Network address translation techniques for selective network traffic diversion

US 20040177158A1
Filed: 05/06/2003
Published: 09/09/2004
Est. Priority Date: 03/07/2003
Status: Abandoned Application

First Claim

Patent Images

1. A method in a client computing system for conveying network traffic for a plurality of distributed applications, each distributed application comprising a client portion executing on the client computer system and a server portion executing on a separate server computing system, the method comprising:

activating a private application network client for exchanging network traffic for the distributed application with the server computing system;

in response to activation of the private application network client, activating a distinguished network driver;

in the distinguished network driver;

receiving a first network packet generated by one of the client portions;

comparing the header of the first network packet to a plurality of interception rules to identify a distributed application to which the first network packet corresponds;

contacting a tunnel client to obtain a mapped port number to which to forward the first network packet;

generating a mapping for the first network packet containing information from the first network packet'"'"'s header and the obtained mapped port number;

using the generated mapping to mangle the first network packet for delivery to the tunnel client at the obtained mapped port number;

in the tunnel client;

receiving the mangled first network packet at a selected socket listening on the mapped port number;

forwarding the contents of the mangled first network packet via a selected tunnel channel to a selected server portion of the identified distributed application;

receiving response data from the selected server portion of the identified distributed application via the selected tunnel channel;

writing the receiving response data to the selected socket;

in the distinguished network driver;

receiving a second network packet generated by writing the receiving response data to the selected socket;

comparing the generated mapping to the header of the second network packet to recognize the second networkpacket as being related to the first network packet; and

using the generated mapping to mangle the second network packet for delivery to the source of the first network packet.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A facility for diverting a network packet to a diverted destination is described. The facility selects for diversion a network packet that has been submitted for delivery and whose delivery is not yet complete. The network packet has a destination address, a destination port, a source address, and a source port, all with initial values. In the network packet, the facility: substitutes the initial value of the destination port in the source port; substitutes an address for the diverted destination in the destination address; and substitutes a port for the diverted destination in the destination port. After the substitution, the facility releases the network packet for delivery to the diverted destination.

Citations

47 Claims

1. A method in a client computing system for conveying network traffic for a plurality of distributed applications, each distributed application comprising a client portion executing on the client computer system and a server portion executing on a separate server computing system, the method comprising:
- activating a private application network client for exchanging network traffic for the distributed application with the server computing system;
  
  in response to activation of the private application network client, activating a distinguished network driver;
  
  in the distinguished network driver;
  
  receiving a first network packet generated by one of the client portions;
  
  comparing the header of the first network packet to a plurality of interception rules to identify a distributed application to which the first network packet corresponds;
  
  contacting a tunnel client to obtain a mapped port number to which to forward the first network packet;
  
  generating a mapping for the first network packet containing information from the first network packet'"'"'s header and the obtained mapped port number;
  
  using the generated mapping to mangle the first network packet for delivery to the tunnel client at the obtained mapped port number;
  
  in the tunnel client;
  
  receiving the mangled first network packet at a selected socket listening on the mapped port number;
  
  forwarding the contents of the mangled first network packet via a selected tunnel channel to a selected server portion of the identified distributed application;
  
  receiving response data from the selected server portion of the identified distributed application via the selected tunnel channel;
  
  writing the receiving response data to the selected socket;
  
  in the distinguished network driver;
  
  receiving a second network packet generated by writing the receiving response data to the selected socket;
  
  comparing the generated mapping to the header of the second network packet to recognize the second networkpacket as being related to the first network packet; and
  
  using the generated mapping to mangle the second network packet for delivery to the source of the first network packet.
- View Dependent Claims (2)
- - 2. The method of claim 1, further comprising:
    - in the distinguished network driver;
      
      receiving a third network packet generated by one of the client portions;
      
      comparing the generated mapping to the header of the third network packet to recognize the third network packet as being related to the first network packet; and
      
      using the generated mapping to mangle the third network packet for delivery to the tunnel client at the mapped port number contained by the generated mapping.

3. A method in a first network node upon which a client for a selected application is executing, comprising, in a network driver:
- capturing a packet sent by the client for the selected application and addressed to a second network node that is distinct from the first network node, a server for the selected application executing upon the second network node; and
  
  passing the captured packet to a data tunneling program executing on the first network node.
- View Dependent Claims (4, 5, 6)
- - 4. The method of claim 3 further comprising, in the data tunneling program, transmitting data in the passed packet to the second network node for delivery to the server for the selected application executing on the second network node.
  - 5. The method of claim 3 further comprising, in the data tunneling program, transmitting data in the passed packet to a third network node for delivery to a server for the selected application executing on the third network node, the third network node being distinct from the first and second network nodes.
  - 6. The method of claim 3 wherein the captured packet has a header containing delivery information, and wherein passing the captured packet to the data tunneling program comprises:
    - modifying the delivery information contained by the header of the captured packet; and
      
      permitting the captured packet to be delivered to the data tunneling program in accordance with the modified delivery information as local network traffic.

7. A first network node upon which a client for a selected application is executing, comprising:
- a packet capture subsystem that captures a packet sent by the client for the selected application and addressed to a second network node that is distinct from the first network node, a server for the selected application executing upon the second network node; and
  
  a packet passing subsystem that passes the captured packet to a data tunneling program executing on the first network node.

8. A computer-readable medium whose contents cause a first network node upon which a client for a selected application is executing to selectively redirect network traffic by, in a network driver:
- capturing a packet sent by the client for the selected application and addressed to a second network node that is distinct from the first network node, a server for the selected application executing upon the second network node; and
  
  passing contents of the captured packet to a data tunneling program executing on the first network node.

9. A method in a computing system for diverting a network packet to a diverted destination, comprising:
- selecting for diversion a first network packet that has been submitted for delivery and whose delivery is not yet complete, the first network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value;
  
  in the first network packet, substituting the initial value of the destination address in the source address;
  
  in the first network packet, substituting an address for the diverted destination in the destination address;
  
  in the first network packet, substituting a port for the diverted destination in the destination port; and
  
  after substitution within the first network packet is completed, releasing the first network packet for delivery to the diverted destination.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25)
- - 10. The method of claim 9, wherein the first network packet has a checksum covering its destination address, destination port, source address, and source port, the checksum having an initial value, the method further comprising:
    - recalculating the checksum based on the substituted values; and
      
      before the first network packet is released, substituting the recalculated checksum for the checksum'"'"'s initial value.
  - 11. The method of claim 9, further comprising:
    - selecting a second network packet as a reply to the first network packet, the second network packet having a destination address having an initial value equal to the initial value of the first packet'"'"'s destination address, a destination port having an initial value equal to the initial value of the first packet'"'"'s source port, a source address having an initial value equal to the address for the diverted destination, and a source port having an initial value equal to the port for the diverted destination;
      
      in the second network packet, substituting the initial value of the first packet'"'"'s source address in the destination address;
      
      in the second network packet, substituting the initial value of the first packet'"'"'s destination address in the source address;
      
      in the second network packet, substituting the initial value of the first packet'"'"'s destination port in the source port; and
      
      after substitution within the second network packet is completed, releasing the second network packet for delivery to the source of the first packet.
  - 12. The method of claim 11, further comprising, contemporaneous to releasing the first network packet, storing the initial value of the first network packet'"'"'s destination address, the initial value of the first network packet'"'"'s destination port, the initial value of the first network packet'"'"'s source address, the initial value of the first network packet'"'"'s source port, the address for the diverted destination, and the port for the diverted destination, and wherein selecting the second network packet comprises matching the initial value of the second network packet'"'"'s destination address to the stored initial value of the first packet'"'"'s destination address, matching the initial value of the second network packet'"'"'s destination port to the stored initial value of the first packet'"'"'s source port, matching the initial value of the second network packet'"'"'s source address to the stored address for the diverted destination, and matching the initial value of the second network packet'"'"'s source port to the stored port for the diverted destination, and wherein it is the stored initial value of the first packet'"'"'s source address that is substituted in the second network packet'"'"'s destination address;
    - and wherein it is the stored initial value of the first packet'"'"'s destination address that is substituted in the second network packet'"'"'s source address;
      
      and wherein it is the stored initial value of the first packet'"'"'s destination port that is substituted in the second network packet'"'"'s source port.
  - 13. The method of claim 12, further comprising:
    - selecting a third network packet that has been submitted for delivery and whose delivery is not yet complete, the third network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value, based upon determining that;
      
      the initial value of the third network packet'"'"'s destination address matches the stored initial value of the first packet'"'"'s destination address, the initial value of the third network packet'"'"'s destination port matches the stored initial value of the first packet'"'"'s destination port, the initial value of the third network packet'"'"'s source address matches the stored initial value of the first packet'"'"'s source address, and the initial value of the third network packet'"'"'s source port matches the stored initial value of the first packet'"'"'s source port;
      
      in response to selection of the third network packet, in the third network packet;
      
      substituting the stored address for the diverted destination in the destination address, substituting the stored port for the diverted destination in the destination port; and
      
      substituting stored initial value of the first packet'"'"'s destination address in the source address, and after substitution within the third network packet is completed, releasing the third network packet for delivery to the diverted destination.
  - 14. The method of claim 9, further comprising accessing a plurality of rules, each rule specifying a destination address, wherein the first network packet is selected for diversion based upon the initial value of the first packet'"'"'s destination address matching the destination address specified by a distinguished one of the rules.
  - 15. The method of claim 9, further comprising accessing a plurality of rules, each rule specifying a destination address and a destination port, wherein the first network packet is selected for diversion based upon (1) the initial value of the first network packet'"'"'s destination address matching the destination address specified by a distinguished one of the rules, and (2) the initial value of the first network packet'"'"'s destination port matching the destination port specified by the distinguished rule.
  - 16. The method of claim 15, wherein the first network packet has a protocol having an initial value, and wherein each of the plurality of accessed rules further specifies a protocol, and wherein the first network packet is selected for diversion further based upon (3) the initial value of the first packet'"'"'s protocol matching the protocol specified by the distinguished rule.
  - 17. The method of claim 9, further comprising accessing a plurality of rules, each rule specifying a destination address, a mapped destination address, and a mapped destination port, wherein the first network packet is selected for diversion based upon the initial value of the first packet'"'"'s destination address matching the destination address specified by a distinguished one of the rules, and wherein the address for the diverted destination substituted in the destination address of the first network packet is the mapped destination address specified by the distinguished rule, and wherein the port for the diverted destination substituted in the destination port of the first network packet is the mapped destination port specified by the distinguished rule.
  - 18. The method of claim 9 wherein the method is performed in a network device driver interposed before an original network device driver within local packet flow.
  - 19. The method of claim 18 wherein the modified network device driver is activated to intercept packets bound for the original network device driver only while the diverted destination is available to receive diverted network packets.
  - 20. The method of claim 9 wherein an operating system is executing on the computing system, and wherein the method is performed using a network address translation facility provided by the operating system.
  - 21. The method of claim 9 wherein the method is performed in a first network node, and wherein the diverted first network packet is received at a data tunneling program listening to the address and port for the diverted destination for transmission to a second network node distinct from the first network node.
  - 22. The method of claim 9 wherein the first network packet is received from an application client, and wherein the diverted first network packet is received at a data tunneling program listening to the address and port for the diverted destination, the data tunneling program performing application routing for network packets received from the application client.
  - 23. The method of claim 9 wherein the first network packet is received from an application client and contains an application request, and wherein the diverted first network packet is received at a request filtering program listening to the address and port for the diverted destination, the request filtering program blocking network packets containing certain types of application requests.
  - 24. The method of claim 23 wherein the request filtering program blocks network packets containing application requests not appropriate for one or more classes of users.
  - 25. The method of claim 23 wherein the request filtering program blocks network packets containing application requests generated by a trojan horse program.

26. A computer-readable medium whose contents cause a computing system to divert a network packet to a diverted destination by:
- selecting for diversion a first network packet that has been submitted for delivery and whose delivery is not yet complete, the first network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value;
  
  in the first network packet, substituting the initial value of the destination port in the source port;
  
  in the first network packet, substituting an address for the diverted destination in the destination address;
  
  in the first network packet, substituting a port for the diverted destination in the destination port; and
  
  after substitution within the first network packet is completed, releasing the first network packet for delivery to the diverted destination.

27. A computing system for diverting a network packet to a diverted destination, comprising:
- a packet selection subsystem that selects for diversion a first network packet that has been submitted for delivery and whose delivery is not yet complete, the first network packet having a destination address having an initial value, a destination port having an initial value, a source address having an initial value, and a source port having an initial value;
  
  a substitution subsystem that substitutes, in the first network packet;
  
  the initial value of the destination port in the source port, an address for the diverted destination in the destination address, and a port for the diverted destination in the destination port; and
  
  a packet release subsystem that releases the first network packet for delivery to the diverted destination after substitution within the first network packet is completed.

28. A method in a computing system for generating a rule collection data structure, comprising:
- for each of a plurality of distributed applications;
  
  creating a rule;
  
  storing in the created rule information characterizing the header information of request packets sent by clients of the distributed application.
- View Dependent Claims (29, 30, 31, 32, 33)
- - 29. The method of claim 28, further comprising:
    - receiving a network packet; and
      
      using the rules to identify a distributed application of whose request packets the header information of the received network packet is characteristic.
  - 30. The method of claim 28, further comprising:
    - for at least a subset of the distributed applications, storing in the created rule information specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router.
  - 31. The method of claim 30, further comprising:
    - receiving a network packet;
      
      selecting a rule whose rule information characterizing the header information of request packets sent by clients of the distributed application matches the received network packet; and
      
      forwarding the received network packet to a distributed application request packet router in accordance with the information stored in the selected rule specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router.
  - 32. The method of claim 28, further comprising:
    - receiving a network packet;
      
      using the rules to identify a distributed application of whose request packets the header information of the received network packet is characteristic;
      
      contacting a distributed application request packet router to obtain a specification of a manner for forwarding to the distributed application request packet router request packets sent by clients of the identified distributed application; and
      
      forwarding the received network packet to the distributed application request packet router in accordance with the obtained specification of a manner for forwarding to the distributed application request packet router request packets sent by clients of the identified distributed application.
  - 33. The method of claim 32, further comprising:
    - storing the obtained specification of a manner for forwarding to the distributed application request packet router request packets sent by clients of the identified distributed application in the rule created for the identified distributed application.

34. A computer-readable medium whose contents cause a computing system to generate a rule collection data structure by:
- for each of a plurality of distributed applications;
  
  creating a rule;
  
  storing in the created rule information characterizing the header information of request packets sent by clients of the distributed application.

35. One or more computer memories collectively containing a mapping data structure, the mapping data structure corresponding to a network packet earlier mangled in a forward direction, and comprising:
- a destination address corresponding to a destination address of the network packet, with which the source address of the network packet was replaced during mangling;
  
  a destination port corresponding to a destination port of the network packet;
  
  a source address corresponding to a source address of the network packet;
  
  a source port corresponding a source port of the network packet;
  
  a mapped destination address with which the destination address of the network packet was replaced during mangling; and
  
  a mapped destination port with which the destination port of the network packet was replaced during mangling, such that the contents of the mapping data structure may be used to mangle a response to the earlier-mangled network packet in a backward direction, and such that the contents of the mapping data structure may be used to mangle in a forward direction a subsequent network packet having the same destination address, destination port, source address, and source port as the earlier-mangled network packet.
- View Dependent Claims (36)
- - 36. The computer memories of claim 35 containing a plurality of a mapping data structures each corresponding to a different network packet earlier mangled in a forward direction.

37. One or more computer memories collectively containing a rule collection data structure, the data structure comprising a plurality of entries, each entry corresponding to a particular distributed application and comprising:
- (1) information characterizing the header information of request packets sent by clients of the distributed application; and
  
  (2) either (a) information specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router, or (b) an indication that information specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router should be obtained from a distributed application request packet router, such that the contents of the data structure can be use to identify and forward to a distributed application request packet router request packets sent by clients of a plurality of distributed applications.
- View Dependent Claims (38, 39, 40, 41, 42, 43, 44, 45)
- - 38. The computer memories of claim 37 wherein the indication is explicit.
  - 39. The computer memories of claim 37 wherein the indication is implicit.
  - 40. The computer memories of claim 37 wherein the information characterizing the header information of request packets sent by clients of the distributed application comprises a destination address.
  - 41. The computer memories of claim 37 wherein the information characterizing the header information of request packets sent by clients of the distributed application comprises a range of destination addresses.
  - 42. The computer memories of claim 37 wherein the information characterizing the header information of request packets sent by clients of the distributed application comprises a destination port.
  - 43. The computer memories of claim 37 wherein the information characterizing the header information of request packets sent by clients of the distributed application comprises a range of destination ports.
  - 44. The computer memories of claim 37 wherein the information characterizing the header information of request packets sent by clients of the distributed application comprises a destination address and a destination port.
  - 45. The computer memories of claim 37 wherein the information specifying a manner for forwarding request packets sent by clients of the distributed application to a distributed application request packet router comprises a mapped destination address and mapped destination port to which to re-address the forwarding request packets sent by clients of the distributed application.

46. One or more generated data signals collectively conveying a mangled network packet data structure generated from an original network packet data structure, the mangled network packet data structure comprising:
- a destination address field containing a value corresponding to an address at which a diversion target program is listening;
  
  a destination port field containing a value corresponding to a port on which the diversion target program is listening;
  
  a source address field containing a value corresponding to a destination address field of the original network packet data structure; and
  
  a source port field containing a value corresponding to a source port field of the original network packet data structure, such that the mangled network packet data structure may be received by the diversion target program and its correspondence to the original network packet data structure discerned.

47. One or more generated data signals collectively conveying a second network packet data structure generated from a first network packet data structure, the second network packet data structure comprising:
- a destination address field containing a first value retrieved from a network address translation mapping matched by the first network packet data structure;
  
  a destination port field containing a value corresponding to a destination port field of the first network packet data structure;
  
  a source address field containing a value corresponding to a destination address field of the first network packet data structure; and
  
  a source port field containing a second value retrieved from the network address translation mapping matched by the first network packet data structure, such that the mangled network packet data structure may be received by a program that formerly sent a third network packet data structure comprising;
  
  a destination address field containing a value corresponding to the source address field of the second network packet data structure;
  
  a destination port field containing a value corresponding to the source port field of the second network packet data structure;
  
  a source address field containing a value corresponding to the destination address field of the second network packet data structure; and
  
  a source port field containing a value corresponding to the destination port field of the second network packet data structure.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
HyperSpace Communications, Inc.
Original Assignee
HyperSpace Communications, Inc.
Inventors
Bauch, David James, Ryd, Warren David

Application Number

US10/430,997
Publication Number

US 20040177158A1
Time in Patent Office

Days
Field of Search
US Class Current

709/245
CPC Class Codes

H04L 67/01   Protocols

H04L 67/10   in which an application is ...

H04L 67/1001   for accessing one among a p...

H04L 67/10015   Access to distributed or re...

H04L 67/1008   based on parameters of serv...

H04L 67/101   based on network conditions

H04L 67/1014   based on the content of a r...

H04L 67/1023   based on a hash applied to ...

H04L 67/1029   using data related to the s...

H04L 67/63   Routing a service request d...

H04L 69/22   Parsing or analysis of headers

H04L 69/329   in the application layer [O...

H04L 9/40   Network security protocols

Network address translation techniques for selective network traffic diversion

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Network address translation techniques for selective network traffic diversion

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links