Method and system for managing a SIP server

US 9,191,414 B2
Filed: 07/11/2012
Issued: 11/17/2015
Est. Priority Date: 07/11/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising an access control component for managing network communications to a Session Initiation Protocol (SIP) server, the access control component being communicatively coupled to a SIP processing component capable of SIP processing based on a received data packet using a SIP stack, the access control component being arranged to:

receive a data packet sent from a network device to the SIP server, the data packet comprising data indicative of fragmentation information, transport protocol information and SIP data;

determine, from the data packet, whether the network device is recognized by the SIP server, wherein the access control component is arranged to;

determine a network address of the network device;

determine if the network address matches a permitted network address from a set of permitted network addresses; and

if it is determined that the network address matches the permitted network address, pass the received data packet for SIP processing; and

responsive to a determination that the network device is a device that is not recognized by the SIP server and before SIP processing using the SIP stack, determine whether the data packet conforms to a permitted configuration, the permitted configuration comprising at least that data indicative of fragmentation information and transport protocol information indicates an unfragmented User Datagram Protocol (UDP) packet and that at least a portion of data indicative of SIP data in the received data packet matches a parsing rule based on data indicative of a REGISTER request,wherein the access control component is arranged to;

discard the received data packet if it determines that the data packet does not conform to the permitted configuration and pass the received data packet to the SIP processing component if the data packet conforms to the permitted configuration; and

wherein the access control component is further arranged to;

remove the network address of the network device from the set of permitted network addresses.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method, system and computer program product are described for managing network communications to a Session Initiation Protocol (SIP) server capable of SIP processing using a SIP stack. A data packet is received from a network device. It is determined, from the data packet, whether the network device is a device recognized by the SIP server. Responsive to this determination, and before SIP processing using the SIP stack, it is determined whether the data packet conforms to a permitted configuration. The permitted configuration includes that data of the data packet indicates an unfragmented User Datagram Protocol (UDP) packet and that data indicative of SIP data in the received data packet matches a parsing rule. If the data packet conforms to the permitted configuration, it is passed to the SIP stack, if not it is discarded.

23 Citations

View as Search Results

12 Claims

1. A system comprising an access control component for managing network communications to a Session Initiation Protocol (SIP) server, the access control component being communicatively coupled to a SIP processing component capable of SIP processing based on a received data packet using a SIP stack, the access control component being arranged to:
- receive a data packet sent from a network device to the SIP server, the data packet comprising data indicative of fragmentation information, transport protocol information and SIP data;
  
  determine, from the data packet, whether the network device is recognized by the SIP server, wherein the access control component is arranged to;
  
  determine a network address of the network device;
  
  determine if the network address matches a permitted network address from a set of permitted network addresses; and
  
  if it is determined that the network address matches the permitted network address, pass the received data packet for SIP processing; and
  
  responsive to a determination that the network device is a device that is not recognized by the SIP server and before SIP processing using the SIP stack, determine whether the data packet conforms to a permitted configuration, the permitted configuration comprising at least that data indicative of fragmentation information and transport protocol information indicates an unfragmented User Datagram Protocol (UDP) packet and that at least a portion of data indicative of SIP data in the received data packet matches a parsing rule based on data indicative of a REGISTER request,wherein the access control component is arranged to;
  
  discard the received data packet if it determines that the data packet does not conform to the permitted configuration and pass the received data packet to the SIP processing component if the data packet conforms to the permitted configuration; and
  
  wherein the access control component is further arranged to;
  
  remove the network address of the network device from the set of permitted network addresses.
- View Dependent Claims (2, 3, 4, 5, 6)
- - 2. The system according to claim 1, wherein the access control component is arranged to apply a Bloom filter configured with the set of permitted network addresses to determine whether the network device is recognized by the SIP server.
  - 3. The system according to claim 2, wherein the access control component is arranged to add the network address of the network device to the Bloom filter if the network device successfully registers after being passed to the SIP processing component.
  - 4. The system according to claim 2, wherein the access control component is arranged to provide a network address of a network device that results in one or more false positive matches when the Bloom filter is applied.
  - 5. The system according to claim 2, wherein the access control component is arranged to remove a network address of a network device from the Bloom filter.
  - 6. The system according to claim 1, wherein the access control component is arranged to determine whether the transport protocol information indicates that the received data packet is destined for a UDP port associated with the SIP processing component.

7. A computer program product comprising a non-transitory computer-readable storage medium having computer readable instructions stored thereon, the computer readable instructions being executable by a computerized device to cause the computerized device to perform a method of managing network communications to a Session Initiation Protocol (SIP) server capable of SIP processing using a SIP stack based on a received data packet, the method comprising:
- receiving a data packet from a network device, the data packet comprising data indicative of fragmentation information, transport protocol information and SIP data;
  
  determining, from the data packet, whether the network device is a device recognized by the SIP server, wherein the step of determining whether the network device is recognized by the SIP server comprises;
  
  determining a network address of the network device;
  
  determining if the network address matches a permitted network address from a set of permitted network addresses; and
  
  if it is determined that the network address matches the permitted network address, passing the received data packet for SIP processing; and
  
  responsive to a determination that the network device is a device that is not recognized by the SIP server and before SIP processing using the SIP stack;
  
  determining whether the data packet conforms to a permitted configuration, the permitted configuration comprising at least that data indicative of fragmentation information and transport protocol information indicates an unfragmented User Datagram Protocol (UDP) packet and that at least a portion of data indicative of SIP data in the received data packet matches a parsing rule based on data indicative of a REGISTER request;
  
  discarding the received data packet if it is determined that the data packet does not conform to the permitted configuration; and
  
  passing the received data packet for SIP processing by the SIP stack if it is determined that the data packet does conform to the permitted configuration;
  
  wherein the method further comprises;
  
  removing the network address of the network device from the set of permitted network addresses.

8. A method of managing network communications to a Session Initiation Protocol (SIP) server capable of SIP processing using a SIP stack based on a received data packet, the method comprising:
- receiving a data packet from a network device, the data packet comprising data indicative of fragmentation information, transport protocol information and SIP data;
  
  determining, from the data packet, whether the network device is a device recognized by the SIP server, wherein the step of determining whether the network device is recognized by the SIP server comprises;
  
  determining a network address of the network device;
  
  determining if the network address matches a permitted network address from a set of permitted network addresses; and
  
  if it is determined that the network address matches the permitted network address, passing the received data packet for SIP processing; and
  
  responsive to a determination that the network device is a device that is not responsive by the SIP server and before SIP processing using the SIP stack;
  
  determining whether the data packet conforms to permitted configuration, the permitted configuration comprising at least that data indicative of fragmentation information and transport protocol information indicates an unfragmented User Datagram Protocol (UDP) packet and that at least a portion of data indicative of SIP data in the received data packet matches a parsing rule based on data indicative of a REGISTER request;
  
  discarding the received data packet if it is determined that the data packet does not conform to the permitted configuration; and
  
  passing the received data packet for SIP processing by the SIP stack if it is determined that the data packet does conform to the permitted configuration,wherein the method further comprises;
  
  removing the network address of the network device from the set of permitted network addresses.
- View Dependent Claims (9, 10, 11, 12)
- - 9. The method according to claim 8, wherein the step of determining if the network address matches the permitted network address comprises:
    - applying a Bloom filter configured with the set of permitted network addresses.
  - 10. The method according to claim 9, further comprising:
    - adding the network address of the network device to the Bloom filter if the network address does not match the permitted network address and the network device successfully registers following SIP processing.
  - 11. The method according to claim 9, further comprising:
    - determining a network address of a network device that results in one or more false positive matches when applying the Bloom filter; and
      
      discarding data packets from the determined network address of the network device that results in one or more false positive matches when applying the Bloom filter.
  - 12. The method according to claim 8, wherein the step of determining whether the data packet conforms to the permitted configuration comprises:
    - determining whether the transport protocol information indicates that the received data packet is destined for a UDP port associated with the SIP processing.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Metaswitch Networks Limited (Microsoft Corporation)
Original Assignee
Metaswitch Networks Limited (Microsoft Corporation)
Inventors
Larkin, Nicholas Peter
Primary Examiner(s)
Miah, Razu A

Application Number

US13/546,541
Publication Number

US 20130185445A1
Time in Patent Office

1,224 Days
Field of Search

709/228
US Class Current

1/1
CPC Class Codes

H04L 47/323   Discarding or blocking cont...

H04L 65/1016   IP multimedia subsystem [IMS]

H04L 65/1045   Proxies, e.g. for session i...

H04L 65/1069   Session establishment or de...

H04L 65/1073   Registration or de-registra...

H04L 65/1104   Session initiation protocol...

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

H04Q 2213/13204   Protocols

H04Q 2213/13348   Channel/line reservation

H04Q 2213/13389   LAN, internet

Method and system for managing a SIP server

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

23 Citations

12 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for managing a SIP server

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

23 Citations

12 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links