In a multimedia network compatible with the IP protocol, when a multimedia connection is set up (during which, for example, multimedia contents are exchanged) between a given terminal and a destination apparatus, the given terminal first exchanges signaling messages, for example messages compatible with the “Session Initiation Protocol” (referenced here below as the SIP protocol) or with any other signaling protocol, with a signaling flow control apparatus (here below designated as an SFC (signaling flow control) apparatus). These exchanges form a signaling step between the terminal and the signaling flow control apparatus.
Thus, this SFC apparatus is an apparatus that enables the setting up of signaling between a given terminal and an operator's network. An SFC apparatus embeds, for example, the P-CSCF (Proxy Call Session Control Function) defined in the 3GPP IMS (Third Generation Partnership Project, IP Multimedia Subsystem) architecture described in the document referenced 3GPP TS 23.228 and in the ETSI TISPAN (European Telecommunication Standards Institute Telecommunications and Internet converged Services and Protocols for Advanced Networks) standard described in the document referenced ETSI ES 282007.
During the processing of these signaling messages, the SFC apparatus communicates with a multimedia flow control apparatus, here below called an MFC (Multimedia Flow Control) apparatus, to reserve the necessary resources and authorize the flows of multimedia contents between the given terminal and the destination apparatus.
Thus, this MFC apparatus is an apparatus used to control the multimedia flows coming from the terminals. An example of an MFC apparatus is the C-BGF (Core Border Gateway Function) presented in the ETSI TISPAN standard.
Should there be no NAT apparatus connected to the multimedia contents transmission path between the given terminal and the MFC apparatus, or between the given terminal and the SFC apparatus, it is not necessary to implement the HNT procedure: the MFC apparatus knows the IP/Port addresses used by the given terminal for the reception of contents, and the given terminal knows the IP/Port addresses allocated by the MFC apparatus for sending contents.
FIG. 1 illustrates the correspondence table 100 of IP/Port addresses kept at the level of the MFC apparatus 110 for the given terminal when no NAT apparatus is connected to the multimedia contents transmission path between the terminal 120 and the MFC apparatus 110, or between the terminal 120 and the SFC apparatus, in the case of communications compatible with RTP and RTCP (Real-time Transport Protocol and Real-time Transport Control Protocol) described in the RFC 1889 standard.
The correspondence table 100 comprises the addresses Src IP-Port 1 and Src IP-Port 2 of the sending ports of the terminal 120, the addresses Dst IP-Port of the reception ports of the destination apparatus (not shown), the addresses Src IP-Port of the sending ports of the destination apparatus, and the addresses Dst IP-Port 3 and Dst IP-Port 4 of the reception ports of the given terminal.
When multimedia flows are sent or received by the terminal 120, the MFC apparatus 110 replaces the IP/Port addresses marked as unknown (101) in the figure by the IP/Port addresses used, respectively, by the terminal 120 for sending multimedia flows and by the destination apparatus for sending multimedia flows to the terminal 120.
Given that only the given terminal 120 knows the IP/Port address allocated by the MFC apparatus for sending multimedia flows (because this IP/Port address has been transmitted to it beforehand by the SFC apparatus), there is no risk that another “identity-thief” or “usurper” terminal might take the place of the given terminal which has initiated the connection.
However, when a NAT apparatus is connected between the given terminal and the MFC apparatus, as well as between the given terminal and the SFC apparatus, there is a risk that an identity-thief terminal will pass itself off as the given terminal that has initiated the connection, in order to use its session and deprive the given terminal of the use of the session it has initiated.
Referring to FIG. 2, an illustration is provided of the correspondence table 200 kept at the level of the MFC apparatus 110 when a NAT apparatus 230 is connected to the multimedia contents transmission path between the given terminal 120 and the MFC apparatus 110 as well as between the given terminal 120 and the SFC apparatus in the case of communications compatible with the RTP/RTCP protocol.
As illustrated in FIG. 2, the MFC apparatus 110 does not know the IP/Port address to which it must redirect the flows sent to the given terminal 120. Nor does it know the address that will be used by the NAT apparatus 230 for sending the flows of the given terminal 120.
In order to resolve these problems, the invention uses the HNT procedure to enable the MFC apparatus 110 to allow the media flows to travel in transit from or to the given terminal 120.
Thus, when the multimedia connection is set up, the SFC apparatus (not shown in FIG. 2) detects that the given terminal 120 is connected to it through a NAT apparatus 230, because the IP addresses for the media flows specified by the given terminal 120 in the signaling protocol differ from the source IP address of the packet conveying the signaling, as received by the SFC apparatus. The SFC apparatus will then:
- activate the HNT procedure;
- inform the MFC apparatus that, for this media connection requested by the given terminal, the IP/Port addresses of the given terminal are unknown;
- request the MFC apparatus to execute the HNT procedure.
The MFC apparatus, which has reserved the IP/Port addresses for the media connection, waits for the given terminal to send it one or more empty packets (IP packets encapsulating empty media packets) in order to learn:
- the IP/Port address allocated by the NAT apparatus for the transmission of the media flows sent by the given terminal;
- the IP/Port address allocated by the NAT apparatus for the transmission of the media flows to the given terminal.
From the empty packets received for the given terminal and the given connection, the MFC apparatus replaces the unknown fields kept in its correspondence table by the information (IP/Port addresses) that it now knows.
The drawback of this prior art technique is the lack of security related to the use of the HNT procedure.
Once the signaling has been set up between the given terminal wishing to initiate a connection and the SFC apparatus, and once the correspondence tables have been set up by the MFC apparatus, a usurper or identity-thief terminal other than the given terminal which has initiated the connection can pass itself off as the given terminal and thus use its connection. This happens if the identity-thief terminal initiates the HNT procedure before the given terminal does so.
FIG. 3 illustrates the way in which an identity-thief terminal 340 can pass itself off as the given terminal 120 and use the connection that this terminal has initiated.
In a step referenced 301, the given terminal 120 initiates a multimedia connection with the SFC apparatus 350, and the SFC apparatus 350 then informs the MFC apparatus 110 that a connection has been initiated.
In a step referenced 302, the identity-thief terminal 340 starts the HNT procedure with the MFC apparatus 110 and thus uses the connection set up by the given terminal 120. Then, in a step referenced 303, the MFC apparatus 110 authorizes the setting up of the flows between the identity-thief terminal 340 and the destination apparatus (not shown in FIG. 3).
Then, in a step referenced 304, the given terminal 120 in turn initiates the HNT procedure with the MFC apparatus 110. The MFC apparatus 110 does not permit the setting up of the flows between the given terminal 120 and the destination apparatus, because it has already completed the rules illustrated in FIG. 2 on the basis of the IP/Port addresses supplied by the identity-thief terminal 340.
Thus, this mechanism amounts to a denial of service, because it prevents the given terminal 120 from transmitting and/or receiving multimedia content, and to a theft of service, because the flows are invoiced to the initiator of the request, hence to the terminal 120.
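The following Python model, added here as an illustration and not taken from the patent or from any ETSI/3GPP implementation, reproduces the HNT learning step of the MFC correspondence table (the unknown fields filled from the first empty packet) and then replays the sequence 301-304 of FIG. 3 to show why a first-come binding is a weakness. The MFC and terminal addresses, the `EmptyPacket` shape and the assumption that the NAT reuses one public IP/Port for both directions of a media flow are all constructed for this model.

```python
"""Model of an MFC correspondence table row and the HNT learning step.
Added example; all addresses below are constructed documentation values."""
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

Addr = Tuple[str, int]  # (IP address, port)
UNKNOWN: Optional[Addr] = None  # the "unknown" marker (101) of FIG. 2


@dataclass
class EmptyPacket:
    """IP packet encapsulating an empty media packet, as seen by the MFC.
    `src` is the IP/Port the NAT apparatus put on the packet after translation."""
    src: Addr
    dst: Addr  # MFC IP/Port reserved for this connection, learnt via signaling


@dataclass
class Correspondence:
    """One row of the MFC table for one media connection of one terminal."""
    mfc_recv: Addr                        # MFC address on which terminal flows arrive
    dst_recv: Addr                        # reception address of the destination apparatus
    term_src: Optional[Addr] = UNKNOWN    # terminal-side sending address (NAT side)
    term_recv: Optional[Addr] = UNKNOWN   # terminal-side reception address (NAT side)
    events: List[str] = field(default_factory=list)  # audit trail an operator could log

    def hnt_needed(self) -> bool:
        """HNT is only required while the SFC has marked the terminal fields unknown."""
        return self.term_src is UNKNOWN or self.term_recv is UNKNOWN

    def hnt_learn(self, pkt: EmptyPacket) -> bool:
        """Fill the unknown fields from the first empty packet reaching the reserved
        MFC address. Returns True when this packet performed the binding."""
        if pkt.dst != self.mfc_recv:
            return False  # not addressed to this connection's reserved port
        if not self.hnt_needed():
            # Row already bound: the MFC keeps the first binding. A second source
            # showing up here is exactly the symptom of step 304 in FIG. 3 and is
            # worth logging, because the first binder is not authenticated.
            self.events.append(
                f"ignored empty packet from {pkt.src}; row already bound to {self.term_src}")
            return False
        self.term_src = pkt.src
        # Model assumption: the NAT uses the same public IP/Port for both
        # directions, so the reception address equals the observed source.
        self.term_recv = pkt.src
        self.events.append(f"bound to {pkt.src}")
        return True

    def allows(self, src: Addr) -> bool:
        """Would the MFC let media from `src` transit on this connection?"""
        return self.term_src == src


def no_nat_row() -> Correspondence:
    """FIG. 1 case: the SFC already supplied the terminal addresses, so no HNT."""
    return Correspondence(mfc_recv=("198.51.100.10", 40000),
                          dst_recv=("203.0.113.5", 50000),
                          term_src=("192.0.2.40", 5000),
                          term_recv=("192.0.2.40", 5000))


def fig3_scenario(first: Addr, second: Addr) -> Correspondence:
    """Steps 301-304: connection reserved with unknown terminal fields (301), then
    two empty packets arrive in the given order (302 and 304)."""
    mfc = ("198.51.100.10", 40000)                     # constructed MFC address
    row = Correspondence(mfc_recv=mfc, dst_recv=("203.0.113.5", 50000))
    row.hnt_learn(EmptyPacket(src=first, dst=mfc))     # whoever sends first binds the row
    row.hnt_learn(EmptyPacket(src=second, dst=mfc))    # the later sender is ignored
    return row


if __name__ == "__main__":
    legit = ("192.0.2.40", 5000)    # NAT address of the given terminal 120
    usurper = ("192.0.2.77", 6000)  # NAT address of the identity-thief terminal 340
    row = fig3_scenario(usurper, legit)
    print("given terminal allowed:", row.allows(legit))      # False
    print("identity-thief allowed:", row.allows(usurper))    # True
    print("\n".join(row.events))
```

Running the script shows the given terminal refused after the usurper's packet bound the row, while reversing the order of the two packets lets the given terminal through; the `events` list is where a defender would hook detection of a second source contending for an already bound row.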
There is therefore need for a technique to overcome these drawbacks of the prior art.
At present, there is no technique for securing the HNT procedure.
The inventors have observed that in certain situations it would be desirable, in the case of a given terminal which has initiated the multimedia connection with an MFC apparatus, to reserve the use of this connection for this terminal in order that it may transmit and/or receive multimedia flows.
This is especially the case when an identity-thief terminal other than the given terminal tries to use the connection set up by the given terminal with an MFC apparatus in order to transmit and/or receive the multimedia flows whereas it is not authorized to do so.