Method of network communication

US 20070002857A1
Filed: 02/28/2006
Published: 01/04/2007
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the remote clients share a common source address on the intermediate transport network;

wherein in the secure network, the method comprises;

a) analyzing packets received from a remote client to identify packets that start a new secure communication session;

b) assigning a session-unique address to the new secure communication session; and

c) translating subsequent packets in the secure communication session by exchanging the source address with the local session address.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of network communication and a network gateway are disclosed. The method and gateway operate between a secure network and remote clients by way of an intermediate transport network, such as the Internet. The remote clients connect through a NAT router so share a common source address on the intermediate transport network. In the secure network, the method analyses packets received from a remote client to identify packets that start a new secure communication session. Then, the method assigns a session-unique address and port to the new secure communication session. Subsequent packets are translated in the secure communication session by exchanging the source address with the local session address. Thus, the secure network perceived each session as originating from a distinct address and port, whereby several such sessions can coexist simultaneously.

Citations

21 Claims

1. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the remote clients share a common source address on the intermediate transport network;
- wherein in the secure network, the method comprises;
  
  a) analyzing packets received from a remote client to identify packets that start a new secure communication session;
  
  b) assigning a session-unique address to the new secure communication session; and
  
  c) translating subsequent packets in the secure communication session by exchanging the source address with the local session address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 14, 15, 16, 18, 19, 20, 21)
- - 2. A method according to claim 1 in which the session-unique address includes one or both of a local IP address and a local port number.
  - 3. A method according to claim 1 in which session-unique address are assigned from a private IP address range.
  - 4. A method according to claim 1 in which packets inbound to the secure network may be translated such that packets of a session inbound to the secure network are modified by changing the source IP address and source port to the assigned IP address and port and outbound packets of a session may be modified by changing the destination IP address and destination port to the originating client'"'"'s IP address.
  - 5. A method according to claim 1 in which correspondences between source addresses and the local session addresses are stored in a mapping table.
  - 6. A method according to claim 1 in which the secure communication session is a NAT-T IKE session.
  - 7. A method according to claim 6 in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is Ipsec.
  - 8. A method according to claim 7 in which initiator and responder cookies in an ISAKMP header of a packet are used to identify a packet as part of an established session.
  - 9. A method according to claim 6 in which the type of session between the secure network and remote clients is IPsec transport mode ESP.
  - 10. A method according to claim 7 in which the type of session between the peers is L2TP over IPsec transport mode ESP.
  - 11. A method according to claim 9 in which an SPI and sequence number in an ESP header of a packet is used to identify a packet as part of an established session.
  - 12. A method according to claim 1 in which sessions are maintained and terminated on a variable time basis.
  - 14. A method according to claim 12 in which the variable time period is determined by the routing of packets in alternating directions to ensure both peers are alive.
  - 15. A method according to claim 12 in which sessions are maintained for a constant timer period.
  - 16. A method of network address and port translation according to claim 1 in which sessions are located using a multitude of strategies to delivery session resilience in the event of client IP address and port changes.
  - 18. A method according to claim 1 in which a state machine is associated with a new session in order to monitor the state of the session.
  - 19. A network gateway device comprising a first network interface for communication with clients on a secure local network and a second network interface for communication with remote clients over a wide-area network, and a processing unit that can transfer data between the first and second network interfaces, wherein the processing unit is operative to transfer packets to implement a method according to any preceding claim.
  - 20. A network gateway device according to claim 19 constituted by a general-purpose computer executing an operating system and suitable application software.
  - 21. A computer software product that when executed on a hardware platform performs a method according to claim 1.

13. A method according to claim 13 in which the variable time is determined according to the state of the session.

17. A method of network address and port translation according to 14 in which a multiple location strategy consist of client IP address and client port location strategy in conjunction with SPI and sequence number of ESP packets location strategy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies Ireland Ltd. (Akamai Technologies, Inc.)
Original Assignee
Asavie R&D Limited (Akamai Technologies, Inc.)
Inventors
Maher, Thomas

Granted Patent

US 7,908,651 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/389
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 61/2517   using port numbers

H04L 61/2564   for a higher-layer protocol...

H04L 61/2585   through application level g...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/164   at the network layer

Method of network communication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method of network communication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links