Local area networks (LANs) are increasingly used for carrying telephony services within an organisation or a corporate environment. For the sake of enhanced security, reliability and guarantee of QoS (quality of service), telephony services in a LAN environment are typically carried by packetized voice data traffic using VoIP (voice-over-internet protocol) technology and are separated from ordinary data traffic by segregation of LANs, for example, by VLAN (virtual LAN). A LAN which is dedicated to VoIP telephony services is referred to as a trusted LAN in this specification because of the more stringent demand on service security, reliability and network robustness. On the other hand, a LAN for carrying ordinary data traffic, including a combination of voice and data traffic, is referred to as an “un-trusted network”. The segregation of voice and data LANs means that devices connected to the segregated LANs cannot communicate among themselves directly via the Data Link Layer (layer 2 of the OSI 7-layer model) and communication between such devices will have to take place via an upper layer, that is, the Network Layer.
To safeguard service integrity of a trusted voice network, devices are admitted into the trusted voice network upon satisfactory authentication. Authentication before admission does not pose a major problem for special IP-phones which have a built-in authentication mechanism. However, pre-admission authentication does pose difficulties for devices without dedicated authentication means, such as “off-the-shelf” IP phones or soft-phones, which are software-based VoIP applications running on devices connected to an un-trusted network.
While the segregation of voice and data networks enhances the security, reliability and robustness of a trusted voice network by mitigating the risk of damage spreading over from a malicious attack on the un-trusted network, it also severely limits, if not prevents, communications between voice devices respectively connected to the trusted and un-trusted networks. For example, soft-phones or IP-phones connected to an un-trusted network but without dedicated authentication means will have to go through normal or public internet channels in order to establish voice communication with voice devices connected to the trusted network. However, traffic through normal public internet channels is typically safeguarded by a corporate firewall which is usually configured to block all UDP-based media traffic. As a result, there can be no voice communications between such devices without compromise to the security of the trusted network.
To enhance deployment flexibility, it is desirable that telephony devices connected to a trusted network (referred to below as “trusted voice devices” (TVDs)) and telephony devices connected to an un-trusted network (referred to below as “un-trusted voice devices” (UVDs)) can communicate with each other. However, this flexibility must be on the basis that deployment costs are not substantially increased and security of the networks is not compromised by lowering the security thresholds. Compromise in network security is not acceptable and defeats the initial purpose of having segregated networks for trusted and un-trusted devices. Such flexibility is currently impossible in the segregated VLAN environment mentioned above.
Throughout this specification, the term “Layer” means and refers to a Layer as defined under the OSI (open system interconnection) protocol model, unless the context otherwise requires; the terms “trusted network”, “voice LAN” and “trusted voice network” are equivalent and used interchangeably; and the terms “un-trusted network”, “data LAN” and “data network” are equivalent and used interchangeably. A description of VLAN techniques can be found in, for example, “IEEE Standard for Information technology—Telecommunications and information exchange between systems—IEEE standard for local and metropolitan area networks—Common specifications—Part 3: Media access control (MAC) Bridges, ANSI/IEEE Std 802.1D, 1998 Edition”. This documentation is incorporated herein by reference.