Network System

US 20090113203A1
Filed: 10/22/2008
Published: 04/30/2009
Est. Priority Date: 10/26/2007
Status: Abandoned Application

First Claim

Patent Images

1. A network system including a first computer, a second computer and a first packet forwarding apparatus, each of which has a communication interface and is connected through a network:

wherein individual network addresses are allocated to said communication interfaces of said first and second computers;

said first computer has a first software operating on said first computer and said second computer has a second software operating on said second computer;

each of said first software and said second software executes communication by using a communication packet containing a network address representing a communication interface of a source computer, a network address representing a communication interface of a destination computer, an identifier representing a source software and an identifier representing a destination software;

said first computer has a first encryption/decryption processing unit or is connected to said first encryption/decryption processing unit and said second computer has a second encryption/decryption processing unit or is connected to said second encryption/decryption processing unit;

said first encryption/decryption processing unit encrypts the entire communication packet sent by said first software to said second software, adds afresh a network address and an identifier representing a source and a destination of said communication packet, forwards said communication packet, removes a network address and an identifier representing a source and a destination from the communication packet sent by said second software to said first software and decrypts the remaining part, and forwards said communication packet;

said second encryption/decryption processing unit encrypts the entire communication packet sent by said second software to said first software, adds afresh a network address and an identifier representing a source and a destination of said communication packet, forwards said communication packet, removes a network address and an identifier representing a source and a destination from the communication packet sent by said first software to said second software and decrypts the remaining part, and forwards said communication packet;

a network address is further allocated to said communication interface of said first packet forwarding apparatus;

said first packet forwarding apparatus translates the network address representing the communication interface of said first computer and the identifier representing said first software as the source of said communication packet and added afresh by said first encryption/decryption processing unit in the communication packet sent by said first software to said second software into a network address of the communication interface of said first packet forwarding apparatus and into an identifier arbitrarily allocate by said first packet forwarding apparatus and forwards said communication packet; and

further translates the network address of the communication interface of said first packet forwarding apparatus and the identifier allocated arbitrarily as a destination of said communication packet added afresh by said second encryption/decryption processing unit to the communication packet sent by said second software to said first packet forwarding apparatus into a network address representing the communication interface of said first computer and into an identifier representing said first software, and forwards said communication packet;

when removing said network address and said identifier representing the source and the destination added by said first encryption/decryption processing unit and translated by said first packet forwarding apparatus from the communication packet sent by said first software to said second software and decrypting the remaining part, said second encryption/decryption processing unit replaces the network address of the source contained in said communication packet after decryption by the source network address added by said first encryption/decryption processing unit to said communication packet before decryption and translated by said first packet forwarding apparatus, allocates a unique value different from other communications having the same source network address as a new identifier and replaces the source identifier contained in said communication packet after decryption by said new identifier; and

a replacing rule of said network address and said identifier is stored, and is applied in a reverse direction to the source network address and the identifier of the communication packet sent from said second software to said first software.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An encryption communication module on the side of a service providing server reports a global IP address allocated to an NAPT router on the service providing server side and a port number of an outside UDP header used on the global side to an authentication/key exchange server. When receiving an encryption packet from an encryption communication module on the user terminal side, the encryption communication module on the service providing server side overwrite a source/destination IP address of an inside IP header by a source/destination IP address of an outside IP header. The encryption communication module further changes a source port number of an inside TCP•UDP header to a unique value for each communication session in the encryption communication having the same source IP address in the outside IP header. The inverse header change is made when the packet is transmitted to the encryption communication module of the user terminal side.

109 Citations

7 Claims

1. A network system including a first computer, a second computer and a first packet forwarding apparatus, each of which has a communication interface and is connected through a network:
- wherein individual network addresses are allocated to said communication interfaces of said first and second computers;
  
  said first computer has a first software operating on said first computer and said second computer has a second software operating on said second computer;
  
  each of said first software and said second software executes communication by using a communication packet containing a network address representing a communication interface of a source computer, a network address representing a communication interface of a destination computer, an identifier representing a source software and an identifier representing a destination software;
  
  said first computer has a first encryption/decryption processing unit or is connected to said first encryption/decryption processing unit and said second computer has a second encryption/decryption processing unit or is connected to said second encryption/decryption processing unit;
  
  said first encryption/decryption processing unit encrypts the entire communication packet sent by said first software to said second software, adds afresh a network address and an identifier representing a source and a destination of said communication packet, forwards said communication packet, removes a network address and an identifier representing a source and a destination from the communication packet sent by said second software to said first software and decrypts the remaining part, and forwards said communication packet;
  
  said second encryption/decryption processing unit encrypts the entire communication packet sent by said second software to said first software, adds afresh a network address and an identifier representing a source and a destination of said communication packet, forwards said communication packet, removes a network address and an identifier representing a source and a destination from the communication packet sent by said first software to said second software and decrypts the remaining part, and forwards said communication packet;
  
  a network address is further allocated to said communication interface of said first packet forwarding apparatus;
  
  said first packet forwarding apparatus translates the network address representing the communication interface of said first computer and the identifier representing said first software as the source of said communication packet and added afresh by said first encryption/decryption processing unit in the communication packet sent by said first software to said second software into a network address of the communication interface of said first packet forwarding apparatus and into an identifier arbitrarily allocate by said first packet forwarding apparatus and forwards said communication packet; and
  
  further translates the network address of the communication interface of said first packet forwarding apparatus and the identifier allocated arbitrarily as a destination of said communication packet added afresh by said second encryption/decryption processing unit to the communication packet sent by said second software to said first packet forwarding apparatus into a network address representing the communication interface of said first computer and into an identifier representing said first software, and forwards said communication packet;
  
  when removing said network address and said identifier representing the source and the destination added by said first encryption/decryption processing unit and translated by said first packet forwarding apparatus from the communication packet sent by said first software to said second software and decrypting the remaining part, said second encryption/decryption processing unit replaces the network address of the source contained in said communication packet after decryption by the source network address added by said first encryption/decryption processing unit to said communication packet before decryption and translated by said first packet forwarding apparatus, allocates a unique value different from other communications having the same source network address as a new identifier and replaces the source identifier contained in said communication packet after decryption by said new identifier; and
  
  a replacing rule of said network address and said identifier is stored, and is applied in a reverse direction to the source network address and the identifier of the communication packet sent from said second software to said first software.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. A network system according to claim 1, which further includes a second packet forwarding apparatus interposed between said first packet forwarding apparatus and said second computer, a communication interface of said second packet forwarding apparatus having a network address allocated thereto, wherein:
    - said second packet forwarding apparatus translates the network address of the communication interface of said second packet forwarding apparatus and an identifier set in advance inside said second packet forwarding apparatus as the destination of said communication packet to a network address representing said second computer and an identifier representing said second software, respectively, in the communication packet sent by said first software to said second software, forwards said communication packet, translates the source of the communication packet to the network address of the communication interface of said second packet forwarding apparatus and the identifier set in advance for the communication packet sent from said second software to said first packet forwarding apparatus, and forwards the communication packet;
      
      when removing said network address and said identifier representing the source and the destination added by said first encryption/decryption processing unit and translated by said first packet forwarding apparatus and said second packet forwarding apparatus for the communication packet sent by said first software to said second software and decrypting the remaining part, said second encryption/decryption processing unit replaces the network address of the destination contained in said communication packet after decryption by the destination network address added by said first encryption/decryption processing unit to said communication packet before decryption and translated by said first packet forwarding apparatus and said second packet forwarding apparatus.
  - 3. A network system according to claim 2, which further includes a third computer connected to said network and used for mutual authentication of said first and second encryption/decryption processing units and exchange of key information and wherein:
    - said second encryption/decryption processing unit reports the network address of the communication interface of said second packet forwarding apparatus and the identifier set in advance to said second packet forwarding apparatus as a destination network address and a destination identifier of the communication packet to said first encryption/decryption processing unit through said third computer.
  - 4. A network system according to claim 1, wherein said first packet forwarding apparatus, said second packet forwarding apparatus and said second encryption/decryption processing unit translate or replace a source or destination network address or an identifier contained in the communication packet and then recalculate appropriately an error detection code contained in the communication packet.
  - 5. A network system according to claim 1, wherein said an IP (Internet protocol) address is used for said network address and a port number of TCP (Transmission Control Protocol) or UDP (User Datagram Protocol) is used for said identifier.
  - 6. A network system according to claim 5, wherein IPsec (IP Security Protocol) to which a UDP header is added is used for an encryption protocol of said communication packet.
  - 7. A network system according to claim 5, wherein SIP (Session Initiation Protocol) or a protocol created by encrypting SIP by TLS (Transport Layer Security) is used for a protocol for the information exchange between said second encryption/decryption processing unit and said first encryption/decryption processing unit.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Hitachi, Ltd.
Original Assignee
Hitachi, Ltd.
Inventors
Hoshino, Kazuyoshi, Kaji, Tadashi, Tsuge, Munetoshi

Application Number

US12/255,788
Publication Number

US 20090113203A1
Time in Patent Office

Days
Field of Search
US Class Current

713/151
CPC Class Codes

H04L 61/2517   using port numbers

H04L 61/2535   Multiple local networks, e....

H04L 61/256   NAT traversal

H04L 63/0428   wherein the data content is...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

Network System

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

109 Citations

7 Claims

Specification

Solutions

Use Cases

Quick Links

Network System

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

109 Citations

7 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links