

Distributed Architecture of VoIP for Firewall/NAT Traversing Based on SIP

【Author】 周达文

【Supervisor】 黄本雄

【Author information】 华中科技大学 (Huazhong University of Science and Technology), Communication and Information Systems, 2006, Master's thesis

【Abstract (translated from the Chinese)】 With the rapid growth of network applications, VoIP has come into wide use. However, Network Address Translation (NAT) and firewalls, introduced to cope with the shortage of IP addresses and to secure networks, break end-to-end VoIP communication. Solving firewall/NAT traversal for both signaling and media effectively is therefore the key to whether VoIP services can be deployed at scale. This thesis studies firewall/NAT traversal in depth and proposes a distributed improvement on the Session Border Controller (SBC), currently the most popular approach. Compared with other firewall/NAT traversal schemes, the SBC approach makes no assumptions about, and requires no changes to, the existing network, and it offers better Quality of Service (QoS) guarantees. However, because an SBC must relay signaling and forward media at the same time, it can become the bottleneck of the system. Moreover, the SBC's security and QoS guarantees rest on per-packet inspection, which adds further load. Finally, the SBC's structure makes it hard to grow capacity by dynamic scaling or to share traffic by load balancing. Building on a thorough study of the strengths and weaknesses of SBC technology, this thesis proposes a distributed firewall/NAT traversal scheme that structurally separates the SBC's signaling relay from its media forwarding. Signaling relay is performed by a Signaling Access Gateway (SAG) and media forwarding by a Media Channel Controller (MCC); the service relationship between the two is defined dynamically by a Net Manage Center (NMC). With media and signaling separated, multiple MCCs form a media subsystem through media scaling and load balancing and optimize QoS through a multi-level media channel policy, and multiple SAGs form a signaling subsystem through signaling scaling and load-balancing policies. The result is a distributed system in which the capacity of the media and signaling subsystems can be scaled on demand, and the failure of, or an attack on, any single server has no material effect on system performance. The thesis presents an experimental SIP-based distributed firewall/NAT traversal system and describes in detail the structure of the SAG, MCC and NMC and the key techniques used to implement them. Finally, the experimental system is tested for function and performance. The test data show that the SAG's call setup and maintenance capacity is nearly two orders of magnitude higher than that of the SBC, and that with a sufficient number of media channel controllers the capacity of the distributed firewall/NAT traversal system is far greater than that of a single SBC of the same configuration.

【Abstract】 Voice over IP (VoIP) has developed alongside the rapid growth of network applications. However, NAT (Network Address Translation) and firewall technologies, introduced to address the shortage of IP addresses and to protect networks, create problems for end-to-end communication. How effectively these problems are solved therefore has a large influence on the promotion and adoption of VoIP. Starting from a new technology, the Session Border Controller (SBC), this paper proposes a distributed architecture for firewall/NAT traversal.

Compared with other firewall/NAT traversal solutions, SBC technology has become popular because it can be applied in every firewall/NAT environment in use today and requires no modification of the existing network. However, a classic SBC system faces serious problems. The SBC is a bottleneck: being responsible for both media and signaling forwarding makes it the bottleneck of the whole system, and inspecting packets for security and QoS (Quality of Service) purposes adds further to its load. Furthermore, an SBC system is hard to scale.

Based on this study of SBC technology, the paper proposes a distributed architecture for firewall/NAT traversal in which the SBC is split into two servers, a Signaling Access Gateway (SAG) and a Media Channel Controller (MCC), so that signaling and media pass through separately. The relationship between the SAGs and the MCCs is determined by the Network Manage Center (NMC). The media subsystem, made up of MCCs, and the signaling subsystem, made up of SAGs, can reach a capacity that a single SBC can never reach. More significantly, in a fully distributed architecture every subsystem can be extended and dynamically controlled without modifying the rest of the system.

The paper also presents a prototype of the architecture based on SIP (Session Initiation Protocol), covering the main structure and key technologies of the SAG, MCC and NMC. The test results show that the SAG's call-setup capacity is nearly 100 times that of the SBC, and that, given enough MCCs to provide media channels, a firewall/NAT traversal system with the distributed architecture achieves a far greater capacity than the conventional SBC system.

  • 【CLC number】TP393.08
  • 【Times cited】2
  • 【Downloads】188

