A. Technical Field
The present invention relates generally to network address translation, and more particularly, to address translation of voice packets within a Voice over Internet Protocol (VoIP) connection.
B. Background of the Invention
The popularity of VoIP as a method for providing telephone service across networks is continually increasing. VoIP systems provide telephone connections by transmitting audio packets between two telephone devices via a packet-switched network (e.g., TCP/IP network). This increase in VoIP popularity is primarily due to two reasons: the relatively inexpensive cost of a VoIP telephone call and recent networking advancements causing an increase in the quality of VoIP communication.
VoIP lets service providers offer long-distance services to clients at much lower rates than traditional phone companies. VoIP also uses networks more efficiently than the traditional public switched telephone network used by the traditional phone companies. One reason for this increase in efficiency is the ability of VoIP to time-division multiplex voice data (i.e., telephone connections) together on a single line within a network. Thus, the bandwidth utilization increases within a packet switched network allowing more telephone connections to occur simultaneously.
A few years ago, the quality of a VoIP connection was lacking due primarily to packet delay occurring as voice packets traveled across these networks. This problem was primarily caused by the inefficiency of the Internet over which the VoIP connections occurred. Internet events such as bottlenecks, jitter and discarded packets reduced the quality of a VoIP telephone conversation occurring across the Internet. However, the increase of large private networks, more controlled Internet backbones, and more efficient routing protocols have greatly reduced these problems. Accordingly, the quality of a VoIP telephone conversation today has drastically improved. Some providers have also chosen to avoid the public Internet because of the difficulty in ensuring end-to-end control of service quality. These providers have created managed networks on which VoIP connections may be easily controlled and new VoIP technology may be more easily implemented. As the popularity of VoIP continues to grow, other issues need to be addressed, such as security, network interoperability and compatibility, to ensure the future success of VoIP.
FIG. 1 illustrates a traditional VoIP connection using the public Internet 130. A first telephone 105 is coupled to a first gateway 110 via a first analog connection 107. A second telephone 115 is coupled to a second gateway 120 via a second analog connection 117. A computer or other computing device (not shown) may reside between the telephones 105, 115 and the gateways 110, 120. Accordingly, the analog signal from the telephone 105, 115 is converted to a digital format by these computers (not shown). The first gateway 110 and the second gateway 120 are coupled to each other via the Internet 130. Additionally, the telephones 105, 115 may be digital telephones, such as ISDN phones or VoIP phones, that convert an audible signal to a digital signal prior to transmission to a gateway. A gatekeeper 140 may be used to set up the telephone connection.
The telephone connection is established by the first gateway 110 receiving a connection request from the first telephone 105 that includes a destination telephone number. This destination telephone number may be a ten-digit telephone number similar to those used over traditional public switched telephone networks. In response, the first gateway 110 requests a destination network address from the gatekeeper 140 corresponding to the destination telephone number. This conversion allows the first gateway 110 to locate the second gateway 120 on the Internet 130. Typically, this conversion results in a network address, such as an IP address, that differentiates the second gateway 120 from other gateways on the Internet 130.
A set-up procedure is initiated by the first gateway 110 in which the second gateway 120 is provided the address of the first gateway 110. This set-up procedure results in a connection on which data, particularly voice packets and control data, are transmitted between the gateways 110, 120. This data may travel through multiple networks and multiple routers/switches within these networks in order to reach the correct destination. As described above, oftentimes the quality of this connection is lacking due to the characteristics of the Internet 130. Congestion and failures, within these networks, may drastically reduce the rate at which this data travels in an established connection and may increase the number of packets that are lost or discarded prior to reaching a particular destination address.
The established connection between the first gateway 110 and the second gateway 120 presents various security concerns. A large number of these issues are caused by the visibility of the gateways 110, 120 within the connection. Specifically, the IP addresses of the gateways 110, 120 are known by each other. This visibility compromises the security of all of the devices attached to a network having a visible gateway. Accordingly, a hacker may access devices on the network, other than the telephone or computer participating in the connection, through the gateways 110, 120. For example, after gaining access to the network through a gateway 110, 120, a hacker may access an unauthorized networked device through techniques such as IP spoofing or other commonly used hacking methods. Accordingly, network providers prefer to mask their gateway addresses from outside devices in order to further secure the network against hacking and other unauthorized access to their networks.
FIG. 2 illustrates the use of prior art proxies 235, 240 to mask gateway addresses within a VoIP connection. An example of these types of proxies would be a firewall such as the Cisco PIX firewall. Other network devices such as proxy servers and SOCKS (TCP/IP Socket) servers may be used to build firewalls or other masking devices. Network security problems (e.g., hacking) are amplified when a publicly accessible or visible gateway is connected as part of a larger private network. The visibility of a gateway may allow individuals to hack into the large private network and cause a large amount of damage by accessing other devices connected to the network. Oftentimes, a device on a network, such as a storage or computing device, is not sufficiently protected from access within the network. Thus, if a hacker gains access to a network through a gateway, then other devices on that network may be extremely vulnerable and easily accessed by the hacker. Accordingly, private network operators prefer that internal gateway addresses be hidden from external network devices, such as external gateways. Proxies are used to accomplish this goal.
The first telephone 105 is connected to a first network gateway 212(a) via first analog connection 107. This first network gateway 212(a) resides in a large private network 210 that contains multiple gateways 212(a)-(d). The second telephone 115 is connected to a second network gateway 222(a) via second analog connection 117. This second network gateway 222(a) resides in a second large private network 220 that also contains multiple gateways 222(a)-(d). The first gateway 212(a) is coupled to a first proxy 235 and the second gateway 222(a) is coupled to a second proxy 240.
The first and second proxies 235, 240 hide the addresses of the first and second gateways 212(a), 222(a) from each other. Specifically, the first proxy 235 is aware of the network addresses of the first gateway 212(a) and the second proxy 240, but not the second gateway 222(a). The second proxy 240 is aware of the network addresses of the second gateway 222(a) and the first proxy 235, but not the first gateway 212(a). Thus, communication between devices on the first network 210 and the second network 220 occurs through the proxies 235, 240 while maintaining a level of privacy from each other.
The first and second proxies 235, 240 require that packets traveling through the VoIP connection be modified multiple times. Specifically, each of the first and second proxies 235, 240 must extract and analyze information from a packet header (e.g., port number). Once this information is extracted, a new header is usually put on the packet and it is compressed. Thereafter, the packet is transmitted from the proxy. Because voice packets travel through multiple proxies 235, 240, the number of packet manipulation operations increases. Thus, there is a need to reduce the number of proxy devices within a VoIP connection. This need is further highlighted by the high cost of networking devices such as proxy devices.
Communication between the first proxy 235 and the second proxy 240 may occur using an IP suite protocol implementing either TCP or UDP depending on the type of data within packets. UDP is generally used for VoIP telephone connections due to the time sensitivity of the VoIP connection. Accordingly, sockets are established between the first and second proxies 235, 240. A socket is a combination of an IP address and a port that creates a device-to-device path on which packets may be transmitted and received. Thus, a proxy or other networking device may have numerous ports that provide communication paths on which packets may travel.
Oftentimes, a simple packet translation method will not properly switch a voice packet along a VoIP connection. For example, this switching process may be complicated if the networks on which the first and second gateways 212(a), 222(a) reside are not directly compatible. Generally, voice traffic is transmitted according to the H.323 standard, an ITU real-time standard for transmission of voice over networks. However, there are variations in the implementation of the H.323 standard by network providers that may cause incompatibilities between networks. These variations often require packet modification operations to occur within a proxy to provide smooth voice traffic between the incompatible networks.
In order to perform packet translation and switching operations in connections between two directly incompatible networks, a proxy must be able to identify the type of network from which the packet was sent and to which the packet is destined. Also, the proxy must be able to identify the packet type (e.g., RTP) in order to perform packet translation and switching operations. Once this information is identified, the proxy may modify the packet so that it is able to effectively travel through a network to a destination gateway.
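The masking behaviour of the proxies 235, 240 described above, together with the packet-type identification (e.g., RTP) a proxy must perform, can be illustrated with a small address-translation model. The following is an added example written for this page, not code from the patent or from any vendor product named in it; the gateway and proxy addresses, the port numbers and the RTP payload are constructed values, and the "drop unknown or unexpected-source packets" behaviour is an assumption about how a masking proxy should be configured rather than something the text states.

```python
"""Added example (not from the patent): a simplified address-masking proxy.

Models one proxy from FIG. 2.  Outbound packets from an internal gateway have
their source rewritten to the proxy's external address, so the far side only
ever sees the proxy.  Inbound packets are delivered to the internal gateway
only if they match an existing session and come from the peer that session
was opened with; anything else is dropped.  All addresses are constructed.
"""
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: bytes


def is_rtp(payload: bytes) -> bool:
    """Rough RTP check: a 12-byte minimum header whose top two bits are version 2."""
    return len(payload) >= 12 and (payload[0] >> 6) == 2


class MaskingProxy:
    def __init__(self, external_ip: str, first_port: int = 40000) -> None:
        self.external_ip = external_ip
        self._next_port = first_port
        # (internal ip, internal port) -> external port the proxy uses for it
        self._out: Dict[Tuple[str, int], int] = {}
        # external port -> (internal ip, internal port, peer ip, peer port)
        self._in: Dict[int, Tuple[str, int, str, int]] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source so the internal gateway address never leaves the network."""
        key = (pkt.src_ip, pkt.src_port)
        port = self._out.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._out[key] = port
            # remember which peer this session talks to, for the inbound check
            self._in[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return replace(pkt, src_ip=self.external_ip, src_port=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination back to the internal gateway, or drop the packet."""
        entry = self._in.get(pkt.dst_port)
        if entry is None:
            return None  # no session behind this port: unsolicited packet dropped
        int_ip, int_port, peer_ip, peer_port = entry
        if (pkt.src_ip, pkt.src_port) != (peer_ip, peer_port):
            return None  # reply must come from the peer the session was opened with
        return replace(pkt, dst_ip=int_ip, dst_port=int_port)


# Constructed sample traffic: gateway 212(a) behind proxy 235 talking to proxy 240.
GATEWAY_A = ("10.1.0.11", 5004)       # internal, must stay hidden
PROXY_A_EXT = "203.0.113.5"           # proxy 235 external address
PROXY_B = ("198.51.100.9", 41000)     # proxy 240 as seen from proxy 235
RTP_SAMPLE = bytes([0x80, 0x00]) + bytes(10)   # version 2, 12-byte header, no data


def run_session() -> Tuple[Packet, Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Return (masked outbound, valid reply, stray-source reply, unknown-port packet)."""
    proxy = MaskingProxy(PROXY_A_EXT)
    out = proxy.outbound(Packet(*GATEWAY_A, *PROXY_B, RTP_SAMPLE))
    reply = proxy.inbound(Packet(*PROXY_B, PROXY_A_EXT, out.src_port, RTP_SAMPLE))
    stray = proxy.inbound(Packet("192.0.2.77", 1234, PROXY_A_EXT, out.src_port, RTP_SAMPLE))
    unknown = proxy.inbound(Packet(*PROXY_B, PROXY_A_EXT, 49999, RTP_SAMPLE))
    return out, reply, stray, unknown


if __name__ == "__main__":
    out, reply, stray, unknown = run_session()
    print("outbound as seen by peer:", out.src_ip, out.src_port, "rtp" if is_rtp(out.payload) else "other")
    print("reply delivered to:", reply.dst_ip if reply else None, reply.dst_port if reply else None)
    print("stray dropped:", stray is None, "| unknown port dropped:", unknown is None)
```

The point of the model is the one the background states: the peer proxy 240 only ever learns the address of proxy 235, never that of gateway 212(a), and the same table that performs the translation also decides which inbound packets are allowed to reach the private network. The `is_rtp` check stands in for the packet-type identification a proxy performs before deciding how to modify a packet.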
As previously described above, it is important to try to reduce the number of switches, routers and other networking devices within a VoIP connection for two primary reasons. First, networking devices are expensive and the initial cost as well as the management cost may be significant. Second, each networking device increases the possibility of errors such as packets being discarded or failure, and causes an additional delay within a VoIP connection. As a result, researchers have been developing technology that reduces the number of networking devices within a network.
Accordingly, it is desirable to provide network address translation within a network device that masks both ends of a VoIP connection from each other. Additionally, it is desirable to provide network address translation within a network device that facilitates VoIP connections between different types of networks and that processes different types of packets within a VoIP connection. Furthermore, it is desirable to provide network address translation within a network device that increases the number of VoIP connections that may be served by the network device.