Mechanisms for using NAT at a session border controller

US 7,860,098 B1
Filed: 08/28/2006
Issued: 12/28/2010
Est. Priority Date: 08/28/2006
Status: Active Grant

First Claim

Patent Images

1. A method for managing session data sent between nodes, comprising:

(a) in an intermediary node, receiving a first register packet for setting up a call between endnodes sent from a first node to the intermediary node, wherein the first register packet includes a header having a first inside address that identifies the first node and a payload having a first private address that also identifies the first node and differs from the first inside address, wherein the first inside address was supplied by another intermediary node that translated the first register packet before such packet is received by a first intermediary node and the first private address is an Internet Protocol (IP) address of a private network of the first node;

(b) in the intermediary node, translating each of the first inside address of the header and a first private address of the payload into a same first outside address;

(c) in the intermediary node, translating a first proxy address of the header into a second proxy address, wherein the first proxy address is associated with the intermediary node and the second proxy address is associated with a registrar node for managing sessions between endnodes, wherein a binding between the first and second proxy addresses is configured at the intermediary node; and

(d) without terminating and generating a session for such first register packet at the intermediary node, forwarding the first register packet from the intermediary node towards the registrar node after translating the header and translating the payload.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are apparatus and methods for managing session data in a session border controller (SBC), where the session data is sent from a first node, such as a first phone, to a second node, such as a registrar or second phone. In general, embodiments of the present invention support SBC functionality by managing sessions through the SBC without implementing a terminate and regenerate of the sessions, but rather by intercepting packets destined to the second node and efficiently handling such functionality in the forwarding-path. Also in deployments where the endnodes require NAT (network address translation), mechanisms are provided in the SBC to perform NAT on the addresses embedded in the payload of the session data. In other aspects, mechanisms for keeping the sessions or NAT entries alive are facilitated at the SBC, even when an endnode has a expiration time that differs an expiration time of another device, such as a registar device. Other embodiments allow the actual media packets to flow through the SBC (e.g., for security, accounting, etc) while allowing two endnodes to utilize a same private address or domain.

Citations

19 Claims

1. A method for managing session data sent between nodes, comprising:
- (a) in an intermediary node, receiving a first register packet for setting up a call between endnodes sent from a first node to the intermediary node, wherein the first register packet includes a header having a first inside address that identifies the first node and a payload having a first private address that also identifies the first node and differs from the first inside address, wherein the first inside address was supplied by another intermediary node that translated the first register packet before such packet is received by a first intermediary node and the first private address is an Internet Protocol (IP) address of a private network of the first node;
  
  (b) in the intermediary node, translating each of the first inside address of the header and a first private address of the payload into a same first outside address;
  
  (c) in the intermediary node, translating a first proxy address of the header into a second proxy address, wherein the first proxy address is associated with the intermediary node and the second proxy address is associated with a registrar node for managing sessions between endnodes, wherein a binding between the first and second proxy addresses is configured at the intermediary node; and
  
  (d) without terminating and generating a session for such first register packet at the intermediary node, forwarding the first register packet from the intermediary node towards the registrar node after translating the header and translating the payload.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method as recited in claim 1, wherein an untranslated portion of the payload of the first register packet remains unaltered when forwarded from the intermediary node to the registrar node.
  - 3. The method as recited in claim 1, wherein the intermediary node is a session border controller (SBC).
  - 4. The method as recited in claim 1, wherein a source address of the header of the first register packet is translated from the first inside address to the same first outside address whereby the first inside address was generated by a network address translation (NAT) device associated with the first node and the first outside address was obtained from a public address pool associated with the intermediary node and wherein a destination address of the header is translated from the first proxy address to the second proxy address, the method further comprising storing, at the intermediary node, a binding between the first private address, the first outside address, and the first inside address.
  - 5. The method as recited in claim 4, further comprising:
    - (e) in the intermediary node, receiving an acknowledgement packet sent from the registrar node to the first node in response to the first register packet;
      
      (f) in the intermediary node, translating a destination address of a header of the acknowledgement packet from the first outside address to the first inside address and a source address of the header of the acknowledgement packet from the second proxy address to the second proxy address;
      
      (g) in the intermediary node, translating the first outside address in a payload of the acknowledgement packet into the first private address; and
      
      (h) without terminating and generating a session for such acknowledgement packet at the intermediary node, forwarding the acknowledgement packet from the intermediary node towards the first node after translating the header and the payload of the acknowledgement packet.
  - 6. The method as recited in claim 5, further comprising:
    - in the intermediary node, receiving a second register packet sent from a second node to the intermediary node;
      
      in the intermediary node, translating a second inside address of a header of the second register packet into a second outside address and translating the first proxy address of the header of the second register packet into the second proxy address;
      
      in the intermediary node, translating a second private address of a payload of the second register packet into the second outside address, and wherein the second private address differs from the second outside address and the second inside address and the second private address, second outside address, and second inside address correspond to the second node; and
      
      without terminating and generating a session for such second register packet at the intermediary node, forwarding the second register packet from the intermediary node towards the registrar node after translating the header and the payload of the second register packet.
  - 7. The method as recited in claim 5, wherein the first register packet includes an inside expiration field indicating an expiration time for the first node, the method further comprising:
    - at the intermediary node, providing an outside expiration time for the registrar node;
      
      at the intermediary node, caching the acknowledgement packet;
      
      when a subsequent register packet from the first node is received at the intermediary node, repeating operations (a) through (d) and only performing operation (e) for forwarding such subsequent register packet to the registrar node if a duration of time that has expired approaches the outside expiration time; and
      
      sending the cached acknowledgement packet back to the first node if operation (e) is not being performed for the subsequent register packet, wherein the outside expiration time of the cached acknowledgement is replaced with the inside expiration time prior to sending it to the first node.
  - 8. The method as recited in claim 6, further comprising:
    - at the intermediary node, receiving a call flow packet that is being sent between the first and second nodes;
      
      when the call flow packet is received into an inside interface of the intermediary node and destined for an outside interface of the intermediary node, translating a destination address of a header of the call flow packet from the first proxy address to the second proxy address and translating a source address of the call flow packet'"'"'s header from a first or second inside address into a corresponding first or second outside address;
      
      when the intermediary node is configured for flow around mode and the call flow packet is received into the inside interface of the intermediary node and destined for the outside interface of the intermediary node, translating a first and/or second private address of the call flow packet'"'"'s payload into the corresponding first and/or second outside address;
      
      when the intermediary node is configured for the flow around mode and the call flow packet is received into the outside interface of the intermediary node and destined for the inside interface of the intermediary node, translating a first and/or second outside address of the call flow packet'"'"'s payload into the corresponding first and/or second private address;
      
      when the intermediary node is configured for flow through mode and the call flow packet is received into the inside interface of the intermediary node and destined for the outside interface of the intermediary node, translating the first and/or second private address of the call flow packet'"'"'s payload into a corresponding first and/or second outside address; and
      
      when the intermediary node is configured for the flow through mode and the call flow packet is received into the outside interface of the intermediary node and destined for the inside interface of the intermediary node, translating each of the first and/or second outside address of the call flow packet'"'"'s payload into a corresponding first and/or second private address if a creator of the each address does not equal a sender of the call flow packet.
  - 9. The method as recited in claim 1, wherein the first register packet is received via a network address translation (NAT) devices configured to translate an address of the header but not an address of the payload of such first register packet so as to result in the first inside address of the header differing from the first private address of the payload.

10. A computer system operable to manage session data sent between nodes, the computer system comprising:
- one or more processors;
  
  one or more memory, wherein at least one of the processors and memory are operable to perform the following operations;
  
  (a) in an intermediary node, receiving a first register packet for setting up a call between endnodes sent from a first node to the intermediary node, wherein the first register packet includes a header having a first inside address that identifies the first node and a payload having a first private address that also identifies the first node and differs from the first inside address, wherein the first inside address was supplied by another intermediary node that translated the first register packet before such packet is received by a first intermediary node and the first private address is an Internet Protocol (IP) address of a private network of the first node;
  
  (b) in the intermediary node, translating each of the first inside address of the header and the first private address of the payload into a same first outside address;
  
  (c) in the intermediary node, translating a first proxy address of the header into a second proxy address, wherein the first proxy address is associated with the intermediary node and the second proxy address is associated with a registrar node for managing sessions between the endnodes, wherein a binding between the first and second proxy addresses is configured at the intermediary node; and
  
  (d) without terminating and generating a session for such first register packet at the intermediary node, forwarding the first register packet from the intermediary node towards the registrar node after translating the header and translating the payload.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The computer system as recited in claim 10, wherein an untranslated portion of the payload of the first register packet remains unaltered when forwarded from the computer system to the registrar node.
  - 12. The computer system as recited in claim 10 in the form of a session border controller (SBC).
  - 13. The computer system as recited in claim 10, wherein a source address of the header of the first register packet is translated from the first inside address to the first outside address whereby the first inside address was generated by a network address translation (NAT) device associated with the first node and the first outside address was obtained from a public address pool associated with the computer system and wherein a destination address of the header of the first register packet is translated from the first proxy address to the second proxy address, wherein at least one of the processors and memory are further operable to store, at the computer system, a binding between the first private address, the first outside address, and the first inside address.
  - 14. The computer system as recited in claim 13, wherein at least one of the processors and memory are further operable to:
    - (e) receiv[ing]e an acknowledgement packet sent from the registrar device to the first node in response to the first register packet;
      
      (f) translat[ing]e a destination address of a header of the acknowledgement packet from the first outside address to the first inside address and a source address of the header of the acknowledgement packet from the second proxy address to the second proxy address;
      
      (g) translating the first outside address in a payload of the acknowledgement packet into the first private address; and
      
      (h) without terminating and generating a session for such acknowledgement packet at the computer system, forward[ing] the acknowledgement packet from the computer system towards the first node after translating the header and the payload of the acknowledgement packet.
  - 15. The computer system as recited in claim 14, wherein at least one of the processors and memory are further operable to:
    - receiv[ing]e a second register packet sent from a second node to the computer system;
      
      translat[ing]e a second inside address of a header of the second register packet into a second outside address and translating the first proxy address of the header of the second register packet into the second proxy address;
      
      translat[ing]e a second private address of a payload of the second register packet into the second outside address, and wherein the second private address differs from the second outside address and the second inside, public address and the second private address, second outside address, and second inside address correspond to the second node; and
      
      without terminating and generating a session for such second register packet at the computer system, forward[ing] the second register packet from the computer system towards the registrar node after translating the header and the payload of the second register packet.
  - 16. The computer system as recited in claim 14, wherein the first register packet includes an inside expiration field indicating an expiration time for the first node, wherein at least one of the processors and memory are further operable to:
    - provid[ing]e an outside expiration time for the registrar node;
      
      cach[ing] the acknowledgement packet;
      
      when a subsequent register packet is received at the computer system, repeat[ing] operations (a) through (d) and only performing operation (e) for forwarding such subsequent register packet to the registrar node if a duration of time that has expired approaches the outside expiration time; and
      
      send[ing] the cached acknowledgement packet back to the first node if operation (e) is not being performed for the subsequent register packet, wherein the outside expiration time of the cached acknowledgement is replaced with the inside expiration time prior to sending it to the first node.
  - 17. The computer system as recited in claim 15, wherein at least one of the processors and memory are further operable to adapted for:
    - receiv[ing] a call flow packet that is being sent between the first and second nodes;
      
      when the call flow packet is received into an inside interface of the computer system and destined for an outside interface of the computer system, translat[ing]e a destination address of a header of the call flow packet from the first proxy address to the second proxy address and translating a source address of the call flow packet'"'"'s header from a first or second inside address into a corresponding first or second outside address;
      
      when the computer system is configured for flow around mode and the call flow packet received is received into the inside interface of the computer system and destined for the outside interface of the computer system, translat[ing]e a first and/or second private address of the call flow packet'"'"'s payload into a corresponding first and/or second outside address;
      
      when the computer system is configured for the flow around mode and the call flow packet received is received into the outside interface of the computer system and destined for the inside interface of the computer system, translat[ing]e a first and/or second outside address of the call flow packet'"'"'s payload into the corresponding first and/or second private address;
      
      when the computer system is configured for flow through mode and the call flow packet is received into the inside interface of the computer system and destined for the outside interface of the computer system, translat[ing]e the first and/or second private address of the call flow packet'"'"'s payload into a corresponding first and/or second outside address; and
      
      when the computer system is configured for the flow through mode and the call flow packet is received into the outside interface of the computer system and destined for the inside interface of the computer system, translat[ing]e each of the first and/or second outside address of the call flow packet'"'"'s payload into a corresponding first and/or second private address if a creator of the each address does not equal a sender of the call flow packet.
  - 18. The computer system as recited in claim 10, wherein the first register packet is received via a network address translation (NAT) devices configured to translate an address of the header but not an address of the payload of such first register packet so as to result in the first inside address of the header differing from the first private address of the payload.

19. A computer program product for managing session data sent between nodes, the computer program product comprising:
- at least one non-transitory computer readable storage medium in the form of magnetic media, optical media, or magneto-optical media;
  
  computer program instructions stored within the at least one computer readable product configured for;
  
  in an intermediary node, receiving a first register packet sent for setting up a call between endnodes from a first node to the intermediary node, wherein the first register packet includes a header having a first inside address that identifies the first node and a payload having a first private address that also identifies the first node and differs from the first inside address, wherein the first inside address was supplied by another intermediary node that translated the first register packet before such packet is received by the first intermediary node and the first private address is an Internet Protocol (IP) address of a private network of the first node;
  
  in the intermediary node, translating each of the first inside address of the header and the first private address of the payload into a same first outside address;
  
  in the intermediary node, translating a first proxy address of the header into a second proxy address, wherein the first proxy address is associated with the intermediary node and the second proxy address is associated with a registrar node for managing sessions between endnodes, wherein a binding between the first and second proxy addresses is configured at the intermediary node; and
  
  without terminating and generating a session for such first register packet at the intermediary node, forwarding the first register packet from the intermediary node towards the registrar node after translating the header and translating the payload.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Chokshi, Jayesh, Biswas, Kaushik P., Pande, Vinay Jayant, Jayasenan, Siva S., Butaney, Vikas
Primary Examiner(s)
Phan; Man
Assistant Examiner(s)
Mansoury; Nourali

Application Number

US11/511,629
Time in Patent Office

1,583 Days
Field of Search

370/392, 370/395.2, 370/389, 370/401, 370/352, 370/400
US Class Current

370/392
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 61/2585   through application level g...

H04L 65/1073   Registration or de-registra...

Mechanisms for using NAT at a session border controller

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Mechanisms for using NAT at a session border controller

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links