I. Introduction
With the rapid development of computer and communication technologies, carrying voice, data, images and other services over packet-switched networks has become the direction in which networks are evolving. Driven by this trend of service-driven network convergence, the next-generation network (NGN), with softswitch devices at its core, emerged. NGN is built on a packet network. It adopts a distributed network structure to carry voice, video and multimedia services effectively, and separates the service application, service control and service transport functions. During network construction, NGN can evolve smoothly from the existing data network, which brings the following benefits: existing network devices and terminal devices can be used directly in NGN, and many IP-based protocols can continue to be used. At the same time, however, we inevitably encounter many problems, among which private network traversal is an urgent one. Before discussing it, let us look at the NGN network structure.
NGN is a network that integrates voice, data, multimedia and mobile services. It can be divided into the following layers: access layer, transport layer, control layer and service layer.
Access layer: consists of various gateways, intelligent access terminals and integrated access devices. It connects users to the network through various access methods (including broadband access and mobile access) and converts user information into a format that can be transmitted over the network.
Transport layer: the NGN bearer network, which provides a common transmission platform for all kinds of services and media streams. It mostly uses packet-based transmission; at present the main core transport network is the broadband IP network.
Control layer: implements call processing control, access protocol adaptation, interworking and other comprehensive control functions and service logic. It determines the services a user receives and controls how the lower-layer network elements process the service flows. Its main entity is the softswitch device.
Service layer: processes service logic and provides comprehensive, intelligent services for customers, achieving service customization and service-related management functions such as service authentication and billing.
II. Traversal problems in NGN broadband access
In NGN broadband access, the main concern is the broadband access problem at the edge access layer of NGN. Because the NGN core bearer network and broadband access are built on the existing IP network, access users must be addressed by IP address. In reality, however, the rapid expansion of the Internet has seriously exhausted the IPv4 address space. To cope with this, many enterprise and other private networks deploy a network address translator (NAT) at their network egress.
NAT is an Internet standard and sits at the boundary between the private network and the public network. When an IP datagram sent from the private network reaches the NAT device, NAT converts the internal private IP address into a valid public IP address. When a datagram arrives from outside, NAT converts the public IP address back into the private IP address by looking up the mapping table it maintains, and then forwards the datagram to the internal receiver.
For ordinary data packets, the NAT device only needs to translate the IP address and port number. For applications such as H.323, SIP and MGCP, however, the actual media connection information is carried in the packet payload, which causes problems. Suppose terminal A initiates a call to terminal B and the softswitch forwards A's call information to B. Following H.323, SIP or similar protocols, terminal B obtains terminal A's private IP address from the packet payload and tries to establish an RTP connection with A. Because that address is private, and private addresses are unreachable on the public network, the call cannot be established. Figure 3 shows clearly how NAT blocks the end-to-end flow of media.
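The failure described above can be reproduced in a few lines. The following Python is an added example, not code from the article: it models a plain NAT that rewrites only the IP/UDP header of terminal A's SIP INVITE, then reads the RTP endpoint the callee would take from the SDP payload and checks whether that address is routable from the public network. The SDP body, the private address 192.168.1.10, the softswitch address and the NAT port are constructed sample values; 123.44.55.11 is the article's own sample NAT address.

```python
import ipaddress
from dataclasses import dataclass

# RFC 1918 private ranges, checked explicitly rather than with ipaddress.is_private,
# which also classifies the documentation ranges (192.0.2.0/24 etc.) as private.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample: the SDP body terminal A places in its SIP INVITE.
# Terminal A sits behind NAT with the private address 192.168.1.10.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=termA 1 1 IN IP4 192.168.1.10\r\n"
    "s=call\r\n"
    "c=IN IP4 192.168.1.10\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


def is_rfc1918(ip: str) -> bool:
    """True if ip falls in one of the RFC 1918 private ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def nat_outbound(pkt: Packet, public_ip: str, public_port: int) -> Packet:
    """An ordinary NAT rewrites only the IP/UDP header; the SDP payload is left untouched."""
    return Packet(public_ip, public_port, pkt.dst_ip, pkt.dst_port, pkt.payload)


def sdp_media_endpoint(sdp: str) -> tuple:
    """Return the (ip, port) the callee would send RTP to, read from the c= and m=audio lines."""
    ip = port = None
    for line in sdp.splitlines():
        if line.startswith("c=IN IP4 "):
            ip = line.split()[2]
        elif line.startswith("m=audio "):
            port = int(line.split()[1])
    if ip is None or port is None:
        raise ValueError("SDP has no c= or m=audio line")
    return ip, port


def media_reachable(sdp: str) -> bool:
    """True only if the RTP address advertised in the SDP is routable from the public network."""
    ip, _ = sdp_media_endpoint(sdp)
    return not is_rfc1918(ip)


def demo() -> dict:
    # Constructed: INVITE from A (private) towards a softswitch at 123.44.55.100.
    invite = Packet("192.168.1.10", 5060, "123.44.55.100", 5060, SAMPLE_SDP)
    # 123.44.55.11 is the article's sample NAT address; the port 1050 is constructed.
    on_the_wire = nat_outbound(invite, "123.44.55.11", 1050)
    return {
        "header_src": (on_the_wire.src_ip, on_the_wire.src_port),  # translated by NAT
        "sdp_media": sdp_media_endpoint(on_the_wire.payload),      # still the private address
        "reachable": media_reachable(on_the_wire.payload),         # False: RTP cannot be set up
    }


if __name__ == "__main__":
    print(demo())
```

The header source becomes the NAT's public address, but the `c=` line the callee parses still names 192.168.1.10, which is exactly the mismatch the text describes; an application layer gateway would have to rewrite the payload as well, which is why plain NAT alone breaks these protocols.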
At the same time, to improve the security of the internal network, most enterprises deploy a firewall at the network egress to restrict the type and volume of packets entering the internal network. IP-based voice and video communication protocols require terminals to use IP addresses and port numbers to establish data channels between them. This creates a dilemma: every NGN terminal must be able to listen for external calls at any time, but the firewall does not allow arbitrary packets from the Internet to pass. Even if some mechanism opens a firewall port to receive the packets created by calls from the Internet, RTP/RTCP in voice and video communication uses dynamically allocated ports to send and receive media streams, so the firewall problem is another problem we have to face in the actual deployment of NGN.
III. A solution to the private network traversal problem
There are currently many solutions to the private network traversal problem, such as application layer gateways (ALG), proxy technology and protocol extensions. To some extent they solve the problem of voice and video traversing firewalls and NAT, but each has shortcomings. Application layer gateways and proxies require the existing NAT and firewall devices to be upgraded, which is not easy for the many enterprise networks that have already deployed NAT devices. Protocol extensions do not require changes to the existing NAT devices, but they do require extending the existing terminals, softswitch devices, gatekeepers, SIP servers and other control devices, so implementation is also very difficult. Here we introduce a tunnel-based traversal technology.
1. Tunneling technology
Based on a client/server mode of operation, the tunneling technology provides secure connections between networks.
The solution consists of two components: an application server (server) and a proxy client (client). The client is placed in the private network behind the firewall and NAT; it represents the terminals in all communication with devices outside the firewall, and the terminals in the private network register with it. The server is placed in the public network and has a public IP address. A signaling and control channel is created between the client and the server. Through this channel the client forwards all user registration information and call control signaling to the server, and the server forwards it on to the softswitch device. The client also forwards audio, video and other media streams to the server. The client and server communicate using a custom protocol. Note that signaling or media streams sent from a terminal to the client must be encapsulated by the client into the packet format required by the custom protocol before forwarding, and are unpacked on arrival at the server. Only through this process can the server obtain the information needed to traverse NAT.
By opening a few ports on the firewall, this scheme allows TCP connections between the client and the server to carry the various control signals. When a terminal calls another terminal outside the firewall, all packets can be routed to the server through the client, and returned data can be routed back to the terminal through the client. After a call is established, the client ensures that all the audio and video channels needed through the firewall are open when forwarding media streams, so audio and video data are transmitted through those open channels. Usually the administrator can open a few fixed ports on the firewall with simple configuration.
2. Solving the NAT traversal problem
First, all terminals in the private network register with the client. The client stores all terminal information and registers with the server on the public network. After receiving the registration, the server assigns each client a user serial number to simplify user management and forwards the registration information to the softswitch device. When the registration arrives at the server, the server can, through the custom protocol between client and server, read the valid public IP address produced by NAT translation from the packet header and store it. In this way the server can send data to the NAT at that address, so RTP/RTCP data can enter the private network smoothly.
Take figure 5 as an example. When terminal A and terminal C register with client 1 and client 2 respectively, the stored user information is shown in tables 1 and 2. When Client1 and Client2 forward the registration messages to the server through NAT, the NATs allocate valid external addresses to A and C respectively, say A (123.44.55.11:1050) and C (123.44.55.22:1060). The user address information stored on the server is shown in table 3. Now A initiates a call to C. After A sends the call signaling to Client1, Client1 sends it to the server over the channel between Client1 and the server; the server processes the signaling and forwards it to the softswitch system. The softswitch system performs address resolution and sends the call request for the called party to the server. The server then searches the client table it maintains using the private IP address of C resolved by the softswitch, and obtains C's valid public IP address. At this point the server creates a connection table and saves the connection information from A to C, as shown in table 4. The call signaling is then forwarded to the NAT in front of C's private network; by querying its own mapping table, the NAT delivers the message to Client2. Client2 then looks up its user table, and the message is delivered correctly to C. The other signaling messages in the call setup process are transferred in a similar way.
For media streams, the server acts as a media relay. After the call is connected, terminal A sends RTP/RTCP packets to terminal C; Client1 only needs to send the RTP/RTCP packets to the fixed port of the server, and the server looks up its connection table to complete the forwarding directly. Note that since RTP is carried in UDP packets, to keep the NAT mapping for those UDP packets unchanged for the whole duration of a call, the client must keep sending packets to the server; when there is no voice, comfort-noise packets must still be sent.
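The registration, call setup and media relay steps above, together with the keepalive requirement at the end, fit into one runnable model. The following Python is an added example, not the article's or any vendor's code: the Server class holds the user table and connection table the text describes (tables 1 to 4), the Nat class is a toy NAT whose mappings expire after a period of silence, and run_call shows that RTP from A still reaches Client2 after a silent stretch only when both clients keep sending packets. The private addresses, ports and the 30-second timeout are constructed; 123.44.55.11 and 123.44.55.22 are the article's sample NAT addresses.

```python
from dataclasses import dataclass, field


@dataclass
class Nat:
    """Toy NAT: a private (ip, port) gets a public port that is kept only while packets keep
    flowing; after `timeout` seconds of silence inbound packets for that port are dropped."""
    public_ip: str
    timeout: float
    next_port: int
    bindings: dict = field(default_factory=dict)  # (priv_ip, priv_port) -> [pub_port, last_seen]

    def outbound(self, priv_ip, priv_port, now):
        key = (priv_ip, priv_port)
        entry = self.bindings.get(key)
        if entry is None or now - entry[1] >= self.timeout:
            entry = [self.next_port, now]  # new (or re-created) binding on a fresh public port
            self.next_port += 2
        entry[1] = now                     # every outbound packet refreshes the binding
        self.bindings[key] = entry
        return (self.public_ip, entry[0])

    def inbound(self, pub_port, now):
        for key, (port, last_seen) in self.bindings.items():
            if port == pub_port and now - last_seen < self.timeout:
                return key
        return None                        # no live binding: the NAT drops the packet


@dataclass
class Server:
    """Public-side server: user table (tables 1-3 in the article) and connection table (table 4)."""
    clients: dict = field(default_factory=dict)      # client_id -> NAT-translated (ip, port)
    users: dict = field(default_factory=dict)        # terminal private ip -> (client_id, serial)
    connections: dict = field(default_factory=dict)  # public addr -> peer public addr
    serial: int = 0

    def register(self, client_id, seen_from, terminals):
        # The public address is whatever the packet header carried on arrival, i.e. after NAT.
        self.clients[client_id] = seen_from
        for t in terminals:
            self.serial += 1
            self.users[t] = (client_id, self.serial)

    def setup_call(self, caller_priv, callee_priv):
        """Resolve the callee's private IP to its client's public address; record both directions."""
        caller_pub = self.clients[self.users[caller_priv][0]]
        callee_pub = self.clients[self.users[callee_priv][0]]
        self.connections[caller_pub] = callee_pub
        self.connections[callee_pub] = caller_pub
        return callee_pub

    def relay(self, src_pub):
        """Media relay: forward an RTP packet to the peer recorded for its source address."""
        return self.connections.get(src_pub)


# Constructed private addresses of the two clients and the terminals behind them.
CLIENT1, CLIENT2 = ("10.0.0.2", 5000), ("10.0.1.2", 5000)
TERM_A, TERM_C = "10.0.0.10", "10.0.1.30"


def run_call(keepalive_every=None, silence_until=40.0, nat_timeout=30.0):
    """Register A and C, set up the call A -> C, then test whether RTP from A still reaches
    Client2 after a silent period, with or without keepalive packets from both clients."""
    nat1 = Nat("123.44.55.11", nat_timeout, next_port=1050)  # article's sample NAT addresses
    nat2 = Nat("123.44.55.22", nat_timeout, next_port=1060)
    server = Server()
    server.register("client1", nat1.outbound(*CLIENT1, now=0.0), [TERM_A])
    server.register("client2", nat2.outbound(*CLIENT2, now=0.0), [TERM_C])
    server.setup_call(TERM_A, TERM_C)
    # Early in the call media flows normally: Client1 -> server -> NAT2 -> Client2.
    src = nat1.outbound(*CLIENT1, now=5.0)
    assert nat2.inbound(server.relay(src)[1], now=5.0) == CLIENT2
    # Silence: the clients either send comfort-noise/keepalive packets or nothing at all.
    if keepalive_every:
        t = keepalive_every
        while t < silence_until:
            nat1.outbound(*CLIENT1, now=t)
            nat2.outbound(*CLIENT2, now=t)
            t += keepalive_every
    # A new RTP packet from A after the silence.
    src = nat1.outbound(*CLIENT1, now=silence_until)
    dst = server.relay(src)
    if dst is None:  # NAT1 re-created its binding on a new port: the server's table is stale
        return server, None
    return server, nat2.inbound(dst[1], now=silence_until)


if __name__ == "__main__":
    print("without keepalive:", run_call()[1])
    print("with keepalive:   ", run_call(keepalive_every=20.0)[1])
```

Without keepalives the silence breaks the call in two places at once: NAT1 hands Client1 a new public port, so the server's connection table no longer matches, and NAT2 has discarded the binding the server would send to. Refreshing both bindings more often than the NAT timeout, which is what the comfort-noise traffic in the text achieves, keeps both tables valid.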
3. Other considerations
(1) As a signaling proxy, the server is equivalent to a softswitch system, and the client is transparent to users. When a user sends registration information to the server through the client and the server registers with the softswitch system, the user must pass identity authentication; only after registration and authentication succeed can the user proceed with subsequent call setup and sessions. The server must therefore be able to accept user registrations and manage the related registration information, so that a registered user can make multiple calls without re-registering for each call, while a call from an unregistered user is rejected by the server as soon as it is received.
(2) The client/server is a multi-protocol entity, so standard protocols must be used to communicate with terminals and the softswitch. These protocols include MGCP, H.248, H.323 and SIP. The client and server themselves use a custom protocol.
(3) In terms of architecture, multiple servers can be deployed when there are so many devices requiring private network traversal that a single server proxy cannot handle them.
(4) Because all media streams are forwarded by the server, enhancing the server can solve the problem of media streams being uncontrolled in the softswitch system: user bandwidth can be controlled, unauthorized media streams can be prevented from establishing connections, charging by traffic becomes possible, and QoS information about the media streams can be obtained.
IV. Conclusion
This article introduces a client/server-based method for traversing NAT and firewalls. The technology is simple and direct: it does not require any extension of the existing NAT device, only that a few ports be opened through policy configuration; it supports multiple protocols and scales well. In addition, the tunneling mechanism makes multi-level NAT traversal easy to implement. At the same time, we must recognize that tunneling has its own shortcomings: all communication passing through the firewall must go through the server, and this path through the client and server introduces some delay. Many equipment manufacturers have used this method to solve the problem of audio and video traversal of NAT and firewalls; although the names differ, the basic principle is the same. I believe that as the next-generation network expands, this traversal technology will be applied increasingly widely.
Author: State Key Laboratory of Integrated Business Network, Xi'an University of Electronic Science and Technology