The present invention relates to communications in data networks. More specifically, it relates to a method for processing a media flow through a tunneling association in a data network.
Computer users are becoming increasingly concerned about the privacy of their communications over the Internet. Privacy concerns are an important factor in the continued growth and acceptance of the Internet by society. As the use of the Internet increases, more and more sensitive information is being transmitted over this global network. Companies who cannot afford a private network often transfer sensitive corporate information over the Internet. Also, private citizens are increasingly relying on the Internet for banking and commercial transactions and frequently have to transfer private or personal information over the Internet, such as credit card numbers, social security numbers, or medical information.
Unfortunately, the Internet is not a very secure network. Information is transmitted over the Internet inside Internet Protocol ("IP") packets. These packets typically pass through several routers between transmission by a source computer and reception by a destination computer. At each leg of their journey the packets can be intercepted and inspected. Moreover, the Internet Protocol that is used on global computer networks (such as the Internet) and on many private networks (such as intranets) is not a highly secure protocol. For example, because IP packets include a source address in a header, a hacker or cracker may intercept all IP packets from a particular source IP address. Consequently, the hacker may be able to accumulate all transmissions from the source.
Typically, it is easy to map users to source IP addresses. A determined hacker may extract the source IP address from an IP packet and deduce that the packets are coming from a computer whose IP address is already known. Knowing the location of the source, the hacker may then be able to deduce the identity of the user who sent the IP packet. Even if the hacker cannot exactly identify the user or computer, he may glean sufficient information as to its approximate physical or virtual location. In globally addressed IP subnets it is easy to determine the location or organization of the source computer. For example, an appropriate Domain Name Server ("DNS") inquiry may correlate the IP address with a domain name, and domain names are typically descriptive of the user, location, or the user's organization.
Of course, the sender may encrypt the information inside the IP packets before transmission, e.g. with IP Security ("IPSec"). However, accumulating all the packets from one source address may provide the hacker with sufficient information to decrypt the message. Moreover, encryption at the source and decryption at the destination may be infeasible for certain data formats. For example, streaming data flows, such as multimedia or Voice-over-Internet-Protocol ("VoIP"), may require a great deal of computing power to encrypt or decrypt the IP packets on the fly. The increased strain on computer power may result in jitter, delay, or the loss of some packets. The expense of added computer power might also dampen the customer's desire to invest in VoIP equipment.
Nonetheless, even if the information inside the IP packets could be concealed, the hacker is still capable of reading the source address of the packets. Armed with the source IP address, the hacker may have the capability of tracing any VoIP call and eavesdropping on all calls from that source. One method of thwarting the hacker is to establish a Virtual Private Network ("VPN") by initiating a tunneling connection between edge routers on the public network. For example, tunneling packets between two end-points over a public network is accomplished by encapsulating the IP packet to be tunneled within the payload field of another packet that is transmitted on the public network. The tunneled IP packets, however, may need to be encrypted before the encapsulation in order to hide the source IP address. Once again, due to computer power limitations, this form of tunneling may be inappropriate for the transmission of multimedia or VoIP packets.
Another method for tunneling is network address translation (see e.g., "The IP Network Address Translator", by P. Srisuresh and K. Egevang, Internet Engineering Task Force ("IETF"), Internet Draft <draft-rfced-info-srisuresh-05.txt>, February 1998). However, this type of address translation is also computationally expensive, causes security problems by preventing certain types of encryption from being used, or breaks a number of existing applications in a network that cannot provide network address translation (e.g., File Transfer Protocol ("FTP")). What is more, network address translation interferes with the end-to-end routing principle of the Internet that recommends that packets flow end-to-end between network devices without changing the contents of any packet along a transmission route (see e.g., "Routing in the Internet," by C. Huitema, Prentice Hall, 1995, ISBN 0-131-321-927). Once again, due to computer power limitations, this form of tunneling may be inappropriate for the transmission of multimedia or VoIP packets.
It is therefore desirable to process a media flow through a tunneling association that hides the identity of the originating and terminating ends of the tunneling association from other users of a public network. Hiding the identities may prevent a hacker from intercepting all media flow between the ends.
In accordance with preferred embodiments of the present invention, some of the problems associated with processing a media flow through a tunneling association are overcome. A method and system for processing a media flow through a network device is provided. An aspect of the invention includes a method for processing the media flow at an end of a tunneling association through the network device. One method includes receiving a first message on the network device on a public network associated with a first layer of a protocol stack for the network device. The first message includes a first payload. A determination is made as to whether the first payload includes an indicator that the first payload is associated with a second layer of the protocol stack, and if so, a private network address is obtained from the first payload in the second layer of the protocol stack. The first payload includes the private network address and a second payload. A determination is made as to whether the private network address is recorded on the network device, and if so, a forwarding network address is associated with the private network address. The forwarding network address is associated with a third layer of the protocol stack and is associated with the end of the tunneling association. The third layer is requested to encapsulate and transmit a second message to the end of the tunneling association. The second message includes the forwarding network address and the second payload.
Another method includes receiving a first message in a first layer of a protocol stack for the network device from the end of the tunneling association. The first message includes a first payload. A determination is made as to whether the first payload includes an indicator that the first payload is associated with a second layer of the protocol stack, and if so, a private network address is obtained from the first payload in the second layer of the protocol stack. The first payload includes the private network address and a second payload. A determination is made as to whether the private network address is recorded on the network device, and if so, a public network address is associated with the private network address. The public network address is associated with a third layer of the protocol stack. The third layer is requested to encapsulate and transmit a second message on a public network associated with the third layer. The second message includes the public network address, the private network address, and the second payload.
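The two methods above (the inbound method arriving from the public network and the outbound method arriving from the end of the tunneling association) are easier to follow in code. The following is an added worked example, not code from the patent: a tunnel endpoint keeps a table of recorded private network addresses, checks each first payload for an indicator that it carries a second-layer header, and either strips the private address and forwards the media locally (inbound) or re-encapsulates it toward the peer's public address (outbound), with no encryption of the media itself. The one-byte indicator value, the length-prefixed framing, the `Binding` record layout, and every address and packet are assumptions constructed for this illustration.

```python
"""Added worked example (not the patent's code): a tunnel endpoint that maps
between private and public addresses so the media payload crosses the public
network without encryption and without exposing the ends' addresses.  The
indicator byte, framing, address values and sample packets are constructed."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Hypothetical indicator byte marking a payload that carries a second-layer
# (private-address) header.  Any value both tunnel ends agree on would do.
TUNNEL_INDICATOR = 0x7E


@dataclass(frozen=True)
class Packet:
    """One layer of the stack: the destination address at that layer plus
    an opaque payload handed to the next layer."""
    address: str
    payload: bytes


@dataclass(frozen=True)
class Binding:
    """What the device records for one private address (assumed layout)."""
    forwarding_address: str   # where the local media endpoint really is
    peer_public_address: str  # public address of the other tunnel end


def encapsulate(private_address: str, media: bytes) -> bytes:
    """Second-layer framing: indicator, length-prefixed private address, media."""
    addr = private_address.encode("ascii")
    if len(addr) > 255:
        raise ValueError("private address too long for one-byte length")
    return bytes([TUNNEL_INDICATOR, len(addr)]) + addr + media


def decapsulate(payload: bytes) -> Optional[Tuple[str, bytes]]:
    """Return (private_address, media) if the indicator is present, else None."""
    if len(payload) < 2 or payload[0] != TUNNEL_INDICATOR:
        return None
    n = payload[1]
    if len(payload) < 2 + n:
        return None  # truncated header: not a valid tunnel payload, do not guess
    return payload[2:2 + n].decode("ascii"), payload[2 + n:]


def from_public(bindings: Dict[str, Binding], first: Packet) -> Optional[Packet]:
    """Inbound: public-network packet -> packet for the local forwarding address.

    The private address is stripped, so only the forwarding address and the
    media leave this device; packets for unrecorded private addresses are dropped.
    """
    inner = decapsulate(first.payload)
    if inner is None:
        return None
    private_address, media = inner
    binding = bindings.get(private_address)
    if binding is None:
        return None
    return Packet(address=binding.forwarding_address, payload=media)


def to_public(bindings: Dict[str, Binding], first: Packet) -> Optional[Packet]:
    """Outbound: packet from the local end -> packet for the peer's public address.

    The second message carries the peer's public address, the private address
    and the media, so the public network sees only the two tunnel ends.
    """
    inner = decapsulate(first.payload)
    if inner is None:
        return None
    private_address, media = inner
    binding = bindings.get(private_address)
    if binding is None:
        return None
    return Packet(address=binding.peer_public_address,
                  payload=encapsulate(private_address, media))


# Constructed sample table (RFC 1918 private range, RFC 5737 documentation ranges).
SAMPLE_BINDINGS = {
    "10.0.0.5": Binding(forwarding_address="192.0.2.5",
                        peer_public_address="203.0.113.20"),
}


def demo() -> Tuple[Optional[Packet], Optional[Packet], Optional[Packet]]:
    """Run both directions, plus a packet for a private address that is not recorded."""
    media = b"\x80\x00RTP-sample"  # constructed stand-in for a media payload
    inbound = Packet("203.0.113.10", encapsulate("10.0.0.5", media))
    outbound = Packet("192.0.2.1", encapsulate("10.0.0.5", media))
    unknown = Packet("203.0.113.10", encapsulate("10.0.0.99", media))
    return (from_public(SAMPLE_BINDINGS, inbound),
            to_public(SAMPLE_BINDINGS, outbound),
            from_public(SAMPLE_BINDINGS, unknown))


if __name__ == "__main__":
    for result in demo():
        print(result)
```

The dropping of payloads without the indicator, of truncated headers, and of unrecorded private addresses is the part a practitioner should keep in mind: the address table is the only thing standing between an arbitrary public-network sender and the local forwarding addresses, so entries should be created by the device's own association setup and never inferred from an inbound packet.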
For example, the method and system of the present invention may provide for the processing of a Voice-over-Internet-Protocol media flow between an originating telephony device and a terminating telephony device. The method and system described herein may help ensure that the addresses of the ends of the tunneling association are hidden on the public network and may increase the security of communication without an increased computational burden.
The foregoing and other features and advantages of preferred embodiments of the present invention will be more readily apparent from the following detailed description, which proceeds with references to the accompanying drawings.