1. Statement of the Technical Field
The invention concerns packet-switched network signaling, and more particularly, concerns a method for selectively bypassing signaling protocols around a cryptographic device.
2. Description of the Related Art
There has been a growing demand for improved communication applications provided by packet-switching communications networks. As a result, signaling has been employed to improve the abilities of the packet-switching communications networks. Such signaling includes the transmission of packets including signaling protocol data and/or user data (for example, voice data and/or video data) between nodes and/or terminals of the packet-switching networks. To enable the transmission of the packets between a set of nodes or terminals, the packets are typically encapsulated between one or more layer headers and trailers (for example, a data link layer header, a data link layer trailer, a network layer header, a network layer trailer, a transport layer header, a transport layer trailer, an application layer header, and an application layer trailer). The encapsulation architecture depends on the network's protocol model (such as an open system interconnection model or Department of Defense protocol model).
Various users require encryption of user data prior to transmission over a network to preserve the data's secrecy. In this regard, networks often include a cryptographic device at each node or terminal to perform encryption/decryption of the data prior to or after its transmission over the network. Such a network configuration suffers from certain drawbacks. For example, a packet including signaling protocol data is encrypted at an end node/terminal prior to transmission over the network. Consequently, signaled network services fail because intermediate network nodes/terminals are unable to recognize the encrypted signaling information.
In view of the forgoing, the industry recognized a need to modify the network architecture. In this regard, a device is placed on the end user side of the cryptographic device for a network signaling bypass around the cryptographic device. As a result, signaled network services do not fail because the intermediate network nodes/terminals are able to recognize the encrypted signaling information.
Despite the vast array of signaled network services provided by packet-switching networks, there is a growing demand for even more signaled network services. See NSIS: A New Extensible IP Signaling Protocol Suite, IEEE Communications Magazine, October 2005, written by Xiaoming Fu, Attila Bader, Cornelia Kappler, and Hannes Tschofenig. For example, various users desire quality of service guarantee (QoS), configuring firewall hole services, and network address translator (NAT) services. See Id. In this regard, the Internet Engineering Task Force (IETF) developed a resource reservation protocol (RSVP) for supporting QoS flows (i.e., requests for specific QoS from the network, delivery of QoS requests to all nodes or terminals along a transmission path, and establishing and maintaining state to provide a requested service). See Id. However, RSVP has only been applied to resource reservations for integrated services (IntServ) and differentiated services (DiffServ). See Id. As such, a Next Step In Signaling (NSIS) Group was formed to standardize a signaling framework to support a more general array of signaled network services. See Id.
The NSIS signaling framework includes two layers. These layers include a NSIS Transport Level Protocol (NTLP) and a NSIS Signaling Layer Protocol (NSLP). See Id. The NSLP layer is higher in the NSIS protocol stack as compared to the NTLP layer. In this regard, it should be understood that the term “NSLP layer” is generally understood to be a generic term for an NSIS protocol component that supports a specific signaling application. In this regard, an NSLP is not a generic layer but is designed to operate in conjunction with functionality associated with a particular signaling application. From the foregoing, it will be understood that the NSLP layer interacts with the NTLP layer below and a signaling application layer above that it is designed to support. The NSLP can define message formats (protocol data units), message sequences, and so on which are associated with a particular signaling application.
Each signaling application requires the assignment of one or more NSLP Identifiers (NSLPIDs). Different NSLPIDs may be used to distinguish different classes of signaling applications, for example to handle different aggregation levels or different processing subsets). The NSLPID is typically a 16 bit integer and must be associated with a unique RAO value.
The NTLP is below the NSLP layer in the NSIS protocol stack. The NTLP layer interacts with the transport layer below it. It is also designed to interact with various different NSLPs that can exist above it in the NSIS protocol stack. An important function of the NTLP is transporting of signaling messages from the NSLP layer to an adjacent NSIS node. In this regard, the NTLP is generally understood to include two sub-layers. The sub-layers include: the General Internet Signaling Transport Protocol (GIST) layer and the existing network transport layers such as TCP and UDP. From the foregoing if will be understood that GIST is a primary part of the NTLP protocol stack. The NTLP layer determines whether received message from the next lower layer should be forwarded to the NSLP layer, it can also determine whether the message should be forwarded to the next GIST node.
Each signaling application requires the assignment of one or more NTLP Identifiers (NTLPIDs). The value of an NTLPID depends on an underlying transport protocol (for example, UDP, TCP, and SCTP). For example, if the underlying transport protocol is a UDP, then the NTLPID is a well known port number assigned by the Internet Assigned Numbers Authority (IANA) at the request of the NSIS Group, if the underlying transport protocol is a TCP or a SCTP, then the NTLPID is contained in a header option field and is a value typically assigned by the IANA at another business entity's request.
This recent development of the NTLP and NSLP has presented new problems in network signaling. For example, if QoS services, configuring firewall hole services, and NAT services are to be provided by packet-switching networks, NTLP packets need to be recognized by intermediate network nodes/terminals. As such, there is a need to once again modify the packet-switching networks configuration. Specifically, a bypass component residing before a cryptographic device needs to be upgraded to accommodate the new signaling protocols so that intermediate nodes in the packet switching networks can receive unencrypted signaling protocol packets that are needed for proper operation.