A SIP-Based Distributed VoIP Firewall/NAT Traversal Architecture
Abstract
With the rapid growth of network applications, VoIP technology has come into wide use. However, Network Address Translation (NAT) and firewall technology, introduced to cope with the shortage of IP addresses and with network security, break VoIP's end-to-end communication. Solving firewall/NAT traversal effectively for both signaling and media streams is therefore key to whether VoIP services can be widely deployed. This thesis studies firewall/NAT traversal in depth and proposes a distributed improvement on the currently most popular approach, the Session Border Controller (SBC).
Compared with other firewall/NAT traversal schemes, the SBC scheme makes no assumptions about, and requires no changes to, the existing network, and it offers better Quality of Service (QoS) guarantees. However, because an SBC must both relay signaling and forward media, it can become the system's bottleneck. Moreover, the SBC's security and QoS guarantees rest on per-packet inspection, which further increases its load. Finally, the SBC's structure makes it hard to grow capacity by dynamic scaling or to share traffic through load balancing.
After a thorough study of the strengths and weaknesses of SBC technology, this thesis proposes a distributed firewall/NAT traversal scheme that structurally separates the SBC's signaling relay from its media forwarding. Signaling relay is performed by a Signaling Access Gateway (SAG), media forwarding by a Media Channel Controller (MCC), and the service relationship between the two is defined dynamically by a Net Manage Center (NMC). With media and signaling streams separated, multiple MCCs form a media subsystem through media scaling and load balancing and optimize QoS through a multi-level media channel policy; multiple SAGs form a signaling subsystem through signaling scaling and load-balancing policies. The result is a distributed system whose media and signaling subsystems can be scaled on demand, and in which the failure of, or an attack on, any single server has no substantial effect on system performance.
The thesis presents an experimental SIP-based distributed firewall/NAT traversal system and describes in detail the implementation structure of the SAG, MCC and NMC and the key techniques used in building them.
Finally, the experimental system was subjected to functional and performance tests. The test data show that the SAG's call setup and maintenance capacity is nearly two orders of magnitude higher than that of the SBC. With a sufficient number of media channel controllers, the capacity of the distributed firewall/NAT traversal system far exceeds that of a single SBC of the same configuration.
Voice over IP technology has developed alongside the rapid growth of network applications. However, NAT (Network Address Translation) and firewall technologies, introduced to address the shortage of IP addresses and network security, create problems for end-to-end communication. How effectively these problems are solved will therefore greatly affect the promotion and adoption of VoIP. Building on a newer technology, the SBC (Session Border Controller), this paper proposes a distributed architecture to resolve the firewall/NAT problem.
Compared with other firewall/NAT traversal solutions, SBC technology has become popular because it can be applied in all of today's firewall/NAT environments and requires no modification of the existing network. However, the classic SBC system faces serious problems. The SBC is the bottleneck: being in charge of both media and signaling forwarding makes it the bottleneck of the system, and the packet inspection it performs for security and QoS (Quality of Service) purposes adds to its load. Furthermore, an SBC system is hard to extend.
Based on this study of SBC technology, the paper proposes a distributed architecture for firewall/NAT traversal: the SBC is split into two servers, a SAG (Signaling Access Gateway) and an MCC (Media Channel Controller), so that signaling and media flows pass through separately. The relationship between the SAGs and the MCCs is determined by the NMC (Network Manage Center). The media subsystem made up of MCCs and the signaling subsystem made up of SAGs achieve a capacity that a single SBC can never reach. More significantly, in a fully distributed architecture every subsystem can be extended and dynamically controlled without any modification of the existing system.
The paper also presents a prototype of the architecture based on SIP (Session Initiation Protocol), covering the main structure and key techniques of the SAG, MCC and NMC. The test results show that the SAG's call-setup capacity is nearly 100 times that of the SBC, and that, given enough MCCs providing media channels, a firewall/NAT traversal system built on the distributed architecture achieves a far greater capacity than the conventional SBC system.
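The split described in both abstracts (SAG for signaling, MCC for media, NMC binding the two) comes down to one operation at the signaling gateway. An INVITE from a phone behind NAT advertises a private address in its Via, Contact and SDP, so the SAG must rewrite the SDP to a relay address and port that an MCC owns, record where responses really have to go, and let the MCC learn the caller's post-NAT media address from the first RTP packet, because the address in the SDP is unreachable. The following Python is an added example written for this page, not code from the thesis or its prototype: the INVITE, the addresses and port ranges, and the least-loaded MCC selection policy in the NMC are constructed assumptions, and the SAG is modelled as a simplified proxy that annotates the top Via (RFC 3581 received/rport) and rewrites Contact and SDP rather than as a full back-to-back user agent.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple
# Constructed sample (not from the thesis): an INVITE from a phone behind NAT; Via, Contact and SDP all carry its private address.
SAMPLE_SDP = (
    "v=0\r\n"
    "o=alice 2890844526 2890844526 IN IP4 192.168.1.20\r\n"
    "s=-\r\n"
    "c=IN IP4 192.168.1.20\r\n"
    "t=0 0\r\n"
    "m=audio 49170 RTP/AVP 0\r\n"
)
SAMPLE_INVITE = (
    "INVITE sip:bob@example.net SIP/2.0\r\n"
    "Via: SIP/2.0/UDP 192.168.1.20:5060;rport;branch=z9hG4bK776asdhds\r\n"
    "From: <sip:alice@example.net>;tag=1928301774\r\n"
    "To: <sip:bob@example.net>\r\n"
    "Call-ID: a84b4c76e66710@192.168.1.20\r\n"
    "CSeq: 314159 INVITE\r\n"
    "Contact: <sip:alice@192.168.1.20:5060>\r\n"
    f"Content-Length: {len(SAMPLE_SDP)}\r\n\r\n" + SAMPLE_SDP
)

@dataclass
class MediaChannel:
    call_id: str
    mcc_ip: str
    relay_port: int        # MCC port the far end is told to send RTP to
    sdp_addr: str          # address the caller advertised (private, unreachable)
    sdp_port: int
    behind_nat: bool
    learned: Optional[Tuple[str, int]] = None   # real source, latched from first RTP

class MCC:
    """Media Channel Controller: one public address plus a pool of RTP relay ports."""
    def __init__(self, public_ip: str, first_port: int, last_port: int):
        self.public_ip = public_ip
        self._free = list(range(first_port, last_port + 1, 2))   # RTP uses even ports
        self.channels: Dict[str, MediaChannel] = {}
    def allocate(self, call_id, sdp_addr, sdp_port, nat) -> MediaChannel:
        if not self._free:
            raise RuntimeError(f"MCC {self.public_ip}: relay ports exhausted")
        ch = MediaChannel(call_id, self.public_ip, self._free.pop(0), sdp_addr, sdp_port, nat)
        self.channels[call_id] = ch
        return ch

    def release(self, call_id: str) -> None:
        self._free.append(self.channels.pop(call_id).relay_port)

    def on_rtp(self, relay_port: int, src_ip: str, src_port: int) -> Optional[MediaChannel]:
        """Latch the caller's post-NAT (ip, port) from the first packet hitting relay_port."""
        for ch in self.channels.values():
            if ch.relay_port == relay_port and ch.learned is None:
                ch.learned = (src_ip, src_port)
                return ch
        return None

class NMC:
    """Net Manage Center: binds each new call to the least-loaded MCC (assumed policy)."""
    def __init__(self, mccs):
        self.mccs = list(mccs)
    def choose(self) -> MCC:
        return min(self.mccs, key=lambda m: len(m.channels))

class SAG:
    """Signaling Access Gateway: rewrites the INVITE so media goes via an MCC and signaling comes back via the SAG."""
    def __init__(self, public_ip: str, port: int, nmc: NMC):
        self.public_ip, self.port, self.nmc = public_ip, port, nmc

    def rewrite_invite(self, raw: str, src_ip: str, src_port: int) -> Tuple[str, MediaChannel]:
        head, _, body = raw.partition("\r\n\r\n")
        hdrs, sdp = head.split("\r\n"), body.split("\r\n")
        call_id = next(h.split(":", 1)[1].strip() for h in hdrs if h.startswith("Call-ID:"))
        via_idx = next(i for i, h in enumerate(hdrs) if h.startswith("Via:"))
        via_host = hdrs[via_idx].split()[2].split(";")[0].rsplit(":", 1)[0]
        c_idx = next(i for i, line in enumerate(sdp) if line.startswith("c=IN IP4 "))
        m_idx = next(i for i, line in enumerate(sdp) if line.startswith("m=audio "))
        sdp_addr, m_fields = sdp[c_idx].split()[2], sdp[m_idx].split()
        # NAT is evident when the Via host differs from the real source address, or the SDP address is RFC 1918 space.
        nat = via_host != src_ip or ipaddress.ip_address(sdp_addr).is_private
        ch = self.nmc.choose().allocate(call_id, sdp_addr, int(m_fields[1]), nat)
        # Point the far end's media at the MCC instead of the unreachable private address.
        sdp[c_idx], m_fields[1] = f"c=IN IP4 {ch.mcc_ip}", str(ch.relay_port)
        sdp[m_idx] = " ".join(m_fields)
        new_body = "\r\n".join(sdp)
        for i, h in enumerate(hdrs):
            if i == via_idx:                                 # RFC 3581: responses go to the
                h = h.replace(";rport", "")                  # NAT's public address and port
                hdrs[i] = f"{h};received={src_ip};rport={src_port}"
            elif h.startswith("Contact:"):                   # later requests route via the SAG
                hdrs[i] = f"Contact: <sip:{self.public_ip}:{self.port}>"
            elif h.startswith("Content-Length:"):
                hdrs[i] = f"Content-Length: {len(new_body.encode())}"
        return "\r\n".join(hdrs) + "\r\n\r\n" + new_body, ch

if __name__ == "__main__":
    nmc = NMC([MCC("203.0.113.10", 40000, 40010), MCC("203.0.113.11", 40000, 40010)])
    print(SAG("203.0.113.5", 5060, nmc).rewrite_invite(SAMPLE_INVITE, "198.51.100.7", 61432)[0])
```

Running the module prints the rewritten INVITE with the MCC's address in the SDP and the NAT's public address in the Via. Two points a real deployment has to get right follow directly from this design: latching trusts whoever sends the first packet to the relay port, so an attacker who reaches that port before the caller can hijack the media path, and an unlatched channel must time out, otherwise every failed or malicious INVITE pins a relay port and a large enough burst exhausts the MCC's pool (the check in allocate is where that shows up).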