server port etc. The H.323 message that triggers both the openChannel and startChannel messages is the Q.931 set-up message when running fast start, and the H.245 openLogicalChannel message when running plain H.323. On closing, it is correspondingly the Q.931 releaseComplete and the H.245 closeLogicalChannel message that invoke closeChannel. This applies both when running TCP and when running UDP. To clarify, when running fast start, the H.245 openLogicalChannel is in fact tunnelled within the Q.931 set-up message. The openChannel and startChannel messages could in this scenario have been merged, but have, in other scenarios, proven useful to keep separate.
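The F-interface described above, simulated as an added example that is not code from the patent or from Ericsson. The forwarding part hands out ports only from the predefined range that is also opened on the firewall, forwards packets only on a channel that the controlling part has both opened and started, and refuses a startChannel for a port it never handed out. The `ForwardingPart` class, the channel table keyed by (port, direction, protocol), the `forward` helper and the `fast_start_setup` sequence are this example's own assumptions about how the three messages fit together.

```python
"""Simulation of the F-interface (8) between the controlling part (6) and the
forwarding part (7) of the network adapter.

Added illustration, not code from the patent or from Ericsson.  The port-range
bookkeeping, the channel table and the rule that packets are only forwarded on
a started channel are this example's own design choices.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

LAN_TO_EXT = "lan_to_ext"   # from the LAN environment to the external environment
EXT_TO_LAN = "ext_to_lan"   # from the external environment to the LAN environment
DIRECTIONS = {LAN_TO_EXT, EXT_TO_LAN}
PROTOCOLS = {"TCP", "UDP"}

ChannelKey = Tuple[int, str, str]   # (port, direction, protocol)


@dataclass
class Channel:
    direction: str
    protocol: str
    remote: Optional[Tuple[str, int]] = None   # filled in by startChannel

    @property
    def started(self) -> bool:
        return self.remote is not None


@dataclass
class ForwardingPart:
    """Forwarding part (7).  port_min..port_max is the predefined range that the
    firewall has opened as well (constructed values in the demo below)."""
    port_min: int
    port_max: int
    channels: Dict[ChannelKey, Channel] = field(default_factory=dict)

    def open_channel(self, direction: str, protocol: str):
        """openChannel(direction, protocol) -> (freePort, status)."""
        if direction not in DIRECTIONS or protocol not in PROTOCOLS:
            return None, "not ok"
        in_use = {port for (port, _d, proto) in self.channels if proto == protocol}
        for port in range(self.port_min, self.port_max + 1):
            if port not in in_use:
                self.channels[(port, direction, protocol)] = Channel(direction, protocol)
                return port, "ok"
        # Range exhausted: refuse instead of falling back to a port the firewall blocks.
        return None, "not ok"

    def start_channel(self, direction, port, remote_ip, remote_port, protocol):
        """startChannel(direction, port, remoteIpAddress, remotePort, protocol) -> status."""
        channel = self.channels.get((port, direction, protocol))
        if channel is None or channel.started or not 1 <= remote_port <= 65535:
            return "not ok"   # never start forwarding on a port openChannel did not hand out
        channel.remote = (remote_ip, remote_port)
        return "ok"

    def close_channel(self, port, direction, protocol):
        """closeChannel(port, direction, protocol) -> status."""
        return "ok" if self.channels.pop((port, direction, protocol), None) else "not ok"

    def forward(self, port, direction, protocol, payload: bytes):
        """Media-plane behaviour: return (destination, payload) for a packet that
        arrived on `port`, or None if the channel is absent or not yet started."""
        channel = self.channels.get((port, direction, protocol))
        if channel is None or not channel.started:
            return None
        return channel.remote, payload


def fast_start_setup(fp: ForwardingPart, remote_na_ip: str, remote_na_port: int):
    """What the controlling part does when a Q.931 set-up with fast start (H.245
    openLogicalChannel tunnelled inside) arrives: openChannel, then startChannel.
    Returns the NA port now forwarding, or None if either step failed."""
    port, status = fp.open_channel(LAN_TO_EXT, "UDP")
    if status != "ok":
        return None
    if fp.start_channel(LAN_TO_EXT, port, remote_na_ip, remote_na_port, "UDP") != "ok":
        fp.close_channel(port, LAN_TO_EXT, "UDP")   # do not leave a half-opened channel
        return None
    return port


def release(fp: ForwardingPart, port: int) -> str:
    """Q.931 releaseComplete / H.245 closeLogicalChannel -> closeChannel."""
    return fp.close_channel(port, LAN_TO_EXT, "UDP")


if __name__ == "__main__":
    fp = ForwardingPart(port_min=50000, port_max=50003)   # constructed range
    port = fast_start_setup(fp, "198.51.100.7", 60000)    # constructed peer NA
    print(port, fp.forward(port, LAN_TO_EXT, "UDP", b"rtp"))
    print(release(fp, port), fp.forward(port, LAN_TO_EXT, "UDP", b"rtp"))
```

Keeping the range small in a real deployment matters for the same reason the patent gives against opening a wide port range on the firewall: every port in the range is reachable from outside, so the forwarding part's refusal to carry traffic on a channel that was never started is what keeps an open-but-idle port from being usable.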
The network adapter comprises functionality for allowing signals/messages to traverse several nodes. A node can be an endpoint, a NA (network adapter) or a gatekeeper (in SIP, a SIP server). In a network, there may be several endpoints, gatekeepers (SIP servers) and NAs, on both the originating and the terminating side. Plain H.323 systems, for example, do not have such functionality, but it is provided in systems including the NA according to the invention. Two different solutions or approaches can support node traversal:
1. Either each node stores such information, preferably persistent; or
2. The signals/messages are updated with such information as the messages are transported through the system, and, hence, through NAs.
The types of information that have to be handled are:
a) Addresses: Each node, or the message itself, must maintain data on which node sent a message and to which node the message is going to be passed.
b) Endpoint or endpoint-like data: The home environment, represented by an H.323 gatekeeper (or SIP server) in this document, receives endpoint and/or network-adapter-like information. NA-like information might be the access type (e.g. H323Phone, H323Pc, PstnUni, PstnNni, H320Uni, H320Nni, GsmUni, GsmNni, PbxUni), or similarly, for SIP systems, SipPhone, SipPc, etc. If the message itself is going to maintain information on addresses, the following elements are added in the messages:
1. Address pair list: Each node in the system adds its addresses to the address pair list. There might in fact be several addresses for each node: the physical address of the node, the address of the voice channel, the media channel, etc.
2. Link index: The link index identifies which node is currently addressed in the address pair list. Messages can be issued either from the endpoints or from the home environment gatekeepers. The link index only has to be used when messages are issued from the home environment gatekeepers. Then, the whole addressing path down to the endpoint should be included in the message before the message traverses down to the endpoint. On the way, only the link index is modified.
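The second approach above (the message carries its own addressing), as an added example that is not part of the patent or of Ericsson's implementation: a message issued by an endpoint collects the address pair list as it passes each NA on the way up, the home gatekeeper replies with the whole path and a link index, and each node on the way down only advances the link index after checking that the message is actually addressed to it, so the path itself is never rewritten by an intermediate node. The `NodeAddresses` fields, the ordering of the list (gatekeeper first, endpoint last) and the misdelivery check are this example's constructed assumptions.

```python
"""Node traversal with the message carrying its own addressing: an address pair
list built up on the way to the home environment and a link index used on the
way back down.

Added illustration, not code from the patent or from Ericsson.  The address
fields, the list ordering and the misdelivery check are constructed here.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class NodeAddresses:
    """One entry of the address pair list: a node may have several addresses."""
    name: str
    physical: str   # address of the node itself
    media: str      # address of its media channel


@dataclass
class Message:
    body: str
    address_pairs: List[NodeAddresses] = field(default_factory=list)
    link_index: Optional[int] = None   # used only for messages issued by the home GK


def issue_upstream(sender: NodeAddresses, body: str) -> Message:
    """An endpoint issues a message towards the home environment."""
    return Message(body, [sender])


def relay_upstream(node: NodeAddresses, msg: Message) -> Message:
    """Each NA on the way up appends its own addresses to the address pair list."""
    msg.address_pairs.append(node)
    return msg


def issue_downstream(gk: NodeAddresses, upstream: Message, body: str) -> Message:
    """The home GK replies with the whole path down to the endpoint already in the
    message: GK first, endpoint last, link index pointing at the GK itself."""
    path = [gk] + list(reversed(upstream.address_pairs))
    return Message(body, path, link_index=0)


def next_hop(msg: Message) -> Optional[NodeAddresses]:
    """Node the message should be sent to next; None once it has reached the endpoint."""
    if msg.link_index is None or msg.link_index + 1 >= len(msg.address_pairs):
        return None
    return msg.address_pairs[msg.link_index + 1]


def relay_downstream(node: NodeAddresses, msg: Message) -> Optional[NodeAddresses]:
    """Processing at a node on the way down: verify the message really is addressed
    to this node, then advance the link index.  The address pair list is left
    untouched, so a relay cannot rewrite the path.  Returns the following hop."""
    expected = next_hop(msg)
    if expected != node:
        raise ValueError(f"message addressed to {expected and expected.name}, not {node.name}")
    msg.link_index += 1
    return next_hop(msg)


if __name__ == "__main__":
    # Constructed nodes: endpoint behind NA (2), home gatekeeper (3).
    ep = NodeAddresses("ep1", "10.0.0.10", "10.0.0.10:5004")
    na2 = NodeAddresses("na2", "192.0.2.2", "192.0.2.2:50000")
    gk = NodeAddresses("gk", "203.0.113.3", "203.0.113.3:1719")
    up = relay_upstream(na2, issue_upstream(ep, "ARQ"))        # RAS admission request
    down = issue_downstream(gk, up, "ACF")                     # RAS admission confirm
    print([n.name for n in down.address_pairs], down.link_index)
    print(relay_downstream(na2, down), relay_downstream(ep, down))
```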
The range of ports that the forwarding part of the NA is going to use has to be configured both on the firewall and the NA.
ADVANTAGES.
Important advantages provided by the NA of the present invention are:
- Firewalls can be traversed transparently to standard H.323 clients;
- NAT is supported;
- eavesdropping may be applied;
- commercials or advertising may be added;
- QoS mechanisms may easily be applied;
- performance improvements regarding both signalling traffic and media traffic may be achieved by introducing multiplexing protocols;
- bridging between different protocols etc. may easily be applied;
- security functionality may easily be added;
- because the forwarding part also handles TCP, T.120 is supported also for T.120 clients that allocate ports dynamically; and
- broadening can be achieved, wherein the forwarding part of the network adapter may be utilised by non-H.323 applications.
Acronyms:
DMZ De Militarised Zone
GK Gatekeeper
IPSEC Internet Protocol Security
NA Network Adapter
LAN Local Area Network

Claims

Patent claims.
1. An arrangement for a communications unit, especially for H.323 proxies, characterised in a network adapter (2,4), the network adapter (2,4) comprising a controlling part (6) and a forwarding part (7), wherein the controlling part (6) and the communicating part (7) are interconnected (8), the controlling part is adapted to receive H.323 signalling, and the forwarding part is adapted to receive media traffic.
2. An arrangement according to claim 1, characterised in that the H.323 signalling comprises RAS, Q.931 or H.245 or any combination of these.
3. An arrangement according to claim 1 or 2, characterised in that the controlling part is adapted to communicate with endpoints, gatekeepers and other network adapters.
4. An arrangement according to any of the previous claims, characterised in that the forwarding part is adapted to forward media traffic from a port of the network adapter connected to a client to a port of the network adapter connected to a port of another network adapter, and vice versa.
5. An arrangement according to claim 4, characterised in that media traffic on a media channel is RTP or UDP.
6. An arrangement according to any of the previous claims, characterised in that the network adapter is located in the demilitarised zone (DMZ) of a firewall.
7. An arrangement according to any of the previous claims, characterised in that the network adapter is a gatekeeper.
8. An arrangement according to any of the previous claims, characterised in that the interconnection between the controlling part and the forwarding part conveys at least commands and messages selected from a group comprising: openChannel(direction,protocol), returnfreePortstatus(status), startChannel(direction,port,remoteIPaddress,remotePort,protocol), returnStatus(status) and closeChannel(port,direction,protocol).
9. An arrangement according to any of the previous claims, characterised in that the network adapter provides functionalities of firewall support, NAT, media stream multiplexing, QoS mechanisms, performance enhancements for signalling connections, eavesdropping, bridging, interacting with media channels, and integrity, authentication and privacy between network adapters, or a combination of one or more of the aforementioned.
PCT/NO2000/000336 1999-10-18 2000-10-11 An arrangement for h.323 proxies WO2001030036A1 (en)

Priority Applications (3)

Application Number Priority Date Filing Date Title
GB0209264A GB2371457B (en) 1999-10-18 2000-10-11 An arrangement for H.323 proxies
AU11796/01A AU1179601A (en) 1999-10-18 2000-10-11 An arrangement for h.323 proxies
DE10085067T DE10085067T1 (en) 1999-10-18 2000-10-11 An arrangement for H.323 proxies

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
NO19995081 1999-10-18
NO995081A NO995081D0 (en) 1999-10-18 1999-10-18 Device for H.323 proxy

Publications (1)

Publication Number Publication Date
WO2001030036A1 true WO2001030036A1 (en) 2001-04-26

Family

ID=19903874

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/NO2000/000336 WO2001030036A1 (en) 1999-10-18 2000-10-11 An arrangement for h.323 proxies

Country Status (6)

Country Link
AU (1) AU1179601A (en)
DE (1) DE10085067T1 (en)
ES (1) ES2222790B2 (en)
GB (1) GB2371457B (en)
NO (1) NO995081D0 (en)
WO (1) WO2001030036A1 (en)
