Secure media address learning for endpoints behind NAPT devices
First Claim
1. A method of operating a media device, comprising:
transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
receiving, by the media device between the core network and the access network, a plurality of media packets on the second IP address and port combination, the plurality of media packets including the second media packet from the second endpoint;
comparing a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
taking an action based on the result of said comparing;
categorizing, by the media device, source addresses for the plurality of media packets in a trusted category or a suspect category; and
if the first IP address does not match the second IP address and if the second IP address matches an entry in the suspect category, relaying, by the media device between the core network and the access network, media packets from the core network to the first endpoint on the access network using a third source IP address and port combination of a third media packet, received on the second IP address and port combination, wherein the third media packet is a packet of the plurality of media packets and the third media packet has a third IP address that is not in the suspect category.
Abstract
A first media packet from a first endpoint of an access network behind a NAPT device is received by a media device between a core network and the access network. The first media packet includes a first source IP address and port combination identifying the first endpoint. An UPDATE request or a reINVITE request is transmitted by the media device. A second IP address and port combination for the media device to receive future media packets from the first endpoint is negotiated. The media device compares a first IP address of the first source IP address and port combination to a second IP address of a second source address and port combination for a second media packet received on the second IP address and port combination. If the first and second IP addresses match, the media device relays media packets from the core network to the first endpoint.
26 Claims
1. A method of operating a media device, comprising: (independent claim; full text given under First Claim above)
Dependent claims: 2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 15, 16, 17, 18
11. A method of operating a media device, comprising:
transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
receiving, by the media device between the core network and the access network, a plurality of media packets on the second IP address and port combination, the plurality of media packets including the second media packet from the second endpoint;
comparing a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
taking an action based on the result of said comparing;
categorizing, by the media device, source addresses for the plurality of media packets in a trusted category or a suspect category;
determining, by the media device, an amount of time for a duration of a call associated with the plurality of media packets; and
performing at least one of the following actions based on the determined amount of time of the duration of the call associated with the plurality of media packets:
(i) if the duration is shorter than a first predetermined amount of time, categorizing the source addresses for the plurality of media packets in the suspect category,
(ii) if the duration is longer than a second predetermined amount of time, removing the source addresses for the plurality of media packets from the suspect category, or
(iii) if the duration is longer than a third predetermined amount of time and the first source IP address and port combination and the second source IP address and port combination have a same configurable IPv4 subnet value or IPv6 subnet value, categorizing the source addresses for the plurality of media packets in the suspect category.
14. A method of operating a media device, comprising:
transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
comparing a first IP address, of a first source IP address and port combination, to a second IP address, of the second source IP address and port combination, for the second media packet received on the second IP address and port combination;
taking an action based on the result of said comparing;
receiving, by the media device between the core network and the access network, a first plurality of media packets from the first endpoint on the first IP address and port combination, the first plurality of media packets including a first media packet, said first media packet including said first source IP address and port combination identifying the first endpoint;
receiving, by the media device between the core network and the access network, a second plurality of media packets on the second IP address and port combination, the second plurality of media packets including the second media packet;
if (i) the time from receipt of the first media packet to receipt of the last media packet of the first plurality of media packets exceeds (ii) (a) the time from receipt of the first media packet to the UPDATE request or the reINVITE request plus (b) the time from receipt of the second media packet to receipt of the last media packet of the second plurality of media packets plus (c) the time between sending of the UPDATE request or the reINVITE request and receipt of the second media packet, then (iii) terminating collection of the first plurality of media packets.
19. A media device, the media device being configured to:
transmit an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
negotiate, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
receive, on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
receive, on the second IP address and port combination of the media device, a plurality of media packets, the plurality of media packets including the second media packet from the second endpoint;
compare a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
take an action based on the result of said comparing;
categorize source addresses for the plurality of media packets in a trusted category or a suspect category;
determine an amount of time for a duration of a call associated with the plurality of media packets; and
perform at least one of the following actions based on the determined amount of time of the duration of the call associated with the plurality of media packets:
(i) if the duration is shorter than a first predetermined amount of time, categorizing the source addresses for the plurality of media packets in the suspect category,
(ii) if the duration is longer than a second predetermined amount of time, removing the source addresses for the plurality of media packets from the suspect category, or
(iii) if the duration is longer than a third predetermined amount of time and the first source IP address and port combination and the second source IP address and port combination have a same configurable IPv4 subnet value or IPv6 subnet value, categorizing the source addresses for the plurality of media packets in the suspect category.
Dependent claims: 20, 21, 22, 23
24. A computer program product, tangibly embodied in a computer readable storage device of a media device, the computer program product including instructions which when executed by a processor cause said processor to:
transmit an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
negotiate, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
receive, on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
receive, on the second IP address and port combination of the media device, a plurality of media packets, the plurality of media packets including the second media packet from the second endpoint;
compare a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
take an action based on the result of said comparing;
categorize source addresses for the plurality of media packets in a trusted category or a suspect category;
determine an amount of time for a duration of a call associated with the plurality of media packets; and
perform at least one of the following actions based on the determined amount of time of the duration of the call associated with the plurality of media packets:
(i) if the duration is shorter than a first predetermined amount of time, categorizing the source addresses for the plurality of media packets in the suspect category,
(ii) if the duration is longer than a second predetermined amount of time, removing the source addresses for the plurality of media packets from the suspect category, or
(iii) if the duration is longer than a third predetermined amount of time and the first source IP address and port combination and the second source IP address and port combination have a same configurable IPv4 subnet value or IPv6 subnet value, categorizing the source addresses for the plurality of media packets in the suspect category.
Dependent claims: 25, 26
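The following Python model is an illustration added here; it is not the patent's own code nor code from any product implementing it. It walks through the learning logic described in the Abstract and in claims 1, 11, 19 and 24: the media device latches the source seen on the first port, an UPDATE or reINVITE moves media to a second port, the source IP seen on the second port is compared with the one latched on the first, and sources are sorted into trusted and suspect categories, with the call-duration rules of claim 11 applied at call end. The thresholds, the /24 and /64 subnet sizes, the addresses, the packet traces, the if/elif ordering of the three duration rules and the handling of a mismatched but non-suspect source (used as the relay target as-is) are all constructed assumptions; the claims leave these values configurable or unspecified.

```python
"""Toy model of the NAPT-aware media address learning described in the claims.
Added illustration, not the patent's own code: thresholds, subnet sizes,
addresses, the packet traces and the tie-break rules are constructed."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass, field

# Constructed thresholds in seconds; the claims only call them "predetermined".
SHORT_CALL = 5.0    # claim 11 (i): shorter than this -> sources become suspect
LONG_CALL = 60.0    # claim 11 (ii): longer than this -> sources leave suspect
SUBNET_CALL = 30.0  # claim 11 (iii): longer than this and same subnet -> suspect
SUBNET_PREFIX = {4: 24, 6: 64}  # the "configurable IPv4/IPv6 subnet value" (assumed)


def same_subnet(ip_a: str, ip_b: str) -> bool:
    """True if both addresses fall in the same configured subnet."""
    a, b = ipaddress.ip_address(ip_a), ipaddress.ip_address(ip_b)
    if a.version != b.version:
        return False
    return b in ipaddress.ip_network(f"{a}/{SUBNET_PREFIX[a.version]}", strict=False)


@dataclass
class Packet:
    dst_port: int  # media-device port the packet arrived on
    src_ip: str
    src_port: int


@dataclass
class MediaDevice:
    """One user session on a media device sitting between core and access network."""
    first_port: int   # port offered at session setup
    second_port: int  # port negotiated via the UPDATE/reINVITE
    suspect: set[str] = field(default_factory=set)
    trusted: set[str] = field(default_factory=set)
    first_src: tuple[str, int] | None = None  # source latched on first_port
    relay_to: tuple[str, int] | None = None   # where core -> endpoint media goes
    log: list[str] = field(default_factory=list)

    def receive(self, pkt: Packet) -> None:
        src = (pkt.src_ip, pkt.src_port)
        if pkt.dst_port == self.first_port:
            if self.first_src is None:  # plain latching on the original port
                self.first_src = src
                self.log.append(f"latched first source {src}")
            return
        if pkt.dst_port != self.second_port or self.relay_to or not self.first_src:
            return  # not this session, already decided, or nothing to compare to
        if pkt.src_ip == self.first_src[0]:
            # Abstract: IPs match -> relay to the NAPT-rewritten port, mark trusted.
            self.trusted.add(pkt.src_ip)
            self.relay_to = src
            self.log.append(f"ip match -> trusted, relay to {src}")
        elif pkt.src_ip in self.suspect:
            # Claim 1: mismatch from a suspect source -> keep waiting.
            self.log.append(f"ip {pkt.src_ip} mismatch and suspect -> skipped")
        else:
            # Claim 1's "third media packet": first non-suspect source on the new
            # port. Assumed to be used as-is; the page does not say whether a later
            # matching packet would override it.
            self.relay_to = src
            self.log.append(f"ip mismatch, not suspect -> relay to {src}")

    def end_call(self, duration: float, second_src: tuple[str, int]) -> None:
        """Claim 11's duration rules at call end. Assumed ordering
        SHORT_CALL < SUBNET_CALL < LONG_CALL, evaluated as an if/elif chain."""
        ips = {second_src[0]} | ({self.first_src[0]} if self.first_src else set())
        if duration < SHORT_CALL:
            self.suspect |= ips
            self.trusted -= ips
        elif duration > LONG_CALL:
            self.suspect -= ips
        elif duration > SUBNET_CALL and self.first_src and same_subnet(
                self.first_src[0], second_src[0]):
            self.suspect |= ips
            self.trusted -= ips


# Constructed traces: endpoint behind NAPT at 203.0.113.7, suspect source 198.51.100.9.
TRACE_MATCH = (  # NAPT rewrote only the port; the IP on the new port matches
    Packet(20000, "203.0.113.7", 40001),
    Packet(20002, "198.51.100.9", 5000),   # suspect source races to the new port
    Packet(20002, "203.0.113.7", 40002),
)
TRACE_THIRD = (  # no IP match on the new port; first non-suspect source is used
    Packet(20000, "203.0.113.7", 40001),
    Packet(20002, "198.51.100.9", 5000),
    Packet(20002, "203.0.113.99", 40002),
)


def run_trace(trace, suspect=frozenset({"198.51.100.9"})) -> MediaDevice:
    """Feed a constructed trace through one session and return the device state."""
    dev = MediaDevice(first_port=20000, second_port=20002, suspect=set(suspect))
    for pkt in trace:
        dev.receive(pkt)
    return dev
```

The point of the second trace is the race: a source already in the suspect category reaches the renegotiated port before the real endpoint does, and plain latch-on-first-packet would send the call's media to it. Here that packet is skipped, and the relay target is taken from the first packet whose IP is not suspect. Calling end_call with a short duration then pushes both observed sources into the suspect category for the next call.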
Specification