System and method to proxy inbound connections to privately addressed hosts

US 20030154306A1
Filed: 01/21/2003
Published: 08/14/2003
Est. Priority Date: 02/11/2002
Status: Abandoned Application

First Claim

Patent Images

1. A method for establishing an inbound connection from a device on the public network to a device on a private network, said private network using a system of private addressing, said methodology comprising:

a proxy server apparatus represented by a physical connection to both a public and private network segment with at least one host interface controller to receive and/or transmit data containing message headers, so as to move those messages across networks from a source device on the public network to a destination device on a private network, said device on the private network identified by a private address, and vice versa;

a request receiving means for receiving a plurality of address discovery requests from at least one of a plurality of client apparatuses residing on the public network, and a request receiving means for receiving a plurality of address resolution responses from at least one of a plurality of look-up or name servers residing on the private network;

a means for intercepting the address resolution from the look-up or name server, rewriting any network address that represent a private address listed in an address resolution response and replacing said address with the public address of the proxy server apparatus, assigning a unique port to identify the connection and transmitting the created socket address, including the public IP address of the proxy server apparatus and the dynamically assigned port, to the client;

a redirect methodology of creating means for sequentially mapping a plurality of resolution and access requests, each redirect specifying a reverse or regular mapping, including a methodology for the proxy server apparatus to trap for redirects from said name server or from said device on the private network, and a methodology for the proxy server apparatus to log reverse and regular mapping redirects of the socket address, created by the proxy server, to the hosts private address, provided by the look-up or name server.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method for network address translation that enables an inbound connection from the public network to a privately addressed host residing on a private network. The stated invention functions as a reverse proxy mechanism assigning a dynamic port number to uniquely identify each inbound connection from the public network to a host on the private network. The defined proxy device uses regular and reverse mapping and employs use of the passive command to notify the client on the public network of the said unique port number assigned for the inbound connection. When the session is completed, the port is returned to the pool to be reassigned as needed.

Citations

5 Claims

1. A method for establishing an inbound connection from a device on the public network to a device on a private network, said private network using a system of private addressing, said methodology comprising:
- a proxy server apparatus represented by a physical connection to both a public and private network segment with at least one host interface controller to receive and/or transmit data containing message headers, so as to move those messages across networks from a source device on the public network to a destination device on a private network, said device on the private network identified by a private address, and vice versa;
  
  a request receiving means for receiving a plurality of address discovery requests from at least one of a plurality of client apparatuses residing on the public network, and a request receiving means for receiving a plurality of address resolution responses from at least one of a plurality of look-up or name servers residing on the private network;
  
  a means for intercepting the address resolution from the look-up or name server, rewriting any network address that represent a private address listed in an address resolution response and replacing said address with the public address of the proxy server apparatus, assigning a unique port to identify the connection and transmitting the created socket address, including the public IP address of the proxy server apparatus and the dynamically assigned port, to the client;
  
  a redirect methodology of creating means for sequentially mapping a plurality of resolution and access requests, each redirect specifying a reverse or regular mapping, including a methodology for the proxy server apparatus to trap for redirects from said name server or from said device on the private network, and a methodology for the proxy server apparatus to log reverse and regular mapping redirects of the socket address, created by the proxy server, to the hosts private address, provided by the look-up or name server.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method according to claim 1, of accessing said device located on a private network from the public network by routing inbound packets by port address, said methodology assigning a unique port address to identify each inbound data session established by a plurality of clients on the public network connecting to a plurality of devices on a private network, said proxy apparatus using the passive command to notify the client of the unique port address assigned to the session, the method to comprise the steps of:
    - a client on the public network opens two random unprivileged ports locally (N>
      
      1024 and N+1), said first port to contact a proxy server apparatus and issue the passive command, said passive command instructs the proxy server apparatus to prepare for a new socket connection by creating a new socket and listen for a connection from the client at said socket number;
      
      said proxy server apparatus in response to the passive command issued by said client then opens a random unprivileged port (P>
      
      1024) and sends a port command (port P) back to the client, said reply includes a new and unique socket number comprised of an IP address and a port number, encoded as 6 digits, separated by commas;
      
      said client then initiates the inbound connection from port N+1 to port P on the proxy apparatus to establish a continuous synchronous or asynchronous data connection;
      
      said port number is then used to uniquely identify each inbound packet in the session.
  - 3. A method, according to claim 2, of redirecting an inbound connection request to a device, or devices, on a private network that requires a minimum of two ports be allocated on the client side requesting the connection and a minimum of two ports be allocated on the proxy server side receiving said connection, comprising the steps of:
    - allocating two ports for connection establishment of each session, said first port being a command channel between said client and said proxy server apparatus to query a host or resource name for location information of a privately addressed device and to exchange the passive command information to assign a unique port for the data connection and communicate that unique port assignment to the client as defined in claim 2;
      
      the second port being a data channel between said client and said proxy server apparatus to establish a continuous synchronous or asynchronous session with said privately addressed device, said second port is a dynamic port assigned to uniquely identify the session established with said device on the private network as defined in claim 2.
  - 4. A redirect methodology according to claim 1 and claim 2, comprising:
    - an address table, or set of address tables, to carry out packet redirection based upon a method for choosing a next-hop destination for each packet, each address table to store at least one pointer to at least one of said plurality of host devices for message distribution;
      
      said methodology to include a process of recording the non-routable IP address and port number of the internal host residing on the private network to said address table;
      
      said methodology to include a process of recording the unique session identification or port number that it has assigned for this session as defined in claim 2 to said address table;
      
      said address table to perform mapping of non-routable IP address and port number of internal host to the unique port number assigned to the session as defined in claim 2 for translation of packets based upon this mapping for redirection and forwarding.
  - 5. A process and methodology of network address translation according to claim 1 and claim 2 and claim 4, where a device on the public network attempts to connect to a device on an internal private network that has been assigned an IP address that is not unique and should be considered non-routable, comprising the steps of;
    - said proxy server apparatus, as defined in claim 1, receives a packet from said source device on the public network;
      
      said methodology of unique port assignment, as defined in claim 2, using dynamically established ports to create a unique socket number for identifying network connections to internal devices on a private network assigned a private non-routable address;
      
      said methodology of port mapping using address tables for connection redirection, as defined in claim 4, where a packet form a source device on the public network is received and the destination port on the packet is checked against listings in an address table;
      
      said methodology comprising a process of reverse port address translation for inbound connection sessions to devices on a private network assigned non-routable private IP addresses by rewriting the destination address and destination port to the ones recorded in said address table, as defined in claim 4, and forwarding the packet to the mapped internal host;
      
      said destination device residing on the internal private network receives the packet from said proxy server apparatus, as defined in claim 1;
      
      said process repeats as long as said internal device is communicating with said external device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Stephen Hastings Perry
Original Assignee
Stephen Hastings Perry
Inventors
Perry, Stephen Hastings

Application Number

US10/347,374
Publication Number

US 20030154306A1
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 61/00   Network arrangements, proto...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/255   Maintenance or indexing of ...

H04L 61/2567   for reachability, e.g. inqu...

H04L 61/45   Network directories; Name-t...

H04L 61/4552   Lookup mechanisms between a...

H04L 63/0281   Proxies

H04L 67/2895   Intermediate processing fun...

H04L 67/56   Provisioning of proxy servi...

System and method to proxy inbound connections to privately addressed hosts

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

Citations

5 Claims

Specification

Solutions

Use Cases

Quick Links

System and method to proxy inbound connections to privately addressed hosts

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

5 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links