Secure media address learning for endpoints behind NAPT devices

US 8,984,110 B1
Filed: 02/14/2012
Issued: 03/17/2015
Est. Priority Date: 02/14/2012
Status: Active Grant

First Claim

Patent Images

1. A method of operating a media device, comprising:

transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;

negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;

receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;

receiving, by the media device between the core network and the access network, a plurality of media packets on the second IP address and port combination, the plurality of media packets including the second media packet from the second endpoint;

comparing a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;

taking an action based on the result of said comparing;

categorizing, by the media device, source addresses for the plurality of media packets in a trusted category or a suspect category; and

if the first IP address does not match the second IP address and if the second IP address matches an entry in the suspect category, relaying, by the media device between the core network and the access network, media packets from the core network to the first endpoint on the access network using a third source IP address and port combination of a third media packet, received on the second IP address and port combination, wherein the third media packet is a packet of the plurality of media packets and the third media packet has a third IP address that is not in the suspect category.

View all claims

10 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A first media packet from a first endpoint of an access network behind a NAPT device is received by a media device between a core network and the access network. The first media packet includes a first source IP address and port combination identifying the first endpoint. An UPDATE request or a reINVITE request is transmitted by the media device. A second IP address and port combination for the media device to receive future media packets from the first endpoint is negotiated. The media device compares a first IP address of the first source IP address and port combination to a second IP address of a second source address and port combination for a second media packet received on the second IP address and port combination. If the first and second IP addresses match, the media device relays media packets from the core network to the first endpoint.

Citations

26 Claims

1. A method of operating a media device, comprising:
- transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
  
  negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
  
  receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
  
  receiving, by the media device between the core network and the access network, a plurality of media packets on the second IP address and port combination, the plurality of media packets including the second media packet from the second endpoint;
  
  comparing a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
  
  taking an action based on the result of said comparing;
  
  categorizing, by the media device, source addresses for the plurality of media packets in a trusted category or a suspect category; and
  
  if the first IP address does not match the second IP address and if the second IP address matches an entry in the suspect category, relaying, by the media device between the core network and the access network, media packets from the core network to the first endpoint on the access network using a third source IP address and port combination of a third media packet, received on the second IP address and port combination, wherein the third media packet is a packet of the plurality of media packets and the third media packet has a third IP address that is not in the suspect category.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 12, 13, 15, 16, 17, 18)
- - 2. The method of claim 1, wherein said media device is located between a core network and an access network, the method further comprising:
    - receiving, prior to transmitting said UPDATE request or said reINVITE request, on a first IP address and port combination of the media device, during said user session, a first media packet from said first endpoint, said first endpoint being located on said access network behind a network address and port translation (NAPT) device of the access network, said first media packet including said first source IP address and port combination identifying the first endpoint.
  - 3. The method of claim 2, further comprising:
    - storing, in memory included in said media device, information associating said first IP address and port combination with said user session.
  - 4. The method of claim 2, wherein taking an action based on the result of said comparing includes, if the first IP address matches the second IP address, relaying the second media packet from the core network to the first endpoint on the access network using the second source IP address and port combination.
  - 5. The method of claim 2, wherein the first source IP address and port combination of the first media packet is an IP address and port combination assigned to the first endpoint by the NAPT device.
  - 6. The method of claim 2, further comprising:
    - if the first IP address does not match the second IP address, determining, by the media device between the core network and the access network, if the first media packet and the second media packet include the same configurable IPv4 subnet value or IPv6 subnet value; and
      
      if the same configurable IPv4 subnet value or IPv6 subnet value is present in both the first media packet and the second media packet, relaying media packets from the core network to the first endpoint on the access network using the second source IP address and port combination.
  - 7. The method of claim 6, further comprising:
    - if a same configurable IPv4 subnet value or the IPv6 subnet value is not present in the first media packet and the second media packet, determining, by the media device between the core network and the access network, if the second IP address is in a trusted category or a suspect category for source IP addresses; and
      
      if the second IP address is in the trusted category, relaying, by the media device, media packets from the core network to the first endpoint on the access network using the second source IP address and port combination.
  - 8. The method of claim 7, further comprising:
    - if the second IP address is not in the trusted category and if the second IP address is not in the suspect category, relaying, by the media device, media packets from the core network to the first endpoint on the access network using the second source IP address and port combination.
  - 9. The method of claim 7, further comprising:
    - if the second IP address is in the suspect category, relaying, by the media device, media packets from the core network to the first endpoint on the access network using a third source IP address and port combination of a third media packet received on the second IP address and port combination.
  - 10. The method of claim 1, further comprising:
    - if the first source IP address and port combination does not match the second source IP address and port combination and if either (i) the second IP address is in the trusted category or (ii) the second IP address is not in the trusted category and is not in the suspect category, relaying, by the media device between the core network and the access network, media packets from the core network to the first endpoint on the access network using the second IP address and port combination.
  - 12. The method of claim 1, further comprising:
    - deactivating, by the media device between the core network and the access network, at least one port of the media device;
      
      receiving, by the media device, at least one media packet on the deactivated port; and
      
      classifying, by the media device, the source of the at least one media packet received on the deactivated port as not trusted.
  - 13. The method of claim 1, further comprising:
    - receiving, by the media device between the core network and the access network, during a first time period, a first plurality of media packets from the first endpoint on the first IP address and port combination, the first plurality of media packets including the first media packet;
      
      receiving, by the media device, during a second time period, the second plurality of media packets on the second IP address and port combination;
      
      comparing, by the media device, the first time period and the second time period; and
      
      determining, by the media device, whether the first plurality of media packets or the second plurality of media packets are transmitted by an attacker outside the network address and port translation device.
  - 15. The method of claim 1, further comprising transmitting media packets using a media transport protocol.
  - 16. The method of claim 15, wherein the media transport protocol is Real Time Transport Protocol (RTP).
  - 17. The method of claim 1, further comprising negotiating the IP address and port combination using a signaling protocol.
  - 18. The method of claim 17, wherein the signaling protocol is Session Initiation Protocol (SIP) with Session Description Protocol (SDP) bodies attached.

11. A method of operating a media device, comprising:
- transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
  
  negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
  
  receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
  
  receiving, by the media device between the core network and the access network, a plurality of media packets on the second IP address and port combination, the plurality of media packets including the second media packet from the second endpoint;
  
  comparing a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
  
  taking an action based on the result of said comparing;
  
  categorizing, by the media device, source addresses for the plurality of media packets in a trusted category or a suspect category;
  
  determining, by the media device, an amount of time for a duration of a call associated with the plurality of media packets; and
  
  performing at least one of the following actions based on the determined amount of time of the duration of the call associated with the plurality of media packets;
  
  (i) if the duration is shorter than a first predetermined amount of time, categorizing the source addresses for the plurality of media packets in the suspect category,(ii) if the duration is longer than a second predetermined amount of time, removing the source addresses for the plurality of media packets from the suspect category, or(iii) if the duration is longer than a third predetermined amount of time and the first source IP address and port combination and the second source IP address and port combination have a same configurable IPv4 subnet value or IPv6 subnet value, categorizing the source addresses for the plurality of media packets in the suspect category.

14. A method of operating a media device, comprising:
- transmitting an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
  
  negotiating, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
  
  receiving on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
  
  comparing a first IP address, of a first source IP address and port combination, to a second IP address, of the second source IP address and port combination, for the second media packet received on the second IP address and port combination;
  
  taking an action based on the result of said comparing;
  
  receiving, by the media device between the core network and the access network, a first plurality of media packets from the first endpoint on the first IP address and port combination, the first plurality of media packets including a first media packet, said first media packet including said first source IP address and port combination identifying the first endpoint;
  
  receiving, by the media device between the core network and the access network, a second plurality of media packets on the second IP address and port combination, the second plurality of media packets including the second media packet;
  
  if (i) the time from receipt of the first media packet to receipt of the last media packet of the first plurality of media packets exceeds (ii) (a) the time from receipt of the first media packet to the UPDATE request or the reINVITE request plus (b) the time from receipt of the second media packet to receipt of the last media packet of the second plurality of media packets plus (c) the time between sending of the UPDATE request or the reINVITE request and receipt of the second media packet, then (iii) terminating collection of the first plurality of media packets.

19. A media device, the media device being configured to:
- transmit an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
  
  negotiate, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
  
  receive, on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
  
  receive, on the second IP address and port combination of the media device, a plurality of media packets, the plurality of media packets including the second media packet from the second endpoint;
  
  compare a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination;
  
  take an action based on the result of said comparing;
  
  categorize source addresses for the plurality of media packets in a trusted category or a suspect category;
  
  determine an amount of time for a duration of a call associated with the plurality of media packets; and
  
  perform at least one of the following actions based on the determined amount of time of the duration of the call associated with the plurality of media packets;
  
  (i) if the duration is shorter than a first predetermined amount of time, categorizing the source addresses for the plurality of media packets in the suspect category,(ii) if the duration is longer than a second predetermined amount of time, removing the source addresses for the plurality of media packets from the suspect category, or(iii) if the duration is longer than a third predetermined amount of time and the first source IP address and port combination and the second source IP address and port combination have a same configurable IPv4 subnet value or IPv6 subnet value, categorizing the source addresses for the plurality of media packets in the suspect category.
- View Dependent Claims (20, 21, 22, 23)
- - 20. The media device of claim 19, wherein said media device is located between a core network and an access network, the media device being further configured to:
    - receive, prior to transmitting said UPDATE request or said reINVITE request, on a first IP address and port combination of the media device, during said user session, a first media packet from said first endpoint, said first endpoint being located on said access network behind a network address and port translation (NAPT) device of the access network, said first media packet including the first source IP address and port combination identifying the first endpoint.
  - 21. The media device of claim 20, wherein the media device is further configured to:
    - store, in memory included in said media device, information associating said first IP address and port combination with said user session.
  - 22. The media device of claim 20, wherein said media device is configured to, relay the second media packet from the core network to the first endpoint on the access network using the second source IP address and port combination, if the first IP address matches the second IP address, as part of being configured to take an action based on the result of said comparing includes.
  - 23. The media device of claim 20, wherein the first source IP address and port combination of the first media packet is an IP address and port combination assigned to the first endpoint by the NAPT device.

24. A computer program product, tangibly embodied in a computer readable storage device of a media device, the computer program product including instructions which when executed by a processor cause said processor to:
- transmit an UPDATE request or a reINVITE request corresponding to a user session having a first endpoint that uses a first IP address and port combination of the media device as part of said user session;
  
  negotiate, during the user session, a second IP address and port combination for the media device to receive future media packets from the first endpoint during said user session;
  
  receive, on the second IP address and port combination of the media device, during the user session, a second media packet from a second endpoint, the second media packet including a second source IP address and port combination identifying the second endpoint;
  
  receive, on the second IP address and port combination of the media device, a plurality of media packets, the plurality of media packets including the second media packet from the second endpoint;
  
  compare a first IP address of a first source IP address and port combination to a second IP address of the second source IP address and port combination for the second media packet received on the second IP address and port combination; and
  
  take an action based on the result of said comparing;
  
  categorize source addresses for the plurality of media packets in a trusted category or a suspect category;
  
  determine an amount of time for a duration of a call associated with the plurality of media packets; and
  
  perform at least one of the following actions based on the determined amount of time of the duration of the call associated with the plurality of media packets;
  
  (i) if the duration is shorter than a first predetermined amount of time, categorizing the source addresses for the plurality of media packets in the suspect category,(ii) if the duration is longer than a second predetermined amount of time, removing the source addresses for the plurality of media packets from the suspect category, or(iii) if the duration is longer than a third predetermined amount of time and the first source IP address and port combination and the second source IP address and port combination have a same configurable IPv4 subnet value or IPv6 subnet value, categorizing the source addresses for the plurality of media packets in the suspect category.
- View Dependent Claims (25, 26)
- - 25. The computer program product of claim 24, wherein said media device is located between a core network and an access network, the computer program product further comprises instructions which when executed by said processor cause said processor to:
    - receive, prior to transmitting said UPDATE request or said reINVITE request, on a first IP address and port combination of the media device, during said user session, a first media packet from said first endpoint, said first endpoint being located on said access network behind a network address and port translation (NAPT) device of the access network, said first media packet including the first source IP address and port combination identifying the first endpoint.
  - 26. The computer program product of claim 25, wherein the computer program product further comprises instructions which when executed by said processor cause said processor to:
    - store, in memory included in said media device, information associating said first IP address and port combination with said user session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Ribbon Communications Operating Company, Inc. (Ribbon Communications, Inc.)
Original Assignee
Sonus Networks Incorporated (Ribbon Communications, Inc.)
Inventors
Asveren, Tolga
Primary Examiner(s)
Daftuar, Saket K

Application Number

US13/372,738
Time in Patent Office

1,127 Days
Field of Search

709/220, 709/221, 709/222, 709/223, 709/224, 709/225, 709/226, 709/227, 709/228, 709/229, 709/245, 709/246, 709/249, 709/250
US Class Current

709/223
CPC Class Codes

H04L 2101/677   Multiple interfaces, e.g. m...

H04L 45/08   Learning-based routing, e.g...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/2535   Multiple local networks, e....

H04L 61/2557   Translation policies or rules

H04L 61/256   NAT traversal

H04L 61/2564   for a higher-layer protocol...

H04L 61/50   Address allocation

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 65/1069   Session establishment or de...

H04L 65/1083   In-session procedures

H04L 65/1104   Session initiation protocol...

H04W 12/06   Authentication

Secure media address learning for endpoints behind NAPT devices

First Claim

10 Assignments

0 Petitions

Accused Products

Abstract

Citations

26 Claims

Specification

Solutions

Use Cases

Quick Links

Secure media address learning for endpoints behind NAPT devices

First Claim

10 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

26 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links