IMS (IP Multimedia Subsystem) communication method based on superposition of public network and private network
A communication method and technology for a private network, applied in the field of communication, can solve the problem that public network users cannot directly access the private network, and achieve the effects of reducing the pressure of network resource allocation, improving network security, and protecting privacy.
Pending Publication Date: 2022-05-13
IPLOOK NETWORKS CO LTD
Abstract
The invention discloses an IMS (IP Multimedia Subsystem) communication method based on the superposition of a public network and a private network, which is used to solve the technical problem that a public network user cannot directly access the private network. Specifically, in the IMS communication scheme based on the superposition of the public network and the private network, VXLAN devices are deployed on the public network side and on the private network side respectively, and a UDP tunnel for transmitting communication messages is established between them, so that an operator can switch between and access the public network environment and the private network environment without manually switching a SIM (Subscriber Identity Module) card. When communication messages are exchanged across the two network environments, multiple matching checks and user information authentication reduce the pressure on network resource allocation and improve network security. In addition, the real IP address in the communication message is replaced and the message is encrypted, so that the operator's privacy is protected and network security is further improved.
Application Domain: Networks interconnection; Securing communication
Technology Topic: Resource distribution; Engineering
Example Embodiment
[0079] In order to make the objectives, technical solutions and advantages of the present application clearer, the technical solutions of the present application will be clearly and completely described below with reference to the specific embodiments of the present application and the corresponding drawings. Obviously, the described embodiments are only a part of the embodiments of the present application, but not all of the embodiments. Based on the embodiments in the present application, all other embodiments obtained by those of ordinary skill in the art without creative efforts shall fall within the protection scope of the present application.
[0080] Referring to Figure 1, the present application provides an IMS communication method based on the superposition of a public network and a private network, comprising the following steps:
[0081] S110: Deploy the first VXLAN device on the public network side.
[0082] S120: Deploy a second VXLAN device connected to the first VXLAN device through a UDP tunnel on the private network side.
[0083] It can be understood that VXLAN (Virtual eXtensible Local Area Network) is a tunnelling technology. VXLAN adopts the L2-over-L4 (MAC-in-UDP) encapsulation mode, encapsulating Layer 2 frames in a Layer 3 protocol, which extends a Layer 2 network across a Layer 3 domain while meeting the data center's requirements for large-scale Layer 2 virtual machine migration and multi-tenancy. Simply put, VXLAN uses UDP to connect multiple Layer 2 networks into one larger Layer 2 network. Further, a Layer 2 network usually refers to a network in which processes can communicate directly by MAC address, that is, a simple local area network. A Layer 3 network is usually a network composed of several Layer 2 networks and routers, that is, a relatively large local area network.
[0084] The UDP tunnel is to establish a Layer 2 Ethernet network tunnel on the basis of a Layer 3 network, so as to realize Layer 2 interconnection across regions. To implement the establishment of the UDP tunnel, the first VXLAN device needs to be deployed on the public network side, and the second VXLAN device needs to be deployed on the private network side. The first VXLAN device and the second VXLAN device are connected through a UDP tunnel, so as to realize the interconnection between the public network and the private network.
[0085] S130: The calling UE initiates an IMS service request to the core network.
[0086] S140: The core network sends the IP address and port of the first VXLAN device to the calling UE.
[0087] In this application, the calling UE may be understood as the calling terminal. The core network may adopt an SBA (Service Based Architecture), that is, a service-based architecture design. Specifically, the core network divides a whole with multiple functions into multiple individual components, each with an independent function; each such component can be understood as a network element.
[0088] Those skilled in the art will understand that IMS (IP Multimedia Subsystem) describes a Next Generation Network (NGN) architecture that implements IP-based telephony and multimedia services. IMS defines a complete architecture and framework that allows voice, video, data and mobile network technologies to converge over an IP-based infrastructure. Specifically, the IP Multimedia Subsystem can be understood as a system architecture that unifies the core network into an all-IP network structure and integrates the fixed network with the mobile communication network.
[0089] Referring to Figures 2 and 3, in a specific implementation provided in this application, the calling UE is located in the public network environment. In order for the calling UE to page the called UE located in the private network environment, the calling UE must first register with the IMS network element located in the private network environment.
[0090] After the first VXLAN device is deployed on the public network side and the second VXLAN device is deployed on the private network side, when the calling UE needs IMS services, the calling UE needs to initiate an IMS service request to the core network located in the public network environment.
[0091] Further, in the step S130, the calling UE initiates an IMS service request to the core network, which is represented in a specific application scenario as follows:
[0092] The calling UE requests the 5GC core network for the link of the IMS network element.
[0093] In the step S140, the core network sends the IP address and port of the first VXLAN device to the calling UE, which is shown in the specific application scenario as:
[0094] The 5GC core network selects and checks according to conditions such as the PLMN of the calling UE, the subscription service information of the calling UE, the address pool of the calling UE and the slice ID of the calling UE, and then delivers the IP address and port information of the first VXLAN device to the calling UE.
[0095] S150: The calling UE sends a registration request to the first VXLAN device.
[0096] S160: The first VXLAN device forwards the registration request to the second VXLAN device.
[0097] In the step S160, the first VXLAN device forwards the registration request to the second VXLAN device, which is represented in a specific application scenario as follows:
[0098] The first VXLAN device performs a matching check on the IP address of the calling UE carried in the registration request against the preset IP address pool, and discards any message whose IP address is not one configured on the first VXLAN device.
[0099] It can be understood that screening the IP information of the registration request against the preset IP address pool is, in essence, an administrative authentication of the calling UE. Only when the IP address of the calling UE carried in the registration request successfully matches the preset IP address pool does the first VXLAN device allow the calling UE in the public network environment to exchange messages with the network element or UE in the private network environment. In this way, invalid messages among the many registration requests can be filtered out, and certain traffic attacks can also be prevented.
[0100] When the IP address of the calling UE involved in the registration request is successfully matched with the preset IP address pool, the first VXLAN device performs matching verification on the destination base station information in the registration request according to the destination base station information configured by the current base station.
[0101] When the target base station information in the registration request is successfully matched with the target base station information configured by the current base station, the first VXLAN device performs user information authentication on the calling UE to verify the validity of the calling UE.
[0102] When the user information authentication of the calling UE is passed, the first VXLAN device forwards the registration request to the second VXLAN device.
[0103] It can be understood that invalid messages can be screened out through multiple matching checks and user information authentication, so as to reduce the pressure of network resource allocation. At the same time, multiple matching verification and user information authentication can also verify the validity of the calling UE to improve network security.
[0104] Further, in a specific implementation manner provided by the present application, the step S160 that the first VXLAN device forwards the registration request to the second VXLAN device may also be expressed as:
[0105] The first VXLAN device replaces the IP address of the calling UE involved in the registration request with the IP address of the first VXLAN device, and generates a first protection message.
[0106] The first VXLAN device sends the first protection message to the second VXLAN device.
[0107] It can be understood that the first VXLAN device replaces the IP address of the calling UE in the registration request with the IP address of the first VXLAN device, which in essence protects the IP address information of the calling UE and prevents the real IP address of the calling UE from being leaked, thereby improving network security.
[0108] In addition, before replacing the IP address of the calling UE carried in the registration request with the IP address of the first VXLAN device, the first VXLAN device may first establish a mapping relationship between the IP address of the calling UE and the IP address of the first VXLAN device. In this way, when the first VXLAN device subsequently receives a related message from another UE or network element that carries the IP address of the first VXLAN device, it can look up the IP address of the calling UE through the mapping relationship and deliver the related message to the calling UE.
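As an added illustration (this is not code from the patent or from IPLOOK), the following Python models the first VXLAN device's handling of a registration request in step S160: the three checks of [0098] to [0102] applied in order, the mapping of [0108] recorded before the rewrite, and the source-address replacement of [0105]. The gateway IP, address pool, base station identifier, subscriber credential and session field are constructed placeholders, and keying the mapping on a per-session identifier is an assumption of this example.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field

# Constructed sample configuration (placeholders, not values from the patent):
# the gateway's own IP, its preset IP address pool, the destination base
# station it is configured for, and the subscriber credentials it can check.
GATEWAY_IP = "203.0.113.10"
PRESET_POOL = ["198.51.100.0/24"]
CONFIGURED_BS = "gNB-PRIVATE-01"
SUBSCRIBERS = {"ue-alice": b"alice-secret"}  # user id -> credential (constructed)


@dataclass
class VxlanGateway:
    own_ip: str
    preset_pool: list
    configured_bs: str
    subscribers: dict
    # session id -> real UE IP: the mapping of [0108] that keeps the reverse
    # path once the UE's address has been replaced by own_ip (assumed keying).
    mapping: dict = field(default_factory=dict)

    def ip_in_pool(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in ipaddress.ip_network(net) for net in self.preset_pool)

    def filter_and_protect(self, msg: dict):
        """Apply the S160 checks in order and, if all pass, produce the
        'first protection message' with the UE's IP replaced by own_ip.
        Returns (protected_msg, None), or (None, reason) when discarded."""
        # 1. preset IP address pool matching check ([0098])
        if not self.ip_in_pool(msg["src_ip"]):
            return None, "ip-not-in-preset-pool"
        # 2. destination base station matching check ([0100])
        if msg.get("dest_bs") != self.configured_bs:
            return None, "dest-base-station-mismatch"
        # 3. user information authentication ([0101]); constant-time compare
        expected = self.subscribers.get(msg.get("user"))
        if expected is None or not hmac.compare_digest(expected, msg.get("cred", b"")):
            return None, "user-authentication-failed"
        # record the mapping before rewriting, so replies can be routed back
        self.mapping[msg["session"]] = msg["src_ip"]
        protected = dict(msg)
        protected["src_ip"] = self.own_ip  # hide the UE's real address ([0105])
        return protected, None

    def route_reply(self, reply: dict):
        """Reverse path of [0108]: a reply addressed to own_ip is rewritten to
        the real UE IP found in the mapping; anything else is discarded."""
        if reply.get("dst_ip") != self.own_ip:
            return None, "not-addressed-to-gateway"
        real_ip = self.mapping.get(reply.get("session"))
        if real_ip is None:
            return None, "no-mapping-for-session"
        routed = dict(reply)
        routed["dst_ip"] = real_ip
        return routed, None
```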
[0109] Of course, the above-mentioned hiding of the real IP address information of the calling UE is to improve network security from the perspective of the sender of the registration request. The following introduces an embodiment for protecting the registration request message body.
[0110] Further, in another specific implementation manner provided by this application, in step S160, the first VXLAN device forwards the registration request to the second VXLAN device, which is represented in a specific application scenario as follows:
[0111] The first VXLAN device uses the GTP protocol to encapsulate the registration request sent by the calling UE to generate an encrypted message;
[0112] the first VXLAN device sends the encrypted message to the second VXLAN device;
[0113] The second VXLAN device uses the GTP protocol to parse the encrypted message sent by the first VXLAN device, so as to restore the registration request of the calling UE.
[0114] It can be understood that, in a specific application scenario, the GTP (GPRS Tunnelling Protocol, GPRS Tunneling Protocol) is expressed as a GTP-U routing encapsulation protocol, which is used to encapsulate communication messages. Further, after the communication message is encapsulated, a GTP data packet is generated, and the packet header of the GTP data packet records the encapsulated GTP protocol version number, protocol type, and message type.
[0115] Encapsulating the registration request by using the GTP protocol essentially encrypts the registration request, thereby protecting the body of the registration request message and improving network security.
[0116] Correspondingly, when the first VXLAN device encapsulates the registration request sent by the calling UE with the GTP protocol to generate an encrypted message, the second VXLAN device must parse the encrypted message sent by the first VXLAN device with the GTP protocol in order to restore the registration request of the calling UE.
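As an added example (not code from the patent or from IPLOOK), the following Python builds and parses the GTP-U header whose fields [0114] names (version, protocol type, message type), together with the length and TEID that the same header carries; it is the validation the second VXLAN device would perform on the encapsulated registration request before restoring it. The sample REGISTER payload, TEID and sequence number are constructed.

```python
import struct

# GTP-U (3GPP TS 29.281) header constants. Version 1 and PT=1 identify GTP
# (PT=0 would be GTP', the charging protocol); message type 255 is a G-PDU,
# the type that carries an encapsulated user packet such as the registration request.
GTPU_VERSION = 1
GTPU_PT_GTP = 1
GTPU_MSG_GPDU = 0xFF
GTPU_FLAG_E, GTPU_FLAG_S, GTPU_FLAG_PN = 0x04, 0x02, 0x01
GTPU_MANDATORY_HDR = 8  # flags, message type, length, TEID

# Constructed sample payload standing in for the calling UE's SIP REGISTER.
SAMPLE_REGISTER = b"REGISTER sip:ims.example.invalid SIP/2.0\r\n\r\n"


def gtpu_encapsulate(payload: bytes, teid: int, seq: int = None) -> bytes:
    """Build a G-PDU carrying payload. If seq is given, the S flag is set and
    the four optional octets (sequence, N-PDU number, next extension type) follow."""
    flags = (GTPU_VERSION << 5) | (GTPU_PT_GTP << 4)
    optional = b""
    if seq is not None:
        flags |= GTPU_FLAG_S
        optional = struct.pack("!HBB", seq & 0xFFFF, 0, 0)  # N-PDU 0, no ext header
    # the length field counts every octet after the 8 mandatory header octets
    length = len(optional) + len(payload)
    return struct.pack("!BBHI", flags, GTPU_MSG_GPDU, length, teid) + optional + payload


def gtpu_decapsulate(packet: bytes) -> dict:
    """Parse a GTP-U packet, validating version, protocol type, message type
    and length, and skipping optional fields and extension headers. Raises
    ValueError on anything malformed, which the receiver should discard."""
    if len(packet) < GTPU_MANDATORY_HDR:
        raise ValueError("packet shorter than mandatory GTP-U header")
    flags, msg_type, length, teid = struct.unpack("!BBHI", packet[:GTPU_MANDATORY_HDR])
    version, pt = flags >> 5, (flags >> 4) & 1
    if version != GTPU_VERSION:
        raise ValueError("unsupported GTP version %d" % version)
    if pt != GTPU_PT_GTP:
        raise ValueError("not GTP (PT=0 is GTP')")
    if msg_type != GTPU_MSG_GPDU:
        raise ValueError("not a G-PDU: message type %d" % msg_type)
    body = packet[GTPU_MANDATORY_HDR:]
    if len(body) < length:
        raise ValueError("truncated: length field %d, %d octets present" % (length, len(body)))
    body = body[:length]  # octets beyond the declared length are ignored
    offset = 0
    if flags & (GTPU_FLAG_E | GTPU_FLAG_S | GTPU_FLAG_PN):
        # if any of E/S/PN is set, all four optional octets are present
        if len(body) < 4:
            raise ValueError("optional octets missing")
        next_ext = body[3]
        offset = 4
        if flags & GTPU_FLAG_E:
            # walk the extension-header chain: each header is n*4 octets, its
            # first octet is n and its last octet is the next header type (0 ends)
            while next_ext != 0:
                if offset >= len(body):
                    raise ValueError("extension header chain runs past packet")
                ext_len = body[offset] * 4
                if ext_len == 0 or offset + ext_len > len(body):
                    raise ValueError("bad extension header length")
                next_ext = body[offset + ext_len - 1]
                offset += ext_len
    return {"version": version, "pt": pt, "msg_type": msg_type,
            "teid": teid, "payload": body[offset:]}
```

The header carries no cryptographic protection: GTP-U frames the payload in cleartext, so confidentiality on the UDP tunnel has to come from a separate mechanism.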
[0117] It should be emphasized that the above-mentioned technical means for improving network security may be implemented individually, may also be implemented in combination, or may be implemented selectively. This application does not improperly limit the implementation of the above-mentioned technical means for improving network security.
[0118] S170: The second VXLAN device forwards the registration request to the IMS network element.
[0119] Further, the S170 second VXLAN device forwards the registration request to the IMS network element, which is expressed as follows in a specific application scenario:
[0120] The second VXLAN device replaces the IP address related to the first VXLAN device in the first protection message with the IP address of the second VXLAN device to generate a second protection message;
[0121] The second VXLAN device sends the second protection message to the IMS network element.
[0122] It can be understood that the second VXLAN device replaces the IP address of the first VXLAN device in the first protection message with the IP address of the second VXLAN device, which in essence protects the IP address information of the first VXLAN device and prevents it from being leaked, thereby further improving network security.
[0123] In addition, before replacing the IP address of the first VXLAN device in the first protection message with the IP address of the second VXLAN device, the second VXLAN device may first establish a mapping relationship between the IP address of the first VXLAN device and the IP address of the second VXLAN device. In this way, when the second VXLAN device subsequently receives a related message from another UE or network element that carries the IP address of the second VXLAN device, it can look up the IP address of the first VXLAN device through the mapping relationship and send the related message to the first VXLAN device.
[0124] S180: The IMS network element responds to the registration request and sends the response to the second VXLAN device.
[0125] S190: The second VXLAN device forwards the response to the first VXLAN device.
[0126] S200: The first VXLAN device returns the response to the calling UE.
[0127] So far, the calling UE located in the public network environment completes the registration at the IMS network element located in the private network environment, and the calling UE located in the public network environment can page the called UE located in the private network environment.
[0128] S210: The calling UE and the called UE selectively establish a first communication channel through the first VXLAN device and the second VXLAN device and a UDP tunnel therebetween.
[0129] S220: The calling UE and the called UE perform IMS communication through the first communication channel.
[0130] It can be understood that once the UDP tunnel established between the first VXLAN device and the second VXLAN device is connected, network elements or devices in the public network environment can exchange communication messages with network elements or devices in the private network environment through the UDP tunnel. Therefore, the UDP tunnel can be regarded as a first communication channel for transmitting communication messages between the private network side and the public network side.
[0131] Specifically, the first VXLAN device and the second VXLAN device described in this application, and the UDP tunnel connecting them, are mainly used so that a calling UE located in a public network environment can page a called UE located in a private network environment. Therefore, in a specific application scenario the communication message transmitted in the first communication channel is an IMS communication message. The IMS communication message may be classified as a SIP-type message or an RTP-type message according to the service required by the calling UE. SIP (Session Initiation Protocol) is a signalling control protocol used to create, modify and release sessions with one or more participants; these sessions can be Internet multimedia conferences, IP telephony or multimedia distribution. RTP (Real-time Transport Protocol) is used for real-time voice or video data transmission.
[0132] Further, in step S220, the calling UE and the called UE perform IMS communication through the first communication channel, which is represented in a specific application scenario as follows:
[0133] The calling UE sends an IMS communication message to the first VXLAN device. The first VXLAN device performs a matching check on the IP address related to the calling UE in the IMS communication message according to the preset IP address pool, and discards the message that is not an IP configured by the first VXLAN device.
[0134] Since the base station information configured by the current base station and the target base station information were already matched and verified when the calling UE registered with the IMS network element, the first VXLAN device may selectively perform the matching check on the target base station information.
[0135] Similarly, the first VXLAN device may set multiple security levels, and selectively perform user information authentication on the calling UE to verify the validity of the calling UE.
[0136] Afterwards, the first VXLAN device replaces the IP address of the calling UE involved in the communication message sent by the calling UE with the IP address of the first VXLAN device, and uses the GTP protocol for encapsulation to generate an encrypted communication message.
[0137] The first VXLAN device sends the encrypted communication message to the second VXLAN device.
[0138] The second VXLAN device uses the GTP protocol to parse the encrypted communication message sent by the first VXLAN device, so as to restore the communication message whose IP address is the first VXLAN device.
[0139] Afterwards, the second VXLAN device replaces the IP address of the first VXLAN device in the communication message whose IP address is the first VXLAN device with the IP address of the second VXLAN device to generate a protection communication message.
[0140] Specifically, the second VXLAN device first performs message type verification on the communication message from the first VXLAN device.
[0141] When the message type of the communication message is SIP, the second VXLAN device selectively performs matching check according to the destination base station information carried in the first protection message and the content of the destination base station configured by the current base station.
[0142] Of course, the second VXLAN device may also be provided with multiple security levels, and the user information authentication of the first VXLAN device may be selectively performed to verify the legitimacy of the first VXLAN device.
[0143] Afterwards, the second VXLAN device replaces the IP address of the first VXLAN device in the communication message whose IP address is the first VXLAN device with the IP address of the second VXLAN device to generate a protection communication message. The second VXLAN device sends the protected communication message to the IMS network element. The IMS network element forwards the protected communication message to the called UE.
[0144] When the message type of the communication message is RTP, the second VXLAN device directly replaces the IP address of the first VXLAN device in the communication message whose IP address is the first VXLAN device with the IP address of the second VXLAN device to generate a protection communication message. The second VXLAN device sends the protection communication message to the IMS network element. After the IMS network element has completed the relevant RTP processing, it forwards the protection communication message to the called UE.
[0145] After receiving the protection communication message, the called UE located in the private network environment responds according to the protection communication message, and generates a response message.
[0146] The called UE replies with a response message to the IMS network element on the private network side. The IMS network element on the private network side forwards the response message to the second VXLAN device according to the registration status of the called UE.
[0147] After filtering the response message according to the preset IP pool, the second VXLAN device performs a matching check on the destination base station information in the response message, and performs user information authentication on the called UE to verify the legitimacy of the called UE.
[0148] Then the second VXLAN device replaces the IP address of the called UE in the response message sent by the called UE with the IP address of the second VXLAN device, and encapsulates it using the GTP protocol to generate an encrypted response message.
[0149] The second VXLAN device sends the encrypted response message to the first VXLAN device.
[0150] The first VXLAN device parses the encrypted response message sent by the second VXLAN device using the GTP protocol, so as to restore the response message whose IP address is that of the second VXLAN device.
[0151] Then, in the response message whose IP address is that of the second VXLAN device, the first VXLAN device replaces the IP address of the second VXLAN device with the IP address of the first VXLAN device, generating a protection response message.
[0152] Finally, the first VXLAN device sends the protection response message to the calling UE to complete the SIP interaction.
[0153] In the above embodiment, the calling UE and the core network are located in the public network environment, and the called UE and the IMS network elements are located in the private network environment.
[0154] Referring to Figures 4 and 5, considering the communication requirement in which the calling UE, the core network and the called UE are all located in the public network environment while the IMS network element is located in the private network environment, in another specific implementation provided by this application the process of registering the calling UE with the IMS network element located in the private network environment remains unchanged, that is, steps S110 to S210 remain unchanged. In step S220, the process by which the calling UE sends the IMS communication message to the IMS network element also remains unchanged, and the detailed process by which the IMS network element forwards the protection communication message to the called UE is as follows:
[0155] The IMS network element forwards the protection communication message to the second VXLAN device. The second VXLAN device parses, verifies and encapsulates the protection communication message and forwards it to the first VXLAN device. The first VXLAN device then forwards it to the called UE.
[0156] The detailed process of the called UE replying the response message to the IMS network element on the private network side is as follows:
[0157] The called UE replies with a response message to the first VXLAN device. The first VXLAN device parses, verifies and encapsulates the response message and forwards it to the second VXLAN device. The second VXLAN device then forwards it to the IMS network element.
[0158] In the above embodiment, the calling UE, the core network, and the called UE are located in the public network environment, and the IMS network element is located in the private network environment.
[0159] Referring to Figure 6, considering the communication requirement in which the calling UE and the core network are located in a private network environment while the called UE and the IMS network element are located in a public network environment, the application also provides another IMS communication method based on the superposition of a public network and a private network, comprising the following steps:
[0160] S310: Deploy the first VXLAN device on the private network side.
[0161] S320: Deploy a second VXLAN device connected to the first VXLAN device through a UDP tunnel on the public network side.
[0162] It can be understood that VXLAN (Virtual eXtensible Local Area Network) is a tunnelling technology. VXLAN adopts the L2-over-L4 (MAC-in-UDP) encapsulation mode, encapsulating Layer 2 frames in a Layer 3 protocol, which extends a Layer 2 network across a Layer 3 domain while meeting the data center's requirements for large-scale Layer 2 virtual machine migration and multi-tenancy. Simply put, VXLAN uses UDP to connect multiple Layer 2 networks into one larger Layer 2 network. Further, a Layer 2 network usually refers to a network in which processes can communicate directly by MAC address, that is, a simple local area network. A Layer 3 network is usually a network composed of several Layer 2 networks and routers, that is, a relatively large local area network.
[0163] The UDP tunnel is to establish a Layer 2 Ethernet network tunnel on the basis of a Layer 3 network, so as to realize Layer 2 interconnection across regions. To implement the establishment of the UDP tunnel, the first VXLAN device needs to be deployed on the private network side, and the second VXLAN device needs to be deployed on the public network side. The first VXLAN device and the second VXLAN device are connected through a UDP tunnel, thereby realizing the interconnection between the private network and the public network.
[0164] S330: The calling UE initiates an IMS service request to the core network.
[0165] S340: The core network sends the IP address and port of the first VXLAN device to the calling UE.
[0166] Referring to Figures 7 and 8, in a specific implementation provided in this application, the calling UE may be understood as the calling terminal, and the calling UE is located in a private network environment. In order for the calling UE to page the called UE located in the public network environment, the calling UE must first register with the IMS network element located in the public network environment.
[0167] After the first VXLAN device is deployed on the private network side and the second VXLAN device is deployed on the public network side, when the calling UE needs IMS services, the calling UE needs to initiate an IMS service request to the core network in the private network environment.
[0168] Further, in the step S330, the calling UE initiates an IMS service request to the core network, which is represented in a specific application scenario as follows:
[0169] The calling UE requests the 5GC core network for the link of the IMS network element.
[0170] In the step S340, the core network sends the IP address and port of the first VXLAN device to the calling UE, which is shown in the specific application scenario as:
[0171] The 5GC core network selects and checks according to conditions such as the PLMN of the calling UE, the subscription service information of the calling UE, the address pool of the calling UE and the slice ID of the calling UE, and then delivers the IP address and port information of the first VXLAN device to the calling UE.
[0172] S350: The calling UE sends a registration request to the first VXLAN device.
[0173] S360: The first VXLAN device forwards the registration request to the second VXLAN device.
[0174] In the step S360, the first VXLAN device forwards the registration request to the second VXLAN device, which is represented in a specific application scenario as follows:
[0175] The first VXLAN device performs a matching check on the IP address of the calling UE carried in the registration request against the preset IP address pool, and discards any message whose IP address is not one configured on the first VXLAN device.
[0176] It can be understood that screening the IP information of the registration request against the preset IP address pool is, in essence, an administrative authentication of the calling UE. Only when the IP address of the calling UE carried in the registration request successfully matches the preset IP address pool does the first VXLAN device allow the calling UE in the private network environment to exchange messages with the network element or UE in the public network environment. In this way, invalid messages among the many registration requests can be filtered out, and certain traffic attacks can also be prevented.
[0177] When the IP address of the calling UE involved in the registration request is successfully matched with the preset IP address pool, the first VXLAN device performs matching verification on the destination base station information in the registration request according to the destination base station information configured by the current base station.
[0178] When the target base station information in the registration request is successfully matched with the target base station information configured by the current base station, the first VXLAN device performs user information authentication on the calling UE to verify the validity of the calling UE.
[0179] When the user information authentication of the calling UE is passed, the first VXLAN device forwards the registration request to the second VXLAN device.
[0180] It can be understood that invalid messages can be screened out through multiple matching checks and user information authentication, so as to reduce the pressure of network resource allocation. At the same time, multiple matching verification and user information authentication can also verify the validity of the calling UE to improve network security.
[0181] Further, in a specific implementation manner provided by this application, the step S360 that the first VXLAN device forwards the registration request to the second VXLAN device may also be expressed as:
[0182] The first VXLAN device replaces the IP address of the calling UE involved in the registration request with the IP address of the first VXLAN device, and generates a first protection message.
[0183] The first VXLAN device sends the first protection message to the second VXLAN device.
[0184] It can be understood that the first VXLAN device replacing the IP address of the calling UE in the registration request with the IP address of the first VXLAN device essentially protects the IP address information of the calling UE, avoiding leakage of the real IP address information of the calling UE and thereby improving network security.
[0185] In addition, before replacing the IP address of the calling UE carried in the registration request with the IP address of the first VXLAN device, the first VXLAN device may further establish a mapping relationship between the IP address of the calling UE and the IP address of the first VXLAN device, so that when the first VXLAN device subsequently receives a related message from another UE or network element that carries the IP address of the first VXLAN device, it can obtain the IP address of the calling UE through the mapping relationship and send the related message to the calling UE.
[0186] Of course, the above-mentioned hiding of the real IP address information of the calling UE is to improve network security from the perspective of the sender of the registration request. The following introduces an embodiment for protecting the registration request message body.
[0187] Further, in another specific implementation manner provided by this application, in step S360, the first VXLAN device forwards the registration request to the second VXLAN device, which is represented in a specific application scenario as follows:
[0188] The first VXLAN device uses the GTP protocol to encapsulate the registration request sent by the calling UE to generate an encrypted message;
[0189] the first VXLAN device sends the encrypted message to the second VXLAN device;
[0190] The second VXLAN device uses the GTP protocol to parse the encrypted message sent by the first VXLAN device, so as to restore the registration request of the calling UE.
[0191] It can be understood that, in a specific application scenario, the GTP (GPRS Tunnelling Protocol) takes the form of the GTP-U encapsulation protocol, which is used to encapsulate communication messages. After a communication message is encapsulated, a GTP data packet is generated, and the packet header of the GTP data packet records the GTP protocol version number, protocol type, and message type of the encapsulation.
[0192] Encapsulating the registration request by using the GTP protocol essentially encrypts the registration request, thereby protecting the body of the registration request message and improving network security.
[0193] Correspondingly, when the first VXLAN device encapsulates the registration request sent by the calling UE using the GTP protocol to generate an encrypted message, the second VXLAN device needs to parse the encrypted message sent by the first VXLAN device using the GTP protocol to restore the registration request of the calling UE.
[0194] It should be emphasized that the above-mentioned technical means for improving network security may be implemented individually, may also be implemented in combination, or may be implemented selectively. This application does not improperly limit the implementation of the above-mentioned technical means for improving network security.
[0195] S370: The second VXLAN device forwards the registration request to the IMS network element.
[0196] Further, the second VXLAN device of S370 forwards the registration request to the IMS network element, which is expressed as follows in a specific application scenario:
[0197] The second VXLAN device replaces the IP address related to the first VXLAN device in the first protection message with the IP address of the second VXLAN device to generate a second protection message;
[0198] The second VXLAN device sends the second protection message to the IMS network element.
[0199] It can be understood that the second VXLAN device replacing the IP address of the first VXLAN device in the first protection message with the IP address of the second VXLAN device essentially protects the IP address information of the first VXLAN device, preventing the IP address information of the first VXLAN device from leaking and further improving network security.
[0200] In addition, before replacing the IP address of the first VXLAN device in the first protection message with the IP address of the second VXLAN device, the second VXLAN device may further establish a mapping relationship between the IP address of the first VXLAN device and the IP address of the second VXLAN device, so that when the second VXLAN device subsequently receives a related message from another UE or network element that carries the IP address of the second VXLAN device, it can obtain the IP address of the first VXLAN device through the mapping relationship and send the related message to the first VXLAN device.
[0201] Then S380: The IMS network element responds to the registration request, and sends the response to the second VXLAN device.
[0202] S390: The second VXLAN device forwards the response to the first VXLAN device.
[0203] S400: The first VXLAN device returns the response to the calling UE.
[0204] So far, the calling UE located in the private network environment completes the registration at the IMS network element located in the public network environment, and the calling UE located in the private network environment can page the called UE located in the public network environment.
[0205] S410: The calling UE and the called UE selectively establish a first communication channel through the first VXLAN device and the second VXLAN device and the UDP tunnel therebetween.
[0206] S420: The calling UE and the called UE perform IMS communication through the first communication channel.
[0207] It can be understood that when the UDP tunnel established between the first VXLAN device and the second VXLAN device is connected, a network element or device in the private network environment can exchange communication messages through the UDP tunnel with a network element or device in the public network environment. Therefore, the UDP tunnel can be regarded as a first communication channel for transmitting communication messages between the private network side and the public network side.
[0208] Specifically, the first VXLAN device and the second VXLAN device described in this application, and the UDP tunnel connection between the two, are mainly used so that a calling UE located in a private network environment can page a called UE located in a public network environment. Therefore, the communication message transmitted in the first communication channel is, in a specific application scenario, an IMS communication message. The IMS communication message may be classified as a SIP-type message or an RTP-type message according to the service required by the calling UE. SIP (Session Initiation Protocol), a signaling control protocol, is used to create, modify and release sessions of one or more participants; these sessions can be Internet multimedia conferences, IP telephony or multimedia distribution. RTP (Real-time Transport Protocol) is used for real-time voice or video data transmission.
[0209] Further, in step S420, the calling UE and the called UE perform IMS communication through the first communication channel, which is represented in a specific application scenario as follows:
[0210] The calling UE sends an IMS communication message to the first VXLAN device. The first VXLAN device performs a matching check on the IP address related to the calling UE in the IMS communication message according to the preset IP address pool, and discards the message that is not an IP configured by the first VXLAN device.
[0211] Since the base station information configured by the current base station and the target base station information have been matched and verified when the calling UE registers the IMS network element, the first VXLAN device can selectively perform matching verification on the target base station information.
[0212] Similarly, the first VXLAN device may set multiple security levels, and selectively perform user information authentication on the calling UE to verify the validity of the calling UE.
[0213] Afterwards, the first VXLAN device replaces the IP address of the calling UE involved in the communication message sent by the calling UE with the IP address of the first VXLAN device, and uses the GTP protocol for encapsulation to generate an encrypted communication message.
[0214] The first VXLAN device sends the encrypted communication message to the second VXLAN device.
[0215] The second VXLAN device uses the GTP protocol to parse the encrypted communication message sent by the first VXLAN device, so as to restore the communication message whose IP address is that of the first VXLAN device.
[0216] Afterwards, the second VXLAN device replaces the IP address of the first VXLAN device in that communication message with the IP address of the second VXLAN device to generate a protection communication message.
[0217] Specifically, the second VXLAN device first performs message type verification on the communication message from the first VXLAN device.
[0218] When the message type of the communication message is SIP, the second VXLAN device selectively performs matching check according to the destination base station information carried in the first protection message and the content of the destination base station configured by the current base station.
[0219] Of course, the second VXLAN device may also be provided with multiple security levels, and the user information authentication of the first VXLAN device may be selectively performed to verify the legitimacy of the first VXLAN device.
[0220] Afterwards, the second VXLAN device replaces the IP address of the first VXLAN device in the communication message whose IP address is that of the first VXLAN device with the IP address of the second VXLAN device to generate a protection communication message. The second VXLAN device sends the protection communication message to the IMS network element. The IMS network element forwards the protection communication message to the called UE.
[0221] When the message type of the communication message is RTP, the second VXLAN device directly replaces the IP address of the first VXLAN device in the communication message whose IP address is that of the first VXLAN device with the IP address of the second VXLAN device to generate a protection communication message. The second VXLAN device sends the protection communication message to the IMS network element. After the IMS network element has completed the relevant RTP processing, it forwards the protection communication message to the called UE.
[0222] After receiving the protection communication message, the called UE located in the public network environment responds according to the protection communication message, and generates a response message.
[0223] The called UE replies with a response message to the IMS network element on the public network side. The IMS network element on the public network side forwards the response message to the second VXLAN device according to the registration status of the called UE.
[0224] After filtering the response message according to the preset IP pool, the second VXLAN device performs matching verification on the destination base station information in the response message, and performs user information authentication on the called UE to verify the legitimacy of the called UE.
[0225] Then the second VXLAN device replaces the IP address of the called UE involved in the response message sent to the called UE with the IP address of the second VXLAN device, and encapsulates it using the GTP protocol to generate an encrypted response message.
[0226] The second VXLAN device sends the encrypted response message to the first VXLAN device.
[0227] The first VXLAN device parses the encrypted response message sent by the second VXLAN device using the GTP protocol, so as to restore the response message whose IP address is that of the second VXLAN device.
[0228] Then, the first VXLAN device replaces the IP address of the second VXLAN device in that response message with the IP address of the first VXLAN device, and generates a protection response message.
[0229] Finally, the first VXLAN device sends the protection response message to the calling UE to complete the SIP interaction.
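The relay pipeline described for S360/S370 and for the S420 message flow above (IP-pool, base-station and user checks, IP replacement with a mapping for the reverse path, message-type verification, and GTP-U encapsulation between the two VXLAN devices), as an added Python example that is not the application's own code. The addresses, base-station ID, credential tokens and the JSON message shape standing in for SIP/RTP are constructed assumptions.

```python
import json
import struct

# Added example (not the application's code); addresses, IDs and tokens below are constructed.
GTPU_FLAGS = 0x30   # GTP version 1, protocol type 1 (GTP), no optional header fields
GTPU_GPDU = 0xFF    # message type G-PDU: the header carries an encapsulated user packet

def gtpu_encapsulate(payload: bytes, teid: int) -> bytes:
    """Prepend the 8-byte mandatory GTP-U header: flags, message type, length, TEID."""
    return struct.pack("!BBHI", GTPU_FLAGS, GTPU_GPDU, len(payload), teid) + payload

def gtpu_decapsulate(packet: bytes) -> tuple:
    """Parse the header back and reject anything that is not a well-formed G-PDU."""
    flags, mtype, length, teid = struct.unpack("!BBHI", packet[:8])  # struct.error if truncated
    if flags >> 5 != 1 or not flags & 0x10 or mtype != GTPU_GPDU or length != len(packet) - 8:
        raise ValueError("not a well-formed GTP-U G-PDU")
    return teid, packet[8:]

class VxlanDevice:
    """Relay device with a preset IP pool, base-station IDs and a sender/credential table."""
    def __init__(self, own_ip, token, pool, bs_ids, users):
        self.own_ip, self.token = own_ip, token
        self.pool, self.bs_ids, self.users = set(pool), set(bs_ids), dict(users)
        self.mapping = {}   # (session, inbound?) -> real IP hidden behind own_ip

    def check(self, msg, full=True) -> bool:
        """IP-pool match always; base-station match and sender authentication when full."""
        if msg["src"] not in self.pool:                 # not an IP configured on this device
            return False
        if full and msg["bs"] not in self.bs_ids:       # destination base station mismatch
            return False
        if full and self.users.get(msg["src"]) != msg["auth"]:   # sender not authenticated
            return False
        return True

    def translate(self, msg) -> dict:
        """Hide the real source behind own_ip; if addressed to this device, restore the mapped dst."""
        inbound = msg["dst"] == self.own_ip
        self.mapping[(msg["session"], inbound)] = msg["src"]
        out = {**msg, "src": self.own_ip, "auth": self.token}
        if inbound:
            out["dst"] = self.mapping[(msg["session"], False)]   # recorded on the forward pass
        return out

def hop(dev_in: VxlanDevice, dev_out: VxlanDevice, msg: dict, teid: int = 0x1001):
    """One tunnel leg: check and translate on dev_in, GTP-U, parse, check and translate on dev_out."""
    if not dev_in.check(msg):
        return None                                     # discarded, never enters the tunnel
    packet = gtpu_encapsulate(json.dumps(dev_in.translate(msg)).encode(), teid)
    _, payload = gtpu_decapsulate(packet)
    inner = json.loads(payload.decode())
    # message type verification on dev_out: SIP gets the full checks, RTP only the pool match
    if not dev_out.check(inner, full=inner["type"] == "SIP"):
        return None
    return dev_out.translate(inner)

# Constructed topology: UE and first device on the private side, the rest on the public side.
UE, DEV1, DEV2, IMS, CALLED = "10.10.1.5", "10.10.0.1", "203.0.113.1", "203.0.113.9", "198.51.100.7"
first = VxlanDevice(DEV1, "tok-dev1", {UE, DEV2}, {"gNB-01"}, {UE: "tok-ue1", DEV2: "tok-dev2"})
second = VxlanDevice(DEV2, "tok-dev2", {DEV1, CALLED}, {"gNB-01"}, {DEV1: "tok-dev1", CALLED: "tok-ue2"})

def register_and_reply():
    """Registration request towards the IMS NE, then the called side's response back to the UE."""
    req = {"session": "s1", "src": UE, "dst": IMS, "bs": "gNB-01", "auth": "tok-ue1",
           "type": "SIP", "body": "REGISTER"}
    to_ims = hop(first, second, req)    # second protection message: source is now DEV2
    resp = {"session": "s1", "src": CALLED, "dst": DEV2, "bs": "gNB-01", "auth": "tok-ue2",
            "type": "SIP", "body": "200 OK"}
    to_ue = hop(second, first, resp)    # destination restored through both mappings
    return to_ims, to_ue
```

As the header layout shows, GTP-U adds framing and a TEID but no cipher, so confidentiality of the encapsulated body on the UDP path comes from protecting the tunnel itself (for example with IPsec) rather than from the encapsulation alone.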
[0230] In the above embodiment, the calling UE and the core network are located in the private network environment, and the called UE and the IMS network elements are located in the public network environment.
[0231] Referring to Figure 9 and Figure 10, consider the communication requirement in which the calling UE, the core network and the called UE are located in the private network environment, and the IMS network element is located in the public network environment.
[0232] In another specific implementation manner provided in this application, the process of registering the calling UE located in the private network environment with the IMS network element located in the public network environment remains unchanged, that is, steps S310-S410 remain unchanged. In step S420, the flow of the calling UE sending the IMS communication message to the IMS network element remains unchanged, and the flow of the IMS network element forwarding the protected communication message to the called UE is detailed as follows:
[0233] The IMS network element forwards the protection communication message to the second VXLAN device. The second VXLAN device performs parsing, verification and encapsulation processing on the protection communication message, and forwards it to the first VXLAN device. The first VXLAN device then forwards it to the called UE.
[0234] The detailed process of the called UE replying the response message to the IMS network element on the public network side is as follows:
[0235] The called UE replies with a response message to the first VXLAN device. The first VXLAN device performs parsing, verification and encapsulation processing on the response message, and forwards it to the second VXLAN device. The second VXLAN device then forwards it to the IMS network element.
[0236] To sum up, the IMS communication solution based on the superposition of the public network and the private network provided by the present application establishes a UDP tunnel for transmitting communication messages by setting VXLAN devices on the public network side and the private network side, so that the operator can switch access between the public network environment and the private network environment without manually switching the SIM card. When communication messages are exchanged between different network environments, multiple matching verifications and user information authentication are performed to reduce the pressure of network resource allocation and improve network security. Also, by replacing the real IP of the communication message and encrypting the communication message, the privacy of the operator is protected and network security is further improved.
[0237] It should be noted that the terms "comprising", "including" or any other variation thereof are intended to cover a non-exclusive inclusion, such that a process, method, article or device comprising a series of elements includes not only those elements but also other elements not expressly listed, or elements inherent to such a process, method, article of manufacture or apparatus. Without further limitation, the phrase "comprising a..." qualifying an element does not preclude the presence of additional identical elements in a process, method, article of manufacture, or apparatus that includes the element.
[0238] It will be appreciated by those skilled in the art that the embodiments of the present application may be provided as a method, a system or a computer program product. Accordingly, the present application may take the form of an entirely hardware embodiment, an entirely software embodiment, or an embodiment combining software and hardware aspects. Furthermore, the present application may take the form of a computer program product embodied on one or more computer-usable storage media (including, but not limited to, disk storage, CD-ROM, optical storage, etc.) having computer-usable program code embodied therein.
[0239] The above descriptions are merely examples of the present application, and are not intended to limit the present application. Various modifications and variations of this application are possible for those skilled in the art. Any modification, equivalent replacement, improvement, etc. made within the spirit and principle of the present application shall be included within the scope of the claims of the present application.