Patent abstract:
Various modalities include methods and systems for provisioning Traversal Using Relays around Network Address Translation (TURN) credentials and servers for network address translation/firewall (NAT/FW) traversal through a voice over Internet Protocol/web real-time communication (VoIP/WebRTC) signaling channel. The method comprises receiving, on a signaling communication port, a signaling message from a first electronic device (ED) when the first electronic device registers with the signaling communication port or sends other signaling messages to request a TURN credential. The signaling message comprises one or more signaling message parameters. The signaling message further comprises a request for the signaling communication port to generate a TURN credential for the first electronic device, in which the TURN credential is associated with one or more signaling message parameters. The method involves sending the TURN credential from the signaling communication port to the first electronic device.
Publication number: BR112017002343B1
Application number: R112017002343
Filing date: 2015-08-13
Publication date: 2020-01-21
Inventors: Ren Huipeng; Wang Xiaobo; Zhang Xuwu
Applicant: Huawei Tech Co Ltd
Main IPC class:
Patent description:

APPARATUS AND METHOD FOR PROVISIONING TRAVERSAL USING RELAYS AROUND NETWORK ADDRESS TRANSLATION (TURN) CREDENTIALS AND SERVERS
TECHNICAL FIELD
[0001] The present disclosure relates, in general, to the provisioning of TURN credentials.
BACKGROUND
[0002] A Network Address Translation (NAT) device modifies an Internet Protocol (IP) header when a packet passes through the NAT device. NAT devices are widely deployed on home/business networks and the internet. NAT devices, however, break Voice over Internet Protocol (VoIP) calls.
[0003] Some firewalls are configured to block User Datagram Protocol (UDP) and allow only Hypertext Transfer Protocol (HTTP) (TCP 80) or Secure HTTP (HTTPS) (TCP 443) to pass, usually for security reasons. Because voice packets are sent over UDP, firewalls that block UDP also block voice traffic. In summary, both NAT and firewalls that block UDP can block media communication over VoIP and result in one-way or no voice.
[0004] Therefore it would be desirable to provide enhanced NAT / Firewall traversal.
SUMMARY
[0005] According to one modality, a method is provided for provisioning a Traversal Using Relays around Network Address Translation (TURN) credential and server in a communication system, in which the communication system comprises a signaling communication port, a TURN server and an electronic device. The method comprises receiving, on the signaling communication port, a signaling message from a first electronic device (ED) when the first electronic device registers with the signaling communication port or sends other signaling messages to request a TURN credential. The signaling message comprises one or more signaling message parameters. The signaling message additionally comprises a request for the signaling communication port to generate a TURN credential for the first ED. The TURN credential is associated with one or more authentication message parameters. The method involves sending the TURN credential to the first ED from the signaling communication port.
Petition 870170007785, of 02/03/2017, p. 155/192
[0006] In another modality, an electronic device is provided for provisioning a Traversal Using Relays around Network Address Translation (TURN) credential and server in a communication system, in which the communication system comprises a signaling communication port and a TURN server. The electronic device comprises a processor and memory coupled to the processor. The electronic device is configured to send a signaling message to a signaling communication port. The signaling message comprises one or more signaling message parameters. The signaling message additionally comprises a request for the signaling communication port to generate a TURN credential for the first ED. The TURN credential is associated with one or more signaling message parameters. The electronic device is configured to receive the TURN credential from the signaling communication port.
[0007] In another modality, a signaling communication port is provided. The signaling communication port comprises a processor and memory coupled to the processor. The signaling communication port is configured to receive a signaling message from a first electronic device (ED). The signaling message comprises one or more signaling message parameters. The signaling message additionally comprises a request for the signaling communication port to generate a TURN credential for the first ED. The TURN credential is associated with one or more authentication message parameters. The signaling communication port is configured to send the TURN credential to the first ED.
BRIEF DESCRIPTION OF THE DRAWINGS
[0008] For a more complete understanding of the present disclosure, and the advantages of it, reference is now made to the descriptions below taken in combination with the attached drawings, in which similar numbers designate similar objects, and in which:
[0009] Figure 1 illustrates a NAT device that translates a packet source IP / port to a new value;
[0010] Figures 2A to 2C illustrate diagrams of ICE/STUN/TURN NAT/Firewall traversal solutions for P2P communication;
[0011] Figure 3 illustrates an example of a VoIP call flowchart using ICE / STUN / TURN;
[0012] Figure 4 illustrates a call flow chart of a system for providing TURN credentials and servers for traversing NAT / FW through a VoIP / WebRTC signaling channel according to a modality;
[0013] Figure 5 illustrates a call flow chart of a system for providing a dynamic TURN server or providing a dynamic TURN credential according to a modality;
[0014] Figure 6 illustrates a block diagram of a signaling communication port according to a modality;
[0015] Figure 7 illustrates a block diagram of an electronic device (ED) according to a modality; and
[0016] Figure 8 illustrates a flow chart illustrating a NAT traversal method according to a modality.
DETAILED DESCRIPTION
[0017] An example of a NAT device 102 is shown in Figure 1, where the NAT device 102 translates the source IP/port of a packet 104 to a new value 106 (for example, 10.0.1.1:6554 -> 1.2.3.4:8877) as the packet passes through it. NAT devices can address the shortage of Internet Protocol version 4 (IPv4) addresses by reusing private IP addresses. NAT devices also hide internal network topologies from the outside for security protection. NAT devices, however, break Voice over Internet Protocol (VoIP) calls. NAT breaks VoIP calls because the originating UE sends its private (untranslated) address as the media address in the signaling message when the call is being established. Because private addresses cannot be routed on public networks, media packets sent to a private address will be discarded by routers or switches on the route and do not reach the peer UE.
[0018] One solution to the above NAT/firewall issue is to use ICE/STUN/TURN. Figures 2A to 2C illustrate simplified steps for ICE/STUN/TURN. As illustrated in Figure 2A, during a first step, a first UE 202 collects its public and relay addresses by sending a request to a STUN or TURN server (shown as a TURN server 210 in Figure 2A). As shown in Figure 2B, during a second step, the first UE 202 sends the collected media candidates to the peer, a second UE 204. The second UE 204 collects its public and relay addresses by sending a request to the TURN server 210 and sends its collected media candidates to the first UE 202. As illustrated in Figure 2C, during a third step, the first and second UEs 202, 204 probe media paths 208 by sending connectivity check messages over each possible route and select a route that works.
[0019] Figure 3 illustrates an example of a VoIP call flow 300 using ICE/STUN/TURN. In the illustrated example, two UEs 302, 304 collect candidate addresses (public and relay addresses), exchange media candidates via signaling messages (steps 306, 308), perform a connectivity check (steps 310, 312), and exchange media through a selected media path (step 314). Because UEs 302, 304 are behind symmetric NAT 303, their connectivity check for public addresses fails (step 310). UEs 302, 304 switch to using a TURN relay server 316 for media communication (step 312). The UE registration process is not shown in Figure 3 for simplicity.
[0020] ICE/STUN/TURN are among the most common NAT/Firewall traversal solutions for P2P communication and have recently been adopted by the World Wide Web Consortium (W3C) and the IETF for Web Real-Time Communication (WebRTC) as the required NAT traversal mechanism. WebRTC allows users to make voice or video calls with a web browser. Because browsers are readily available on most types of electronic devices (desktop computers, smart phones, tablet/pad computers, etc.), WebRTC is considered a disruptive technology due to its potential for large user bases and its ability to integrate voice/video with web applications. Therefore, a scalable, secure and efficient ICE/TURN/STUN solution is desirable.
[0021] There are several disadvantages with the existing ICE/STUN/TURN solutions. One disadvantage is the provisioning of a TURN credential. For example, the TURN standard defines a mechanism for user authentication using long-term TURN credentials. When a UE sends a request to the TURN server, the TURN server challenges the UE with a random value and the UE has to send an authentication code computed with the shared credential to authenticate itself. This is critical to security. Otherwise, hackers can send a flood of requests to exhaust resources on the TURN server, for example, relay addresses or table entries.
[0022] However, current standards do not specify how to provide long-term credentials for UEs. Common practices include:
a. Manual configuration: this approach is not scalable for a large number of users, for example, for WebRTC where credentials need to be configured for millions of users.
b. Use of a device management channel: this approach works only for devices that support a device management function, for example, smart phones. It does not work for WebRTC because browsers do not use device management functions.
c. Shared user name/password: this approach works only when the number of users is small and is not secure when the number of users is large or for users who frequently join/leave a group, so it is not acceptable for service providers.
d. Reusing other service credentials such as a WebRTC username/password: this approach has several disadvantages:
i. The TURN server may not know the service credentials (for example, the TURN server belongs to a third party), so it is difficult to use this approach if the TURN server and the service credential belong to different groups or organizations;
ii. Due to the fact that the TURN username and authentication code can be sent in clear text, the use of service credentials increases the risk of username leakage and offline password cracking attacks.
[0023] Several approaches have recently been proposed to the IETF and other standardization bodies in relation to TURN credential management.
a. RFC 7065 “Traversal Using Relays around NAT (TURN) Uniform Resource Identifiers” by M. Petit-Huguenin et al. This RFC defines the format for encoding the TURN server address and protocols in a message, for example, an HTTP response. However, it does not define a mechanism to provide TURN credentials.
b. Retrieving TURN credentials through REST API calls to a web server. In this approach, a UE sends an HTTP request to a URL (API) on a web server to retrieve TURN parameters, which include a user name and password (credentials). However, this mechanism does not specify how the UE can be authenticated by the web server, for example, if the TURN server belongs to a third party, or if the web server does not have a user authentication function (for example, users use an IMS identity, not a web identity, to access WebRTC services). Therefore, this approach only moves the authentication problem from the TURN server to the web server. Because there is no guarantee that the web server will always authenticate a user, its application is limited and depends on the web server functions.
c. OAuth code approach. In this approach, a TURN server redirects a user to authenticate to a WebRTC server first. The WebRTC server then returns an OAuth code, which is used by the UE to authenticate itself to a TURN server. Some of the disadvantages of this approach are that:
I. The TURN protocol needs to be changed to send / process the OAuth code.
II. The OAuth code may not be available in the existing service architecture. For example, for WebRTC service, when a user uses IMS ID to authenticate, there is no OAuth code used according to the service architecture proposed by 3GPP. Therefore, the existing architecture needs to be changed.
III. Code leak. Due to the fact that TURN messages are usually sent without encryption, if the UE sends a code in the TURN message, it is possible for an attacker to intercept or hack TURN messages and capture the OAuth code. This is a serious security issue that can be used by attackers to steal a user's identity or take over sessions, etc.
d. Providing TURN credentials using the VoIP signaling channel. In this approach, a user first authenticates to a VoIP/WebRTC server, and then the server returns a user name and password to the user. This approach has the advantage of being secure because the user is authenticated by the WebRTC or VoIP server during registration. This approach is also simple and scalable because it relies on the scalability of the signaling channel. A disadvantage is that it does not explain how to send the generated credential to the TURN server (from the WebRTC or VoIP server), and it does not support dynamic change of the credential, for example, for the anonymous calls discussed below.
[0024] Because TURN messages are often sent in clear text, it is possible for an attacker or third party to discover user call information by tracking the username in TURN messages. This can reveal the user's call time, call destination (IP), call duration, etc. It is possible to reveal user call IDs if attackers use active attack techniques, for example, calling a user first and analyzing the user's TURN message to discover their TURN username, etc. Therefore, it may be desirable to change the TURN username regularly. For example, it is desirable to change the TURN username to a different username for anonymous calls. Current approaches do not allow the user to retrieve a new TURN username for anonymous calls or to change usernames regularly to avoid privacy concerns.
[0025] In accordance with the present disclosure, a method for providing TURN credentials (for example, username/password) using a VoIP/WebRTC signaling channel is provided. The method provides a mechanism for managing credentials between the signaling communication port (for example, the VoIP/WebRTC signaling communication port) and the TURN server. The method provides a mechanism for handling users in different domains. The method provides a mechanism for controlling credential expiration time and credential revocation. The method provides a mechanism for the ED to renew a credential at any time, for example, before anonymous calls, to protect user privacy. The method provides a mechanism to retrieve TURN servers dynamically, for example, based on network condition or security concerns.
[0026] A modality of a system 400 for provisioning TURN credentials and servers for NAT/FW traversal through a VoIP/WebRTC signaling channel in accordance with the present disclosure is described with reference to the call flow chart in Figure 4. System 400 includes a first electronic device (ED) 402, a first NAT/Firewall 404, a signaling communication port 406 such as a VoIP/WebRTC signaling communication port, a second NAT/Firewall 409, a TURN server 408 and a second ED 412. Signaling communication port 406 can integrate TURN signaling, media and functions together. The first and second EDs 402, 412 are configured to operate and/or communicate on system 400. For example, EDs 402, 412 are configured to transmit and/or receive wireless signals or wired signals. Each ED 402, 412 represents any suitable end user device and may include such devices (or may be named) as a user equipment/device (UE), wireless transmit/receive unit (WTRU), mobile station, fixed or mobile subscriber unit, pager, cell phone, personal digital assistant (PDA), smart phone, laptop computer, computer, touch-sensitive device, wireless sensor or consumer electronic device. An example of a signaling protocol used in the system is Session Initiation Protocol over WebSocket (SIP over WS).
[0027] Signaling communication port 406 may include an operating system that provides executable program instructions for the general administration and operation of that communication port, and will typically include computer-readable media that stores instructions that, when executed by a processor of the signaling communication port 406, allows the signaling communication port 406 to perform its intended functions. Deployments suitable for the operating system and general functionality of the signaling communication port are known or commercially available, and are readily deployed by persons of ordinary skill in the art.
[0028] When the first ED 402 registers with signaling communication port 406, such as a VoIP signaling server (for example, a Proxy Call Session Control Function (P-CSCF)) or a WebRTC signaling server (for example, an eP-CSCF), it sends a REGISTER (for example, REGISTER for SIP or SIP over WS) or another registration or authentication message that comprises a request to provide a TURN credential and one or more parameters, such as a “tur-cred” parameter, to request that signaling communication port 406 provide TURN credentials for the first ED 402 (step 405). The format of the “tur-cred” parameter is:
“tur-cred: [realm=value;] [exp=value;] [revoke;]” where:
(a) a “realm” parameter is optional and, if present, requests a credential for the specific domain;
(b) an “exp” parameter is optional and, if present, requests a credential for the specified expiration time; and
(c) a “revoke” parameter is optional and, if present, requests that signaling communication port 406 revoke previously generated credentials.
[0029] When signaling communication port 406 receives the registration message with the “tur-cred” parameter, it validates the “tur-cred” parameter and selects the domain and the TURN server for the domain. For example, signaling communication port 406 can determine that the format of the domain is recognized, that the domain is recognized, that an expiration time value is not negative or infinite, etc. The domain can be a string of characters used to describe the server or a context within the server and can tell a client device which username and password combination to use for authentication requests. Signaling communication port 406 then generates a user portion of the TURN credential (TURN-USR) (step 410). The user portion of the TURN credential (TURN-USR) can be in the following format:
“TURN-USR = user-name[@realm-value;] [exp=value;] [revoke;]” where:
(a) “user-name” is the user name portion of the TURN credential;
(b) “realm-value” is optional and specifies the user's domain;
(c) the value “exp” is optional and specifies the expiration time for the credential; and
(d) the keyword “revoke” is optional and indicates to the TURN server to revoke all TURN credentials generated before that credential.
[0030] Signaling communication port 406 identifies a pre-shared key (km) for the selected TURN server and generates a password portion of the TURN credential (TURN-PWD) by hashing the user portion of the credential using the pre-shared key (step 410). The password portion of the TURN credential (TURN-PWD) can be in the following format:
“TURN-PWD = hmac(TURN-USR, pre-shared-key)”
[0031] Signaling communication port 406 sends the generated TURN credential (TURN-USR and TURN-PWD) to the first ED 402 in a reply to the registration message (for example, “200 OK” for SIP) (step 415). The result can be encoded as: "tur-cred=usrname@realm;exp=val;revoke;tur-pwd=turn-password". Those skilled in the art will recognize that other formats can also be used.
[0032] The first ED 402 receives the registration response with the TURN credential from signaling communication port 406 and uses the TURN credential to request a relay address from the TURN server. The first ED 402 uses the entire TURN-USR string as the TURN username (that is, it includes user-name@realm;exp=value;revoke) in its allocation (Alloc) request and uses TURN-PWD to generate the message authentication code (MAC) for the Alloc request (step 420).
[0033] The TURN server 408 receives the Alloc request from the first ED 402, parses the user string (for example, user-name@realm;exp=value;revoke), and extracts the TURN username, domain, expiration time and revocation keyword (step 425). The TURN server 408 validates the extracted values and discards the request if the parameters are invalid (for example, unknown or unrecognized domain format, unknown or unrecognized domain, negative expiration time, etc.). The TURN server 408 identifies the domain's pre-shared key and calculates the TURN-PWD by hashing the TURN user string received in the Alloc request with the pre-shared key (step 425). The TURN server 408 uses this calculated TURN-PWD to validate the received message. If the user string in the Alloc request includes the revocation keyword, the TURN server 408 revokes the previously generated unexpired credentials (for example, using a local cache to record a user's unexpired credentials and their status). If a credential is revoked, it is rejected by the TURN server 408. After the received message is validated, the TURN server 408 sends an Alloc response that includes a relay address to the first ED 402 (step 430).
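The issuance and validation steps above (steps 410 to 425), as an added Python example that is not code from the patent. HMAC-SHA-256, base64 encoding, an absolute Unix timestamp for exp, the realm example.org, the demo key and all function names are assumptions; request_mac is a simplified stand-in for the MAC on the Alloc request.

```python
import base64
import hashlib
import hmac
import time

# Constructed demo data: realm -> pre-shared key (km) held by gateway and TURN server.
PRESHARED_KEYS = {"example.org": b"constructed-demo-key"}
MAX_LIFETIME = 24 * 3600  # assumed policy ceiling for exp, in seconds


def turn_pwd(turn_usr, key):
    """TURN-PWD = hmac(TURN-USR, pre-shared-key); SHA-256 and base64 are assumptions."""
    digest = hmac.new(key, turn_usr.encode(), hashlib.sha256).digest()
    return base64.b64encode(digest).decode()


def request_mac(pwd, message):
    """Simplified stand-in for the MAC the ED computes over its Alloc request."""
    return hmac.new(pwd.encode(), message, hashlib.sha256).hexdigest()


def issue_credential(user, realm="example.org", lifetime=3600, revoke=False, now=None):
    """Gateway side (step 410); exp is an absolute Unix timestamp (assumption)."""
    if realm not in PRESHARED_KEYS:
        raise ValueError("unknown realm")
    if not isinstance(lifetime, int) or not 0 < lifetime <= MAX_LIFETIME:
        raise ValueError("invalid expiration")
    if not user or any(c in user for c in "@;= "):
        raise ValueError("invalid user-name")  # delimiters would corrupt TURN-USR
    now = int(time.time()) if now is None else now
    turn_usr = f"{user}@{realm};exp={now + lifetime};" + ("revoke;" if revoke else "")
    return turn_usr, turn_pwd(turn_usr, PRESHARED_KEYS[realm])


def parse_turn_usr(turn_usr):
    """Strictly split 'user-name@realm;exp=value;[revoke;]' into its fields."""
    ident, _, rest = turn_usr.partition(";")
    user, sep, realm = ident.partition("@")
    fields = [f for f in rest.split(";") if f]
    if not (user and sep and realm) or not fields or not fields[0].startswith("exp="):
        raise ValueError("malformed TURN-USR")
    exp_text = fields[0][4:]
    if not (exp_text.isascii() and exp_text.isdigit()) or fields[1:] not in ([], ["revoke"]):
        raise ValueError("malformed TURN-USR")
    return user, realm, int(exp_text), fields[1:] == ["revoke"]


class TurnServer:
    """TURN server side (step 425): recompute TURN-PWD, then apply exp and revoke."""
    def __init__(self, keys):
        self.keys = keys
        self.cache = {}  # (user, realm) -> {TURN-USR: (exp, "active" | "revoked")}

    def check_alloc(self, turn_usr, message, mac, now=None):
        now = int(time.time()) if now is None else now
        try:
            user, realm, exp, revoke = parse_turn_usr(turn_usr)
        except ValueError:
            return "rejected: malformed"
        if realm not in self.keys:
            return "rejected: unknown realm"
        # TURN-PWD binds the whole string: a changed exp or dropped revoke fails the MAC.
        expected = request_mac(turn_pwd(turn_usr, self.keys[realm]), message)
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad MAC"
        if exp <= now:
            return "rejected: expired"
        known = self.cache.setdefault((user, realm), {})
        for usr in [u for u, (e, _) in known.items() if e <= now]:
            del known[usr]  # keep only unexpired credentials in the cache
        if known.get(turn_usr, (exp, "active"))[1] == "revoked":
            return "rejected: revoked"
        if revoke:
            # Revokes credentials this server has already seen for the user; one it
            # has never seen is not in the cache and is not covered by this sketch.
            for usr in known:
                if usr != turn_usr:
                    known[usr] = (known[usr][0], "revoked")
        known[turn_usr] = (exp, "active")
        return "ok"


def demo():
    server, msg, t0 = TurnServer(PRESHARED_KEYS), b"constructed Alloc body", 1_700_000_000
    usr1, pwd1 = issue_credential("alice", lifetime=600, now=t0)
    usr2, pwd2 = issue_credential("alice", lifetime=600, revoke=True, now=t0 + 60)
    longer = usr1.replace(f"exp={t0 + 600}", f"exp={t0 + 999999}")  # tampered expiry
    return [
        server.check_alloc(usr1, msg, request_mac(pwd1, msg), now=t0 + 10),
        server.check_alloc(longer, msg, request_mac(pwd1, msg), now=t0 + 10),
        server.check_alloc(usr2, msg, request_mac(pwd2, msg), now=t0 + 70),
        server.check_alloc(usr1, msg, request_mac(pwd1, msg), now=t0 + 80),
        server.check_alloc(usr2, msg, request_mac(pwd2, msg), now=t0 + 700),
    ]


if __name__ == "__main__":
    print(demo())
```

Because the TURN server derives the password from the username string it receives, it needs no per-user credential store; only the revocation cache is stateful.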
[0034] If the first ED receives a relay address from the TURN server, it proceeds to make calls using existing protocols or procedures. For example, the first ED 402 sends an INVITE request (step 435) to signaling communication port 406 to initiate a call. Signaling communication port 406 receives the INVITE request from the first ED 402 and checks whether the call can proceed. If the call cannot proceed, for example, because the called party (for example, the second ED 412) is not registered or is not online, signaling communication port 406 returns an error code to the first ED 402 (not shown) and ends the call.
[0035] If the call can proceed, signaling communication port 406 forwards the INVITE message to the called party (for example, the second ED 412) (step 435). The called party (for example, the second ED 412) receives the INVITE message, processes the INVITE message, and sends a reply message (for example, a “200 OK” message) to signaling communication port 406. Signaling communication port 406 forwards the response message to the first ED 402 (step 440). Each of the EDs 402, 412 is behind a corresponding symmetric NAT/Firewall 404, 409.
[0036] The first ED 402 receives the response message and sends a ChannelBind request to the TURN 408 server to reserve a channel (step 445). The TURN 408 server receives the ChannelBind request and sends a ChannelBind response to the first ED 402 (step 450). After the channel is established, the first and second EDs 402, 412 can exchange messages for a connectivity check (for example, using STUN binding requests). For example, the TURN 408 server receives data from the first ED 402 via a connectivity check request message and relays the data to the second ED 412 (step 455). The second ED 412 receives the data and responds via a connectivity check reply message. The TURN 408 server receives the connectivity check reply message and retransmits the data within it to the first ED 402 (step 460). After that, the first and second EDs 402, 412 discover a media path and begin to send media packets to each other, such as through the Real Time Transport Protocol (RTP) (step 465).
[0037] Figure 5 is a call flow diagram that illustrates a system 500 for providing a dynamic TURN server or a dynamic TURN credential. As illustrated in the call flow chart in Figure 5, the first ED 402 requests the TURN credentials in its initial registration message (for example, REGISTER). The registration message can include the “tur-cred” parameter as described above in relation to Figure 4. Signaling communication port 406 identifies the user's domain, selects one or a list of TURN servers, and sends the TURN credential selected for the first ED 402 in its response (for example, “200 OK” for SIP). If the first ED receives a relay address from the TURN server 408, it proceeds to make calls using existing protocols or procedures, for example, the first ED 402 sends an INVITE request to signaling communication port 406 to initiate a call as explained above in relation to Figure 4.
[0038] Signaling communication port 406 can be configured to dynamically renew a credential, for example, before anonymous calls or to avoid using a credential for a long time, to protect user privacy. To receive a new TURN username and password before the next registration cycle (for example, before making an anonymous call), the first ED 402 sends an update request such as an OPTION or INFORM request to signaling communication port 406 which includes a parameter such as the “tur-cred” parameter as described above in relation to Figure 4 (step 505). The format of the “tur-cred” parameter is the same as explained above in relation to Figure 4. Signaling communication port 406 validates the user request and generates a new TURN credential (for example, TURN-USR and TURN-PWD) as explained above in relation to Figure 4. Signaling communication port 406 sends the new credential back to the first ED 402 in response to the OPTION or INFORM request (for example, “200 OK” in SIP) (step 510). The first ED 402 receives the new TURN credential from signaling communication port 406 and uses the new TURN credential to make anonymous calls.
[0039] Alternatively or additionally, signaling communication port 406 can be configured to support reselection of a TURN server based on a network condition (for example, quality of service (QoS)) or a security condition. For example, if the first ED 402 detects an issue with the TURN server (for example, QoS or security), such as the previously received TURN server not responding to its requests, the first ED 402 can send an update request such as the OPTION or INFORM request to signaling communication port 406 which includes a parameter such as the “tur-serv” parameter in step 505. The update request may contain a reason code that indicates why the first ED needs a new TURN server. Signaling communication port 406 validates the user request, selects a new TURN server or TURN servers based on its knowledge of the operational status of other TURN servers in the communication system and feedback from the first ED 402, and sends a new list of TURN servers back to the first ED 402 in response to the OPTION or INFORM request (for example, “200 OK” in SIP) (step 510). The first ED 402 receives the new TURN server list from signaling communication port 406 and selects a new TURN server.
[0040] Figure 6 illustrates a block diagram of signaling communication port 406. In a particular embodiment, signaling communication port 406 is composed of a server computer such as a SIP server, H.323 server, or similar. As shown in Figure 6, in its hardware configuration, signaling communication port 406 includes, for example, a communication interface 602 coupled to an IP network 604, an operating system (not shown), a storage device 608 for storing programs to serve as a server such as a VoIP server, and a control device 610 (e.g., a processor or CPU) that runs a program on storage device 608 to control all operations.
[0041] Storage device 608 may include, for example, an OS, a communication protocol stack that controls data communication based on IP packets, a database, control programs, for example, call control such as H.323, SIP, or the like that define voice communication procedures (for example, making and receiving calls), and a server program that defines processing procedures for the NAT and firewall traversal method.
[0042] The control device 610 may be a general purpose, special purpose or digital signal processor, and may be a plurality of processors or a combination of such processors. The control device 610 includes functionality to perform signal encryption, data processing, input/output processing, and/or any other functionality that allows signaling communication port 406 to operate on system 400 or system 500. In addition, control device 610 is coupled to the storage device 608, which is operable to store and retrieve data. Any suitable type of memory storage device can be included, such as random access memory (RAM), read-only memory (ROM), hard disk, subscriber identity module (SIM) card, a memory card, a secure digital memory card (SD), and the like.
[0043] Figure 7 illustrates a block diagram of an example of an electronic device (ED) or user equipment (UE). The electronic device 710 can be, for example, a portable wireless electronic device. For example, the electronic device 710 can be a cell phone, a wireless media player, a portable computer (sometimes also called a personal digital assistant), a remote controller, a global positioning system (GPS) device, a tablet computer, or a portable gaming device. Electronic device 710 includes a processor 700, a transceiver 702, an antenna element 704, one or more input/output devices 706 (for example, speaker/microphone, numeric keypad, display/touch device) and memory 708. The electronic device 710 can be connected wirelessly to a base station (not shown) via a wireless link 790.
[0044] The electronic device 710 may include one or more components, devices or different functionalities (not shown). It will be understood that the electronic device 710 may include less or more of the elements described above.
[0045] Processor 700 may be a general purpose, special purpose or digital signal processor, and may be a plurality of processors or a combination of such processors. Processor 700 includes functionality to perform signal encoding, data processing, power control, input/output processing, and/or any other functionality that allows electronic device 710 to operate on system 400 or system 500. Processor 700 is coupled to transceiver 702, which is coupled to the antenna element 704. It will be understood that processor 700 and transceiver 702 can be separate or integrated components. Similarly, antenna element 704 can be a single element or multiple elements (multiple antennas or elements).
[0046] Transceiver 702 is configured to modulate data or signals for transmission by antenna 704 and demodulate data or signals received by antenna 704.
[0047] Processor 700 is coupled to one or more input / output devices 706 (including ports or buses) operable to input / output user data. In addition, processor 700 is coupled to memory 708 operable to store and retrieve data. Any suitable type of memory storage device can be included, such as random access memory (RAM), read-only memory (ROM), hard disk, subscriber identity module (SIM) card, a memory card, a secure digital memory card (SD), and the like.
[0048] Other elements or devices that could be included within the electronic device 710 will not be described in this document, unless necessary or relevant to an understanding of the present disclosure.
[0049] Figure 8 is a flow chart that illustrates a method 800 for providing a server and credential for traversal using relays around network address translation (TURN) in a communication system according to an embodiment. The method comprises receiving, on a signaling communication port, a signaling message from a first electronic device when the first electronic device registers or authenticates with the signaling communication port, in step 802. The signaling message comprises one or more signaling message parameters. The signaling message further comprises a request for the signaling communication port to generate a TURN credential for the first electronic device. The TURN credential is associated with one or more signaling message parameters. For example, the registration message of the first electronic device 402 is received at signaling communication port 406 (step 405). The registration message includes a TURN credential provision request parameter, and can include parameters such as the domain parameter, the expiration parameter and the revocation parameter.
[0050] Signaling message parameters are validated on the signaling communication port, in step 804. For example, the registration message is validated by signaling communication port 406 (step 410). To illustrate, signaling communication port 406 validates the domain parameter “realm” (if present) against its security policies and discards requests with an invalid domain value. If the domain parameter is not present, the signaling communication port chooses a default domain. Signaling communication port 406 validates the “exp” expiration parameter (if present) and discards requests with an invalid value. If the expiration parameter is not present, the signaling communication port chooses an expiration value, such as an expiration value for the authentication message (for example, the REGISTER message).
[0051] The TURN credential is sent to the first electronic device via the signaling communication port, in step 806. For example, signaling communication port 406 sends the TURN credential in its “200 OK” response message to the first electronic device 402 (step 415).
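As an added illustration (not code from the patent), the sketch below carries steps 804 and 806 through to the TURN server's check: the gateway validates `realm` and `exp`, hashes the user portion with the pre-shared key to obtain the password portion as recited in the claims, and the TURN server re-derives that password to verify the request's message authentication code. HMAC-SHA256, the `expiry:realm:handle` layout of the user portion, the example realms and all function names are assumptions; the long-term key and HMAC-SHA1 request MAC follow RFC 5389.

```python
import base64
import hashlib
import hmac

# Assumptions, not taken from the patent: HMAC-SHA256 as the keyed hash, the
# "expiry:realm:handle" layout of the user portion, and the policy values below.
ALLOWED_REALMS = {"ims.example.net", "webrtc.example.net"}
DEFAULT_REALM = "ims.example.net"
MAX_TTL = 24 * 3600  # longest lifetime the gateway will grant, in seconds


def validate_params(params, register_expires):
    """Gateway, step 804: validate 'realm' and 'exp', defaulting when absent."""
    realm = params.get("realm", DEFAULT_REALM)
    if realm not in ALLOWED_REALMS:
        raise ValueError("realm rejected by policy")
    raw = params.get("exp", register_expires)  # default: REGISTER expiry
    try:
        ttl = int(raw)
    except (TypeError, ValueError):
        raise ValueError("exp is not an integer") from None
    if not 0 < ttl <= MAX_TTL:
        raise ValueError("exp out of range")
    return realm, ttl


def derive_password(psk, username):
    """Password portion: keyed hash of the user portion under the pre-shared key."""
    mac = hmac.new(psk, username.encode(), hashlib.sha256).digest()
    return base64.b64encode(mac).decode()


def issue_credential(psk, handle, params, register_expires, now):
    """Gateway, steps 804-806: validate, then build user and password portions.

    'handle' is an opaque token rather than the subscriber identity, so the
    TURN username does not reveal who is calling (assumed design choice).
    """
    realm, ttl = validate_params(params, register_expires)
    username = f"{now + ttl}:{realm}:{handle}"
    return {"username": username, "password": derive_password(psk, username),
            "realm": realm, "ttl": ttl}


def long_term_key(username, realm, password):
    """STUN long-term credential key (RFC 5389): MD5(username:realm:password)."""
    return hashlib.md5(f"{username}:{realm}:{password}".encode()).digest()


def sign_request(cred, body):
    """Client: MAC over the allocation request, keyed from the password portion."""
    key = long_term_key(cred["username"], cred["realm"], cred["password"])
    return hmac.new(key, body, hashlib.sha1).digest()


def turn_server_accepts(psk, username, body, mac, now, revoked=frozenset()):
    """TURN server: parse the user portion, re-derive the password, check the MAC."""
    parts = username.split(":")
    if len(parts) != 3 or not parts[0].isdecimal():
        return False  # malformed user portion: discard the request
    expiry, realm = int(parts[0]), parts[1]
    if realm not in ALLOWED_REALMS or expiry <= now or username in revoked:
        return False
    key = long_term_key(username, realm, derive_password(psk, username))
    expected = hmac.new(key, body, hashlib.sha1).digest()
    return hmac.compare_digest(expected, mac)  # constant-time comparison


if __name__ == "__main__":
    PSK = b"constructed-demo-key"               # constructed sample key
    NOW = 1_700_000_000                         # constructed clock value
    BODY = b"ALLOCATE (constructed request bytes)"
    cred = issue_credential(PSK, "a3f1c9",
                            {"realm": "webrtc.example.net", "exp": "600"}, 3600, NOW)
    mac = sign_request(cred, BODY)
    print(cred["username"])
    print("fresh:  ", turn_server_accepts(PSK, cred["username"], BODY, mac, NOW + 10))
    print("expired:", turn_server_accepts(PSK, cred["username"], BODY, mac, NOW + 601))
```

Because the expiry and realm sit inside the hashed user portion, the TURN server needs no per-credential state to enforce them; only revocation requires a lookup.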
[0052] One of the advantages of this disclosure is that the signaling communication port authenticates users during the registration process, ensuring that only authenticated users can receive TURN credentials. Other approaches, such as the OAuth code or REST API approaches, use web servers to distribute TURN credentials. Web servers may or may not authenticate users. For example, in a 3GPP-defined WebRTC architecture, the web server only hosts the WebRTC JS code but will not authenticate users when an IMS identity is used to access the WebRTC service. In this case, the signaling communication port-based approach is more secure than the web server-based approach.
[0053] Another advantage of the present disclosure is that the signaling communication port-based approach reuses existing ICE / TURN communication protocols with little to no change or addition of new interfaces. This approach does not need extra steps to verify TURN credentials (for example, steps to verify code in the OAuth solution), thus requiring less overhead to deploy and operate.
[0054] Another advantage of the present disclosure is that the signaling communication port-based approach allows the ED to retrieve new credentials for anonymous calls to avoid leaking called information through analysis of the TURN username, providing more protection over user privacy than other approaches.
[0055] In some embodiments, some or all of the functions or processes of one or more devices are implemented or supported by a computer program that is formed by computer-readable program code and that is incorporated in a computer-readable medium. The term “computer-readable program code” includes any type of computer code, which includes source code, object code and executable code. The term “computer-readable media” includes any type of media capable of being accessed by a computer, such as read-only memory (ROM), random access memory (RAM), hard disk controller, a compact disc (CD), a digital video disc (DVD), or any other type of memory.
[0056] In an exemplary embodiment, an electronic device is used to provide a server and credential for traversal using relays around network address translation (TURN) in a communication system. The electronic device includes a sending element that sends a signaling message to a signaling communication port, the signaling message comprising one or more signaling message parameters, wherein the signaling message further comprises a request for the signaling communication port to generate a TURN credential for the first ED, where the TURN credential is associated with one or more signaling message parameters, and a receiving element that receives the TURN credential from the signaling communication port. In some embodiments, the electronic device may include different or additional elements to perform any one or a combination of steps described in the embodiments.
[0057] In an exemplary embodiment, a signaling communication port is used to provide a server and credential for traversal using relays around network address translation (TURN) in a communication system. The signaling communication port includes a receiving element that receives a signaling message from a first electronic device (ED), the signaling message comprising one or more signaling message parameters, wherein the signaling message further comprises a request for the signaling communication port to generate a TURN credential for the first ED, where the TURN credential is associated with one or more signaling message parameters, and a sending element that sends the TURN credential to the first electronic device. In some embodiments, the signaling communication port may include different or additional elements to carry out any one or a combination of steps described in the embodiments.
[0058] It may be advantageous to provide definitions of certain words and expressions used throughout this patent document. The terms “include” and “comprise”, as well as their derivatives, mean inclusion without limitation. The term "or" is inclusive and means and / or. The terms "associated with" and "associated therewith", as well as the derivatives thereof, mean to include, to be included within, to interconnect with, to contain, to be contained within, to connect to or with, to couple to or with, to be communicable with, cooperate with, interleave, juxtapose, be close to, be connected to or with, have, have a property of, or the like.
[0059] Although this disclosure has described certain embodiments and generally associated methods, alterations and permutations of these embodiments and methods will be evident to those skilled in the art. Consequently, the above description of exemplary embodiments does not define or restrict this disclosure. Other changes, substitutions, and alterations are also possible without departing from the spirit and scope of this disclosure, as defined by the following claims.
Claims:
Claims (29)
[1]
1. Method for providing server and crossing credentials with the use of retransmitters around network address translation (TURN) in a voice communication system over Internet Protocol, VoIP, the VoIP communication system comprising a gateway signaling communication, a TURN server, and an electronic device, the signaling communication port is a proxy call session control function, P-CSCF, CHARACTERIZED by the fact that the method comprises:
receive, on the signaling communication port, a signaling message from a first electronic device (ED) when the first electronic device registers with the signaling communication port, the signaling message is a registration message, the signaling message comprises one or more signaling message parameters, the signaling message further comprises:
a request for the signaling communication port to generate a TURN credential for the first ED, where the TURN credential is associated with one or more signaling message parameters;
generate a user portion of the TURN credential;
in response to determining that the signaling communication port and the TURN server have a pre-shared key, generating, on the signaling communication port, the password portion of the TURN credential by hashing the user portion of the credential of TURN with the pre-shared key; and sending, from the signaling communication port, the TURN credential to the first ED in a response to the registration message, where the TURN credential comprises the user portion and the password portion.
[2]
2. Method, according to claim 1, CHARACTERIZED by the fact that it additionally comprises:
in response to the signaling message comprising a domain parameter, request a credential for a domain defined by the domain parameter where the domain parameter identifies the username and password combination to authenticate requests.
[3]
3. Method, according to claim 2, CHARACTERIZED by the fact that it additionally comprises:
Petition 870190097141, of 27/09/2019, p. 14/21
validate the one or more signaling message parameters; and select the domain and a TURN server for the domain based on the signaling message.
[4]
4. Method, according to claim 3, CHARACTERIZED by the fact that it additionally comprises:
in response to the signaling message comprise an expiration parameter, request a credential for an expiration time defined by the expiration parameter; and in response to the signaling message comprising a revocation parameter, requesting the signaling communication port to revoke previously generated credentials.
[5]
5. Method, according to claim 3, CHARACTERIZED by the fact that it additionally comprises:
in response to the user portion comprising a user portion domain parameter, generating a user domain defined by the user portion domain parameter;
in response to the user portion comprising a user portion expiration parameter, generating a user portion expiration time defined by the expiration parameter; and in response to the user portion comprising a user portion revocation parameter, sending an indication to the TURN server to revoke previously generated TURN credentials.
[6]
6. Method, according to claim 5, CHARACTERIZED by the fact that it further comprises: in response to determining that the signaling communication port and the TURN server have a shared key, generate the password portion of the TURN credential through hash the user portion of the TURN credential with the shared key.
[7]
7. Method, according to claim 6, CHARACTERIZED by the fact that it additionally comprises:
after the TURN credential is received by the first ED, receive, by the TURN server, an allocation request for the first ED, the allocation request comprising a request for a TURN relay address and one or more allocation request parameter values, the one or more allocation request parameter values being based on the user portion of the TURN credential and the password portion of the TURN credential, where the method additionally comprises:
on the TURN server:
receive the allocation request from the first ED, the allocation request comprising a message authentication code based on the password portion of the TURN credential;
extract the one or more allocation request parameter values from the allocation request;
validate the one or more extracted allocation request parameter values; and discard the allocation request if one or more of the one or more allocation request parameter values is invalid.
[8]
8. Method, according to claim 7, CHARACTERIZED by the fact that it additionally comprises:
identify the shared key; generate a TURN server password by hashing one or more allocation request parameter values based on the user portion of the TURN credential with the shared key; and validate the allocation request received using the TURN server password.
[9]
9. Method, according to claim 7, CHARACTERIZED by the fact that it additionally comprises:
in response to the allocation request comprising a revocation parameter: revoke previously received TURN credentials; and reject revoked credentials.
[10]
10. Method, according to claim 9, CHARACTERIZED by the fact that it additionally comprises:
receive, on the signaling communication port, an update request for a second TURN credential for the first ED other than the TURN credential, in which the update request is received before the expiration of a registration message cycle time signaling; validate the update request on the signaling communication port; and send the second TURN credential to the first ED.
[11]
11. Method, according to claim 10, CHARACTERIZED by the fact that it additionally comprises:
receive the second TURN credential on the first ED; and use the second TURN credential to make anonymous calls.
[12]
12. Method, according to claim 9, CHARACTERIZED by the fact that it additionally comprises:
receive, on the signaling communication port, an update request to provide a second TURN server for the first ED, the update request received prior to the expiration of a signaling message registration cycle time, in which the request update is based on a network condition or a security condition, the method additionally comprises: validating the update request on the signaling communication port; generate a second TURN credential for the first ED; and send the second TURN credential to the first ED.
[13]
13. Method, according to claim 12, CHARACTERIZED by the fact that it additionally comprises: receiving the second TURN credential on the first ED; and use the second TURN server to make calls.
[14]
14. Electronic device for providing a server and credential for crossing with the use of relays around network address translation (TURN) in a voice communication system over Internet Protocol, VoIP, the VoIP communication system comprising the device electronic, a signaling communication port, and a TURN server, the signaling communication port is a proxy call session control function, P-CSCF, CHARACTERIZED by the fact that the electronic device comprises:
a processor; and memory attached to the processor; where the electronic device is configured to:
send a signaling message to the signaling communication port when the electronic device registers with the signaling communication port, the signaling message is a registration message, the signaling message comprising: one or more message parameters signaling, the signaling message further comprising:
a request for the signaling gateway to generate a TURN credential for the first ED, where the TURN credential is associated with one or more signaling message parameters;
receive the TURN credential from the signaling communication port in a response to the registration message, where the TURN credential comprises a user portion and a password portion, where the signaling communication port uses a key that is pre-shared with the TURN server by hashing the user portion to generate the password portion.
[15]
15. Electronic device, according to claim 14, CHARACTERIZED by the fact that the electronic device is additionally configured for:
in response to the signaling message comprise a domain parameter, request a credential for a domain defined by the domain parameter where the domain parameter identifies the username and password combination to authenticate requests.
[16]
16. Electronic device, according to claim 14, CHARACTERIZED by the fact that the electronic device is additionally configured for:
in response to the signaling message comprise an expiration parameter, request a credential for an expiration time defined by the expiration parameter; and in response to the signaling message comprising a revocation parameter, requesting the signaling communication port to revoke previously generated credentials.
[17]
17. Electronic device, according to claim 15, CHARACTERIZED by the fact that the electronic device is additionally configured to: after receiving the TURN credential, send an allocation request to a first selected TURN server based on the signaling message , since the first TURN server is coupled to the signaling communication port, the allocation request comprises a request for a TURN relay address.
[18]
18. Electronic device, according to claim 16, CHARACTERIZED by the fact that the electronic device is additionally configured to: send an update request for a second TURN credential for the first ED different from the TURN credential, the update request being sent before the expiration of a signaling message registration cycle; receive the second TURN credential; and use the second TURN credential to make anonymous calls.
[19]
19. Electronic device, according to claim 17, CHARACTERIZED by the fact that the electronic device is additionally configured to: send an update request to a second TURN server for the first ED different from the first TURN server, in which the update request is based on a network condition or a security condition, in which the update request is sent before the signaling message registration cycle expires; receive a second TURN credential; and use the second TURN server to make calls.
[20]
20. Signaling communication port for providing a server and credential for crossing with the use of relays around the network address translation (TURN) in a voice communication system over Internet Protocol, VoIP, the VoIP communication system comprising the signaling communication port, a TURN server, and an electronic device, the signaling communication port is a proxy call session control function, P-CSCF, CHARACTERIZED by the fact that the signaling communication port comprises:
a processor; and memory attached to the processor; where the signaling communication port is configured to:
receiving a signaling message from a first electronic device (ED) when the first electronic device registers with the signaling communication port, the signaling message is a registration message, the signaling message comprising: one or more signaling message parameters, the signaling message further comprising:
a request for the signaling communication port to generate a TURN credential for the first ED, where the TURN credential is associated with one or more signaling message parameters; and generate a user portion of the TURN credential;
in response to determining that the signaling communication port and the TURN server have a pre-shared key, generate the password portion of the TURN credential by hashing the user portion of the TURN credential with the pre-shared key; and sending the TURN credential to the first electronic device in a response to the registration message, where the TURN credential comprises the user portion and the password portion.
[21]
21. Signaling communication port, according to claim 20, CHARACTERIZED by the fact that the signaling communication port is additionally configured for:
in response to the signaling message comprise a domain parameter, generate a credential for a domain defined by the domain parameter where the domain parameter identifies the username and password combination to authenticate requests.
[22]
22. Signaling communication port, according to claim 21, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: validate the one or more signaling message parameters; and select the domain and a TURN server for the domain based on the signaling message.
[23]
23. Signaling communication port, according to claim 21, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: in response to the signaling message comprise an expiration parameter, generate a credential for a timeout expiration defined by the expiration parameter; and in response to the signaling message comprise a revocation parameter, revoke previously generated credentials.
[24]
24. Signaling communication port, according to claim 23, CHARACTERIZED by the fact that the TURN credential comprises a user portion and a password portion, the signaling communication port additionally configured to: generate the user portion of the TURN credential.
[25]
25. Signaling communication port, according to claim 24, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: in response to the user portion comprise a user portion domain parameter, generate a domain defined by the user portion domain parameter.
[26]
26. Signaling communication port, according to claim 25, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: in response to the user portion comprise a user portion expiration parameter, generate a user portion expiration time defined by the parameter expiration; and in response to the user portion comprising a user portion revocation parameter, send an indication to the TURN server to revoke previously generated TURN credentials.
[27]
27. Signaling communication port, according to claim 26, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: determine that the signaling communication port and the TURN server have a shared key; and generating the password portion of the TURN credential by hashing the user portion of the TURN credential with the shared key.
[28]
28. Signaling communication port, according to claim 27, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: receive an update request for a second TURN credential for the first ED different from the credential of TURN, in which the update request is received before the expiration of a signal message registration cycle time; validate the update request; and send the second TURN credential to the first ED.
[29]
29. Signaling communication port, according to claim 27, CHARACTERIZED by the fact that the signaling communication port is additionally configured to: receive an update request to provide a second TURN server for the first ED, the update request is received prior to the expiration of a signaling message registration cycle time, in which the update request is based on a network condition or a security condition; validate the update request; and send the second TURN server to the first ED.
Patent family:
Publication number | Publication date
CN106233704B|2019-08-20|
EP3167599A4|2017-07-12|
US9515995B2|2016-12-06|
US9621518B2|2017-04-11|
KR20170041880A|2017-04-17|
KR101794787B1|2017-11-07|
US20150188882A1|2015-07-02|
BR112017002343A2|2017-11-28|
US20160050179A1|2016-02-18|
US20170187678A1|2017-06-29|
WO2016023507A1|2016-02-18|
JP6414630B2|2018-10-31|
EP3167599B1|2019-12-04|
JP2017527210A|2017-09-14|
EP3167599A1|2017-05-17|
CN106233704A|2016-12-14|
Legal status:
2019-07-02| B07A| Technical examination (opinion): publication of technical examination (opinion)|
2019-12-31| B09A| Decision: intention to grant|
2020-01-21| B16A| Patent or certificate of addition of invention granted|Free format text: TERM OF VALIDITY: 20 (TWENTY) YEARS COUNTED FROM 13/08/2015, SUBJECT TO THE LEGAL CONDITIONS. |
Priority:
Application number | Filing date | Patent title
US14/142,465|US9515995B2|2013-12-27|2013-12-27|Method and apparatus for network address translation and firewall traversal|
US14/461,162|US9621518B2|2013-12-27|2014-08-15|Method and apparatus for provisioning traversal using relays around network address translation (TURN) credential and servers|
PCT/CN2015/086866|WO2016023507A1|2013-12-27|2015-08-13|Method and apparatus for provisioning traversal using relays around network address translation (TURN) credential and servers|