WO1997040610A2 - Internet protocol filter - Google Patents

Internet protocol filter Download PDF

Info

Publication number
WO1997040610A2
WO1997040610A2 PCT/CA1997/000269 CA9700269W WO9740610A2 WO 1997040610 A2 WO1997040610 A2 WO 1997040610A2 CA 9700269 W CA9700269 W CA 9700269W WO 9740610 A2 WO9740610 A2 WO 9740610A2
Authority
WO
WIPO (PCT)
Prior art keywords
packet
network
address
node
destination
Prior art date
Application number
PCT/CA1997/000269
Other languages
French (fr)
Other versions
WO1997040610A3 (en
Inventor
Bruce Anthony Wootton
William G. Colvin
Original Assignee
Northern Telecom Limited
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Family has litigation
First worldwide family litigation filed litigation Critical https://patents.darts-ip.com/?family=21774476&utm_source=google_patent&utm_medium=platform_link&utm_campaign=public_patent_search&patent=WO1997040610(A2) "Global patent litigation dataset” by Darts-ip is licensed under a Creative Commons Attribution 4.0 International License.
Application filed by Northern Telecom Limited filed Critical Northern Telecom Limited
Priority to DE69708281T priority Critical patent/DE69708281T2/en
Priority to AU25632/97A priority patent/AU707905B2/en
Priority to CA002248577A priority patent/CA2248577C/en
Priority to JP9537534A priority patent/JPH11508753A/en
Priority to KR1019980708503A priority patent/KR100317443B1/en
Priority to EP97917189A priority patent/EP0895684B1/en
Publication of WO1997040610A2 publication Critical patent/WO1997040610A2/en
Publication of WO1997040610A3 publication Critical patent/WO1997040610A3/en

Links

Classifications

    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/0281Proxies
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/28Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
    • H04L12/46Interconnection of networks
    • H04L12/4604LAN interconnection over a backbone network, e.g. Internet, Frame Relay
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L12/00Data switching networks
    • H04L12/66Arrangements for connecting between networks having differing types of switching systems, e.g. gateways
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2514Translation of Internet protocol [IP] addresses between local and global IP addresses
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L61/00Network arrangements, protocols or services for addressing or naming
    • H04L61/09Mapping addresses
    • H04L61/25Mapping addresses of the same type
    • H04L61/2503Translation of Internet protocol [IP] addresses
    • H04L61/2517Translation of Internet protocol [IP] addresses using port numbers
    • HELECTRICITY
    • H04ELECTRIC COMMUNICATION TECHNIQUE
    • H04LTRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L63/00Network architectures or network communication protocols for network security
    • H04L63/02Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
    • H04L63/029Firewall traversal, e.g. tunnelling or, creating pinholes

Definitions

  • the present invention generally relates to inter ⁇ network firewalls and, in particular, to an internet protocol (IP) filter whereby a private IP network domain is mapped to a single IP address on the public Internet.
  • IP internet protocol
  • Firewalls are generally known and characterized by computer servers which function to couple nodes within the domain of the private network to nodes in a public network domain, such as the Internet.
  • a deficiency of the known firewall products is the need for a unique public IP address for each concurrent session or interaction between public and private nodes.
  • the invention therefore, according to a first exemplary aspect provides a method of interfacing private and public data communications networks, through a filter node in communication with both networks, the filter node having an address known in the public network, comprising the steps of: routing from nodes in the private network, to the filter node, data packets having destination information, which includes a destination address and a destination port, corresponding to nodes in the public network and having source information, which includes a source address and a source port, of the respective private network nodes; for each data packet received from the private network, at the filter node, maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node, and replacing in the data packet the source address with the filter node address and the source port with the filter node port value; and routing from the filter node, in the public network, the data packets having the replaced source information, according to the destination information in
  • the invention provides a method of interfacing private and public data communications networks, through a filter node in communication with both networks, comprising the steps of: (a) receiving at the filter node, from the private network, a data packet having an a destination address corresponding to a node in the public network and a source address corresponding to a node in the private network; (b) maintaining, by the filter node, the source address taken from the data packet; (c) replacing, in the data packet, the source address with an address of the filter node; (d) routing from the filter node, in the public network, the data packet having the replaced source address, according to the destination address, to the corresponding public network node; (e) waiting for a return packet from the public network, responsive to the data packet having the replaced source information; (f) replacing, in the return packet, the destination address with the maintained source address; and (g) routing from the filter node, in the private network, the return packet having the replaced destination address to the corresponding private network node.
  • the invention provides a method of operating a filter node for interfacing first and second data communications networks, comprising the steps of: receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network; maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and sending to the second network the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.
  • the invention provides a filter node for interfacing first and second data communications networks, comprising: means for receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the public network and having source information, which includes a source address and a source port, corresponding to a node in the first network; means for maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; means for replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and means for sending to the second network, the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.
  • An IP filter embodying the present invention, is a communications device designed to provide public network or Internet access to nodes of private networks, advantageously without requiring the private nodes on such networks to register public Internet addresses.
  • the IP filter effects a translation between a source port number for the private network and a destination port number for the public network for communication therebetween. Benefits of the IP filter include private node security and conservation of Internet-registered addresses.
  • the IP filter may support three data transport protocols over the internet protocol: transmission control protocol (TCP), user datagram protocol (UDP) and Internet control message protocol (ICMP) . Packets of other protocols may be ignored.
  • TCP transmission control protocol
  • the TCP protocol prepends a TCP header to a data packet.
  • the source port and destination port numbers are contained in this header.
  • the Internet addresses of the source and destination nodes are contained in the IP header.
  • the IP address and port information extracted from each packet will be used to determine where the IP filter should route this packet.
  • the IP filter maintains a lookup table of information on each TCP connection. This information includes the port from the private node, the private IP address, the assigned port number of the destination node, and the port number of the IP filter in the form of an index.
  • the private address and port number are added to the table as a new entry, if an entry corresponding to this packet is not found in the table and if the TCP header indicates that this is a new connection request. Then the source address and port number in the packet header are replaced with the IP filter's IP address and port number, and the packet is transmitted to the Internet.
  • the destination port number is used to index the lookup table.
  • the destination address and port number are replaced with the private network's IP address and port number, and the packet is transmitted to the private network. If the received packet's source port is different from the port recorded in the table, and if the packet header information indicates that this packet is the first response on the connection, then the lookup table is updated with the port number assigned by the Internet node, if needed.
  • the lookup table entry is zeroed. If the IP filter receives packets from the Internet that do not have entries in the lookup table corresponding to the IP filter port, it ignores the packets.
  • the UDP protocol is connectionless, as opposed to
  • TCP a connection-oriented protocol.
  • the UDP header contains no codes governing initial connection or end of transmission.
  • the data of interest in the UDP header are the source port and destination port. This information, along with the Internet addresses contained in the IP header, are used to determine where the IP filter should route this packet.
  • the IP filter maintains a lookup table of information on each UDP session.
  • the IP filter receives a UDP packet from the private network, it records the source address, the source port number, the destination port number, and the assigned IP filter port number as the index to the table. Then the private node address and port number in the packet header are replaced with the address and assigned port number of the IP filter. Then the packet is transmitted to the Internet.
  • the IP filter When the IP filter receives a UDP packet from the Internet, it indexes the UDP lookup table and replaces the packet's destination information, namely the IP filter address and assigned port number, with the private address and port number from the lookup table.
  • the lookup table also maintains an interval indication for an expiration timer on datagram packets received as per standard UDP implementations. If the IP filter receives packets from the Internet that do not have entries in the lookup table corresponding to the IP filter port, it ignores the packets. As ICMP packets do not contain port numbers of either source or destination, any ICMP packets received from the private network are processed one at a time, with buffering of additional ICMP packets.
  • the IP filter reads the private address from the packet header and replaces it with the address of the IP filter.
  • the packet is transmitted to the Internet, and the IP filter waits for the response.
  • the destination address in the packet header is changed from that of the IP filter to that of the node on the private network. Then the IP filter transmits the packet to the private network.
  • each node To successfully deliver packets over an IP protocol network, each node must maintain a table of other hosts' IP addresses and their corresponding Ethernet addresses in an Ethernet based data communications network. The nodes actually use the IP addresses and the Ethernet addresses to address packets. The relationship between the two addresses is dynamic; that is, a node with an IP address may change its Ethernet address.
  • the information in the address table is obtained from the replies to the node's broadcast of ARP packets.
  • the source node broadcasts ARP packets to request the Ethernet address of the destination node, given the destination node's IP address. If the destination node receives the packet, it sends a reply packet with the requested information.
  • the IP filter passes ARP packets in a manner similar to TCP and UDP packet passing.
  • the IP filter receives an ARP packet from a node on the private network destined for the public network, it replaces the source address information with the filter's address information.
  • the private node's IP address and the target IP address are placed in a lookup table.
  • the target node replies with its own Ethernet address, the destination address information is changed from that of the IP filter to that of the private node before transmitting the packet to the private node.
  • the private node address information is obtained from the table.
  • the ARP packet does not pass through the IP filter but is restricted to communications between the filter and the one side of the network.
  • IP filter may log, for example, by writing them into a text file.
  • the IP filter ideally will process packets as fast as the networks present them but when network traffic is too heavy, the IP filter will then buffer the packets in two queues, one for the private network and one for the Internet.
  • Two source and destination lookup tables may be utilized, one for TCP packets and the other for UDP packets.
  • Each table is directly indexed by the IP filter port number assigned to the communication session.
  • the table entries contain the IP address of the private node, the source port of the private node, and the destination port of the Internet node. If there is no connection on a certain IP filter port, then the corresponding entry in the table may be zeroed. Packets arriving from both the private network and the Internet are processed using the same lookup table. This arrangement assumes that of the available IP filter communications ports some are designated for UDP communication and some for TCP communication.
  • Figure 1 is a schematic representing an internet protocol filter coupling a private network and a public network
  • Figure 2 is a block diagram representing internal components of the filter.
  • a private network 10 communicatively coupled through an internet protocol (IP) filter 12 to a public network 14 which may form part of a global data network, otherwise referred to as the Internet 16.
  • IP internet protocol
  • the private network 10 represents a conventional data communications network, such as a local area network (LAN) , having a plurality of nodes 18 each being identified by a unique IP address within the domain of the private network 10.
  • the public network 14 and Internet 16 are representative of public domain data communications networks also having a plurality of nodes 20 with corresponding IP addresses.
  • the IP filter 12 acts as a gateway through which data packets are exchanged between the private network 10 and the public network 14, thereby providing Internet access to the nodes 18 of the private network 10.
  • the IP filter 12 constitutes one of the private network nodes 18 and is the only such node to have a public IP address that is Internet-registered, whereby the IP filter 12 essentially also constitutes one of the public nodes 20 and its IP address is known in the public domain.
  • the IP addresses of the other private network nodes 18 are reserved for the private network 10, and not known or registered in the public Internet address domain.
  • associated with the IP address of the IP filter 12 are a plurality of IP ports, specifically 65,536 in total of which 64,512 are not reserved for predefined protocols and can be used for address translations.
  • IP filter 12 manages the communications between private nodes 18 and the Internet nodes 20 by modifying header information of data packets received from the private network 10 before transmitting each to the public network 14. The modifications cause the communications between the private nodes 18 and the public Internet nodes 20 to actually be between the IP filter 12 and the Internet nodes 20, which route all return communications to the IP filter 12 which subsequently routes the return data packets to the private nodes 18.
  • the IP filter 12 accepts no connection requests from the public network 14. All communications between private nodes 18 and public nodes 20 are initiated by the private nodes 18.
  • the IP filter 12 is designed to support three data transport protocols over the internet protocol: TCP, UDP and ICMP messages; packets of other protocols are rejected or ignored.
  • a translation table is maintained by the IP filter 12 to map address and ports for packets received from the private network 10 destined to the public network 14 and vise versa.
  • the translation table contains the following for each entry: private IP address (pIP) private port (pPort) internet (public) IP address (ilP) internet (public) Port (iPort) timer session type/state Ethernet address
  • the basic translation substitutes IP addresses and ports from the private network side to the IP filter's IP address and ports, thereby hiding all nodes 18 on the private network 10 from the public network 14.
  • a packet originating on the private network side specifies a source - destination of
  • the IP filter 12 will translate the above to (frIP, frPort - ilP, iPort) where frIP is the IP address of the IP filter 12 on the public network 14, and frPort is the index into the translation table plus an offset value, for example, of 1024 to skip using well known ports.
  • frPort represents an arbitrary port.
  • the internet node 20 will reply with a packet (ilP, iPort - frIP, frPort) which will be received by the IP filter 12 and translated thereby to
  • Translating from the public side can be a direct table lookup since frPort minus 1024 is the index into the table. If (ilP, iPort) in the packet does not match the corresponding entries in the table, then an unauthorized access is logged and the packet dropped.
  • the checksum in both the TCP/UCP and IP header must be recalculated.
  • the IP header checksum must be recalculated.
  • the IP filter 12 locates an unused entry in the table and fills it in, setting the type to TCP and state to SYN. Then the packet is forwarded by the general scheme above. If no free entries exist in the table, then the packet is dropped and the event is logged. If a SYN packet is received from the public network 14 interface, it is treated as unauthorized and logged (except for FTP special case described below) . However, a SYN+ACK packet is forwarded if the state of the translation table entry is SYN. After forwarding such a packet the state set to OPEN.
  • FIN If a FIN packet is received by the IP filter 12 and if the state in the translation table is not FIN, the state is set to FIN and the packet forwarded. If the state is FIN, then the packet is forwarded and the translation table entry is deleted by setting it to 0. A FIN must be sent by each side to close a TCP connection.
  • the IP filter 12 when any UDP packet is received from the private network 10 side, the IP filter 12 first tries its standard lookup. If a translation table entry is not found, an unused entry is set up and the state set to OPEN. If a free entry is not found in the table, then rather than dropping the packet, a random UDP in the table is overwritten. Since UDP is connectionless and consequently an unreliable transport, if a packet is received from the public network 14 that would have needed the entry that was overwritten, that packet will be dropped and the node 18 on the private side will need to retry.
  • an FTP client establishes a TCP "control" connection with an FTP server on a particular port, for example, port 21.
  • the FTP server will open a TCP connection from its "data" port, for example, which is default 20, to a destination port specified by the client.
  • packets sent by the private network 10 to port 21 need to be analyzed for an FTP "port" command at the IP filter 12. If detected, then a new entry in the table must be set up with pPort set to the value in the FTP port command. The IP address and port number in the FTP command must be changed to the IP filter's address and port before forwarding the packet. The state is set to FTPDATA.
  • the IP filter 12 locates a new entry in the translation table.
  • the sequence field of the packet is stored in pPort in the table and the table index is put in the sequence field of the packet.
  • the ICMP checksum is recalculated and the standard IP header substitution is done.
  • the type is set to ICMP and state to PING and the timer set to 1 minute.
  • an echo reply (ping) is received from the public network 14 interface, then the sequence field is used as the index into the table. If the state is PING, then pPort in the table is substituted into the sequence field of the packet, the ICMP checksum recalculated and the standard IP header substitution is done. The table entry is then deleted. If an echo request (ping) is received from the public network 14, then the IP filter 12 will reply. This allows internet access to confirm that the IP filter 12 is reachable and running.
  • the header information contained is extracted. If the protocol was TCP or UDP, the (frIP, frPort - ilP, iPort) of the originating packet can be determined and the translation table entry located. If the IP address extracted from the ICMP matches the address in the table, the IP filter 12 forwards the packet to the private network 10 using the standard scheme.
  • the private network 10 and the public network 14 are Ethernet based LANs.
  • the IP filter 12 may be implemented by a data processing platform which is equipped with two conventional Ethernet hardware interfaces connected to networks 10 and 14, respectively, and which is provisioned with appropriate software to implement the functionality of the IP filter 12.
  • Internal components of the IP filter 12 in terms of software executable by the data processing platform are shown in Figure 2.
  • the internal components include two packet drivers 30 and 32, an address resolution protocol (ARP) table 34, an Ethernet address table 36, an IP handler 38, an address translation 40 and a user interface 42.
  • the packet drivers 30 and 32 control the Ethernet hardware interfaces in order to communicate with, respectively, the private network 10 and the public network 14.
  • the IP handler 38 provides a router functionality for receiving and forwarding messages, and maintains the ARP table 34 and the Ethernet table 36.
  • the address translation 40 effects translation between source port numbers from the private network 10 and the destination port numbers on the public network side 14.
  • the user interface 42 enables an operator, via a keyboard and display terminal attached to the processing platform, to interface with the IP filter 12. Functions keys are provided to configure the IP filter, view or copy log files, display status, etc.
  • the log file will contain the connect time of TCP or UDP sessions, inbound and outbound traffic statistics, and invalid access to the IP filter 12. To prevent the log file from growing too large, this information will be logged to a new file when the date changes.
  • Routing of packets to and from the IP filter 12 is described in the following in terms of a public interface, from the view of the public network 14, and of a private interface, from the view of the private network 10.
  • the public interface behaves as a host on the LAN segment. To forward a packet, it checks to see if the destination IP is on the local LAN segment. If it is, it looks up the IP address in its ARP table to find the Ethernet address. If there is no entry in the ARP table, it must put the packet on a queue and send out an ARP request to get the Ethernet address. Standard aging out of ARP table entries needs to be done. If the IP destination is not on the LAN segment, it will forward the packet to the configured default router. ICMP Redirect messages sent by the default router will be ignored.
  • the private interface effects the functionality of a router, as it needs to be able to forward packets to one or more routers to communicate with the remote client stations.
  • a large remote client network may access multiple router machines.
  • Conventional routing can result in large routing tables because the routing entries become host addresses instead of subnet addresses. That is, if the network is set up so that a client may come in through either Routerl or Router2, then no single router can be the router for the subnet that that client station is on.
  • a conventional router that would get routing tables via RIP from all routers on the private network would end up with a large table of host addresses for each remote client connected. This can affect performance in the search time necessary to find the route, the memory required for large tables and the amount of RIP traffic on the LAN segment between all these routers.
  • the IP filter will maintain an Ethernet table. For every packet that is forwarded from the private to public side, if a translation entry exists, use its Ethernet index to compare with the Ethernet source address of the incoming packet. If they match, nothing more needs to be done. Otherwise, the Ethernet table is searched for the source Ethernet address, adding a new Ethernet table entry if not found. The index to the Ethernet table is then saved in the translation table entry. Then when a packet is being translated from the public to private side, the Ethernet address can be retrieved directly from the index in the translation table. Thus packets will be routed to the router which forwarded the packet to the IP filter.

Abstract

The IP filter (12), embodying the present invention, is a communications device designed to provide public network (14) or Internet (16) access to nodes (18) of private networks (10), advantageously without requiring the private nodes on such networks to register public Internet addresses. The IP filter presents a single IP address to the Internet and uses a plurality of IP ports to solve the problem of IP address conservation. It initiates sessions by assigning private side IP sessions to a unique port of the IP filter's public address. The IP filter effects a translation between a source port number for the private network and a destination port number for the public network for communication therebetween. Benefits of the IP filter include private node security and conservation of Internet-registered addresses.

Description

INTERNET PROTOCOL FILTER Background Of The Invention The present invention generally relates to inter¬ network firewalls and, in particular, to an internet protocol (IP) filter whereby a private IP network domain is mapped to a single IP address on the public Internet.
Firewalls are generally known and characterized by computer servers which function to couple nodes within the domain of the private network to nodes in a public network domain, such as the Internet. A deficiency of the known firewall products is the need for a unique public IP address for each concurrent session or interaction between public and private nodes.
A firewall providing conservation of public IP addresses would be desirable.
Summary Of The Invention It is an object of the present invention to provide a new and improved apparatus for communicatively coupling two networks. The invention, therefore, according to a first exemplary aspect provides a method of interfacing private and public data communications networks, through a filter node in communication with both networks, the filter node having an address known in the public network, comprising the steps of: routing from nodes in the private network, to the filter node, data packets having destination information, which includes a destination address and a destination port, corresponding to nodes in the public network and having source information, which includes a source address and a source port, of the respective private network nodes; for each data packet received from the private network, at the filter node, maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node, and replacing in the data packet the source address with the filter node address and the source port with the filter node port value; and routing from the filter node, in the public network, the data packets having the replaced source information, according to the destination information in each, to the corresponding public network nodes.
According to a second exemplary aspect, the invention provides a method of interfacing private and public data communications networks, through a filter node in communication with both networks, comprising the steps of: (a) receiving at the filter node, from the private network, a data packet having an a destination address corresponding to a node in the public network and a source address corresponding to a node in the private network; (b) maintaining, by the filter node, the source address taken from the data packet; (c) replacing, in the data packet, the source address with an address of the filter node; (d) routing from the filter node, in the public network, the data packet having the replaced source address, according to the destination address, to the corresponding public network node; (e) waiting for a return packet from the public network, responsive to the data packet having the replaced source information; (f) replacing, in the return packet, the destination address with the maintained source address; and (g) routing from the filter node, in the private network, the return packet having the replaced destination address to the corresponding private network node.
According to a third exemplary aspect, the invention provides a method of operating a filter node for interfacing first and second data communications networks, comprising the steps of: receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network; maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and sending to the second network the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.
According to a fourth exemplary aspect, the invention provides a filter node for interfacing first and second data communications networks, comprising: means for receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the public network and having source information, which includes a source address and a source port, corresponding to a node in the first network; means for maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; means for replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and means for sending to the second network, the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node. An IP filter, embodying the present invention, is a communications device designed to provide public network or Internet access to nodes of private networks, advantageously without requiring the private nodes on such networks to register public Internet addresses. The IP filter presents a single IP address to the Internet and uses a plurality of IP ports to solve the problem of IP address conservation. It initiates sessions by assigning private side IP sessions to a unique port of the IP filter's public address whereby up to 64,512 (= 65,536 total - 1,024 well known ports) concurrent sessions may be supported through the single IP address. The IP filter effects a translation between a source port number for the private network and a destination port number for the public network for communication therebetween. Benefits of the IP filter include private node security and conservation of Internet-registered addresses. In a particular embodiment, the IP filter may support three data transport protocols over the internet protocol: transmission control protocol (TCP), user datagram protocol (UDP) and Internet control message protocol (ICMP) . Packets of other protocols may be ignored.
The TCP protocol prepends a TCP header to a data packet. The source port and destination port numbers are contained in this header. The Internet addresses of the source and destination nodes are contained in the IP header. The IP address and port information extracted from each packet will be used to determine where the IP filter should route this packet.
The IP filter maintains a lookup table of information on each TCP connection. This information includes the port from the private node, the private IP address, the assigned port number of the destination node, and the port number of the IP filter in the form of an index. When a packet is received from the private network, the private address and port number are added to the table as a new entry, if an entry corresponding to this packet is not found in the table and if the TCP header indicates that this is a new connection request. Then the source address and port number in the packet header are replaced with the IP filter's IP address and port number, and the packet is transmitted to the Internet.
When the IP filter receives a packet from the Internet, the destination port number is used to index the lookup table. When the corresponding table entry is found, the destination address and port number are replaced with the private network's IP address and port number, and the packet is transmitted to the private network. If the received packet's source port is different from the port recorded in the table, and if the packet header information indicates that this packet is the first response on the connection, then the lookup table is updated with the port number assigned by the Internet node, if needed. When the IP filter detects an end of transmission code in the packet, the lookup table entry is zeroed. If the IP filter receives packets from the Internet that do not have entries in the lookup table corresponding to the IP filter port, it ignores the packets. The UDP protocol is connectionless, as opposed to
TCP, a connection-oriented protocol. The UDP header contains no codes governing initial connection or end of transmission. The data of interest in the UDP header are the source port and destination port. This information, along with the Internet addresses contained in the IP header, are used to determine where the IP filter should route this packet.
The IP filter maintains a lookup table of information on each UDP session. When the IP filter receives a UDP packet from the private network, it records the source address, the source port number, the destination port number, and the assigned IP filter port number as the index to the table. Then the private node address and port number in the packet header are replaced with the address and assigned port number of the IP filter. Then the packet is transmitted to the Internet.
When the IP filter receives a UDP packet from the Internet, it indexes the UDP lookup table and replaces the packet's destination information, namely the IP filter address and assigned port number, with the private address and port number from the lookup table. The lookup table also maintains an interval indication for an expiration timer on datagram packets received as per standard UDP implementations. If the IP filter receives packets from the Internet that do not have entries in the lookup table corresponding to the IP filter port, it ignores the packets. As ICMP packets do not contain port numbers of either source or destination, any ICMP packets received from the private network are processed one at a time, with buffering of additional ICMP packets. The IP filter reads the private address from the packet header and replaces it with the address of the IP filter. The packet is transmitted to the Internet, and the IP filter waits for the response. When it receives the responding packet, the destination address in the packet header is changed from that of the IP filter to that of the node on the private network. Then the IP filter transmits the packet to the private network.
To successfully deliver packets over an IP protocol network, each node must maintain a table of other hosts' IP addresses and their corresponding Ethernet addresses in an Ethernet based data communications network. The nodes actually use the IP addresses and the Ethernet addresses to address packets. The relationship between the two addresses is dynamic; that is, a node with an IP address may change its Ethernet address. The information in the address table is obtained from the replies to the node's broadcast of ARP packets. The source node broadcasts ARP packets to request the Ethernet address of the destination node, given the destination node's IP address. If the destination node receives the packet, it sends a reply packet with the requested information.
Though it does not maintain a true ARP table, the IP filter passes ARP packets in a manner similar to TCP and UDP packet passing. When the IP filter receives an ARP packet from a node on the private network destined for the public network, it replaces the source address information with the filter's address information. The private node's IP address and the target IP address are placed in a lookup table. When the target node replies with its own Ethernet address, the destination address information is changed from that of the IP filter to that of the private node before transmitting the packet to the private node. The private node address information is obtained from the table. When an ARP packet is destined for the firewall, the ARP packet does not pass through the IP filter but is restricted to communications between the filter and the one side of the network.
Events and errors encountered by the IP filter may be logged, for example, by writing them into a text file.
The IP filter ideally will process packets as fast as the networks present them but when network traffic is too heavy, the IP filter will then buffer the packets in two queues, one for the private network and one for the Internet.
Two source and destination lookup tables may be utilized, one for TCP packets and the other for UDP packets. Each table is directly indexed by the IP filter port number assigned to the communication session. The table entries contain the IP address of the private node, the source port of the private node, and the destination port of the Internet node. If there is no connection on a certain IP filter port, then the corresponding entry in the table may be zeroed. Packets arriving from both the private network and the Internet are processed using the same lookup table. This arrangement assumes that of the available IP filter communications ports some are designated for UDP communication and some for TCP communication.
Brief Description Of The Drawings The invention will be better understood from the following description together with reference to the accompanying drawings, in which:
Figure 1 is a schematic representing an internet protocol filter coupling a private network and a public network; and
Figure 2 is a block diagram representing internal components of the filter.
Detailed. Description
Referring to Figure 1, shown for illustration of the present invention is a private network 10 communicatively coupled through an internet protocol (IP) filter 12 to a public network 14 which may form part of a global data network, otherwise referred to as the Internet 16. The private network 10 represents a conventional data communications network, such as a local area network (LAN) , having a plurality of nodes 18 each being identified by a unique IP address within the domain of the private network 10. The public network 14 and Internet 16 are representative of public domain data communications networks also having a plurality of nodes 20 with corresponding IP addresses.
The IP filter 12 acts as a gateway through which data packets are exchanged between the private network 10 and the public network 14, thereby providing Internet access to the nodes 18 of the private network 10. The IP filter 12 constitutes one of the private network nodes 18 and is the only such node to have a public IP address that is Internet-registered, whereby the IP filter 12 essentially also constitutes one of the public nodes 20 and its IP address is known in the public domain. The IP addresses of the other private network nodes 18 are reserved for the private network 10, and not known or registered in the public Internet address domain. As is conventional, associated with the IP address of the IP filter 12 are a plurality of IP ports, specifically 65,536 in total of which 64,512 are not reserved for predefined protocols and can be used for address translations.
Communications between nodes 18 on the private network 10 are unaffected by the presence of the IP filter 12, but to access the public network 14 and particularly the nodes 20 therein, the private nodes 18 route all communications requests through the IP filter 12. The IP filter 12 manages the communications between private nodes 18 and the Internet nodes 20 by modifying header information of data packets received from the private network 10 before transmitting each to the public network 14. The modifications cause the communications between the private nodes 18 and the public Internet nodes 20 to actually be between the IP filter 12 and the Internet nodes 20, which route all return communications to the IP filter 12 which subsequently routes the return data packets to the private nodes 18.
The IP filter 12 accepts no connection requests from the public network 14. All communications between private nodes 18 and public nodes 20 are initiated by the private nodes 18. The IP filter 12 is designed to support three data transport protocols over the internet protocol: TCP, UDP and ICMP messages; packets of other protocols are rejected or ignored.
A translation table is maintained by the IP filter 12 to map address and ports for packets received from the private network 10 destined to the public network 14 and vise versa. The translation table contains the following for each entry: private IP address (pIP) private port (pPort) internet (public) IP address (ilP) internet (public) Port (iPort) timer session type/state Ethernet address
The basic translation substitutes IP addresses and ports from the private network side to the IP filter's IP address and ports, thereby hiding all nodes 18 on the private network 10 from the public network 14. A packet originating on the private network side specifies a source - destination of
(pIP, pPort - ilP, iPort) This defines a "socket" in which the endpoints of the connection (source and destination) are defined by the IP addresses in the IP header and the ports in the TCP or UDP header.
The IP filter 12 will translate the above to (frIP, frPort - ilP, iPort) where frIP is the IP address of the IP filter 12 on the public network 14, and frPort is the index into the translation table plus an offset value, for example, of 1024 to skip using well known ports. The frPort represents an arbitrary port.
The internet node 20 will reply with a packet (ilP, iPort - frIP, frPort) which will be received by the IP filter 12 and translated thereby to
(ilP, iPort - pIP, pPort) In general, to translate from the private side, the values (protocol type, pIP, pPort, ilP, iPort) must be located in the translation table. This should be done with a hash table lookup.
Translating from the public side can be a direct table lookup since frPort minus 1024 is the index into the table. If (ilP, iPort) in the packet does not match the corresponding entries in the table, then an unauthorized access is logged and the packet dropped.
In translating packets, when a port is substituted in the TCP or UDP header, the checksum in both the TCP/UCP and IP header must be recalculated. When an IP address is substituted in the IP header, the IP header checksum must be recalculated.
Following are special considerations for different protocols supported by the IP filter 12.
In respect of TCP, when a SYN packet is received from the private network 10, the IP filter 12 locates an unused entry in the table and fills it in, setting the type to TCP and state to SYN. Then the packet is forwarded by the general scheme above. If no free entries exist in the table, then the packet is dropped and the event is logged. If a SYN packet is received from the public network 14 interface, it is treated as unauthorized and logged (except for FTP special case described below) . However, a SYN+ACK packet is forwarded if the state of the translation table entry is SYN. After forwarding such a packet the state set to OPEN.
If a FIN packet is received by the IP filter 12 and if the state in the translation table is not FIN, the state is set to FIN and the packet forwarded. If the state is FIN, then the packet is forwarded and the translation table entry is deleted by setting it to 0. A FIN must be sent by each side to close a TCP connection.
If a RST packet is received, then the translation table entry is deleted.
Having regard now to the UDP protocol, when any UDP packet is received from the private network 10 side, the IP filter 12 first tries its standard lookup. If a translation table entry is not found, an unused entry is set up and the state set to OPEN. If a free entry is not found in the table, then rather than dropping the packet, a random UDP in the table is overwritten. Since UDP is connectionless and consequently an unreliable transport, if a packet is received from the public network 14 that would have needed the entry that was overwritten, that packet will be dropped and the node 18 on the private side will need to retry.
With regard to FTP, an FTP client establishes a TCP "control" connection with an FTP server on a particular port, for example, port 21. However, when data is to be transmitted, the FTP server will open a TCP connection from its "data" port, for example, which is default 20, to a destination port specified by the client.
To support this, packets sent by the private network 10 to port 21 need to be analyzed for an FTP "port" command at the IP filter 12. If detected, then a new entry in the table must be set up with pPort set to the value in the FTP port command. The IP address and port number in the FTP command must be changed to the IP filter's address and port before forwarding the packet. The state is set to FTPDATA.
When a SYN packet is received from the public network 14, if a table entry exists and is in FTPDATA state, then the packet is forwarded and the state set to OPEN.
For the ICMP protocol, if an ICMP packet is received from the private network 10 and if that packet is an echo request (ping) , then the IP filter 12 locates a new entry in the translation table. The sequence field of the packet is stored in pPort in the table and the table index is put in the sequence field of the packet. The ICMP checksum is recalculated and the standard IP header substitution is done. The type is set to ICMP and state to PING and the timer set to 1 minute.
If an echo reply (ping) is received from the public network 14 interface, then the sequence field is used as the index into the table. If the state is PING, then pPort in the table is substituted into the sequence field of the packet, the ICMP checksum recalculated and the standard IP header substitution is done. The table entry is then deleted. If an echo request (ping) is received from the public network 14, then the IP filter 12 will reply. This allows internet access to confirm that the IP filter 12 is reachable and running.
If a Destination Unreachable packet is received from the public network 14, then the header information contained is extracted. If the protocol was TCP or UDP, the (frIP, frPort - ilP, iPort) of the originating packet can be determined and the translation table entry located. If the IP address extracted from the ICMP matches the address in the table, the IP filter 12 forwards the packet to the private network 10 using the standard scheme.
All other ICMP packets received from either side are dropped and logged.
Since most data communications protocols are based on either the UDP or TCP protocols, these other protocols are compatible with the IP filter 12 as long as they do not initiate negotiations like FTP to have the server open a connection back to the client. Examples of other compatible protocols include: Telnet; TFTP (Trivial File Transfer Protocol); DNS (Domain Name Services); and Web browsers. Whenever a packet is transmitted in either direction, the timer field of the translation table entry is set to the configured timeout value (except ping) . Each minute, the timer field of all active entries in the tables are decremented and if they become 0, then the translation table entry is deleted. This will clear out UDP and PING entries which are no longer in use and also TCP entries which have had an abnormal termination and did not send FIN from each side. It could be a security hole to leave an unused entry in the table for too long. A good timeout value to be configured would be just longer than the typical TCP keep alive.
According to a particular embodiment, the private network 10 and the public network 14 are Ethernet based LANs. The IP filter 12 may be implemented by a data processing platform which is equipped with two conventional Ethernet hardware interfaces connected to networks 10 and 14, respectively, and which is provisioned with appropriate software to implement the functionality of the IP filter 12. Internal components of the IP filter 12 in terms of software executable by the data processing platform are shown in Figure 2. The internal components include two packet drivers 30 and 32, an address resolution protocol (ARP) table 34, an Ethernet address table 36, an IP handler 38, an address translation 40 and a user interface 42. The packet drivers 30 and 32 control the Ethernet hardware interfaces in order to communicate with, respectively, the private network 10 and the public network 14. The IP handler 38 provides a router functionality for receiving and forwarding messages, and maintains the ARP table 34 and the Ethernet table 36. The address translation 40 effects translation between source port numbers from the private network 10 and the destination port numbers on the public network side 14. The user interface 42 enables an operator, via a keyboard and display terminal attached to the processing platform, to interface with the IP filter 12. Functions keys are provided to configure the IP filter, view or copy log files, display status, etc. The log file will contain the connect time of TCP or UDP sessions, inbound and outbound traffic statistics, and invalid access to the IP filter 12. To prevent the log file from growing too large, this information will be logged to a new file when the date changes.
Routing of packets to and from the IP filter 12 is described in the following in terms of a public interface, from the view of the public network 14, and of a private interface, from the view of the private network 10.
The public interface behaves as a host on the LAN segment. To forward a packet, it checks to see if the destination IP is on the local LAN segment. If it is, it looks up the IP address in its ARP table to find the Ethernet address. If there is no entry in the ARP table, it must put the packet on a queue and send out an ARP request to get the Ethernet address. Standard aging out of ARP table entries needs to be done. If the IP destination is not on the LAN segment, it will forward the packet to the configured default router. ICMP Redirect messages sent by the default router will be ignored.
The private interface effects the functionality of a router, as it needs to be able to forward packets to one or more routers to communicate with the remote client stations. A large remote client network may access multiple router machines. Conventional routing can result in large routing tables because the routing entries become host addresses instead of subnet addresses. That is, if the network is set up so that a client may come in through either Routerl or Router2, then no single router can be the router for the subnet that that client station is on. A conventional router that would get routing tables via RIP from all routers on the private network would end up with a large table of host addresses for each remote client connected. This can affect performance in the search time necessary to find the route, the memory required for large tables and the amount of RIP traffic on the LAN segment between all these routers.
To handle routing in this environment, the IP filter will maintain an Ethernet table. For every packet that is forwarded from the private to public side, if a translation entry exists, use its Ethernet index to compare with the Ethernet source address of the incoming packet. If they match, nothing more needs to be done. Otherwise, the Ethernet table is searched for the source Ethernet address, adding a new Ethernet table entry if not found. The index to the Ethernet table is then saved in the translation table entry. Then when a packet is being translated from the public to private side, the Ethernet address can be retrieved directly from the index in the translation table. Thus packets will be routed to the router which forwarded the packet to the IP filter.
Those skilled in the art will recognize that various modifications and changes could be made to the invention without departing from the spirit and scope thereof. It should therefore be understood that the claims are not to be considered as being limited to the precise embodiments set forth above, in the absence of specific limitations directed to each embodiment.

Claims

WE CLAIM :
1. A method of interfacing private (10) and public (14) data communications networks, through a filter node (12) in communication with both networks, the filter node having an address known in the public network, comprising the steps of: routing from nodes (18) in the private network, to the filter node, data packets having destination information, which includes a destination address and a destination port, corresponding to nodes (20) in the public network and having source information, which includes a source address and a source port, of the respective private network nodes; for each data packet received from the private network, at the filter node, maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node, and replacing in the data packet the source address with the filter node address and the source port with the filter node port value; and routing from the filter node, in the public network, the data packets having the replaced source information, according to the destination information in each, to the corresponding public network nodes.
2. A method as claimed in claim 1, comprising the steps of: routing from nodes in the public network, to the filter node, data packets each having the address of the filter node as the destination address; for each data packet received from the public network, at the filter node, correlating the destination port of the destination information in the data packet to particular source information being maintained and replacing, in the data packet, the destination information with the particular source information; routing from the filter node, in the private network, the data packets having the replaced destination information to the corresponding private network nodes .
3. A method as claimed in claim 2, comprising ignoring by the filter node a data packet received from the public network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information.
4. A method as claimed in claim 3, wherein maintaining the source information includes storing the source information from each data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry.
5. A method as claimed in claim 4, wherein the data packets include packets in accordance with a transmission control protocol (TCP) over an internet protocol (IP) .
6. A method as claimed in claim 5, comprising receiving at the filter node a TCP packet from the private network; and if an entry corresponding to the TCP packet is not found in the lookup table and the TCP packet indicates that this is a connection request, storing the source information together with the destination information from the TCP packet as a new entry in the lookup table.
7. A method as claimed in claim 6, comprising receiving at the filter node a TCP packet from the public network; and if the source port in the received TCP packet is different from the destination port in a source information entry of the lookup table, indexed by the destination port in the TCP packet, and if the TCP packet indicates that this packet is a first response to the connection request, then updating by the filter node the destination port in the table entry with the source port from the received TCP packet.
8. A method as claimed in claim 7, comprising receiving at the filter node a TCP packet having an end of transmission code in the packet and zeroing an entry in the lookup table corresponding to the received TCP packet.
9. A method as claimed in claim 4, wherein the data packets include packets in accordance with a user datagram protocol (UDP) over an internet protocol (IP) .
10. A method as claimed in claim 9, comprising receiving at the filter node a UDP data packet from the private network, and adding the source information and the destination information from the UDP packet together with an interval indication for an expiration timer as a new entry in the lookup table.
11. A method of interfacing private (10) and public data (14) communications networks, through a filter node
(12) in communication with both networks, comprising the steps of:
(a) receiving at the filter node, from the private network, a data packet having an a destination address corresponding to a node (20) in the public network and a source address corresponding to a node (18) in the private network;
(b) maintaining, by the filter node, the source address taken from the data packet; (c) replacing, in the data packet, the source address with an address of the filter node;
(d) routing from the filter node, in the public network, the data packet having the replaced source address, according to the destination address, to the corresponding public network node;
(e) waiting for a return packet from the public network, responsive to the data packet having the replaced source information;
(f) replacing, in the return packet, the destination address with the maintained source address; and
(g) routing from the filter node, in the private network, the return packet having the replaced destination address to the corresponding private network node.
12. A method as claimed in claim 11, comprising buffering, at the filter node, further data packets received from the private network while waiting for the return packet, and repeating steps (b) through (g) on an individual basis for the further packets, if any, that were buffered.
13. A method as claimed in claim 12, wherein the data packets include packets in accordance with an internet control message protocol (ICMP) .
14. A method of operating a filter node (12) for interfacing first (10) and second (14) data communications networks, comprising the steps of: receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node (20) in the second network and having source information, which includes a source address and a source port, corresponding to a node (18) in the first network; maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and sending to the second network the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.
15. A method as claimed in claim 14, comprising the steps of: receiving from the second network, a data packet having the address of the filter node as the destination address; correlating the destination port of the destination information in the data packet to particular source information being maintained; replacing, in the data packet, the destination information with the particular source information; sending to the first network the data packet having the replaced destination information, whereby that packet is routed according to its destination information to the corresponding first network node.
16. A method as claimed in claim 15, comprising ignoring a data packet received from the second network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information.
17. A method as claimed in claim 16, wherein maintaining the source information includes storing the source information from the data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry.
18. A method as claimed in claim 17, wherein the data packets include packets in accordance with a transmission control protocol (TCP) over an internet protocol (IP) .
19. A method as claimed in claim 18, comprising receiving a TCP packet from the first network; and if an entry corresponding to the TCP packet is not found in the lookup table and the TCP packet indicates that this is a connection request, storing the source information together with the destination information from the TCP packet as a new entry in the lookup table.
20. A method as claimed in claim 19, comprising receiving a TCP packet from the second network; and if the source port in the received TCP packet is different from the destination port in a source information entry of the lookup table, indexed by the destination port in the TCP packet, and if the TCP packet indicates that this packet is a first response to the connection request, then updating the destination port in the table entry with the source port from the received TCP packet.
21. A method as claimed in claim 20, comprising receiving a TCP packet having an end of transmission code in the packet, and zeroing an entry in the lookup table corresponding to the received TCP packet.
22. A method as claimed in claim 17, wherein the data packets include packets in accordance with a user datagram protocol (UDP) over an internet protocol (IP) .
23. A method as claimed in claim 22, comprising receiving a UDP data packet from the first network, and adding the source information and the destination information from the UDP packet together with an interval indication for an expiration timer as a new entry in the lookup table.
24. A method of operating a filter node (14) for interfacing first (10) and second (14) data communications networks, comprising the steps of:
(a) receiving from the first network, a data packet having an a destination address corresponding to a node (20) in the second network and a source address corresponding to a node (18) in the first network; (b) maintaining the source address taken from the data packet;
(c) replacing, in the data packet, the source address with an address of the filter node; (d) sending to the second network the data packet having the replaced source address, whereby that packet is routed to the corresponding second network node;
(e) receiving a return packet from the second network, responsive to the data packet having the replaced source information;
(f) replacing, in the return packet, the destination address with the maintained source address; and
(g) sending to the first network the return packet having the replaced destination address, whereby that packet is routed to the corresponding first network node.
25. A method as claimed in claim 24, comprising buffering further data packets received from the first network while waiting for the return packet, and repeating steps (b) through (g) on an individual basis for the further packets, if any, that were buffered.
26. A method as claimed in claim 25, wherein the data packets include packets in accordance with an internet control message protocol (ICMP) .
27. A filter node (12) for interfacing first (10) and second (14) data communications networks, comprising: means for receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node (20) in the second network and having source information, which includes a source address and a source port, corresponding to a node (18) in the first network; means for maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; means for replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and means for sending to the second network, the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.
28. A filter node as claimed in claim 27, comprising: means for receiving from the second network, a data packet having the address of the filter node as the destination address; means for correlating the destination port of the destination information in the data packet to particular source information being maintained; means for replacing, in the data packet, the destination information with the particular source information; and means for sending to the first network the data packet having the replaced destination information, whereby that packet is routed according to its destination information to the corresponding first network node.
29. A method as claimed in claim 28, comprising means for ignoring a data packet received from the second network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information.
30. A method as claimed in claim 29, wherein the means for maintaining the source information includes means for storing the source information from the data packet as an entry in a lookup table, and wherein the filter node port value correlating to the source information constitutes an index into the table for that entry.
31. A filter node (12) for interfacing first (10) and second (14) data communications networks, comprising:
(a) means for receiving from the first network, a data packet having an a destination address corresponding to a node (20) in the second network and a source address corresponding to a node (18) in the first network;
(b) means for maintaining the source address taken from the data packet;
(c) means for replacing, in the data packet, the source address with an address of the filter node; (d) means for sending to the second network the data packet having the replaced source address, whereby that packet is routed to the corresponding second network node;
(e) means for receiving a return packet from the second network, responsive to the data packet having the replaced source information;
(f) means for replacing, in the return packet, the destination address with the maintained source address; and
(g) means for sending to the first network the return packet having the replaced destination address, whereby that packet is routed to the corresponding first network node.
32. A filter node as claimed in claim 31, comprising means for buffering further data packets received from the first network while waiting for the return packet, and means for controlling means (b) through (g) on an individual basis for processing the further packets, if any, that were buffered.
PCT/CA1997/000269 1996-04-24 1997-04-23 Internet protocol filter WO1997040610A2 (en)

Priority Applications (6)

Application Number Priority Date Filing Date Title
DE69708281T DE69708281T2 (en) 1996-04-24 1997-04-23 INTERNET PROTOCOL-FILTER
AU25632/97A AU707905B2 (en) 1996-04-24 1997-04-23 Internet protocol filter
CA002248577A CA2248577C (en) 1996-04-24 1997-04-23 Internet protocol filter
JP9537534A JPH11508753A (en) 1996-04-24 1997-04-23 Internet Protocol Filter
KR1019980708503A KR100317443B1 (en) 1996-04-24 1997-04-23 Internet protocol filter
EP97917189A EP0895684B1 (en) 1996-04-24 1997-04-23 Internet protocol filter

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US1594596P 1996-04-24 1996-04-24
US60/015,945 1996-04-24

Publications (2)

Publication Number Publication Date
WO1997040610A2 true WO1997040610A2 (en) 1997-10-30
WO1997040610A3 WO1997040610A3 (en) 1997-11-27

Family

ID=21774476

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/CA1997/000269 WO1997040610A2 (en) 1996-04-24 1997-04-23 Internet protocol filter

Country Status (9)

Country Link
US (1) US6128298A (en)
EP (1) EP0895684B1 (en)
JP (1) JPH11508753A (en)
KR (1) KR100317443B1 (en)
CN (1) CN1216657A (en)
AU (1) AU707905B2 (en)
CA (1) CA2248577C (en)
DE (1) DE69708281T2 (en)
WO (1) WO1997040610A2 (en)

Cited By (35)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2000209263A (en) * 1999-01-11 2000-07-28 Sanyo Electric Co Ltd Ts data filtering circuit for digital broadcasting receiver
GB2350259A (en) * 1999-05-21 2000-11-22 Tien Chung Nan Interconnecting computers
NL1013273C2 (en) * 1999-10-12 2001-04-17 Koninkl Kpn Nv Method and system for sending IP messages.
EP1130846A2 (en) * 2000-03-03 2001-09-05 Nexland, Inc. Network address translation gateway
EP1137238A2 (en) * 2000-03-20 2001-09-26 SAMSUNG ELECTRONICS Co. Ltd. System and method for integrated communications over a local IP network
WO2001080514A2 (en) * 2000-04-14 2001-10-25 Stratus Technologies Bermuda Ltd. Robust, secure service network
WO2001086866A2 (en) * 2000-05-05 2001-11-15 Fujitsu Network Communications, Inc. Unique address space and method for a transport network
EP1161059A2 (en) * 2000-05-31 2001-12-05 Alcatel Method and device for translating telecommunication network IP addresses by a leaky-controlled memory
WO2002039657A1 (en) * 2000-11-08 2002-05-16 Icomera Ab A method for secure packet-based communication between two units via an intermedia unit
WO2002051093A2 (en) 2000-12-21 2002-06-27 Nokia Corporation Address sharing
KR20020093398A (en) * 2001-06-08 2002-12-16 (주)바네트 Method for sharing an authorized internet protocol address of ultra highspeed internet restrictively
WO2002103981A2 (en) * 2001-06-14 2002-12-27 Nortel Networks Limited Providing telephony services to terminals behind a firewall and/or network address translator
US6515966B1 (en) 2000-05-05 2003-02-04 Fujitsu Network Communications, Inc. System and method for application object transport
EP1310060A1 (en) * 2000-08-15 2003-05-14 Polycom Israel Ltd. A multimedia communication control unit as a secure device for multimedia communication between lan users and other network users
US6587457B1 (en) 1998-03-31 2003-07-01 Nokia Mobile Phones Ltd. Method for connecting data flows
KR20030069729A (en) * 2002-02-22 2003-08-27 삼성전자주식회사 Method for routing packet date in mobile communication system
KR20030075810A (en) * 2002-03-20 2003-09-26 유디에스 주식회사 Communication system and its method between Internet protocol network and Private Network
US6693909B1 (en) 2000-05-05 2004-02-17 Fujitsu Network Communications, Inc. Method and system for transporting traffic in a packet-switched network
KR100422375B1 (en) * 2000-08-23 2004-03-16 큰사람컴퓨터 주식회사 Method and system for establishing connections between terminals connected to network environments having different IP-addressing schemes
WO2004023728A2 (en) * 2002-09-06 2004-03-18 Matsushita Electric Industrial Co., Ltd. Home terminal apparatus and communication system
US6775229B1 (en) 2000-05-05 2004-08-10 Fujitsu Network Communications, Inc. Method and system for providing a protection path for connection-oriented signals in a telecommunications network
WO2004100500A2 (en) * 2003-05-05 2004-11-18 Thomson Licensing S.A. System and method for communicating with a display device via a network
US7031286B1 (en) 1998-06-30 2006-04-18 Telefonaktiebolaget Lm Ericsson (Publ) Method and an arrangement in a mobile radio system
US7047176B2 (en) 2000-05-05 2006-05-16 Fujitsu Limited Method and system for hardware simulation
US7068655B2 (en) 2001-06-14 2006-06-27 Nortel Networks Limited Network address and/or port translation
US7075927B2 (en) 2000-05-05 2006-07-11 Fujitsu Limited Method and system for quality of service (QoS) support in a packet-switched network
US7113763B2 (en) 2002-06-03 2006-09-26 Nokia Corporation Bluetooth access point and remote bluetooth modules for powerline based networking
US7133403B1 (en) 2000-05-05 2006-11-07 Fujitsu Limited Transport network and method
US7151773B1 (en) 2000-05-05 2006-12-19 Fujitsu Limited System and method for connectionless/connection oriented signal transport
US7173912B2 (en) 2000-05-05 2007-02-06 Fujitsu Limited Method and system for modeling and advertising asymmetric topology of a node in a transport network
US7240368B1 (en) * 1999-04-14 2007-07-03 Verizon Corporate Services Group Inc. Intrusion and misuse deterrence system employing a virtual network
US7385917B1 (en) 2000-05-05 2008-06-10 Fujitsu Limited Method and system for providing a protection path for connectionless signals in a telecommunications network
US7668306B2 (en) 2002-03-08 2010-02-23 Intel Corporation Method and apparatus for connecting packet telephony calls between secure and non-secure networks
US7684317B2 (en) 2001-06-14 2010-03-23 Nortel Networks Limited Protecting a network from unauthorized access
US9667594B2 (en) 1999-06-15 2017-05-30 Ssh Communications Security Oyj Maintaining network address translations

Families Citing this family (150)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
JP2001345854A (en) * 2000-03-27 2001-12-14 Matsushita Electric Ind Co Ltd Method, system and device for communicating packet between networks
KR100528156B1 (en) 1997-03-12 2005-11-15 노마딕스, 인코포레이티드 Nomadic Translator or Router
JP3038650B2 (en) * 1997-04-28 2000-05-08 日本電気株式会社 Internet communication method and apparatus for mobile packet communication system
US6006258A (en) * 1997-09-12 1999-12-21 Sun Microsystems, Inc. Source address directed message delivery
US6092110A (en) * 1997-10-23 2000-07-18 At&T Wireless Svcs. Inc. Apparatus for filtering packets using a dedicated processor
US6353614B1 (en) * 1998-03-05 2002-03-05 3Com Corporation Method and protocol for distributed network address translation
US6876654B1 (en) * 1998-04-10 2005-04-05 Intel Corporation Method and apparatus for multiprotocol switching and routing
US6370147B1 (en) 1998-04-23 2002-04-09 3Com Corporation Method for addressing of passive network hosts in a data-over-cable system
US6636485B1 (en) 1998-05-14 2003-10-21 3Com Corporation Method and system for providing quality-of-service in a data-over-cable system
US6560203B1 (en) 1998-05-27 2003-05-06 3Com Corporation Method for changing type-of-service in a data-over-cable system
US6442158B1 (en) 1998-05-27 2002-08-27 3Com Corporation Method and system for quality-of-service based data forwarding in a data-over-cable system
US6510162B1 (en) 1998-05-27 2003-01-21 3Com Corporation System and method for managing channel usage in a data over cable system
US6775276B1 (en) 1998-05-27 2004-08-10 3Com Corporation Method and system for seamless address allocation in a data-over-cable system
US6717949B1 (en) * 1998-08-31 2004-04-06 International Business Machines Corporation System and method for IP network address translation using selective masquerade
US6892229B1 (en) 1998-09-30 2005-05-10 3Com Corporation System and method for assigning dynamic host configuration protocol parameters in devices using resident network interfaces
US6728885B1 (en) 1998-10-09 2004-04-27 Networks Associates Technology, Inc. System and method for network access control using adaptive proxies
US6570875B1 (en) 1998-10-13 2003-05-27 Intel Corporation Automatic filtering and creation of virtual LANs among a plurality of switch ports
US6667968B1 (en) * 1998-12-03 2003-12-23 Telefonaktiebolaget L M Ericsson (Publ) System and method for providing multiple endpoints in a device disposed in a packet-switched network
US8266266B2 (en) 1998-12-08 2012-09-11 Nomadix, Inc. Systems and methods for providing dynamic network authorization, authentication and accounting
US7194554B1 (en) 1998-12-08 2007-03-20 Nomadix, Inc. Systems and methods for providing dynamic network authorization authentication and accounting
US8713641B1 (en) 1998-12-08 2014-04-29 Nomadix, Inc. Systems and methods for authorizing, authenticating and accounting users having transparent computer access to a network using a gateway device
US6662135B1 (en) 1998-12-09 2003-12-09 3Com Corporation Method and apparatus for reflective mixer testing of a cable modem
US6657991B1 (en) * 1998-12-21 2003-12-02 3Com Corporation Method and system for provisioning network addresses in a data-over-cable system
US6584096B1 (en) * 1998-12-30 2003-06-24 Nortel Networks Limited Method and apparatus for connecting a home network to the internet
US6577642B1 (en) 1999-01-15 2003-06-10 3Com Corporation Method and system for virtual network administration with a data-over cable system
US6738382B1 (en) * 1999-02-24 2004-05-18 Stsn General Holdings, Inc. Methods and apparatus for providing high speed connectivity to a hotel environment
US6563824B1 (en) 1999-04-20 2003-05-13 3Com Corporation Apparatus and methods for determining the correct workstation within a LAN for a LAN modem to route a packet
US6697862B1 (en) * 1999-05-21 2004-02-24 3Com Corporation System and method for network address maintenance using dynamic host configuration protocol messages in a data-over-cable system
US6654387B1 (en) 1999-05-21 2003-11-25 3Com Corporation Method for network address table maintenance in a data-over-cable system using a network device registration procedure
US6754622B1 (en) 1999-05-24 2004-06-22 3Com Corporation Method for network address table maintenance in a data-over-cable system using destination reachibility
US6785292B1 (en) 1999-05-28 2004-08-31 3Com Corporation Method for detecting radio frequency impairments in a data-over-cable system
JP2001053794A (en) * 1999-08-09 2001-02-23 Nec Corp Real time backup communication method for ip communication
EP1208677B1 (en) * 1999-09-03 2012-05-02 Broadcom Corporation Apparatus and method for enabling voice over ip support for a network switch
US6553568B1 (en) 1999-09-29 2003-04-22 3Com Corporation Methods and systems for service level agreement enforcement on a data-over cable system
US6698021B1 (en) * 1999-10-12 2004-02-24 Vigilos, Inc. System and method for remote control of surveillance devices
AU1224101A (en) 1999-10-22 2001-05-08 Nomadix, Inc. Gateway device having an xml interface and associated method
US6581108B1 (en) * 1999-11-30 2003-06-17 Lucent Technologies Inc. Managing multiple private data networks using network and payload address translation
US6798782B1 (en) 1999-12-10 2004-09-28 Sun Microsystems, Inc. Truly anonymous communications using supernets, with the provision of topology hiding
US7765581B1 (en) 1999-12-10 2010-07-27 Oracle America, Inc. System and method for enabling scalable security in a virtual private network
US6970941B1 (en) 1999-12-10 2005-11-29 Sun Microsystems, Inc. System and method for separating addresses from the delivery scheme in a virtual private network
US6977929B1 (en) 1999-12-10 2005-12-20 Sun Microsystems, Inc. Method and system for facilitating relocation of devices on a network
US6870842B1 (en) 1999-12-10 2005-03-22 Sun Microsystems, Inc. Using multicasting to provide ethernet-like communication behavior to selected peers on a network
US7336790B1 (en) 1999-12-10 2008-02-26 Sun Microsystems Inc. Decoupling access control from key management in a network
JP3436906B2 (en) * 1999-12-10 2003-08-18 パナソニック コミュニケーションズ株式会社 Error notification device and error notification method
US6879593B1 (en) * 1999-12-20 2005-04-12 Intel Corporation Connections of nodes on different networks
US7072933B1 (en) 2000-01-24 2006-07-04 Microsoft Corporation Network access control using network address translation
US7925693B2 (en) * 2000-01-24 2011-04-12 Microsoft Corporation NAT access control with IPSec
US20020112076A1 (en) * 2000-01-31 2002-08-15 Rueda Jose Alejandro Internet protocol-based computer network service
US6804262B1 (en) 2000-04-28 2004-10-12 3Com Corporation Method and apparatus for channel determination through power measurements
US6862267B1 (en) * 2000-05-08 2005-03-01 Nortel Networks Limited Determining network addresses and ports using table from a description file
GB2362482A (en) * 2000-05-15 2001-11-21 Ridgeway Systems & Software Lt Direct slave addressing to indirect slave addressing
US6718385B1 (en) * 2000-05-19 2004-04-06 Galaxy Computer Services, Inc. System for controlling movement of information using an information diode between a source network and a destination network
US6816500B1 (en) 2000-07-10 2004-11-09 3Com Corporation Apparatus, method and system for multimedia access network channel management
US20030093430A1 (en) * 2000-07-26 2003-05-15 Mottur Peter A. Methods and systems to control access to network devices
EP1307867B1 (en) 2000-07-26 2010-06-23 Smiths Detection Inc. Methods and systems for networked camera control
US7382397B2 (en) * 2000-07-26 2008-06-03 Smiths Detection, Inc. Systems and methods for controlling devices over a network
GB2365256A (en) 2000-07-28 2002-02-13 Ridgeway Systems & Software Lt Audio-video telephony with port address translation
FR2812991B1 (en) * 2000-08-08 2003-01-24 France Telecom TRANSLATION OF USER INSTALLATION TERMINAL IDENTIFIERS IN A PACKET NETWORK
KR100689034B1 (en) * 2000-08-26 2007-03-08 삼성전자주식회사 Network address translation system and method being capable of accessing to node having private IP address from external network and computer-readable medium recording the method
KR100645960B1 (en) * 2000-08-29 2006-11-14 삼성전자주식회사 System and method for accessing to node of private network
US6981278B1 (en) * 2000-09-05 2005-12-27 Sterling Commerce, Inc. System and method for secure dual channel communication through a firewall
US7836498B2 (en) * 2000-09-07 2010-11-16 Riverbed Technology, Inc. Device to protect victim sites during denial of service attacks
US20020101859A1 (en) * 2000-09-12 2002-08-01 Maclean Ian B. Communicating between nodes in different wireless networks
US6661799B1 (en) 2000-09-13 2003-12-09 Alcatel Usa Sourcing, L.P. Method and apparatus for facilitating peer-to-peer application communication
FI112308B (en) * 2000-09-14 2003-11-14 Nokia Corp Sharing protocol processing
US7054930B1 (en) * 2000-10-26 2006-05-30 Cisco Technology, Inc. System and method for propagating filters
DE10053951B4 (en) * 2000-10-31 2005-04-21 Siemens Ag Method and router for establishing a connection via an IP-oriented network
GB2369746A (en) 2000-11-30 2002-06-05 Ridgeway Systems & Software Lt Communications system with network address translation
KR100464487B1 (en) * 2000-12-27 2004-12-31 엘지전자 주식회사 Apparatus and method for security through packet check in ADSL modem
US6775235B2 (en) * 2000-12-29 2004-08-10 Ragula Systems Tools and techniques for directing packets over disparate networks
GB2371186A (en) * 2001-01-11 2002-07-17 Marconi Comm Ltd Checking packets
KR100393273B1 (en) * 2001-02-12 2003-07-31 (주)폴리픽스 An Online Data Communicating System and a Method in a Private Network
KR100418445B1 (en) * 2001-04-11 2004-02-14 (주) 세이프아이 Method and system for restricting access from external
US7366194B2 (en) 2001-04-18 2008-04-29 Brocade Communications Systems, Inc. Fibre channel zoning by logical unit number in hardware
US7167472B2 (en) * 2001-04-18 2007-01-23 Brocade Communications Systems, Inc. Fibre channel zoning by device name in hardware
US7151778B2 (en) 2001-04-18 2006-12-19 Brocade Communications Systems, Inc. Frame filtering of fibre channel packets
US20020154635A1 (en) * 2001-04-23 2002-10-24 Sun Microsystems, Inc. System and method for extending private networks onto public infrastructure using supernets
US6987765B2 (en) * 2001-06-14 2006-01-17 Nortel Networks Limited Changing media sessions
US6513122B1 (en) 2001-06-29 2003-01-28 Networks Associates Technology, Inc. Secure gateway for analyzing textual content to identify a harmful impact on computer systems with known vulnerabilities
WO2003028340A1 (en) * 2001-08-30 2003-04-03 Siemens Aktiengesellschaft Pre- processing of nat addresses
GB0123371D0 (en) * 2001-09-28 2001-11-21 Nokia Corp Improved interconnection of IP networks
US20040048610A1 (en) * 2001-09-28 2004-03-11 Kim Soo Hwan Method and system for matching subscriber states in network in which public land mobile network and wired/wireless private network are interworked
US20030069981A1 (en) * 2001-10-09 2003-04-10 Koninklijke Philips Electronics N.V. IP hopping for secure data transfer
US7006436B1 (en) * 2001-11-13 2006-02-28 At&T Corp. Method for providing voice-over-IP service
US20040133669A1 (en) * 2001-11-28 2004-07-08 Esa Jalonen Event or polling driven DVB-T filter detection
US7512084B2 (en) * 2001-11-28 2009-03-31 Nokia Corporation Event driven filter monitoring for IP multicast services
US7227864B2 (en) * 2001-12-17 2007-06-05 Microsoft Corporation Methods and systems for establishing communications through firewalls and network address translators
US7114005B2 (en) * 2002-02-05 2006-09-26 Cisco Technology, Inc. Address hopping of packet-based communications
US7475145B2 (en) * 2002-04-26 2009-01-06 International Business Machines Corporation Dynamic invocation of web services
WO2003094366A2 (en) 2002-05-06 2003-11-13 Qualcomm Incorporated System and method for registering ip address of wireless communication device
IL165340A0 (en) * 2002-05-23 2006-01-15 Matsushita Electric Ind Co Ltd Information processing system
US7657616B1 (en) 2002-06-10 2010-02-02 Quest Software, Inc. Automatic discovery of users associated with screen names
US7428590B2 (en) * 2002-06-10 2008-09-23 Akonix Systems, Inc. Systems and methods for reflecting messages associated with a target protocol within a network
US7774832B2 (en) * 2002-06-10 2010-08-10 Quest Software, Inc. Systems and methods for implementing protocol enforcement rules
CA2488731A1 (en) 2002-06-10 2003-12-18 Akonix Systems, Inc. Systems and methods for a protocol gateway
US7707401B2 (en) * 2002-06-10 2010-04-27 Quest Software, Inc. Systems and methods for a protocol gateway
JP4346869B2 (en) * 2002-06-26 2009-10-21 パナソニック株式会社 Electronic device and information processing method
CN1798156A (en) * 2002-09-30 2006-07-05 松下电器产业株式会社 Information processing apparatus and receiving apparatus
US20040083388A1 (en) * 2002-10-25 2004-04-29 Nguyen The Vinh Method and apparatus for monitoring data packets in a packet-switched network
US7454499B2 (en) * 2002-11-07 2008-11-18 Tippingpoint Technologies, Inc. Active network defense system and method
US20040139226A1 (en) * 2002-12-13 2004-07-15 Dany Margalit Method for assigning an IP address to a network connectable device
US7216359B2 (en) * 2002-12-19 2007-05-08 International Business Machines Corporation Secure communication overlay using IP address hopping
US20050013274A1 (en) * 2003-03-05 2005-01-20 Harri Pekonen System and method for data transmission and reception
US7627640B2 (en) * 2003-03-17 2009-12-01 Epostal Services, Inc. Messaging and document management system and method
MXPA05008750A (en) * 2003-03-17 2005-09-20 Epostal Services Inc Messaging and document management system and method.
US7535878B2 (en) * 2003-03-28 2009-05-19 Intel Corporation Method, apparatus and system for ensuring reliable access to a roaming mobile node
US7694021B1 (en) * 2003-05-28 2010-04-06 Cisco Technology, Inc. Firewall for gateway network elements between IP based networks
US7573867B1 (en) * 2003-07-17 2009-08-11 Sprint Spectrum L.P. Method and system for maintaining a radio link connection during absence of real-time packet data communication
US20050041631A1 (en) * 2003-08-20 2005-02-24 Naveen Aerrabotu Apparatus and method for primary link packet control
US7715326B2 (en) * 2003-08-22 2010-05-11 Eutech Cybernetics Pte. Ltd. Webserver alternative for increased security
CN100440886C (en) 2003-09-02 2008-12-03 华为技术有限公司 Method for realizing multimedia protocol passing through network address translation device
US20050053063A1 (en) * 2003-09-04 2005-03-10 Sajeev Madhavan Automatic provisioning of network address translation data
US20050102704A1 (en) * 2003-11-07 2005-05-12 Rudy Prokupets Multiregional security system integrated with digital video recording and archiving
TWI257217B (en) * 2003-11-10 2006-06-21 Inst Information Industry Method to detect the form of network address translation
CN1270481C (en) * 2003-12-08 2006-08-16 华为技术有限公司 Access gate wireless local area network and implementation for guaranteeing network safety
US7305706B2 (en) * 2004-01-15 2007-12-04 Cisco Technology, Inc. Establishing a virtual private network for a road warrior
US7430203B2 (en) * 2004-01-29 2008-09-30 Brocade Communications Systems, Inc. Fibre channel zoning hardware for directing a data packet to an external processing device
US20070174436A1 (en) * 2004-01-30 2007-07-26 Hajime Maekawa Communication system, information processing system, information processing apparatus, tunnel management apparatus, information processing method, tunnel management method, and program
US20050177859A1 (en) * 2004-02-09 2005-08-11 Valentino Henry Iii Video surveillance system and methods of use and doing business
CN100525202C (en) * 2004-05-28 2009-08-05 中兴通讯股份有限公司 A method of registration for the private network terminal to the gatekeeper based on the H.323 protocol
CN1299476C (en) * 2004-05-28 2007-02-07 中兴通讯股份有限公司 Method for H.323 agent server to register on gatekeeper from terminals after being agent of NAT
CN1756259B (en) * 2004-09-27 2011-04-20 国际商业机器公司 Method and system for using a network address translation (nat) in an IP network
US8059562B2 (en) * 2004-10-18 2011-11-15 Nokia Corporation Listener mechanism in a distributed network system
US8464299B1 (en) 2004-11-17 2013-06-11 Rockstar Consortium Us Lp Resource conservation for packet television services
KR20060059292A (en) * 2004-11-26 2006-06-01 한국전자통신연구원 Network management method in interactive satellite communication system
US20060215649A1 (en) * 2005-03-08 2006-09-28 Chris Morrall Network address converting apparatus using SSW tree
US20060221955A1 (en) * 2005-04-05 2006-10-05 Mark Enright IP addressing in joined private networks
US8064439B2 (en) 2005-06-30 2011-11-22 Cisco Technology, Inc. Method and system for call processing
EP1946217A2 (en) * 2005-11-03 2008-07-23 Akonix Systems, Inc. Systems and methods for remote rogue protocol enforcement
US7451145B1 (en) * 2005-12-13 2008-11-11 At&T Corp. Method and apparatus for recursively analyzing log file data in a network
JP4759389B2 (en) * 2006-01-10 2011-08-31 アラクサラネットワークス株式会社 Packet communication device
JP4634320B2 (en) * 2006-02-28 2011-02-16 株式会社日立製作所 Device and network system for anti-abnormal communication protection
JP4594258B2 (en) * 2006-03-10 2010-12-08 富士通株式会社 System analysis apparatus and system analysis method
US7704617B2 (en) * 2006-04-03 2010-04-27 Bloom Energy Corporation Hybrid reformer for fuel flexibility
JP4780413B2 (en) * 2007-01-12 2011-09-28 横河電機株式会社 Unauthorized access information collection system
US8046492B1 (en) * 2007-11-06 2011-10-25 Juniper Networks, Inc. Offset independent filtering
DE102008012559A1 (en) * 2008-03-04 2009-09-17 Jochen Schumacher Method for establishing a communication link between subscriber devices in a data network
CN101286895B (en) * 2008-05-22 2010-08-18 上海交通大学 Dynamic configurable data monitoring system and method for distributed network
GB2478470B8 (en) 2008-11-17 2014-05-21 Sierra Wireless Inc Method and apparatus for network port and netword address translation
US8924486B2 (en) 2009-02-12 2014-12-30 Sierra Wireless, Inc. Method and system for aggregating communications
US8326919B1 (en) * 2009-12-22 2012-12-04 Emc Corporation Network address translation auto-discovery in data storage networks
US9160707B2 (en) 2010-10-22 2015-10-13 Telefonaktiebolaget L M Ericsson (Publ) Differentiated handling of network traffic using network address translation
US8904036B1 (en) * 2010-12-07 2014-12-02 Chickasaw Management Company, Llc System and method for electronic secure geo-location obscurity network
WO2012106820A1 (en) * 2011-02-08 2012-08-16 Sierra Wireless, Inc. Method and system for forwarding data between network devices
CN102209124B (en) * 2011-06-08 2014-03-12 杭州华三通信技术有限公司 Method for communication between private network and public network and network address translation equipment
US9931251B2 (en) * 2011-07-20 2018-04-03 etectRx Inc. Wetness sensors, wetness monitoring system, and related methods
US9634911B2 (en) * 2013-07-30 2017-04-25 Avaya Inc. Communication device event captures
US9832196B2 (en) 2014-09-15 2017-11-28 Bank Of America Corporation Network monitoring device
EP3231142B1 (en) * 2014-12-09 2021-07-21 Telefonaktiebolaget LM Ericsson (publ) Network address translation
CN104579939B (en) * 2014-12-29 2021-02-12 网神信息技术(北京)股份有限公司 Gateway protection method and device

Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0465201A2 (en) * 1990-06-29 1992-01-08 Digital Equipment Corporation Bridge-like internet protocol router

Family Cites Families (10)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5383179A (en) * 1988-12-15 1995-01-17 Laboratoire Europeen De Recherches Electroniques Avancees Message routing method in a system having several different transmission channels
US5400334A (en) * 1993-08-10 1995-03-21 Ungermann-Bass, Inc. Message security on token ring networks
US5606668A (en) * 1993-12-15 1997-02-25 Checkpoint Software Technologies Ltd. System for securing inbound and outbound data packet flow in a computer network
US5835726A (en) * 1993-12-15 1998-11-10 Check Point Software Technologies Ltd. System for securing the flow of and selectively modifying packets in a computer network
US5416842A (en) * 1994-06-10 1995-05-16 Sun Microsystems, Inc. Method and apparatus for key-management scheme for use with internet protocols at site firewalls
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5793763A (en) * 1995-11-03 1998-08-11 Cisco Technology, Inc. Security system for network address translation systems
US5781550A (en) * 1996-02-02 1998-07-14 Digital Equipment Corporation Transparent and secure network gateway
US5826014A (en) * 1996-02-06 1998-10-20 Network Engineering Software Firewall system for protecting network elements connected to a public network
US5778174A (en) * 1996-12-10 1998-07-07 U S West, Inc. Method and system for providing secured access to a server connected to a private computer network

Patent Citations (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
EP0465201A2 (en) * 1990-06-29 1992-01-08 Digital Equipment Corporation Bridge-like internet protocol router

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
INTERNET SECURITY HANDBOOK, 1995, MAIDENHEAD,ENGLAND, pages 27-37, XP002040993 STALLINGS W: *
RFC1631, May 1994, INTERNET ENGINEERING TASK FORCE, USA, pages 1-10, XP002040992 EGEVANG K AND FRANCIS P: "The IP Network Address Translator (NAT)" *

Cited By (65)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6587457B1 (en) 1998-03-31 2003-07-01 Nokia Mobile Phones Ltd. Method for connecting data flows
US7031286B1 (en) 1998-06-30 2006-04-18 Telefonaktiebolaget Lm Ericsson (Publ) Method and an arrangement in a mobile radio system
JP2000209263A (en) * 1999-01-11 2000-07-28 Sanyo Electric Co Ltd Ts data filtering circuit for digital broadcasting receiver
US7240368B1 (en) * 1999-04-14 2007-07-03 Verizon Corporate Services Group Inc. Intrusion and misuse deterrence system employing a virtual network
US7958556B2 (en) 1999-04-14 2011-06-07 Verizon Corporate Services Group Inc. Intrusion and misuse deterrence system employing a virtual network
US8955095B2 (en) * 1999-04-14 2015-02-10 Verizon Corporate Services Group, Inc. Intrusion and misuse deterrence system employing a virtual network
GB2350259A (en) * 1999-05-21 2000-11-22 Tien Chung Nan Interconnecting computers
GB2350259B (en) * 1999-05-21 2003-10-08 Chung-Nan Tien Method for enabling a remote user at a remote computer to access a computer selectively connected to a local computer network
US9667594B2 (en) 1999-06-15 2017-05-30 Ssh Communications Security Oyj Maintaining network address translations
NL1013273C2 (en) * 1999-10-12 2001-04-17 Koninkl Kpn Nv Method and system for sending IP messages.
EP1093258A1 (en) * 1999-10-12 2001-04-18 Koninklijke KPN N.V. Method and system for transmitting IP messages
EP1130846A3 (en) * 2000-03-03 2003-09-24 Nexland, Inc. Network address translation gateway
US8165140B2 (en) 2000-03-03 2012-04-24 Symantec Corporation Network address translation gateway for local area networks using local IP addresses and non-translatable port addresses
EP1259886A1 (en) * 2000-03-03 2002-11-27 Nexland, Inc. Network address translation gateway for local area networks using local ip addresses and non-translatable port addresses
EP1259886A4 (en) * 2000-03-03 2004-04-28 Nexland Inc Network address translation gateway for local area networks using local ip addresses and non-translatable port addresses
EP1130846A2 (en) * 2000-03-03 2001-09-05 Nexland, Inc. Network address translation gateway
US7447804B2 (en) 2000-03-20 2008-11-04 Samsung Electronics Co., Ltd. System and method for multi-telecommunication over local IP network
EP1137238A3 (en) * 2000-03-20 2004-01-21 SAMSUNG ELECTRONICS Co. Ltd. System and method for integrated communications over a local IP network
EP1137238A2 (en) * 2000-03-20 2001-09-26 SAMSUNG ELECTRONICS Co. Ltd. System and method for integrated communications over a local IP network
WO2001080514A3 (en) * 2000-04-14 2002-06-20 Stratus Technologies Internati Robust, secure service network
WO2001080514A2 (en) * 2000-04-14 2001-10-25 Stratus Technologies Bermuda Ltd. Robust, secure service network
US7151773B1 (en) 2000-05-05 2006-12-19 Fujitsu Limited System and method for connectionless/connection oriented signal transport
WO2001086866A3 (en) * 2000-05-05 2002-04-04 Fujitsu Network Communications Unique address space and method for a transport network
US7133403B1 (en) 2000-05-05 2006-11-07 Fujitsu Limited Transport network and method
US7173912B2 (en) 2000-05-05 2007-02-06 Fujitsu Limited Method and system for modeling and advertising asymmetric topology of a node in a transport network
US6515966B1 (en) 2000-05-05 2003-02-04 Fujitsu Network Communications, Inc. System and method for application object transport
US6693909B1 (en) 2000-05-05 2004-02-17 Fujitsu Network Communications, Inc. Method and system for transporting traffic in a packet-switched network
US7075927B2 (en) 2000-05-05 2006-07-11 Fujitsu Limited Method and system for quality of service (QoS) support in a packet-switched network
US7058730B2 (en) 2000-05-05 2006-06-06 Fujitsu Limited Unique address space and method for a transport network
US7385917B1 (en) 2000-05-05 2008-06-10 Fujitsu Limited Method and system for providing a protection path for connectionless signals in a telecommunications network
US7047176B2 (en) 2000-05-05 2006-05-16 Fujitsu Limited Method and system for hardware simulation
WO2001086866A2 (en) * 2000-05-05 2001-11-15 Fujitsu Network Communications, Inc. Unique address space and method for a transport network
US6775229B1 (en) 2000-05-05 2004-08-10 Fujitsu Network Communications, Inc. Method and system for providing a protection path for connection-oriented signals in a telecommunications network
US6795816B2 (en) 2000-05-31 2004-09-21 Alcatel Method and device for translating telecommunication network IP addresses by a leaky-controlled memory
EP1161059A3 (en) * 2000-05-31 2003-06-18 Alcatel Method and device for translating telecommunication network IP addresses by a leaky-controlled memory
EP1161059A2 (en) * 2000-05-31 2001-12-05 Alcatel Method and device for translating telecommunication network IP addresses by a leaky-controlled memory
EP1310060A4 (en) * 2000-08-15 2005-09-21 Polycom Israel Ltd A multimedia communication control unit as a secure device for multimedia communication between lan users and other network users
US9531776B2 (en) 2000-08-15 2016-12-27 Polycom, Inc. Multimedia communication control unit as a secure device for multimedia communication between LAN users and other network users
US8706893B2 (en) 2000-08-15 2014-04-22 Polycom Israel, Ltd. Multimedia communication control unit as a secure device for multimedia communication between LAN users and other network users
EP1310060A1 (en) * 2000-08-15 2003-05-14 Polycom Israel Ltd. A multimedia communication control unit as a secure device for multimedia communication between lan users and other network users
KR100422375B1 (en) * 2000-08-23 2004-03-16 큰사람컴퓨터 주식회사 Method and system for establishing connections between terminals connected to network environments having different IP-addressing schemes
WO2002039657A1 (en) * 2000-11-08 2002-05-16 Icomera Ab A method for secure packet-based communication between two units via an intermedia unit
US7009956B2 (en) 2000-12-21 2006-03-07 Nokia Corporation Address sharing
WO2002051093A2 (en) 2000-12-21 2002-06-27 Nokia Corporation Address sharing
WO2002051093A3 (en) * 2000-12-21 2002-11-14 Nokia Corp Address sharing
KR20020093398A (en) * 2001-06-08 2002-12-16 (주)바네트 Method for sharing an authorized internet protocol address of ultra highspeed internet restrictively
WO2002103981A2 (en) * 2001-06-14 2002-12-27 Nortel Networks Limited Providing telephony services to terminals behind a firewall and/or network address translator
US8108553B2 (en) 2001-06-14 2012-01-31 Rockstar Bidco, LP Providing network address translation information
WO2002103981A3 (en) * 2001-06-14 2004-06-10 Nortel Networks Ltd Providing telephony services to terminals behind a firewall and/or network address translator
US8484359B2 (en) 2001-06-14 2013-07-09 Rockstar Consortium Us Lp Providing telephony services to terminals behind a firewall and/or a network address translator
US8397276B2 (en) 2001-06-14 2013-03-12 Genband Us Llc Protecting a network from unauthorized access
US7684317B2 (en) 2001-06-14 2010-03-23 Nortel Networks Limited Protecting a network from unauthorized access
US8244876B2 (en) 2001-06-14 2012-08-14 Rockstar Bidco, LP Providing telephony services to terminals behind a firewall and/or a network address translator
US7940654B2 (en) 2001-06-14 2011-05-10 Genband Us Llc Protecting a network from unauthorized access
US7068655B2 (en) 2001-06-14 2006-06-27 Nortel Networks Limited Network address and/or port translation
KR20030069729A (en) * 2002-02-22 2003-08-27 삼성전자주식회사 Method for routing packet date in mobile communication system
US7668306B2 (en) 2002-03-08 2010-02-23 Intel Corporation Method and apparatus for connecting packet telephony calls between secure and non-secure networks
US8582749B2 (en) 2002-03-08 2013-11-12 Intel Corporation Method and apparatus for connecting packet telephony calls between secure and non-secure networks
KR20030075810A (en) * 2002-03-20 2003-09-26 유디에스 주식회사 Communication system and its method between Internet protocol network and Private Network
US7113763B2 (en) 2002-06-03 2006-09-26 Nokia Corporation Bluetooth access point and remote bluetooth modules for powerline based networking
US7729331B2 (en) 2002-09-06 2010-06-01 Panasonic Corporation Home terminal apparatus and communication system
WO2004023728A2 (en) * 2002-09-06 2004-03-18 Matsushita Electric Industrial Co., Ltd. Home terminal apparatus and communication system
WO2004023728A3 (en) * 2002-09-06 2004-07-08 Matsushita Electric Ind Co Ltd Home terminal apparatus and communication system
WO2004100500A2 (en) * 2003-05-05 2004-11-18 Thomson Licensing S.A. System and method for communicating with a display device via a network
WO2004100500A3 (en) * 2003-05-05 2005-04-28 Thomson Licensing Sa System and method for communicating with a display device via a network

Also Published As

Publication number Publication date
JPH11508753A (en) 1999-07-27
DE69708281D1 (en) 2001-12-20
CN1216657A (en) 1999-05-12
EP0895684A2 (en) 1999-02-10
EP0895684B1 (en) 2001-11-14
DE69708281T2 (en) 2002-05-16
KR20000010612A (en) 2000-02-25
US6128298A (en) 2000-10-03
CA2248577C (en) 2002-11-05
AU707905B2 (en) 1999-07-22
AU2563297A (en) 1997-11-12
KR100317443B1 (en) 2002-01-16
WO1997040610A3 (en) 1997-11-27
CA2248577A1 (en) 1997-10-30

Similar Documents

Publication Publication Date Title
US6128298A (en) Internet protocol filter
US7139828B2 (en) Accessing an entity inside a private network
US6381638B1 (en) System and method for options based address reuse
US7853714B1 (en) Providing services for multiple virtual private networks
EP1234246B1 (en) System and method for network access without reconfiguration
US7701952B2 (en) Packet communication method and apparatus and a recording medium storing a packet communication program
US6857009B1 (en) System and method for network access without reconfiguration
US6430623B1 (en) Domain name routing
US6157950A (en) Methods and apparatus for interfacing a computer or small network to a wide area network such as the internet
USRE41024E1 (en) Communication using two addresses for an entity
US20070094411A1 (en) Network communications system and method
US20030193965A1 (en) Packet communication method and apparatus and a recording medium storing a packet communication program
US20080133774A1 (en) Method for implementing transparent gateway or proxy in a network
WO2011035528A1 (en) Method, system and relay server for network address translation (nat) traversal by way of relay
US20060268863A1 (en) Transparent address translation methods
Cisco AppleTalk Commands
Cisco AppleTalk Commands
Cisco IP Commands
Cisco IP Commands
Cisco IP Commands
Cisco IP Commands
Cisco AppleTalk Commands
Cisco AppleTalk Commands
Cisco AppleTalk Commands
Cisco AppleTalk Commands

Legal Events

Date Code Title Description
WWE Wipo information: entry into national phase

Ref document number: 97194075.4

Country of ref document: CN

AK Designated states

Kind code of ref document: A2

Designated state(s): AU CA CN JP KR

AL Designated countries for regional patents

Kind code of ref document: A2

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

AK Designated states

Kind code of ref document: A3

Designated state(s): AU CA CN JP KR

AL Designated countries for regional patents

Kind code of ref document: A3

Designated state(s): AT BE CH DE DK ES FI FR GB GR IE IT LU MC NL PT SE

DFPE Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101)
121 Ep: the epo has been informed by wipo that ep was designated in this application
ENP Entry into the national phase

Ref document number: 2248577

Country of ref document: CA

Ref document number: 2248577

Country of ref document: CA

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 1997917189

Country of ref document: EP

ENP Entry into the national phase

Ref document number: 1997 537534

Country of ref document: JP

Kind code of ref document: A

WWE Wipo information: entry into national phase

Ref document number: 1019980708503

Country of ref document: KR

WWP Wipo information: published in national office

Ref document number: 1997917189

Country of ref document: EP

WWP Wipo information: published in national office

Ref document number: 1019980708503

Country of ref document: KR

WWG Wipo information: grant in national office

Ref document number: 1019980708503

Country of ref document: KR

WWG Wipo information: grant in national office

Ref document number: 1997917189

Country of ref document: EP