(12) United States Patent
`US 7,486,684 B2
`Chu et a].
`(45) Date of Patent:
`Feb. 3, 2009
`
`(10) Patent N0.:
`
`US007486684B2
`
`(54) METHOD AND APPARATUS FOR
`ESTABLISHMENT AND MANAGEMENT OF
`VOICE-OVER IP VIRTUAL PRIVATE
`NETWORKS IN IP-BASED
`COMMUNICATION SYSTEMS
`
`Inventors: Thomas P. Chu, Englishtown, NJ (US);
`Martin Joel Glapa, Golden, CO (US);
`Francis Robert Magee, Lincroft, NJ
`(US); Steven H. Richman, Highland
`Park, NJ (US)
`
`Assignee:
`
`Alcatel-Lucent USA Inc., Murray Hill,
`NJ (US)
`
`Notice:
`
`Subject to any disclaimer, the term of this
`patent is extended or adjusted under 35
`U.S.C. 154(b) by 976 days.
`
`10/674,885
`
`Sep. 30, 2003
`
`(56)
`
`References Cited
`U.S. PATENT DOCUMENTS
`
`7,369,556 B1*
`2002/0150083 A1*
`2002/0169887 A1*
`2003/0076815 A1*
`2003/0117954 A1*
`
`5/2008
`10/2002
`11/2002
`/2003
`6/2003
`
`Rekhter et al.
`
`............ .. 370/392
`
`.......... .. 370/352
`Fangman et a1.
`..
`709/231
`MeLampy et a1,
`Miller et a1,
`...... ..
`370/352
`De Neve et a1.
`..
`.. 370/230
`
`OTHER PUBEICATIONS
`
`Network Working Group, Request for Comments: 2685, Category:
`Standards Track, B. Fox, Lucent Technologies, B. Gleeson, Nortel
`Networks, Sep. 1999, Virtual Private Networks Identifier, http://
`www.ietf. org/rfc/rfc2685 .b<t7number:2685.
`
`
`
`* cited by examiner
`
`Primary ExamineriJohn Pezzlo
`
`(57)
`
`ABSTRACT
`
`
`
`Prior Publication Data
`
`US 2005/0068942 A1
`
`Mar. 31, 2005
`
`Int. Cl.
`
`(2006.01)
`H04L 12/56
`(2006.01)
`H04] [/16
`US. Cl.
`................... .. 370/401; 370/352; 379/8817
`Field of Classification Search ....... .. 370/3527356,
`370/400, 401, 466, 467, 230, 389, 392; 709/231;
`379/8817
`
`Establishing voice calls in an IP based VPN includes deter-
`mining the relative location of a terminating point with
`respect to an originating point of a new communication con-
`taining the voice data, determining one or more IP addresses
`to egress the communication from the originating point to the
`terminating point, creating a VPN identifier in the new com-
`munication, passing the new communication to the terminat-
`ing point and removing the VPN identifier from the new
`communication. The VPN identifier can be an extra field
`
`added to an encapsulation coding scheme of the voice data.
`
`See application file for complete search history.
`
`16 Claims, 16 Drawing Sheets
`
`220
`
`2%
`
`SOFT-SWITCH
`FOR GATEWAY
`
`LOCAL
`SOFT-SWITCH
`IP ADDRESS C
`
`SERVICE
`PROVIDERS
`IP NETWORK
`400
`140J
`/
`
`
`
`1304
`
`/FOR INCOMING CALL.
`THE SOFT-SWITCH CAN IDENTIFY
`THE VPN LABEL FROM
`THE DIALED NUMBER
`
`_I\
`PSNT GATEWAY
`1302
`
`«m
`
`PSTN PHONE
`1301
`
`LOCAL
`\_
`PACKET SWITCH \
`I
`210
`I
`
`SUBSCRIBER'S
`LAN
`1304
`
`/
`
`CALLING PHONE
`101
`SUBSCRIBER
`IP ADDRESS A1
`
`\
`
`
`
`\
`_m_+_J
`\
`
`// ENCAPSULATION WILL BE USED \
`VOICE
`PACKET
`RTP
`I_—
`UDP
`
`VOICE
`PACKET
`RTP
`UDP
`IP ADDRESS
`IP ADDRESS
`
`
`
`
`VPN-ID
`
`LOWER LAYER
`
`
`
`
`
`LOWER LAYER
`
`PETITIONER APPLE INC.
`
`EX. 1003-1
`
`PETITIONER APPLE INC. EX. 1003-1
`
`

`

`U.S. Patent
`
`Feb. 3, 2009
`
`Sheet 1 of 16
`
`US 7,486,684 B2
`
`
`
`LOCAL AREA NETWORK 120
`
`GATEWAY 130
`
`IP PHONE 103
`
`FIG. 1
`
`(PRIOR ART)
`
`PETITIONER APPLE INC.
`
`EX. 1003-2
`
`PETITIONER APPLE INC. EX. 1003-2
`
`

`

`SIGNALING
`r ————————————— "/1 MESSAGES
`SOFT-SWITCH
`/ I TO OTHER
`220
`' SOFT-SWITCHES
`
`EX. 1003-3
`
`V0”:
`SUBNETWORK
`
`IP NETWORK
`
`DATA SERVICES
`
`SUBNETWORK
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`91J0Zmus
`
`Z81789698177.Sfl
`
`SIGNALING MESSIAGES
`—{— ~ _I .92.
`IVERTICLIE
`:CONTROIL
`IINTERFACE
`34—"4
`
`155
`
`ROUTER
`
`140
`
`SWITCH
`210
`
`IP PHONE 103
`
`CUSTOMER PREMISES 105
`
`SERVICE PROVIDER
`
`CENTRAL OFFICE 205
`
`PETITIONER APPLE INC. EX. 1003-3
`
`

`

`INTEGRATED TRAFFIC
`
`EX. 1003-4
`
`TO SUBSCRIBER'S
`
`LOCATION
`
`210
`
`OTHER TRAFFIC
`
`302
`PACKET
`
`CLASSIFIER
`
`SOFT-SWITCH 220
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`U)
`5'CD
`CDl—p
`D)
`OH,
`I—t
`ON
`
`Z81789698177.Sfl
`
`PETITIONER APPLE INC. EX. 1003-4
`
`

`

`SUBSCRIBER
`LOCATION
`
`105
`
`SUBSCRIBER
`
`LOCATION
`
`402
`
`PACKET
`
`SWITCH
`
`PACKET
`SWITCH
`
`.
`
`EX. 1003-5
`
`SERVICE PROVIDERS NETWORK
`400
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`CI)
`I3"CD
`CD4—}
`J}
`Ot-a
`N
`
`HO
`
`ZS178969877.Sfl
`
`PACKET
`SWITCH
`
`210
`
`PACKET
`SWITCH
`
`210
`
`SUBSCRIBER
`LOCATION
`1 05
`
`SUBSCRIBER
`LOCATION
`1 05
`
`PETITIONER APPLE INC. EX. 1003-5
`
`

`

`220
`
`SOFT-SWITCH
`
`CONNECTION
`
`502
`
`CONNECTION
`
`506
`
`CONNECTION
`504
`
`EX. 1003-6
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`91J0Smus
`
`Z8178969877.Sfl
`
`SCOPE OF H.248
`
`9oo_
`
`l
`
`(D
`
`Z(
`
`I)
`U)
`UJ
`
`oon
`
`:
`n.
`
`PETITIONER APPLE INC. EX. 1003-6
`
`

`

`EX. 1003-7
`
`VoIP
`SUBNETWORK
`310
`
`01'.
`'
`ROUTER
`140
`
`.4
`g:
`'é’}
`IP PHONE 101
`IP ADDRESS = A
`
`CONNECTION
`24”
`
`SWITCH
`210
`
`IP ADDRESS = B
`
`CUSTOMER PREMISES 105
`
`SERVICE PROVIDER
`
`_ _ _ _C_E'1TBA_L Q'TIEE 2_05__J
`
`91J09mus
`
`Z81789698177.Sfl
`
`IP ADDRESS=C
`
`SOFT—SWITCH 220
`
`
`
`man'S'fl
`
`#11(D
`P‘
`3»
`
`NcQN
`
`:
`
`PETITIONER APPLE INC. EX. 1003-7
`
`

`

`IP ADDRESS=C
`
`IP ADDRESS=E1
`
`IP ADDRESS=G
`
`INGRESS
`
`612
`
`'-'
`
`‘
`
`-
`
`SOFT-SWITCH
`
`SOFT-SWIT
`
`EGRESS
`
`SOFT-SWITCH
`520
`
`TO TERMINATING
`
`IP-PBX SERVER
`
`FROM ORIGINATING
`lP-PBX SERVER
`
`EX. 1003-8
`
`CONNECTION
`240
`
`CON ECTION
`
`CONNECTION
`540
`
`INGRESS
`PACKET
`
`SWITCH
`
`210
`
`TRANSIT
`PACKET
`
`SWITCH
`
`410
`
`EGRESS
`PACKET
`
`SWITCH
`
`510
`
`310
`
`IP ADDRESS = B
`
`IP ADDRESS = D1
`
`IP ADDRESS = F
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`U)
`5'CD
`CDl—p
`\]
`OI—I,
`I—t
`ON
`
`Z8178969877.Sfl
`
`PETITIONER APPLE INC. EX. 1003-8
`
`

`

`EX. 1003-9
`
`I
`IP ADDRESS = F
`EGRESS
`|
`CENT
`|
`L _ «H. 51L 9:: 35331 _ _ _ .4
`
`SERVER 802
`
`IP ADDRESS J
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`91J08mus
`
`Z81789698177.Sfl
`
`I” — _ — TPXSDEé§;G_ _ —
`
`EGRESS
`
`SOFT-SWITCH
`
`624
`
`
`
`L 628
`
`I
`CONNECTION
`
`CONNECTION
`
`I I I I I I I L | | | I I I I
`
`I440 .
`
`<_.—‘_——
`REMOTE |
`RING-BACIK
`I
`
`EGRESS
`pACKET
`SWITCH
`
`540
`
`I
`
`IP PHONE 601
`
`DESTINATION CUSTOMER
`L EREWSEE 83‘: ________ _ _ _I
`
`PETITIONER APPLE INC. EX. 1003-9
`
`

`

`EX. 1003-10
`
`IP ADDRESS = F
`EGRESS
`LCE'iTEAi EFE'EEBPL _ _ _ _|
`
`EGRESS
`
`SOFT-SWITCH 520
`
`| I I I | I
`
`SERVER 802
`
`—‘_
`
`F632
`
`vi1
`
`\
`
`IP PHONE 601
`
`DESTINATION CUSTOMER
`L PREMISES 806
`
`.J
`
`
`
`man'S'fl
`
`600Z‘€°q9fl
`
`91J06mus
`
`Z81789698177.Sfl
`
`f_ _ _ _ _ _ _ _ _ _ _ _ _ _
`IP ADDRESS = G
`
`—|
`
`CONNECTION
`540
`
`EGRESS
`PACKET
`
`SWITCH
`
`510
`
`4—:fi_
`I 638
`
`| I | I
`
`CONNECWON
`I440
`
`‘4——i-—————-
`REMOTE]
`RI NG-BACIK
`
`PETITIONER APPLE INC. EX. 1003-10
`
`

`

`IP ADDRESS=G
`
`IP ADDRESS=E1
`
`IP ADDRESS=G
`
`TRANSIT
`SOFT-SWITCH
`
`642
`
`I
`
`638
`
`E
`
`EGRESS
`SOFT-SWITCH
`
`520
`
`FROM ORIGINATING
`
`IP-PBX SERVER
`
`TO TERMINATING
`
`lP-PBX SERVER
`
`
`
`man'S'fl
`
`9"19:1
`600Z
`
`INGRESS
`SO FT-SWITCH
`
`EX. 1003-11
`
`CONNECTION
`
`CONNECTION
`
`CONNECTION
`
`240
`
`540
`
`INGRESS
`
`PACKET
`
`SWITCH
`
`210
`
`TRANSIT
`
`PACKET
`
`SWITCH
`
`410
`
`EGRESS
`
`PACKET
`
`SWITCH
`
`510
`
`IP ADDRESS = B
`
`IP ADDRESS = D1
`
`IP ADDRESS = F
`
`U)
`5'
`('D
`(D4—}
`I—t
`
`C°Wy
`
`—I
`ON
`
`Z81789698177.Sfl
`
`PETITIONER APPLE INC. EX. 1003-11
`
`

`

`EX. 1003-12
`
`PACKET
`SWITCH
`IP ADDRESS = B
`210
`I SERVICE PROVIDER
`I CENTRAL OFFICE 205
`
`| I | | I | I I I I
`
`|
`
`644
`
`N
`
`O
`
`NNECT
`
`140
`
`ROUTER
`131
`
`IP PHONEW131
`'P ADDRESS = A
`CUSTOMER PREMISES 105
`
`CONNECTION
`240
`
`VOIP
`
`SUBNETWORK
`
`310
`
`
`
`mama'S'fl
`
`60%‘9'qaa
`
`91J0[Imus
`
`Z81789698177.Sfl
`
`PETITIONER APPLE INC. EX. 1003-12
`
`

`

`FIG. 12
`
`CONNECTION
`
`140
`
`CALLING PHONE
`101
`IP ADDRESS A
`
`INGRESS
`PACKET
`SWITCH
`210
`
`CONNECTION
`
`. 240
`
`TRANSIT
`PACKET
`SWITCH
`410
`
`CONNECTION
`440
`
`EGRESS
`PACKET
`SWITCH
`510 CONNECTION
`
`VOICE
`PACKET
`
`RTP
`
`UDP
`
`IP ADDRESS
`
`(A&H AS SOURCE
`AND DESTINATION
`DEPENDING ON
`DIRECTION ON
`
`DIRECTION OF FLOW)
`
`LOWER LAYER
`SPECIFIED BY
`CONNECTION 240
`
`VOICE
`PACKET
`
`RTP
`
`UDP
`
`VOICE
`PACKET
`
`UDP
`
`IP ADDRESS
`
`IP ADDRESS
`
`VPN-ID
`
`(MPLS
`IN EXAMPLE)
`
`LOWER LAYER
`SPECIFIED BY
`CONNECTION 240
`
`VPN-ID
`(MPLS
`IN EXAMPLE)
`LOWER LAYER
`SPECIFIED BY
`CONNECTION 440
`
`1 220
`
`1220
`
`1210
`
`EX. 1003-13
`
`(A&H AS SOURCE
`AND DESTINATION
`DEPENDING ON
`DIRECTION ON
`DIRECTION OF FLOW)
`LOWER LAYER
`SPECIFIED BY
`CONNECTION 240
`
`CA i ED PHONE
`601
`IP ‘ DDRESS H
`
`VOICE
`PACKET
`
`IP ADDRESS
`
`
`
`man'S'fl
`
`60%‘9TIM
`
`91J0ZImus
`
`Z81789698177.Sfl
`
`PETITIONER APPLE INC. EX. 1003-13
`
`

`

`LOCAL
`SOFT-SWITCH
`
`200
`
`SOFT—SWITCH
`FOR GATEWAY
`
`FOR INCOMING CALL,
`THE SOFT-SWITCH CAN IDENTIFY
`THE VPN LABEL FROM
`THE DIALED NUMBER
`
`SERVICE
`PROVIDER'S
`IP NETWORK
`
`EX. 1003-14
`
`\
`// ENCAPSULATION WILL BE USED \
`VOICE
`PACKET
`
`CALL'q‘aPHONE
`SUBSCRIBER
`
`IP ADDRESS A1
`
`/
`
`LOCAL
`PACKE; (SWITCH \\
`
`\
`
`PSNT GATEWAY
`1302
`
`PSTN PHONE
`1301
`
`VOICE
`PACKET
`
`IP ADDRESS
`
`LOWER LAYER
`
`IP ADDRESS
`
`VPN-ID
`
`LOWER LAYER
`
`
`
`mama'S'fl
`
`60%‘9'qaa
`
`U)
`5'
`('D
`(D4—}
`h—t
`()3
`°W
`I—L
`ON
`
`Z81789698177.Sfl
`
`PETITIONER APPLE INC. EX. 1003-14
`
`

`

`IP ADDRESS FROM
`SUBSCRIBER 1 IS USED
`
`IP ADDRESS FROM
`SUBSCRIBER 2 IS USED
`
`INGRESS
`
`IP ADDRESS C
`
`EGRESS
`
`IF, ADDRESS J
`
`CALLE6%PHONE
`
`CALLING PHONE
`101
`SUBSCRIBER 1
`IP ADDRESS A
`
`FIG. 14a
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`91J0I71mus
`
`Z81789698177.Sfl
`
`EX. 1003-15
`
`GATEWAY
`1402
`SERVICE PROVIDER'S
`IP NETWORK
`
`INTER-NET
`
`SUBSCRIBER 2
`LAN
`
`EGRESS
`PACKET
`SWITCH
`510
`
`INGRESS
`PACKET
`SWITCH
`21o
`
`VOICE PACKET WITH VPN
`IDENTIFIER FOR SUBSCRIBER 1
`
`VOICE PACKET WITH VPN
`IDENTIFIER FOR SUBSCRIBER 2
`
`PETITIONER APPLE INC. EX. 1003-15
`
`

`

`IP ADDRESS FROM
`SUBSCRIBER 1 IS USED
`
`IP ADDRESS FROM
`SERVICE PROVIDERS
`SPACE IS USED
`
`INGRESS
`SOFT'SW'TCH \\
`IP ADDRESS C
`
`SUBSCRIBER 1
`LAN
`1304
`
`,
`
`SERVICE
`PROVIDERS
`IP NETWORK
`
`INGRESS
`PACKET SWITCH
`21 0
`
`EGRE S
`PACKET SWITCH
`510
`
`VOICE PACKET WITH
`SPECIAL VPN IDENTIFIER
`
`CALLING PHONE
`‘01
`SUBSCRIBER
`IP ADDRESS A
`
`EX. 1003-16
`
`IP ADDRESS FROM
`SUBSCRIBER 2 IS USED
`/
`
`/
`
`EGRESS
`/
`/ SOFT-SWITCH
`IP ADDRESS J
`
`/
`
`o E
`E
`CALL 6%?“ N
`SUBSCRIBER
`Y
`
`IP ADDRESS
`
`SUBSCRIBER 2
`LAN
`1404
`
`mam'S'fl
`
`60%‘9'qaa
`
`91J0SImus
`
`Z81789698177.Sfl
`
`PETITIONER APPLE INC. EX. 1003-16
`
`

`

`CALLING PHONE
`
`SUBSCRIBER
`IP ADDRESS A
`
`E s
`
`220
`
`520
`
`EGRESS
`
`SOFT'SW'TCH
`"D ADDRESS J
`
`SUBSCRIBER
`LAN
`
`SERVICE
`PROVIDER‘S
`IP NETWORK
`
`SUBSCRIBER
`LAN
`
`INGRESS
`PACKET SWITCH
`210
`
`EGRESS
`PACKET SWITCH
`510
`
`SCIDIEFSVSITCH
`IP ADDRESS C
`
`EX. 1003-17
`
`CALLIES‘J1 PHONE
`
`SUBSCRIBER
`IP ADDRESS B
`
`
`
`man'S'fl
`
`60%‘9'qaa
`
`91J091mus
`
`Z81789698177.Sfl
`
`T]
`
`(AB)
`
`IP ADDRESS PAIR
`
`T]
`
`PETITIONER APPLE INC. EX. 1003-17
`
`

`

`US 7,486,684 B2
`
`2
`alternative is similar to the “Software Defined Network” ser-
`vices from the SPs where TDM based PBXs are connected to
`
`_
`
`the SP’s networking using the Primary Rate Interface (PRI)
`from the ISDN. We will refer to this alternative as VoIP-VPN.
`The module in this network that handles call signaling from
`the user is commonly referred to as a soft-switch. Depending
`on the size ofthe network, a network may contain a number of
`soft-switches, which are interconnected. Call signaling mes-
`sages route through a series of soft-switches in order to estab-
`lish a call as it is more efficient to connect the IP PBXs
`
`through an IP network, without converting the voice traffic to
`TDM and back.
`
`ets ofvoice data from an originating point from one subscrib-
`
`1
`METHOD AND APPARATUS FOR
`ESTABLISHMENT AND MANAGEMENT OF
`VOICE-OVER IP VIRTUAL PRIVATE
`NETWORKS IN IP-BASED
`COMMUNICATION SYSTEMS
`
`FIELD OF THE INVENTION
`
`The invention relates to the field of communications sys-
`tems and more specifically to the management and control of
`voice-over Internet Protocol (VoIP) Virtual private networks
`(VPNs) in an IP-based public branch exchange (PBX) envi-
`ronment.
`
`
`
`DESCRIPTION OF THE BACKGROUND ART
`
`IP based PBX has gained acceptance and momentum in the
`market place of advanced, high speed communications. The
`architecture of an prior art IP-PBX system is seen in FIG. 1.
`The system 100 consists of a number of IP phones (101, 102,
`103) which are connected to a local area network (LAN) 120.
`Connected to the LAN is a server 110 which provides control
`ofthe local telephony network. The server 110 communicates
`with IP phones (101, 102, 103) via IP messages, accepts call
`requests from the IP phones (101, 102, 103) and alerts the
`phones upon incoming calls. There are two common stan-
`dards for this protocol: H.248 from the International Tele-
`phone Union (ITU) and Session Invitation Protocol (SIP)
`from the Internet Engineering Task Force (IETF). The intel-
`ligence of the system 100 resides in the server 110 which can
`provide enhanced services such as call waiting, call hold, call
`transfer and the like.
`
`In IP-PBX, voice traffic is encapsulated inside IP packets
`and is carried between the IP phones using the LAN. For
`communications to phones in the public switched telephone
`network (PSTN), a gateway 130 is needed to convert the IP
`encapsulated voice trafiic to the traditional time division mul-
`tiplexed (TDM) format. The gateway 130 is also under con-
`trol of the server 110 using H.248. The usual access protocol
`between the gateway 130 and the PSTN is ISDN PRI. Many
`traditional PBXs have been upgraded to have an IP interface
`to support IP phones. These PBXs are considered as IP-PBX
`in this convention.
`
`As IP-PBXs are created, the need to connect all the PBXs
`within an enterprise together to form a corporate network
`exists (just as it did with respect to TDM based systems). An
`advantage in connecting two IP-based PBXs is that the voice
`trafiic is already packetized. Direct packet-to-packet connec-
`tivity is desirable as there is no need to convert the voice
`packets to TDM and back to again. A packet to TDM gateway
`is not necessary for calls between the IP-PBXs. This results in
`cost reduction and improvement in the performance of the
`system, as this avoids costly packet to TDM conversion and
`vice versa.
`
`In one of the approaches to interconnect IP-PBXs, the user
`subscribes to connection oriented packet services, such as
`frame relay and ATM permanent virtual circuit services, from
`a service provider (SP). The SP would only provide transport
`services for the packet and is not aware that the packets are
`voice packets. In an alternate approach in which the SP can
`provide added functionality, the SP would actively participate
`in the call signaling when a call is being in set up. In doing so,
`the SP can provide enhanced service at the request of the
`end-user on a call-by-call basis.As the SP network is aware of
`when calls are set up and torn-down, the service can be 65
`charged based on call duration. This may result in lower cost
`to the end-user, anotherbenefit. In the TDM environment, this
`
`In the curre 1t state of the art, all the IP phones are assigned
`an IP address from the SP’s IP address space. However, this is
`a major shor coming. Most enterprises use their own IP
`addressing scheme in addressing their workstations and PCs.
`All IP-VPN services allow the customer to use their own IP
`
`address scherr e. Customer would like any VoIP-VPN service
`to have the same capability, i.e, the IP phones can be assigned
`IP address fro n the customer IP address space instead of the
`SP’s public IP address space. This capability is important as,
`in the future, that an IP phone would actually be part of a PC
`or workstatior . In this case, it is paramount that the PC and the
`IP phone use he same IP address or, at least, use IP address
`from the same addressing space. This invention describes an
`innovative method to do this.
`
`
`
`SUMMARY OF THE INVENTION
`
`The disadvantages heretofore associated with the prior art
`are overcome by a novel method for establishing and manag-
`ing voice call traffic in anVoIP IP virtual private network. The
`method comprises, in one embodiment, determining the rela-
`tive location of a terminating point with respect to an origi-
`nating point of a new communication containing the voice
`data, determining one or more IP addresses to egress the
`communication from the originating point to the terminating
`point, creating a VPN identifier in the new communication,
`passing the new communication to the terminating point and
`removing the VPN identifier from the new communication.
`The VPN identifier is an extra field (such as an MPLS label)
`added to an encapsulation coding scheme ofthe voice data. In
`an alternate method, the packet switches (or special gateway)
`can perform address translation from an IP address from one
`IP address space to an IP address from another IP address
`space of the voice data.
`An apparatus for IP-based VPN communications includes
`at least one soft-switch and at least one packet switch having
`an interface to said at least one soft-switch. The packet switch
`has a VPN processing module for selectively establishing a
`VPN based on a selection of originating and terminating IP
`addresses of voice calls passed to the at least one soft-switch
`and at least one packet switch. In one embodiment, the at least
`one soft-switch is an ingress soft-switch and an egress soft-
`switch. Similarly, the at least one packet switch is an ingress
`packet switch and an egress packet switch. The apparatus may
`further include a PSTN gateway connected to a gateway
`soft-switch and said at least one soft-switch for processing
`“off-net” calls. The apparatus may further include an inter-
`VPN gateway disposed between an ingress packet switch and
`an egress packet switch. The inter-VPN gateway passes pack-
`
`PETITIONER APPLE INC.
`
`EX. 1003-18
`
`PETITIONER APPLE INC. EX. 1003-18
`
`

`

`US 7,486,684 B2
`
`3
`
`4
`
`er’s VoIP-VPN to a terminating point of another subscriber’ s
`VoIP-VPN, modifying the VPN identifier appropriately.
`
`
`
`BRIEF DESCRIPTION OF THE DRAWINGS
`
`subscriber can negotiate the per-minute cost with the SP
`which usually results in cost saving. The subscribers can use
`many of the enhanced features provided by the SP. The sub-
`scriber can leave the detailed engineering and maintenance of
`the network to the SP. The SP offers a VoIP VPN service that
`
`'
`
`following descriptions, the soft-switch represents the entire
`
`The teachings of the present invention can be readily
`understood by considering the following detailed description
`in conjunction with the accompanying drawings, in which:
`FIG. 1 depicts a general overview of a prior art IP-PBX
`configuration;
`FIG. 2 depicts a general overview of a portion of a com-
`munication system in one embodiment of the subject inven-
`tion;
`FIG. 3 depicts an abbreviated view of the system of FIG. 2
`to highlight a packet classifier feature;
`FIG. 4 depicts a general architecture ofa transport network
`which is connected to the communication system of the sub-
`ject invention;
`FIG. 5 depicts a detailed view of a packet switch in one
`embodiment of the subject invention;
`FIG. 6 depicts a flow diagram of forward signaling of a call
`in the ingress soft switch of the system;
`FIG. 7 depicts a flow diagram of forward signaling of a call
`in the transit network;
`FIG. 8 depicts a flow diagram of forward signaling of a call
`in the egress soft switch;
`FIG. 9 depicts a flow diagram of return signaling of a call
`in the egress soft switch;
`FIG. 10 depicts a flow diagram ofreturn signaling of a call
`in the transit network;
`FIG. 11 depicts a flow diagram ofreturn signaling of a call
`in the ingress soft switch of the system;
`FIG. 12 depicts encapsulation schemes of voice packets in
`one embodiment of the subject invention;
`FIG. 13 depicts a configuration of a call from the VPN to
`the Public Switched Telephone Network in one embodiment
`of the subject invention;
`FIG. 14a depicts a configuration of a call from a first VPN
`to a second VPN in one embodiment ofthe subject invention;
`FIG. 14b depicts a configuration of a call from a first VPN
`to a second VPN in a second embodiment of the subject
`invention; and
`FIG. 15 depicts a configuration for a call between two
`locations on the same VPN where address translation is used
`
`to transfer traffic in the subject invention.
`To facilitate understanding, identical reference numerals
`have been used, where possible, to designate identical ele-
`ments that are common to the figures.
`
`DETAILED DESCRIPTION
`
`The subject invention specifies a network architecture for
`providing a voice over IP virtual private network (VoIP VPN)
`service to a subscriber and a method of establishing such a
`VoIP VPN. The VoIP VPN service connects all the IP-PBXs
`
`of a subscriber into a single logical network. In one embodi-
`ment, the present invention provides a virtual private network
`service where subscribers can use their own internal dial plan.
`This does not preclude each IP phone from being assigned its
`own E. 164 number (the international standard dial plan) and
`receiving calls from the PSTN directly. Similarly, a sub-
`scriber can use their own IP address assignment plan in
`assigning IP addresses to the IP-PBX server and the IP
`phones. The VoIP VPNs from all the subscribers share a
`common physical network.
`Connecting IP-PBXs together to form a corporate network
`has many advantages to the SP and subscribers alike. The
`
`allows such SP’s to keep the traffic of the high-end subscrib-
`ers on their network. These subscribers, in general, have a
`tendency to subscribe to many enhanced services, which have
`high margin. Another benefit to the subscriber is that the SP
`can charge the service based on usage (e. g. minutes ofuse). In
`many instances, the SP can provide attractive rates which
`results in substantial savings to the subscriber.
`A useful feature of the VoIP VPN service is that the SP
`
`provides gateway functionality to the PSTN. This function-
`ality renders the traditional packet-to-TDM gateway of the
`IP-PBX unnecessary. This reduces the system cost of the
`IP-PBX, both in capital spending and future maintenance.
`Also, an inter-VPN gateway would be another useful feature.
`The inter-VPN gateway forwards voice packets from one
`VPN to another directly, without conversion to TDM first.
`Additionally, the same architecture also applies to other voice
`over packet technologies such as ATM with slight modifica-
`tion, and not just VoIP.
`FIG. 2 depicts a portion of an exemplary communications
`system 200 in one embodiment of the subject invention. The
`system 200 comprises a Customer Premise 105 having a
`plurality of IP phones (101, 102, 103) and a server 110 con-
`nected to a VoIP-VPN SP at the SP’s central office 205.
`Connection 145 is the connection between the customer 105
`and CO 205, and is made via one or more routers 140. In one
`embodiment ofthe invention, the subscriber (at the Customer
`Premise) uses their own IP address in assigning IP address to
`their devices. To increase reliability, dual access to the SP is
`possible (such as via a second connection 155 shown in
`broken line format).
`The router 140 at the Customer Premise 105 is connected to
`
`a special media gateway 210 at the SP’s central office. This
`media gateway 210 accepts voice packets from an incoming
`interface and switches these packets to an outgoing interface.
`In H.248 terminology, all the terminations of this special
`gateway are packet terminations. i.e. ephemeral terminations.
`Although the voice traffic remains in packet form, its encap-
`sulating scheme may change (e. g. from IP to ATM, or from IP
`V4 to IP V6). Even if the packet encapsulation scheme
`remains the same, header information may be changed (e.g.
`one IP address to another IP address). We refer to this type of
`media gateway 210 as a packet switch.
`Also located at the SP central office is a soft-switch 220.
`Server 110 at the Customer Premise 105 will communicate
`
`with the soft-switch 220 with an agreed upon signaling pro-
`tocol. Examples of suitable protocols used are selected from
`the group consisting of H248 and SIP. The soft-switch 220,
`based on requests from the server 110 or peer soft-switches
`(explained in greater detail below), sends the appropriate
`commands to packet switch 210 to set up the appropriate
`cross-connects. Such interaction between the soft-switch 220
`
`and packet switch 210 is managed by a control interface (i.e.,
`a vertical control interface) 215 (described in greater detail
`below). The soft-switch is the intelligence of the system. It
`contains all the information regarding the subscribers’ VPNs.
`For example, it keeps track ofthe VPN that a location belongs
`to, the dial plans of the subscribers, the VPN identifier for an
`VPN (or a particular interface) and the like. The soft-switch
`can be implemented in a distributed marmer in that its data-
`base may be housed in a different physical unit than its pro-
`cessing logic modules or as a single unit. For simplicity, in the
`
`PETITIONER APPLE INC.
`
`EX. 1003-19
`
`PETITIONER APPLE INC. EX. 1003-19
`
`

`

`US 7,486,684 B2
`
`5
`
`6
`
`
`
`system, containing all the necessary modules such as signal-
`ing, control logic, service logic, database and the like.
`In general, the subscriber would subscribe to many ser-
`vices from the same SP, both data services as well as voice
`services (i.e., integrated access) via the first and second con-
`nections 145 and 155. It is the SP’s responsibility to separate
`the packets and direct them to the appropriate network equip-
`ment that supports the individual services. The separation
`function that separates all packets based on some criteria is
`referred to as packet classification. FIG. 3 depicts an abbre-
`viated view of the communication system 200 for the pur-
`poses of focusing on packet classification. In most cases,
`packet classification is performed in the packet switch 210.
`Both data and voice traffic is sent from the Customer Premise
`
`105 to the packet switch 210. The packet switch 210 classifies
`the packets and forwards all VoIP-VPN voice packets to a
`VoIP network (and vice versa). The VoIP network carries both
`on—net (within the same VoIP VPN) and off-net (to PSTN)
`calls. Packet switch 210 also forwards other packets to the
`appropriate services.
`In some implementations, a packet classifier 302 is exter-
`nal to the packet switch 210. One or more tunnels 300x are
`established between packet classifier 302 and the packet
`switch 210. Thepacket switch 302 forwards all voice traffic to
`the packet switch 210 through these tunnels 300x. In short,
`packet classification is a function of a logical module which
`can be external or internal to the packet switch 210.
`In one embodiment ofthis classifier 302, each access inter-
`face has an associated table whose entries consist of destina-
`
`tion and origination IP-address/UDP port pairs with protocol
`type UDP. The entries are dynamically created and deleted
`based on the call signaling. The table is created when a call is
`set up and deleted when a call is torn down. Packets matching
`any one ofthe entries will be forwarded to the logical module
`that handles the VoIP-VPN logic. Otherwise, packets are
`processed as non VoIP-VPN traffic.
`As the number of the active phones rise even during busy
`hours, the classification table is relatively small. If memory
`and performance are concerns, many alternative algorithms
`are possible, but at
`the expense being more rigid. For
`example, all VoIP-VPN traffic can be assigned a diffServ
`(RFC 2474) code point (DSCP) and the classification may
`key on this code point. In this example, the classification table
`is a single entry, the DSCF. However, the subscriber has to
`ensure no other applications or services use this DSCF value.
`An alternate method is to use an IP subnet mask. This implies
`that all IP-phones, and only IP-phones, belong to this IP
`subnet.
`
`The classification process is performed at the first point of
`entry to the SP’s network. If the first point of entry is the so
`soft— switch 220, information to build the classification table is
`already embedded in the vertical control protocol between the
`soft-switch 220 and the packet switch 210 and no additional
`protocol is needed. If the first point ofentry is another device,
`that device needs to support the classification module and to
`be under soft-switch control. VoIP-VPN traffic is forwarded
`
`to the packet switch 210 via a plurality of tunnels 300x such
`as but not limited to MPLS LSPs. An embodiment of this
`
`control protocol is H.248 using an enhanced package that
`supports this function.
`It is not necessary for the subscriber to classify packets at
`their premises. However, it may be advantageous to do so in
`some instances. The classifier 302 allows the same architec-
`ture as the one at the SP central office and is under the control
`of the IP-PBX server. After classification, the subscriber can
`put the VoIP-VPN traffic in tunnels (for example, a dedicated
`layer 2 tunnel) and transfer the packets to the SP. Certain
`
`advantages of putting the VoIP-VPN traffic on separate layer
`2 tunnels include: (1) the ability to engineer the tunnels to the
`desired QoS level; (2) an ease in security administration as the
`traffic is separated and different policies can be applied to the
`_ VoIP-VPN traffic; and/or (3) diverse routing is dynamically
`supported on a per call basis. Calls to the same place can be
`forwarded differently by mapping them to different layer 2
`tunnels.
`
`FIG. 4 depicts the general architecture of a transport net-
`work 400 which is connected to the system 200. Packet
`switches 210 of various SP central offices are connected to
`
`each other through a network 3 1 0 via connection to a plurality
`of network core packet switches 402. In some embodiments
`of the invention, tunnels are used in order to provide a guar-
`anteed level of quality of service as the tunnels can be engi-
`neered more easily. Examples of suitable tunneling tech-
`niques are frame relay permanent virtual circuit (PVC), ATM
`PVC, MPLS labeled switched path (LSP), IP tunnels and the
`like. Tunnels based on other higher layer protocols are con-
`sidered layer-2 connections as these tunnels functionally pro-
`vide point-to-point connectivity (layer 2 functions).
`Note that the invention does not preclude direct logical
`connection between two “edge” packet switches 210. In fact,
`this is the case if the traffic volume between two packet
`switches warrants such a connection. More specifically, the
`invention supports both direct as well as consolidated (via
`core packet switches 402) connection. In addition, connec-
`tivity between the customer premise router 140 and the edge
`packet switch 210 as well as between packet switches do not
`necessarily need to be based on tunnel technologies. The
`invention a so supports regular connectionless IP. However,
`in the latter case, quality of service may not be guaranteed.
`A well accepted standard for the vertical control interface
`215 betwee 1 a media gateway controller (or soft-switch 220)
`and a media gateway (or packet switch 210) is the H.248
`specificatiot from the ITU, though others may be used. As
`there are many different types of media gateways, the H.248
`recommenc ation provides the means for the industry to
`extend the specifications to support the different types of
`gateways. These extensions are referred to as “packages”.
`The packet switch 210 can be considered as a specific type of
`gateway wl ere all the terminations are ephemeral (non-per-
`manent). This following description specifies the functional
`characteristics of the interface between the soft-switch 220
`
`
`
`and the packet switch 210, and can be implemented as a
`package of the H.248 specification. Other embodiments of
`H.248 are also possible.
`The structure of the packet switch 210 is described herein
`for illustrative purposes only using the terminology of H.248.
`The logical structure of the packet switch 210 that manages
`voice traffic is depicted in FIG. 5. The packet switch 210 is
`provided with a plurality of layer-l (physical) or layer-2
`(logical link) connections 502, 504, 506. The peer of these
`connections can be rotters 140 at customer premises 105,
`routers within the SF’s IP network, and other packets
`switches (210 or 402). Each connection carries a number of
`voice calls. Each ofthe voice calls (denoted by arrows extend-
`ing from the plurality of connections 502, 504 and 506 into
`the packet switch 210) passes through a VPN Processing
`Logic Module 510. The VPN Processing Logic Module 510
`decides how to establish theVPN based on the originating and
`destination addresses in the call signaling information (dis-
`cussed in greater detail below). The maximum number of
`allowable calls for each connection depends on the amount of
`network resources allocated and the nature ofthe calls (coder,
`silence suppression, etc.). The soft-switch 220 manages the
`
`PETITIONER APPLE INC.
`
`EX. 1003-20
`
`PETITIONER APPLE INC. EX. 1003-20
`
`

`

`US 7,486,684 B2
`
`7
`
`8
`
`number of active calls over a specific connection. Calls are
`identified as call terminations within packet switch 210.
`When the soft-switch 220 needs to establish a cross-con-
`
`intervals. In one embodiment ofthis invention, the setting and
`retrieval of this information is executed through the H.248
`vertical interface.
`
`whether the call is local, to another on—net phone, or to a
`
`There could be multiple technologies, one encapsulating
`he other within layer 2. Therefore, this sub-field is actually an
`ordered sequence of the (type, ID) pair as described above.
`For example, the layer 2 could be MPLS over frame relay. In
`his case, the sequence is (frame relay, DLCI) and then
`MPLS, label). Depending on the encoding scheme, an addi-
`ional information sub -field, indicating the number of entries
`in the sequence may be added. In an alternate embodiment, an
`indicator field in each entry exists to indicate whether there
`are more entries following. The order of t