CN1411287A - Flexible exchanger for separatedly carrying internet protocol voice service by distributed fire wall - Google Patents


Info

Publication number: CN1411287A
Authority: CN (China)
Prior art keywords: server, master, backup, address translation, network address
Legal status: Granted
Application number: CN 02132365
Other languages: Chinese (zh)
Other versions: CN1250017C (en)
Inventor: 莫里斯·G·德索扎
Current Assignee: Samsung Electronics Co Ltd
Original Assignee: Samsung Electronics Co Ltd

Application filed by Samsung Electronics Co Ltd
Publication of CN1411287A
Application granted
Publication of CN1250017C
Anticipated expiration
Current legal status: Expired - Fee Related

Landscapes

  • Data Exchanges In Wide-Area Networks (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A switch capable of handling voice-over-IP (VoIP) traffic between calling devices and called devices. The switch comprises: call application nodes for executing call process server applications, wherein a first call process server application and a similar second call process server application form a first load sharing group server application; and network address translation nodes for executing firewall server applications. A first firewall server application executed on a first network address translation node is associated with a similar second firewall server application executed on a second network address translation node separate from the first network address translation node. The first and second firewall server applications form a second load sharing group server application. The second load sharing group server application receives the VoIP traffic and, according to a load distribution algorithm, selects one of the first and second firewall server applications to verify that the VoIP traffic is authorized to access at least one of the call process server applications in the call application nodes.

Description

Softswitch for load sharing of voice-over-IP traffic using a distributed firewall
This application claims priority to U.S. Provisional Patent Application No. 60/325,247, filed September 27, 2001.
Cross-reference to related applications
The present invention is related to the inventions disclosed in the following United States non-provisional patent applications:
1) [Docket No. SAMS01-00186], filed December 31, 2001, entitled "SYSTEM AND METHOD FOR DISTRIBUTED CALL PROCESSING USING LOAD SHARING GROUP;"
2) [Docket No. SAMS01-00187], filed December 31, 2001, entitled "SYSTEM AND METHOD FOR DISTRIBUTED CALL PROCESSING USING A DISTRIBUTED TRUNK IDLE LIST;"
3) [Docket No. SAMS01-00188], filed December 31, 2001, entitled "DISTRIBUTED IDENTITY SERVER FOR USE IN A TELECOMMUNICATION SWITCH;" and
4) [Docket No. SAMS01-00189], filed December 31, 2001, entitled "SYSTEM AND METHOD FOR PROVIDING A SUBSCRIBER DATABASE USING GROUP SERVICES IN A TELECOMMUNICATION SYSTEM."
The above applications are commonly assigned to the assignee of the present invention. The disclosures of these related applications are hereby incorporated by reference.
Technical field
The present invention relates generally to telecommunication systems and, more particularly, to a switch that uses a distributed firewall to provide load sharing of voice-over-IP (VoIP) traffic.
Background of the invention
Telecommunications providers continually establish new markets and expand existing markets for telecommunications services and equipment. An important means of achieving this is to improve the performance of telecommunications network equipment while making the equipment cheaper and more reliable. Doing so allows providers to maintain, or even improve, the capacity of their networks while reducing infrastructure and operating costs. At the same time, service providers strive to improve quality of service and to increase the number of services available to end users.
One increasingly popular telecommunications service is voice over Internet Protocol (VoIP). VoIP is an application that allows users to send voice traffic (for example, telephone calls, faxes and other data) over an Internet Protocol (IP) network. VoIP segments the voice signal traffic into frames and stores them in voice packets. The voice packets are transmitted over the network using any of the conventional multimedia (i.e., voice, video, fax and data) protocols. These protocols include H.323, IPDC, Media Gateway Control Protocol (MGCP), Session Initiation Protocol (SIP), Megaco, Session Description Protocol (SDP), Skinny and the like. For Internet telephony, SIP and H.323 are especially important.
Session Initiation Protocol (SIP) is an application-layer control signaling protocol for VoIP implementations that use redirect mode. SIP is a text-based client-server protocol that provides the mechanisms needed for end-user systems and proxy servers to offer services such as call forwarding, called and calling number identification, multicast invitations and basic automatic call distribution (ACD). A SIP address (for example, a URL (uniform resource locator)) can be embedded in a web page to provide a simple 'click-to-talk' service.
H.323 is an International Telecommunication Union (ITU-T) standard that comprises a set of standards defining real-time multimedia communication over packet-based networks. H.323 defines several call control, channel setup and codec specifications for transmitting real-time voice and video over networks that offer no guaranteed service or quality of service. Such networks may include packet networks (in particular the Internet), local area networks (LANs), wide area networks (WANs) and intranets.
The main benefit of VoIP is reduced cost, for the following reasons:
1) voice and data travel over a single line into the home, or over a single IP network into a business;
2) voice is converted into digital packets and placed directly on the Internet, bypassing circuit-switched equipment and telephone operators, and their costs, entirely; and
3) IP networks use flexible "soft" switches that are easily upgraded with software. IP telephony gateways occupy far less space than circuit-switched equipment and have considerably lower power and cooling requirements.
Telecommunications softswitches commonly use a network address translation (NAT)/firewall node (FN) to protect the internal workings of the softswitch. The NAT/firewall performs network address translation, which provides the public IP addresses exposed to the external packet network. The NAT function translates the private IP addresses of the internal network into public addresses and vice versa. The firewall function may be of one of several types, including packet filters, circuit gateways, application gateways or trusted gateways. Conventional firewalls are implemented as a combination of hosts and routers. A router can control traffic at the packet level, admitting or denying packets according to port number or source or destination address. This technique is called packet filtering. A host can control traffic at the application level, granting access according to a more detailed, protocol-dependent inspection of the traffic. The process of inspecting and forwarding packet traffic is called proxying.
Unfortunately, conventional firewall systems provide these capabilities on the basis of a predetermined distribution of work. For calls originating in the IP network, this relies on a static allocation of load. In addition, conventional firewall systems are constrained when the softswitch is scaled up or down. In prior approaches, scaling often involves static configuration changes and requires an outage.
There is therefore a need for improved firewall systems for use in telecommunication systems. In particular, there is a need for a firewall system that scales up or down easily. Further, there is a need for a network firewall that does not rely on a static allocation of traffic load for calls originating in the IP network.
Summary of the invention
To address the above-described deficiencies of the prior art, it is a primary object of the present invention to provide a switch capable of handling voice-over-IP (VoIP) traffic between calling devices and called devices. According to a preferred embodiment of the invention, the switch comprises: 1) a plurality of call application nodes capable of executing call process server applications, wherein a first call process server application executes on a first one of the call application nodes and is associated with a similar second call process server application executing on a second call application node separate from the first call application node, the first and second call process server applications thereby forming a first load sharing group server application; and 2) a plurality of network address translation nodes capable of executing firewall server applications, wherein a first firewall server application executes on a first one of the network address translation nodes and is associated with a similar second firewall server application executing on a second network address translation node separate from the first network address translation node, the first and second firewall server applications thereby forming a second load sharing group server application, wherein VoIP traffic associated with a VoIP call is received by the second load sharing group server application, and the second load sharing group server application selects one of the first and second firewall server applications, according to a load distribution algorithm, to verify that the VoIP traffic is authorized to access at least one of the call process server applications in the call application nodes.
According to one embodiment of the present invention, the load distribution algorithm distributes the VoIP traffic between the first and second firewall server applications in an alternating manner.
According to another embodiment of the present invention, the load distribution algorithm distributes the VoIP traffic according to the current traffic load of the first firewall server application and the current traffic load of the second firewall server application.
According to still another embodiment of the present invention, the load distribution algorithm distributes the VoIP traffic so as to keep the current traffic load of the first firewall server application approximately equal in magnitude to the current traffic load of the second firewall server application.
According to still another embodiment of the present invention, the first firewall server application comprises a first master-backup group server application, wherein the first master-backup group server application comprises a first master firewall process executing on the first network address translation node and a first backup firewall process associated with the first master firewall process.
According to yet another embodiment of the present invention, state information associated with the first master firewall process is mirrored to the first backup firewall process associated with the first master firewall process.
According to a further embodiment of the present invention, the first backup firewall process resides on the first network address translation node.
According to a still further embodiment of the present invention, the first backup firewall process resides on a network address translation node separate from the first network address translation node.
In one embodiment of the present invention, the second firewall server application comprises a second master-backup group server application, wherein the second master-backup group server application comprises a second master firewall process executing on the second network address translation node and a second backup firewall process associated with the second master firewall process.
In another embodiment of the present invention, state information associated with the second master firewall process is mirrored to the second backup firewall process associated with the second master firewall process.
In still another embodiment of the present invention, the second backup firewall process resides on the second network address translation node.
In yet another embodiment of the present invention, the second backup firewall process resides on a call application node separate from the second network address translation node.
The foregoing has outlined rather broadly the features and technical advantages of the present invention so that those skilled in the art may better understand the detailed description of the invention that follows. Additional features and advantages of the invention will be described hereinafter that form the subject of the claims of the invention. Those skilled in the art should appreciate that they may readily use the conception and the specific embodiment disclosed as a basis for modifying or designing other structures for carrying out the same purposes of the present invention. Those skilled in the art should also realize that such equivalent constructions do not depart from the spirit and scope of the invention in its broadest form.
Before undertaking the "Detailed description of the invention" below, it may be advantageous to set forth definitions of certain words and phrases used throughout this patent document: the terms "include" and "comprise," as well as derivatives thereof, mean inclusion without limitation; the term "or" is inclusive, meaning "and/or"; the phrases "associated with" and "associated therewith," as well as derivatives thereof, may mean to include, be included within, interconnect with, contain, be contained within, connect to or with, couple to or with, be communicable with, cooperate with, interleave, juxtapose, be proximate to, be bound to or with, have, have a property of, or the like; and the term "controller" means any device, system or part thereof that controls at least one operation, where such a device may be implemented in hardware, firmware or software, or some combination of at least two of the same. It should be noted that the functionality associated with any particular controller may be centralized or distributed, whether locally or remotely. Definitions for certain words and phrases are provided throughout this patent document, and those of ordinary skill in the art should understand that in many, if not most, instances such definitions apply to prior, as well as future, uses of such defined words and phrases.
Brief description of the drawings
For a more complete understanding of the present invention and its advantages, reference is now made to the following description taken in conjunction with the accompanying drawings, in which like reference numerals represent like parts:
FIG. 1 illustrates an exemplary communication network in which VoIP applications may be implemented according to one embodiment of the present invention;
FIG. 2 illustrates an exemplary communication network in which VoIP applications may be implemented according to a second embodiment of the present invention; and
FIG. 3 illustrates selected portions of an exemplary softswitch in a communication network in which network address translation and firewall functionality may be implemented as distributed load sharing groups according to one embodiment of the present invention.
Detailed description of the invention
FIGS. 1 through 3, discussed below, and the various embodiments used to describe the principles of the present invention in this patent document are by way of illustration only and should not be construed in any way to limit the scope of the invention. Those skilled in the art will understand that the principles of the present invention may be implemented in any suitably arranged communication network.
FIG. 1 illustrates exemplary communication network 100, in which VoIP applications may be implemented according to one embodiment of the present invention. Communication network 100 comprises one or more softswitches 105, router 150, Internet Protocol (IP) packet network 160, one or more Session Initiation Protocol (SIP)/H.323 telephones 170, media gateway 175, wireless network (WN) base transceiver subsystem (BTS) 180 and billing server 185. Softswitch 105 comprises call process application nodes (CANs) 115A, 115B and 115C (labeled CAN1, CAN2 and CAN3), communication server nodes (CSNs) 120A and 120B (labeled CSN1 and CSN2), operations, administration, maintenance and provisioning (OAMP) nodes 125A and 125B (labeled OAMP1 and OAMP2), and network address translation (NAT) and firewall nodes 110A, 110B, 110C, 110D and 110E (labeled NAT1, NAT2, NAT3, NAT4 and NAT5). CAN1-CAN3, CSN1 and CSN2, OAMP1 and OAMP2, and NAT1-NAT5 are coupled by, and communicate over, internal Ethernet 130.
Softswitch 105 and other similar softswitches (not shown) provide switching and other services to SIP/H.323 telephones 170, media gateway 175, WN BTS 180 and billing server 185. These services may include phone-to-phone, phone-to-PC (personal computer), fax-to-e-mail, e-mail-to-fax, fax-to-fax, call center applications, virtual private networks (VPNs), IP telephony and the like. Media gateway 175 converts media (i.e., voice, video, audio, fax) provided in one type of network (i.e., the public switched telephone network (PSTN)) into the form required by the VoIP network in switch 105. For example, media gateway 175 may terminate media streams from a switched circuit network (for example, SS7 bearer channels) and from a packet network. SIP/H.323 telephone 170 may send calls to, and receive calls from, other SIP/H.323 telephones through softswitch 105. In addition, SIP/H.323 telephone 170 may, through softswitch 105, send calls to and receive calls from telephones connected to the public switched telephone network (PSTN) coupled to media gateway 175. Also, SIP/H.323 telephone 170 may, through softswitch 105, send calls to and receive calls from cellular telephones and other wireless access terminals communicating with wireless network BTS 180.
Call application nodes 115A, 115B and 115C (CAN1-CAN3) execute a plurality of call process (CP) server applications organized as master and backup processes that are available as a distributed group service to SIP/H.323 telephones 170, media gateway 175, wireless network base transceiver subsystem 180 and billing server 185. The call application nodes are computing nodes comprising processors and memory that provide scalability and redundancy simply by the addition of more call application nodes, up to a maximum of N nodes.
Each of the call processes executing on CAN1-CAN3 handles the control signals and messages sent to, or received from, SIP/H.323 telephones 170, media gateway 175, WN BTS 180 and billing server 185. Each of SIP/H.323 telephones 170, media gateway 175, WN BTS 180 and billing server 185 establishes a session with the load sharing group, and the load sharing group assigns each call to a specific one of the master-backup group call process server applications executing on CAN1-CAN3. The selected call process server application actually performs the call process services/functions requested by the call process client application.
Similarly, NAT1-NAT5 execute a plurality of network address translation and firewall applications organized as master and backup processes that are available as a distributed (i.e., load sharing) group service to SIP/H.323 telephones 170, media gateway 175, wireless network base transceiver subsystem 180 and billing server 185. Communication server nodes 120A and 120B (CSN1 and CSN2) terminate SS7 links and manage MTP layers 1-3. CSN1 and CSN2 may also be organized as master and backup processes suitable for use as a distributed (i.e., load sharing) group service.
FIG. 3 illustrates selected portions of exemplary softswitch 150 in a communication network in which network address translation and firewall functionality may be implemented as distributed load sharing groups using group services, according to the principles of the present invention. In the illustrated embodiment, three exemplary call process server applications are executing, namely CP1, CP2 and CP3. Each of these processes exists in the form of a master-backup group. Thus, CP1 exists as master process CP1(P) and backup process CP1(B). Similarly, CP2 exists as master process CP2(P) and backup process CP2(B), and CP3 exists as master process CP3(P) and backup process CP3(B).
In the illustrated embodiment, CP1(P) and CP1(B) reside on different call application nodes (i.e., CAN1 and CAN2). This is not a strict requirement: CP1(P) and CP1(B) could reside on the same call application node (for example, CAN1) and still provide reliability and redundancy against a software fault in master process CP1(P). However, in a preferred embodiment of the invention, the master process and the backup process reside on different call application nodes, thereby providing hardware redundancy as well as software redundancy. Thus, CP1(P) and CP1(B) reside on CAN1 and CAN2, CP2(P) and CP2(B) reside on CAN2 and CAN3, and CP3(P) and CP3(B) reside on CAN3 and CAN1. Together, CP1, CP2 and CP3 form a supergroup for the purpose of load sharing. Thus, CP1(P) and CP1(B), CP2(P) and CP2(B), and CP3(P) and CP3(B) are part of a first load sharing group (LSG1), indicated by a dashed boundary.
Similarly, five exemplary network address translation process (NATP) server applications are executing, namely NATP1, NATP2, NATP3, NATP4 and NATP5. Each of these processes exists in the form of a master-backup group. Thus, NATP1 exists as master process NATP1(P) and backup process NATP1(B). Similarly, NATP2 exists as master process NATP2(P) and backup process NATP2(B), NATP3 exists as master process NATP3(P) and backup process NATP3(B), NATP4 exists as master process NATP4(P) and backup process NATP4(B), and NATP5 exists as master process NATP5(P) and backup process NATP5(B).
In addition, in a preferred embodiment of the invention, the master NAT process and the backup NAT process reside on different network address translation nodes (i.e., NAT1-NAT5), thereby providing hardware redundancy as well as software redundancy. NATP1(P) and NATP1(B) reside on NAT1 and NAT2, NATP2(P) and NATP2(B) reside on NAT2 and NAT3, NATP3(P) and NATP3(B) reside on NAT3 and NAT4, NATP4(P) and NATP4(B) reside on NAT4 and NAT5, and NATP5(P) and NATP5(B) reside on NAT5 and NAT1. Together, NATP1, NATP2, NATP3, NATP4 and NATP5 form a supergroup for the purpose of load sharing. Thus, NATP1(P) and NATP1(B), NATP2(P) and NATP2(B), NATP3(P) and NATP3(B), NATP4(P) and NATP4(B), and NATP5(P) and NATP5(B) are part of a second load sharing group (LSG2), indicated by a dashed boundary.
Finally, five exemplary firewall process (FWP) server applications are executing, namely FWP1, FWP2, FWP3, FWP4 and FWP5. Each of these processes exists in the form of a master-backup group. Thus, FWP1 exists as master process FWP1(P) and backup process FWP1(B). Similarly, FWP2 exists as master process FWP2(P) and backup process FWP2(B), FWP3 exists as master process FWP3(P) and backup process FWP3(B), FWP4 exists as master process FWP4(P) and backup process FWP4(B), and FWP5 exists as master process FWP5(P) and backup process FWP5(B).
FWP1(P) and FWP1(B) reside on NAT1 and NAT2, FWP2(P) and FWP2(B) reside on NAT2 and NAT3, FWP3(P) and FWP3(B) reside on NAT3 and NAT4, FWP4(P) and FWP4(B) reside on NAT4 and NAT5, and FWP5(P) and FWP5(B) reside on NAT5 and NAT1. Together, FWP1, FWP2, FWP3, FWP4 and FWP5 form a supergroup for the purpose of load sharing. Thus, FWP1(P) and FWP1(B), FWP2(P) and FWP2(B), FWP3(P) and FWP3(B), FWP4(P) and FWP4(B), and FWP5(P) and FWP5(B) are part of a third load sharing group (LSG3), indicated by a dashed boundary.
Group services provide a framework for organizing a group of distributed software objects in a computing network. Each software object provides a service (for example, network address translation or firewall protection). In addition, the group services framework provides enhanced availability by determining group membership, deciding what action members take in the event of a fault, and controlling unicast, multicast and group broadcast communication between the group and its clients. A group uses a policy to enhance the availability of the service it provides. These policies include master-backup, for high service availability, and load sharing, for distributing the service load across the network.
Server applications, for example CP1-CP3, NATP1-NATP5 and FWP1-FWP5, provide services requested by client applications, for example SIP/H.323 telephones 170, media gateway 175, WN BTS 180 and billing server 185. As shown in FIG. 3, the server applications are organized into master-backup groups configured as 1+1 master-backup groups. There are many such master-backup groups, and the exact number may scale up or down with the number of processes used and/or the number of computing nodes (CANs) and network address translation nodes (NAT1-NAT5). All master-backup groups are themselves members of a single load sharing group (for example, LSG1, LSG2 or LSG3).
It is important to note that, while client applications such as SIP/H.323 telephones 170 and media gateway 175 are clients with respect to server applications CP1-CP3, NATP1-NATP5 and FWP1-FWP5, a server application may itself be a client with respect to another server application. In particular, call process server applications CP1-CP3 may be clients with respect to network address translation server applications NATP1-NATP5 and firewall server applications FWP1-FWP5.
A client application establishes an interface with the load sharing group. When a new call indication is received by the client application, the client application establishes a session with the load sharing group according to a client-side load sharing policy. The initial policy is round-robin (i.e., new calls from router 160 are distributed in turn to each of NAT1-NAT5), but other policies that take into account the actual load of the different master-backup groups may also be used. The client application associates the session with the new call and sends the messages associated with the call on the session object. The client application also receives messages from the master-backup group over the session it has established with that group. Only the master process of a master-backup group (for example, NATP1(P)) joins the load sharing group (for example, LSG2), since the application containing the master may be removed from service for a variety of reasons. A server application may elect not to accept any new calls by withdrawing from the load sharing group. Client applications may nevertheless keep their sessions with the master-backup group for existing calls. If the unit hosting the master is itself failing, this action is taken because new call traffic could otherwise be lost. Once a master-backup group has withdrawn from the load sharing group, no new calls are distributed to it.
If the master of a master-backup group that is a member of the load sharing group fails, the backup member is notified that the master member has failed (or withdrawn), and the backup member then assumes the role of master. Responsibility for these behaviors must be borne by the server application. Notifying the backup member that the master member has failed (or withdrawn) is the responsibility of the group service.
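As an added illustration, not code from the patent, the following Python simulates the behaviour just described for the NAT process groups of FIG. 3: five 1+1 master-backup groups placed so that NATPi(P) and NATPi(B) sit on adjacent NAT nodes, round-robin assignment of new calls by the client, mirroring of per-call state to the backup, takeover by the backup when the master fails, and a group withdrawing from LSG2 while its existing sessions continue. The class names, session identifiers and call IDs are assumptions of the example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Process:
    """One NAT/firewall process instance, e.g. NATP1(P) running on node NAT1."""
    name: str
    node: str
    state: Dict[str, str] = field(default_factory=dict)  # session_id -> call_id
    failed: bool = False


class MasterBackupGroup:
    """1+1 master-backup group: the master serves, its state is mirrored to the backup."""

    def __init__(self, name: str, master: Process, backup: Process) -> None:
        self.name, self.master, self.backup = name, master, backup

    def serve(self, session_id: str, call_id: str) -> str:
        if self.master.failed:
            raise RuntimeError(f"{self.name}: master failed, no takeover yet")
        self.master.state[session_id] = call_id
        self.backup.state[session_id] = call_id  # state mirroring
        return self.master.name

    def on_master_failure(self) -> str:
        """Group-service notification: the backup assumes the master role."""
        self.master.failed = True
        self.master, self.backup = self.backup, self.master
        return self.master.name


class LoadSharingGroup:
    """LSG whose members are master-backup groups; new calls go round-robin."""

    def __init__(self, name: str) -> None:
        self.name, self.members, self._rr = name, [], 0

    def join(self, group: MasterBackupGroup) -> None:
        self.members.append(group)

    def withdraw(self, group: MasterBackupGroup) -> None:
        self.members.remove(group)  # no new calls; existing sessions unaffected

    def select(self) -> MasterBackupGroup:
        if not self.members:
            raise RuntimeError(f"{self.name}: no member accepts new calls")
        group = self.members[self._rr % len(self.members)]
        self._rr += 1
        return group


class ClientApp:
    """Client side: one session object per call, bound to the selected group."""

    def __init__(self, lsg: LoadSharingGroup) -> None:
        self.lsg, self.sessions, self._seq = lsg, {}, 0

    def new_call(self, call_id: str) -> str:
        self._seq += 1
        session_id = f"S{self._seq}"
        group = self.lsg.select()          # client-side load sharing policy
        self.sessions[session_id] = group  # session associated with the call
        group.serve(session_id, call_id)
        return session_id

    def send(self, session_id: str, call_id: str) -> str:
        # later messages follow the session even if the group has left the LSG
        return self.sessions[session_id].serve(session_id, call_id)


def build_lsg2() -> Tuple[LoadSharingGroup, List[MasterBackupGroup]]:
    """NATPi(P) on NATi, NATPi(B) on the next node (NATP5(B) wraps to NAT1)."""
    nodes = ["NAT1", "NAT2", "NAT3", "NAT4", "NAT5"]
    lsg, groups = LoadSharingGroup("LSG2"), []
    for i, node in enumerate(nodes):
        g = MasterBackupGroup(f"NATP{i + 1}", Process(f"NATP{i + 1}(P)", node),
                              Process(f"NATP{i + 1}(B)", nodes[(i + 1) % 5]))
        lsg.join(g)  # in effect only the master process joins the LSG
        groups.append(g)
    return lsg, groups


def demo() -> dict:
    lsg, groups = build_lsg2()
    client = ClientApp(lsg)
    # constructed call IDs; six new calls cycle NATP1..NATP5 and back to NATP1
    sessions = [client.new_call(f"call-{n}@example.invalid") for n in range(6)]
    first_round = [client.sessions[s].master.name for s in sessions]
    # NATP2(P) on NAT2 fails: NATP2(B) on NAT3 takes over with mirrored state
    new_master = groups[1].on_master_failure()
    resumed_by = client.send(sessions[1], "call-1@example.invalid")
    lsg.withdraw(groups[2])  # NATP3 leaves LSG2: no new calls, old session kept
    late = [client.sessions[client.new_call(f"late-{n}")].name for n in range(4)]
    return {"first_round": first_round, "new_master": new_master,
            "new_master_node": groups[1].master.node, "resumed_by": resumed_by,
            "mirrored_call": groups[1].master.state[sessions[1]], "after_withdraw": late,
            "still_served_by": client.send(sessions[2], "call-2@example.invalid")}
```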
FIG. 1 illustrates the load sharing structure used for calls originating from IP packet network 160 or, for example, from an SS7 network connected to media gateway 175. Calls originating from IP packet network 160 are SIP/H.323 calls, and calls from media gateway 175 may be MEGACO/MGCP notification messages. It should be noted that CAN1-CAN3, CSN1 and CSN2, OAMP1 and OAMP2, and NAT1-NAT5 all have unique internal addresses on internal Ethernet 130. OAMP1 and OAMP2 have private IP addresses 10.1.1.1 and 10.1.1.2, respectively. CAN1-CAN3 have private IP addresses 10.1.1.3, 10.1.1.4 and 10.1.1.5, respectively. CSN1 and CSN2 have private IP addresses 10.1.1.6 and 10.1.1.7, respectively. Preferably, NAT1-NAT5 have private IP addresses 10.1.1.50, 10.1.1.51, 10.1.1.52, 10.1.1.53 and 10.1.1.54, respectively.
In addition, each of NAT1-NAT5 has an external IP address that is visible to router 150. NAT1-NAT5 have external IP addresses 123.62.8.1, 123.62.8.2, 123.62.8.3, 123.62.8.4 and 123.62.8.5, respectively. The NAT server applications (NATP1-NATP5) in NAT1-NAT5 provide network address translation (NAT) and load sharing functions for all IP call-related protocols managed by softswitch 105, for example MGCP, SIP, H.323 and MEGACO. The network address translation function provides the public IP addresses exposed to external IP packet network 160 and performs the translation of private IP addresses on Ethernet 130 into public addresses and vice versa. For protocols such as TCP, UDP, FTP, HTTP, Telnet and the like, the firewall server applications (FWP1-FWP5) in NAT1-NAT5 control access to softswitch 105.
IP call distribution mechanism
1) Packet calls - the NAT/firewall nodes provide the public IP addresses used by external devices to address softswitch 105.
2) SIP calls - all SIP messages are allowed to be forwarded to the external IP addresses of NAT1-NAT5. A thin SIP proxy application resides in each NAT. The purpose of the thin proxy is to hide the internal IP structure of softswitch 105 and to achieve efficient load distribution across the call process CANs. When an INVITE message is received on a NAT on port 5060, the SIP stack on the NAT passes the message to the thin SIP proxy.
The job of the SIP proxy is to use the group service to establish, on each of NAT1-NAT5, a session ID associated with the call ID received in the INVITE message. The session ID is an internal identifier that uniquely identifies a call within softswitch 105. It allows the proxy to direct call-related messages to the master process in one of CAN1-CAN3 that manages the call, by looking up the session ID. Using the interface manager, the SIP proxy can then forward the message to the master call process as a SIP message wrapped in a DTN (data transport network) envelope. Replies to the SIP message are sent back to the proxy in the NAT that originated the message, so that the outgoing response can present the external IP address.
All INVITE messages originating from softswitch 105 also pass through the thin proxy so that internal addressing information is hidden. The thin proxies on the firewall nodes are also part of a load sharing group, so when an originating master process sends an INVITE message, it first asks the load sharing client which proxy has the capacity to manage the outgoing call. The proxy performs the necessary address substitution in the outgoing message and forwards it to the destination. The same proxy then manages all incoming messages for that call.
3) H.323 calls - similar to SIP calls, H.323 calls from external clients are allowed to be addressed to NAT1-NAT5. Softswitch 105 advertises a fixed number of ports on which it receives Q.931 messages and another group of ports on which it receives H.245 messages. The service provider sets up the H.323 ports at subscription time. If a gatekeeper is used, the ports may alternatively be set up in the gatekeeper as the default setting for each user. Each call process in the H.323 load sharing group is supported by a predefined set of ports on which it receives H.245 messages.
When a SETUP message arrives at the NAT node, the thin H.323 proxy determines the location of the master group member that will manage the call, after the LSC has determined the availability of the CP group. Transactions are referenced by the call reference in the Q.931 message. Subsequent messages to this group are determined by the CRV (Call Reference Value). Once the call has been set up using Q.931, the group opens a logical channel to the external client on one of its predetermined H.245 ports. The thin proxy forwards that message using the external IP address. Subsequent H.245 messages on that port are forwarded to the call process managing that call.
4) MGCP message transmission - MGCP follows a strategy similar to that of outgoing SIP calls. When a notification message is received from media gateway 175, the message can be routed to any available master/backup process. The master process can then generate a CRCX (CreateConnection) message and send it to an available proxy in a manner similar to that described in the SIP paragraph. The session ID in this case is associated with the connection and the endpoint/MG combination. Based on the reply returned from media gateway 175, this message is routed to the master/backup group controlling the endpoint. Any subsequent Notify message for an endpoint that is already in use is first distributed by load to a master/backup process; if that endpoint is determined to be in use, the Notify is forwarded to the master/backup group that has active control of that endpoint.
According to an exemplary embodiment of the present invention, a domain name of softswitch 105 is advertised for each call processing type. For example, SIP, MGCP and H.323 call processing may be addressed as "sip.domain-name.com", "mgcp.domainname.com" and "h323.domainname.com" respectively. A DNS (domain name system) server resolves these names into IP addresses and typically provides the initial load distribution in a round-robin fashion. An alternative to domain names is to advertise the single IP address of router 150, which sits between the NAT/firewalls and external IP packet network 160. Router 150 is then set up to distribute messages across NAT1-NAT5 from one end to the other in a round-robin fashion.
The firewall and NAT proxy processes on NAT1-NAT5 run as a load group. For the outgoing leg of a call, the CP uses the load sharing client to determine which firewall to forward to. If a firewall receives a message from the external network and cannot associate it with any session ID in its load sharing client, it uses the multicast capability to multicast the message to the remaining firewalls over the DTN. The firewall managing that call then processes the message. If no firewall knows of the call, the message is discarded.
Fig. 1 shows a connection to a native IP network of softswitch 105, which advertises its domain name. When an external entity such as a SIP phone or media gateway addresses the softswitch by its domain name, the domain name is resolved to the external IP addresses held by the NAT/firewalls (that is, the external IP addresses of NAT1-NAT5). Load balancing among NAT1-NAT5 is accomplished on a DNS server using a round-robin algorithm. The number of NATs required can be increased or decreased according to the expected message traffic load.
Fig. 2 shows an exemplary communication network 200 capable of providing VoIP applications according to a second embodiment of the present invention. Communication network 200 is similar to communication network 100 in most respects. However, Fig. 2 shows a connection over an ATM (Asynchronous Transfer Mode) network 255 of softswitch 105, which advertises its domain name to external IP packet network 160. A DNS-capable router is the exit point of ATM network 255, which carries IP over ATM Adaptation Layer Type 5 (AAL5). When an external entity such as a SIP phone or media gateway addresses the softswitch by its domain name, the domain name is resolved to the external IP addresses held by the NAT/firewalls. Load balancing among NAT1-NAT5 is accomplished on a DNS server using a round-robin algorithm. The number of NATs required can be increased or decreased according to the expected message traffic load. In an alternative embodiment of the present invention, NAT1-NAT5 can be connected directly to ATM network 255. The DNS service is performed at the entry point of, or somewhere within, ATM network 255.
Details of the SIP application proxy
Basic architecture statements
1) Router 150 is addressed by the domain name of softswitch 105, and its IP address is regarded as the IP address of softswitch 105.
2) Maintenance and configuration of router 150 are carried out separately from the OAMP functions of softswitch 105.
3) Router 150 may use load distribution methods other than round-robin. The load sharing (or distribution) algorithm can be configured through the maintenance interface of router 150.
4) Each of NAT1-NAT5 includes a proxy process that can search a SIP message and extract the callID from it.
5) The proxy process and its backup on another processor of NAT1-NAT5 run as a master/backup group.
6) NAT1-NAT5 use the incoming INVITE message to establish a SessionID and associate that message with the master/backup call process (CP) pair selected by the distribution algorithm.
7) Any SIP message received from external IP packet network 160 on NAT1-NAT5 is extracted from the IP transport and repackaged into the DTN transport to be forwarded to the master/backup call process server application.
8) The CP master process decodes the SIP message using an internal stack.
9) The CP master process builds the outgoing SIP INVITE message and uses the LSG to select which of NAT1-NAT5 to send it through.
10) The CP master process uses the packet transport to forward all outgoing SIP messages to the appropriate one of NAT1-NAT5.
11) NAT1-NAT5 may manipulate header information before a message is sent out to external IP packet network 160, so as to present themselves as the endpoint.
12) All load sharing groups (LSGs) running in CAN1-CAN3 and NAT1-NAT5 are notified when the appropriate master/backup process joins or leaves each load sharing group.
13) Once a call terminates, whether normally or abnormally, the LSG deletes the session.
IP address function on the firewall
When a SIP INVITE is received from the external network, the firewall adds a Contact header field to the response it sends back; when it sends an INVITE, it also adds a Contact header field to the message, and finally adds it to the ACK (acknowledgement message) in response. In addition to the domain name of softswitch 105, it also adds a Via field reflecting its IP address.
When a request message is received on one of NAT1-NAT5, the firewall application finds the appropriate master/backup group that can process the message and forwards it through the group service to that master/backup group. In the response, each of NAT1-NAT5 adds its IP address to the Via field and the Contact header.
For outgoing requests, the master/backup group selects, according to the proxy load sharing client, one of NAT1-NAT5 to forward to, and sends the request to that node in a group service message. Each of NAT1-NAT5 then adds its IP address to the Via field and the Contact header so that all responses are routed back to the correct one of NAT1-NAT5.
Master/backup failure of the proxy on the firewall
As mentioned above, each proxy process operates as a master/backup group. The backup process should always run on a processor other than the one on which the master is running. A dual processor fault is possible but very unlikely; if it does occur, it indicates a larger problem in the network than a redundancy scheme can solve. Therefore, in the case of a double proxy failure, the firewall that receives a message from the network multicasts the message to all CANs. Likewise, if a CAN detects a double failure of a firewall proxy, it re-establishes a sessionID with each of the other master/backup groups and continues its processing. Alternatively, it may have to resend some messages.
For outgoing messages from a CAN to the external network, a master proxy failure causes messages to be routed through the backup. The backup process performs the SIP header manipulation described above. For incoming messages, a master proxy failure causes the backup process to send a message to all sessions in the LSG so that the CP processes waiting for a response resend all messages. This lets the backup process manipulate the header information and resend the messages to the far end.
Another possibility is that, if a processor fault occurs on one of NAT1-NAT5, the outside router can be notified to redirect traffic to the next IP address in the list. When a message arrives at that NAT, if it cannot find an association between the callID and a session in its LSC table, it multicasts the message to the proxies on the remaining NATs, and the master that knows the sessionID handles the message.
Once the master process has finished and passed control to the backup process on the other processor, the backup process withdraws itself from the load sharing group so that it receives no new calls, and only manages the calls it is already handling before going dormant or exiting. Once a new master proxy is re-established as a single process on the NAT, it can rejoin the group and receive calls.
Master/backup failure of the CP process on the CAN
All CP processes in the CANs operate as part of a master/backup pair and as part of a load sharing group. When the master process dies, its backup process becomes the master. All messages directed by the group service to that master/backup pair are redirected to the new master (the old backup). Therefore, in the firewall/NAT proxy, all messages related to a session of a specific master/backup group are directed to the correct process.
Adding/removing a CAN/NAT in the same load group
As mentioned above, when a new CAN is added to softswitch 105 and a call processing process is executed on that CAN, the call processing master joins the call processing load sharing group. Each load sharing client is notified of the newly added load sharing group member and adjusts its load sharing algorithm accordingly to include the new process. If a round-robin pattern is applied, this may cause an initial imbalance in the distribution. However, as calls are cleared and new calls arrive, this condition is short-lived.
Although the present invention has been described in detail, those of ordinary skill in the art should understand that various changes, substitutions and alterations can be made without departing from the spirit and scope of the invention in its broadest form.
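The thin SIP proxy behaviour from the SIP paragraphs above (Call-ID to session ID mapping, CP selection by the load sharing group, multicast of an unknown call to the peer firewalls, Via/Contact rewriting with the external IP, session deletion at call end, and a CP joining the group) modelled as one added Python example; this is illustrative code written for this page, not the patent's or Samsung's implementation. It assumes one shared round-robin group object in place of per-node load sharing clients, plain-text SIP messages without bodies, and constructed Call-IDs and client hosts; the private and external addresses are the ones given in the description.

```python
import itertools
import re

INTERNAL_PREFIX = "10.1.1."  # private Ethernet 130 range given in the description
_HDR = re.compile(r"^([A-Za-z\-]+):\s*(.*)$")


def parse_headers(msg):
    """Split a minimal SIP message into its start line and a lower-cased header map."""
    lines = msg.strip().splitlines()
    headers = {}
    for line in lines[1:]:
        m = _HDR.match(line)
        if m:
            headers[m.group(1).lower()] = m.group(2).strip()
    return lines[0], headers


class LoadSharingGroup:
    """Round-robin selection over CP master processes; a member joining at run
    time is what the load sharing clients are notified about (statement 12)."""

    def __init__(self, members):
        self.members = list(members)
        self._next = 0

    def add(self, name):
        if name not in self.members:
            self.members.append(name)

    def select(self):
        if not self.members:
            raise RuntimeError("load sharing group has no members")
        name = self.members[self._next % len(self.members)]
        self._next = (self._next + 1) % len(self.members)
        return name


class ThinSipProxy:
    """One thin SIP proxy per NAT/firewall node (NATP1-NATP5 in the description)."""

    def __init__(self, name, external_ip, cp_group):
        self.name = name
        self.external_ip = external_ip
        self.cp_group = cp_group
        self.peers = []        # the other firewalls reachable over the DTN
        self.sessions = {}     # Call-ID -> (session ID, master CP process)
        self._seq = itertools.count(1)

    def inbound(self, msg):
        """Route an incoming message. Returns (handling proxy, session ID, master CP),
        or None when no firewall knows the call and the message is dropped."""
        start, hdr = parse_headers(msg)
        call_id = hdr.get("call-id")
        if call_id is None:
            return None
        if call_id in self.sessions:                 # known call owned by this node
            return (self.name,) + self.sessions[call_id]
        if start.startswith("INVITE"):               # new call: choose a CP by load sharing
            self.sessions[call_id] = (f"{self.name}-S{next(self._seq)}", self.cp_group.select())
            return (self.name,) + self.sessions[call_id]
        for peer in self.peers:                      # unknown Call-ID: multicast to peers
            if call_id in peer.sessions:
                return (peer.name,) + peer.sessions[call_id]
        return None                                  # no firewall knows the call: lost

    def end_call(self, call_id):
        """The session is deleted once the call terminates (statement 13)."""
        self.sessions.pop(call_id, None)

    def outbound(self, msg):
        """Hide internal addressing before a message leaves: strip Via hops on the
        private Ethernet and present this node's external IP in Via and Contact
        (the patent's description, simplified; not RFC 3261 response handling)."""
        lines = msg.strip().splitlines()
        out = [lines[0], f"Via: SIP/2.0/UDP {self.external_ip}:5060"]
        for line in lines[1:]:
            low = line.lower()
            if low.startswith("via:") and INTERNAL_PREFIX in line:
                continue
            if low.startswith("contact:"):
                line = f"Contact: <sip:{self.external_ip}:5060>"
            out.append(line)
        return "\r\n".join(out) + "\r\n\r\n"


# Constructed topology using the description's addresses: three CANs, two of the five NATs.
CP_GROUP = LoadSharingGroup(["CAN1", "CAN2", "CAN3"])
NAT1 = ThinSipProxy("NAT1", "123.62.8.1", CP_GROUP)
NAT2 = ThinSipProxy("NAT2", "123.62.8.2", CP_GROUP)
NAT1.peers, NAT2.peers = [NAT2], [NAT1]
```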

Claims (24)

  1. A switch capable of handling voice-over-IP (VoIP) traffic between calling devices and called devices, the switch comprising:
    a plurality of call application nodes capable of executing call process server applications, wherein a first call process server application is executed on a first one of the call application nodes and is associated with a similar second call process server application executed on a second one of the call application nodes separate from the first call application node, such that the first and second call process server applications form a first load sharing group server application; and
    a plurality of network address translation nodes capable of executing firewall server applications, wherein a first firewall server application is executed on a first one of the network address translation nodes and is associated with a similar second firewall server application executed on a second one of the network address translation nodes separate from the first network address translation node, such that the first and second firewall server applications form a second load sharing group server application, wherein VoIP traffic associated with a VoIP call is received by the second load sharing group server application, and the second load sharing group server application selects one of the first and second firewall server applications to verify, according to a load sharing algorithm, whether the VoIP traffic is authorized to access at least one of the call process server applications in the call application nodes.
  2. The switch according to claim 1, wherein the load sharing algorithm distributes the VoIP traffic in an alternating manner between the first and second firewall server applications.
  3. The switch according to claim 1, wherein the load sharing algorithm distributes the VoIP traffic according to the current traffic load of the first firewall server application and the current traffic load of the second firewall server application.
  4. The switch according to claim 3, wherein the load sharing algorithm distributes the VoIP traffic so as to keep the current traffic load of the first firewall server application substantially equal in magnitude to the current traffic load of the second firewall server application.
  5. The switch according to claim 1, wherein the first firewall server application comprises a first master-backup group server application, the first master-backup group server application comprising a first master firewall process executed on the first network address translation node and a first backup firewall process associated with the first master firewall process.
  6. The switch according to claim 5, wherein state information associated with the first master firewall process is mirrored to the first backup firewall process associated with the first master firewall process.
  7. The switch according to claim 6, wherein the first backup firewall process resides on the first network address translation node.
  8. The switch according to claim 6, wherein the first backup firewall process resides on a network address translation node separate from the first network address translation node.
  9. The switch according to claim 1, wherein the second firewall server application comprises a second master-backup group server application, the second master-backup group server application comprising a second master firewall process executed on the second network address translation node and a second backup firewall process associated with the second master firewall process.
  10. The switch according to claim 9, wherein state information associated with the second master firewall process is mirrored to the second backup firewall process associated with the second master firewall process.
  11. The switch according to claim 10, wherein the second backup firewall process resides on the second network address translation node.
  12. The switch according to claim 10, wherein the second backup firewall process resides on a call application node separate from the second network address translation node.
  13. A communication network comprising:
    a plurality of switches capable of handling voice-over-IP (VoIP) traffic between calling devices and called devices, each of the switches comprising:
    a plurality of call application nodes capable of executing call process server applications, wherein a first call process server application is executed on a first one of the call application nodes and is associated with a similar second call process server application executed on a second one of the call application nodes separate from the first call application node, such that the first and second call process server applications form a first load sharing group server application; and
    a plurality of network address translation nodes capable of executing firewall server applications, wherein a first firewall server application is executed on a first one of the network address translation nodes and is associated with a similar second firewall server application executed on a second one of the network address translation nodes separate from the first network address translation node, such that the first and second firewall server applications form a second load sharing group server application, wherein VoIP traffic associated with a VoIP call is received by the second load sharing group server application, and the second load sharing group server application selects one of the first and second firewall server applications to verify, according to a load sharing algorithm, whether the VoIP traffic is authorized to access at least one of the call process server applications in the call application nodes;
    an Internet Protocol (IP) packet network interconnecting the switches; and
    at least one media gateway coupled to the IP packet network.
  14. The communication network according to claim 13, wherein the load sharing algorithm distributes the VoIP traffic in an alternating manner between the first and second firewall server applications.
  15. The communication network according to claim 13, wherein the load sharing algorithm distributes the VoIP traffic according to the current traffic load of the first firewall server application and the current traffic load of the second firewall server application.
  16. The communication network according to claim 15, wherein the load sharing algorithm distributes the VoIP traffic so as to keep the current traffic load of the first firewall server application substantially equal in magnitude to the current traffic load of the second firewall server application.
  17. The communication network according to claim 13, wherein the first firewall server application comprises a first master-backup group server application, the first master-backup group server application comprising a first master firewall process executed on the first network address translation node and a first backup firewall process associated with the first master firewall process.
  18. The communication network according to claim 17, wherein state information associated with the first master firewall process is mirrored to the first backup firewall process associated with the first master firewall process.
  19. The communication network according to claim 18, wherein the first backup firewall process resides on the first network address translation node.
  20. The communication network according to claim 18, wherein the first backup firewall process resides on a network address translation node separate from the first network address translation node.
  21. The communication network according to claim 13, wherein the second firewall server application comprises a second master-backup group server application, the second master-backup group server application comprising a second master firewall process executed on the second network address translation node and a second backup firewall process associated with the second master firewall process.
  22. The communication network according to claim 21, wherein state information associated with the second master firewall process is mirrored to the second backup firewall process associated with the second master firewall process.
  23. The communication network according to claim 22, wherein the second backup firewall process resides on the second network address translation node.
  24. The communication network according to claim 22, wherein the second backup firewall process resides on a call application node separate from the second network address translation node.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US32524701P 2001-09-27 2001-09-27
US60/325,247 2001-09-27
US10/085,926 2002-02-28

Publications (2)

Publication Number Publication Date
CN1411287A true CN1411287A (en) 2003-04-16
CN1250017C CN1250017C (en) 2006-04-05

Family

ID=23267058

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 02132365 Expired - Fee Related CN1250017C (en) 2001-09-27 2002-09-24 Flexible exchanger for separatedly carrying internet protocol voice service by distributed fire wall

Country Status (1)

Country Link
CN (1) CN1250017C (en)

Cited By (2)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN113381994A (en) * 2015-04-07 2021-09-10 安博科技有限公司 Multi-boundary firewall at cloud
CN113381994B (en) * 2015-04-07 2023-05-02 安博科技有限公司 Multi-boundary firewall in cloud

Also Published As

Publication number Publication date
CN1250017C (en) 2006-04-05

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C14 Grant of patent or utility model
GR01 Patent grant
C17 Cessation of patent right
CF01 Termination of patent right due to non-payment of annual fee

Granted publication date: 20060405

Termination date: 20091026