Application of Private Network traversal Technology in the softswitch system (details)

Source: Internet
Author: User

I. Introduction

Next Generation Network (NGN) is a communication network based on packet switching technology; its overall architecture, signaling control and bearer network differ considerably from existing circuit-switched networks. As the technology that implements traffic exchange and media transmission within a packet network, softswitch technology will be the core technology of the NGN. Because softswitch technology itself is based on IP networking, a softswitch architecture can be built on top of the existing data network. The benefits are that many existing IP-based protocols can be reused, and a large number of network devices and terminal devices can be applied directly to softswitch networks. Building a softswitch network on the existing data network has these advantages but also brings many problems, among which private network traversal is one that must be solved.

II. Private Network traversal problems in the softswitch system

1. Concepts of private networks and the emergence of NAPT Technology

With the popularization of the TCP/IP-based Internet, the number and scale of private networks are also growing. A private network is a relatively independent and closed network in which network devices are connected using private IP addresses. This networking method is widely used in building LANs of all sizes; it is fair to say that today the number of network devices using private IP addresses far exceeds the number of devices with valid Internet IP addresses. To allow these devices to access resources outside the private network, NAT (Network Address Translation) technology emerged. When an intranet device attempts to access an external network, NAT converts its private IP address to a valid IP address. Alongside NAT, dynamic port translation (PAT) is usually used to relieve the shortage of valid IP addresses: all devices in a private network share one or more valid IP addresses as the egress address, and only when a device requests a connection to the external network are a valid IP address and a port number allocated to that connection; when the request ends, the port number and IP address are immediately reclaimed. NAT and PAT are often used together, which is known as Network Address Port Translation (NAPT). NAPT brings many benefits to IP networks: for example, it relieves the shortage of Internet IP addresses under IPv4 and improves security and manageability inside the private network. Because of these advantages, NAPT has been widely applied to private network gateway devices of all kinds; it is a basic function of most routers and an important part of firewall functionality.

2. Problems Affecting soft switch caused by NAPT

(1) NAT Problems

Assume that we have a softswitch network as shown in Figure 1. In this network, Terminal A and Terminal B are in private networks and only have private IP addresses, while Terminal C has an independent, valid IP address. For ease of description, assume that all terminals are SIP terminals and that the standard SIP protocol is also used for communication between the softswitch and the terminals. If Terminal A initiates a call request to Terminal B, the message packet shown in Figure 2 is generated. After the packet passes through the NAPT of the router, it becomes the packet shown in Figure 3 (1050 is the port number dynamically allocated by NAPT).

When Terminal B registers with the softswitch, it notifies the softswitch of its private address through the registration message at the SIP protocol layer, and as long as Terminal B has not actively initiated a connection request, the firewall has not assigned an accessible IP address and port number to it. Therefore the softswitch cannot send the INVITE message to Terminal B, and the call cannot be connected.

(2) PAT Problems

Assume that Terminal A initiates a call to Terminal C. Because there is no firewall or router in front of Terminal C, the softswitch can forward the INVITE message packet to Terminal C without difficulty. The INVITE carries SDP information used for media negotiation between the terminals; the main purpose of media negotiation is to select an appropriate codec and establish the RTP media stream connection. The SDP information contained in the INVITE message sent by Terminal A is shown in Figure 4 (10006 is the port number on which Terminal A will establish the RTP connection).

Figure 4 SDP information in INVITE messages

After receiving the SDP information, Terminal C tries to establish an RTP connection with 192.168.0.3:10006. This is obviously an internal address of the private network, so the call cannot be established.

From the above analysis we can see that NAPT affects softswitch communication in two main ways. On the one hand, all devices in the private network use internal IP addresses; NAPT converts the addresses at the IP layer to external addresses, but it can do nothing about the private IP addresses carried in higher-layer application messages. This can be called the NAT problem. On the other hand, a private network device is allocated a valid IP address and port number only when it actively initiates a connection to the external network. Without special processing, the device is invisible to the external network and cannot accept call requests sent by the softswitch. This can be called the PAT problem. Although the analysis above is based on SIP, similar problems exist when the softswitch and terminals use other protocols such as H.323, MGCP or H.248.
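The two failure modes just described, as an added example that is not part of the original article: a minimal NAPT model in Python that rewrites only the IP/UDP source of an outbound packet and refuses inbound packets for ports it holds no binding for (the PAT problem), plus a scan that lists the SIP and SDP fields still carrying a private address after translation (the NAT problem). The INVITE text, the softswitch address 123.44.55.99 and the gateway address 123.44.55.11 are constructed for the example; the private address 192.168.0.3, RTP port 10006 and NAPT port 1050 are the article's own values.

```python
import ipaddress
import re
from dataclasses import dataclass, field

# Constructed sample INVITE from Terminal A (private address 192.168.0.3, as in
# the article); Via, Contact and the SDP body all name the private address.
INVITE_FROM_A = (
    "INVITE sip:b@softswitch.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.0.3:5060;branch=z9hG4bK-1\r\n"
    "From: <sip:a@softswitch.example>;tag=1\r\n"
    "To: <sip:b@softswitch.example>\r\n"
    "Contact: <sip:a@192.168.0.3:5060>\r\n"
    "Content-Type: application/sdp\r\n"
    "\r\n"
    "v=0\r\n"
    "o=a 1 1 IN IP4 192.168.0.3\r\n"
    "c=IN IP4 192.168.0.3\r\n"
    "m=audio 10006 RTP/AVP 0\r\n"
)


@dataclass
class Packet:
    src: tuple      # (ip, port) at the IP/UDP layer
    dst: tuple
    payload: str    # the SIP message; the NAPT never looks inside it


@dataclass
class Napt:
    """Toy NAPT gateway: one public address, one dynamically allocated port per
    outbound (private ip, port) pair. Models the router in front of Terminal A."""
    public_ip: str
    next_port: int = 1050                          # first port handed out, as in Figure 3
    table: dict = field(default_factory=dict)      # public port -> private (ip, port)

    def outbound(self, pkt: Packet) -> Packet:
        for pub_port, priv in self.table.items():
            if priv == pkt.src:
                return Packet((self.public_ip, pub_port), pkt.dst, pkt.payload)
        pub_port = self.next_port
        self.next_port += 1
        self.table[pub_port] = pkt.src
        # Only the IP/UDP header changes; the SIP payload passes through untouched.
        return Packet((self.public_ip, pub_port), pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet):
        # Without an existing binding there is no private destination to map to,
        # so a softswitch-originated INVITE is simply dropped (the PAT problem).
        priv = self.table.get(pkt.dst[1])
        if priv is None:
            return None
        return Packet(pkt.src, priv, pkt.payload)


IPV4_RE = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def private_addrs_in_payload(sip: str) -> list:
    """List (field, address) pairs in the SIP/SDP text that still carry an
    RFC 1918 private address: exactly the fields a plain NAPT cannot fix."""
    hits = []
    for line in sip.split("\r\n"):
        field_name = line.split(":", 1)[0].split("=", 1)[0]
        for ip in IPV4_RE.findall(line):
            try:
                if ipaddress.ip_address(ip).is_private:
                    hits.append((field_name, ip))
            except ValueError:
                continue   # digits that are not a valid dotted quad
    return hits


if __name__ == "__main__":
    gw = Napt("123.44.55.11")
    out = gw.outbound(Packet(("192.168.0.3", 5060), ("123.44.55.99", 5060), INVITE_FROM_A))
    print("IP-layer source after NAPT:", out.src)
    print("private addresses left in the SIP message:", private_addrs_in_payload(out.payload))
    unsolicited = Packet(("123.44.55.99", 5060), ("123.44.55.11", 2000), "INVITE ...")
    print("softswitch -> B with no binding:", gw.inbound(unsolicited))
```

Running the scan on the translated packet is a useful check on a real gateway too: any Via, Contact or SDP c= line that still names a private address after NAPT is a call that will fail exactly as Figure 3 and Figure 4 show.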

III. A solution to the private network traversal Problem

1. Various methods to solve the NAPT traversal Problem

(1) NAT/ALG Method

This method adds the ability to identify and process VoIP-related application layer protocols on the firewall or router to achieve private network traversal. This solution is intuitive, but its biggest drawback is that users must replace or upgrade their routers or firewalls, and as the related protocols develop and expand, the devices must be upgraded again.

(2) Proxy method for private network devices

In this approach, no changes to the user's devices are needed; a special Proxy device is added on the operator's side of the softswitch network to achieve private network traversal. The author believes that this technology is superior to the previous one. While proxying and converting signaling, this Proxy also acts as a proxy for media streams. In what follows we call it the NAT/FW Proxy.

(3) other solutions

Other private network traversal solutions include MIDCOM, STUN and TURN. Like the NAT/ALG solution, these require upgrading the router and firewall, or the terminal device.

2. Use NAT/FW Proxy to solve the private network PAT Problem

Take Figure 1 as an example and add the NAT/FW Proxy device to the softswitch network to form the network structure shown in Figure 5. After the NAT/FW Proxy device is added, all terminal devices behind a private network gateway (router or firewall) must change their registration address from the IP address of the softswitch to the IP address of the NAT/FW Proxy. The interaction between the NAT/FW Proxy and the softswitch can use protocols such as SIP, MGCP and H.248, depending on the type of device the Proxy serves.

On the one hand, after a device sends registration information to the NAT/FW Proxy, the NAT/FW Proxy assigns a Proxy signaling port to the device, replaces the terminal address (the Contact field) in the original registration information with the address of the NAT/FW Proxy, and sends it to the softswitch through that port. From then on, whether the terminal sends signaling to the softswitch or the softswitch sends signaling to the terminal, the message passes through the NAT/FW Proxy, which makes special processing of these signals easy. On the other hand, when a terminal device in the private network sends a registration message to the NAT/FW Proxy, the private network gateway on the outer edge of the private network allocates a valid IP address and port number to that connection, forming a "window". After receiving the registration message, the NAT/FW Proxy tries to keep this window open and binds its public port number to the Proxy port number allocated for the device. This is equivalent to establishing a transparent signaling channel between the device and the softswitch, which solves the PAT problem of NAPT.

The method of keeping this "window" open varies with the terminal type. For a SIP terminal, a short registration validity period can be set so that the terminal keeps sending registration messages to the NAT/FW Proxy. For MGCP terminals, the NAT/FW Proxy can keep sending AUEP messages to them, and the terminal's responses keep the "window" open. Either way, the interval between the messages sent by the terminal must be shorter than the lifetime of the "window".
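The registration handling of the previous two paragraphs for a SIP terminal, as an added Python example that is not the article's or any product's code: the proxy records the public window the REGISTER arrived from, binds it to a proxy signaling port, rewrites the Contact field to the proxy's own address before forwarding to the softswitch, and clamps the Expires value in the softswitch's 200 OK so that the terminal re-registers before the window closes. The proxy address 123.44.55.77, proxy port 1001 and B's window 123.44.55.22:1060 are the article's example values; the private address 192.168.1.5, the 60-second window lifetime and the 30-second keepalive are assumptions, since the real binding timeout depends on the gateway.

```python
from dataclasses import dataclass, field

PROXY_IP = "123.44.55.77"   # NAT/FW Proxy signaling address (article's example value)
WINDOW_TIMEOUT = 60         # assumed lifetime of the gateway's NAPT binding, in seconds
KEEPALIVE_EXPIRES = 30      # validity granted to the terminal; must stay below WINDOW_TIMEOUT

# Constructed REGISTER from Terminal B (private address 192.168.1.5 is assumed)
REGISTER_B = (
    "REGISTER sip:softswitch.example SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.5:5060;branch=z9hG4bK-r1\r\n"
    "From: <sip:b@softswitch.example>;tag=7\r\n"
    "To: <sip:b@softswitch.example>\r\n"
    "Contact: <sip:b@192.168.1.5:5060>\r\n"
    "Expires: 3600\r\n"
    "\r\n"
)

# Constructed 200 OK as the softswitch would return it to the proxy
OK_FROM_SOFTSWITCH = (
    "SIP/2.0 200 OK\r\n"
    "To: <sip:b@softswitch.example>;tag=9\r\n"
    "Contact: <sip:123.44.55.77:1001>\r\n"
    "Expires: 3600\r\n"
    "\r\n"
)


def parse(msg: str):
    """Split a SIP message into (start line, [(name, value), ...], body)."""
    head, _, body = msg.partition("\r\n\r\n")
    lines = head.split("\r\n")
    headers = [tuple(p.strip() for p in ln.split(":", 1)) for ln in lines[1:]]
    return lines[0], headers, body


def build(start_line: str, headers, body: str) -> str:
    return start_line + "\r\n" + "".join(f"{k}: {v}\r\n" for k, v in headers) + "\r\n" + body


def header(headers, name: str):
    return next((v for k, v in headers if k.lower() == name.lower()), None)


@dataclass
class Binding:
    window: tuple    # public (ip, port) the private gateway opened for this terminal
    proxy_port: int  # signaling port on the proxy bound to that window
    contact: str     # the terminal's original private Contact, kept for reference


@dataclass
class NatFwProxy:
    next_port: int = 1001                          # proxy signaling ports start at 1001, as in the article
    bindings: dict = field(default_factory=dict)   # address-of-record (To header) -> Binding

    def handle_register(self, msg: str, src: tuple):
        """Rewrite a terminal's REGISTER for the softswitch; remember the window it came through."""
        start, headers, body = parse(msg)
        aor = header(headers, "To")
        b = self.bindings.get(aor)
        if b is None:
            b = Binding(src, self.next_port, header(headers, "Contact"))
            self.next_port += 1
            self.bindings[aor] = b
        else:
            b.window = src     # the gateway may hand out a new window; follow the latest one
        out = [(k, f"<sip:{PROXY_IP}:{b.proxy_port}>" if k.lower() == "contact" else v)
               for k, v in headers]
        return build(start, out, body), b

    def relay_register_ok(self, resp: str) -> str:
        """Clamp the granted Expires so the terminal re-registers before the window closes."""
        start, headers, body = parse(resp)
        out, seen = [], False
        for k, v in headers:
            if k.lower() == "expires":
                v, seen = str(min(int(v), KEEPALIVE_EXPIRES)), True
            out.append((k, v))
        if not seen:
            out.append(("Expires", str(KEEPALIVE_EXPIRES)))
        return build(start, out, body)

    def route_to_terminal(self, aor: str):
        """Destination for softswitch-originated signaling (e.g. an INVITE) to this AOR."""
        b = self.bindings.get(aor)
        return None if b is None else b.window
```

The one operational check worth automating is the last line of the lead-in: KEEPALIVE_EXPIRES must be strictly less than the gateway's real binding lifetime, and if several gateway models are in use, less than the shortest of them, or the "window" closes between registrations and the PAT problem returns.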

3. Use NAT/FW Proxy to Solve Private Network NAT Problems

Assume that all terminals are SIP terminals and that the softswitch and the terminals also communicate with the standard SIP protocol, as in Figure 5. Because both Terminal A and Terminal B are devices in private networks, an external access port is allocated to each when it registers with the NAT/FW Proxy; assume these are 123.44.55.11:1050 (Terminal A) and 123.44.55.22:1060 (Terminal B). Proxy signaling ports are allocated on the NAT/FW Proxy; assume these are 123.44.55.77:1001 (Terminal A) and 123.44.55.77:1002 (Terminal B). Now A initiates a call to B. The INVITE message reaches the NAT/FW Proxy after passing through the private network gateway, as shown in Figure 6. The NAT/FW Proxy performs proxy conversion on this signaling and sends it to the softswitch, as shown in Figure 7.

After receiving and processing the INVITE message, the softswitch forwards it to B. Because B is also registered with the softswitch through the NAT/FW Proxy, the message is sent as shown in Figure 8. After the NAT/FW Proxy receives the packet and performs proxy conversion, the packet is sent to the router or firewall on the outer edge of B's network, as shown in Figure 9.

By querying its own list of maintained connections, the firewall can correctly deliver this signaling message to Terminal B. Other signaling messages in the call setup process are transferred in the same way as the INVITE.

4. Use NAT/FW Proxy to implement Proxy connection for media streams

Take the call from Terminal A to Terminal C in Figure 5 as an example. When the INVITE message sent by A reaches the NAT/FW Proxy, the NAT/FW Proxy assigns two RTP Proxy ports to A: an outbound proxy port A1 and an inbound proxy port A2. The NAT/FW Proxy replaces the RTP port description in the SDP of the original INVITE with the port information of A2 and sends it to the softswitch. When the softswitch sends back the SDP information of Terminal C, the NAT/FW Proxy records the actual RTP port of Terminal C, replaces it with the A1 port information, and sends it to Terminal A. After the call is established, once Terminal A starts to send RTP packets, a temporary RTP "window" is created on the private network gateway; as long as the media stream is sent continuously (when there is no voice, the terminal should still send comfort noise RTP packets), this "window" stays open. Because the peer RTP port obtained by device A is actually the outbound proxy port A1 on the NAT/FW Proxy, its RTP packets are sent to the NAT/FW Proxy, which forwards them to the real RTP port of Terminal C. Similarly, the RTP port obtained by Terminal C is actually the proxy port A2 on the NAT/FW Proxy, so its RTP packets are sent to A2, and the NAT/FW Proxy forwards them to Terminal A through the temporary RTP "window" on the private network gateway.

When both devices are behind firewalls and both are registered on the same NAT/FW Proxy, as when Terminal A calls Terminal B in Figure 5, the NAT/FW Proxy knows that both devices are registered with it, so it need not assign two Proxy ports to each terminal but only one, say A1 and B1. A1 serves both as the outbound port of Terminal A and the inbound port of Terminal B, while B1 serves as the outbound port of Terminal B and the inbound port of Terminal A. If Terminal A and Terminal B are behind the same private gateway device, the NAT/FW Proxy need not allocate any Proxy ports at all and can let them establish the RTP stream connection directly within the private network.
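The media proxying of the previous two paragraphs, as an added Python example that is not the article's or any product's code. It covers the A-to-C case end to end: two proxy ports are allocated when A's offer arrives, the offer's c= and m= lines are rewritten to A2, C's real RTP address is taken from the answer and the answer is rewritten to A1, and the forwarding step learns A's gateway "window" from the first RTP packet that reaches A1 (the RTP proxy cannot know that window in advance, since the gateway only opens it when A starts sending). A separate helper gives the number of proxy ports per terminal for the three layouts in the text (public peer, both behind different gateways on this proxy, both behind the same gateway). The proxy address 123.44.55.77 and A's SDP (192.168.0.3, port 10006) are the article's values; C's address 123.44.55.99:30000, A's window 123.44.55.11:2050 and the port range starting at 20000 are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

PROXY_IP = "123.44.55.77"   # NAT/FW Proxy media address (article's example proxy address)

# Constructed SDP bodies: Terminal A's offer (private address, as in Figure 4)
# and Terminal C's answer (C is a public terminal; its address is assumed).
OFFER_FROM_A = "v=0\r\no=a 1 1 IN IP4 192.168.0.3\r\nc=IN IP4 192.168.0.3\r\nm=audio 10006 RTP/AVP 0\r\n"
ANSWER_FROM_C = "v=0\r\no=c 1 1 IN IP4 123.44.55.99\r\nc=IN IP4 123.44.55.99\r\nm=audio 30000 RTP/AVP 0\r\n"


def sdp_media_addr(sdp: str) -> tuple:
    """(ip, port) of the audio stream advertised in an SDP body."""
    ip = port = None
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    return ip, port


def rewrite_sdp(sdp: str, ip: str, port: int) -> str:
    """Point the c= and m=audio lines at a proxy port instead of the real endpoint."""
    out = []
    for line in sdp.split("\r\n"):
        if line.startswith("c=IN IP4 "):
            line = f"c=IN IP4 {ip}"
        elif line.startswith("m=audio "):
            parts = line.split()
            parts[1] = str(port)
            line = " ".join(parts)
        out.append(line)
    return "\r\n".join(out)


def proxy_ports_needed(gw_caller: Optional[str], gw_callee: Optional[str]) -> int:
    """RTP proxy ports per NATed terminal for the three layouts in the text.
    gw_* is the public address of the gateway a terminal sits behind (None = public terminal)."""
    if gw_caller is not None and gw_caller == gw_callee:
        return 0    # same private gateway: RTP flows directly inside the private network
    if gw_caller is not None and gw_callee is not None:
        return 1    # both behind gateways registered on this proxy: A1 and B1 only
    return 2        # one side public: outbound (A1) and inbound (A2) proxy ports


@dataclass
class Session:
    a1: int                                  # port the caller is told to send RTP to
    a2: int                                  # port the far side is told to send RTP to
    caller_window: Optional[tuple] = None    # gateway window, learned from the caller's first packet
    callee_rtp: Optional[tuple] = None       # far side's real RTP address, taken from its answer


@dataclass
class RtpProxy:
    next_port: int = 20000
    sessions: dict = field(default_factory=dict)   # call id -> Session
    by_port: dict = field(default_factory=dict)    # proxy port -> call id

    def _alloc(self) -> int:
        port = self.next_port
        self.next_port += 2        # keep RTP on even ports, leaving port+1 for RTCP
        return port

    def handle_offer(self, call_id: str, offer_sdp: str) -> str:
        s = Session(self._alloc(), self._alloc())
        self.sessions[call_id] = s
        self.by_port[s.a1] = self.by_port[s.a2] = call_id
        return rewrite_sdp(offer_sdp, PROXY_IP, s.a2)      # far side will send to A2

    def handle_answer(self, call_id: str, answer_sdp: str) -> str:
        s = self.sessions[call_id]
        s.callee_rtp = sdp_media_addr(answer_sdp)
        return rewrite_sdp(answer_sdp, PROXY_IP, s.a1)     # caller will send to A1

    def forward(self, proxy_port: int, src: tuple) -> Optional[tuple]:
        """Destination for an RTP packet that arrived on proxy_port from src; None = drop."""
        call_id = self.by_port.get(proxy_port)
        if call_id is None:
            return None
        s = self.sessions[call_id]
        if proxy_port == s.a1:
            if s.caller_window is None:
                s.caller_window = src      # latch onto the window the gateway opened
            elif src != s.caller_window:
                return None                # not the latched window: discard
            return s.callee_rtp
        if proxy_port == s.a2 and src == s.callee_rtp:
            return s.caller_window         # None until the caller has opened its window
        return None
```

Two design points follow directly from the text: packets for A that arrive on A2 before A has sent anything have nowhere to go, which is why the terminal must keep sending (comfort noise included), and the proxy only accepts traffic on A2 from the address C advertised in its answer, so an unrelated host cannot inject media into the call simply by knowing the proxy port.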

5. Considerations for other issues

The above description of private network traversal with the NAT/FW Proxy assumes terminals using the SIP protocol, but the method is not limited to SIP terminals. When terminals use H.248, MGCP or other protocols, private network traversal can also be achieved as long as the NAT/FW Proxy supports the corresponding protocol.

In terms of architecture, if there are many devices that need private network traversal proxying and one NAT/FW Proxy cannot handle them all, multiple NAT/FW Proxies can be deployed, with devices registered to different NAT/FW Proxies. For example, one NAT/FW Proxy can be configured to handle the private network traversal of SIP terminals, and two NAT/FW Proxies to handle the private network traversal of MGCP terminals.

IV. Expansion and Application in the softswitch system

Beyond implementing private network traversal, the NAT/FW Proxy architecture can, with a little extension, bring other unexpected gains to the softswitch system.

1. Protecting Softswitch devices from attacks

Under a normal configuration, the IP address of the softswitch device is visible to all users, and it is difficult to prevent attacks such as DoS attacks launched by someone who deliberately targets the softswitch device. However, if all terminals are required to register on the NAT/FW Proxy device and to communicate with the softswitch through the NAT/FW Proxy, the softswitch address is completely invisible to the outside. In addition, because NAT/FW Proxy devices are relatively low in cost, several NAT/FW Proxy devices can be deployed; even if one is under attack, the terminals only need to be switched to another NAT/FW Proxy for registration.

2. Prevent communication fraud

Generally, once the softswitch has set up a call for both parties, the addresses, ports and media capabilities of the two terminals are completely visible to each other. In that case, terminals that support point-to-point connections can bypass the softswitch and directly initiate a connection to the other party, so the softswitch cannot charge for the call and communication fraud occurs. If all terminals are registered on the NAT/FW Proxy as described in section 1, terminals can only interact through the Proxy ports on the NAT/FW Proxy, and each terminal sees only the other party's number, which largely prevents this fraud.

3. Media Stream Control

If all terminals are registered on the NAT/FW Proxy, media streams between terminals must pass through the NAT/FW Proxy. If the NAT/FW Proxy function is enhanced, the lack of media stream control in the softswitch system can be addressed: for example, charging by traffic volume, controlling user bandwidth to prevent unauthorized media stream connections (such as video media streams), obtaining QoS information about media streams, and even meeting the requirements of the national security department for monitoring sensitive calls.

However, these benefits come at a price: the media streams of the entire softswitch network must be aggregated at the locations of the NAT/FW Proxies, which greatly increases the load on that part of the network and also weakens the flexibility that the softswitch gains from the separation of control and bearer.

V. Conclusion

This article introduces a method to solve the private network traversal problem in the softswitch network by setting a special proxy server. Now this method has been applied. I believe that as the size of the softswitch network continues to expand, this private network Traversal method will be increasingly applied to the softswitch network.
