NETWORK GATEWAY APPARATUS

US 20130195109A1
Filed: 03/14/2013
Published: 08/01/2013
Est. Priority Date: 08/22/2011
Status: Active Grant

First Claim

Patent Images

1. A network gateway apparatus, comprising:

a first network interface card connected to a first network and configured to communicate with devices connected to the first network;

a second network interface card connected to a second network and configured to communicate with devices connected to the second network;

a processor includingan initialization unit configured to initialize the first and second network interface cards to an unprotected state, anda TCP/IP protocol stack configured to perform communication processing between the first and second network interface cards,wherein when a packet is received via the first network interface card, the processorreplaces an origin MAC address of the packet with a first temporary MAC address, an origin IP address with a first temporary IP address, a destination MAC address with a MAC address of the second network interface card, and a destination IP address with an IP address of the second network interface card,then transmits the packet to the TCP/IP protocol stack, andthe TCP/IP protocol stack transmits the packet to the second network interface card based on the destination MAC address and the destination IP address of the packet after rewriting by the processor.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network gateway apparatus which adds encryption to easily implement secure communication without affecting network environment settings includes two network interface cards to communicate on two networks. The processor of the network gateway apparatus initializes communications through the network interface cards and uses a TCP/IP protocol stack to communicate through the network interface cards. When a packet is received by one of the network interface cards, the processor replaces the origin MAC and IP addresses and the destination MAC and IP addresses with temporary values. Then the processor encrypts the payload. The packet is sent to the TCP/IP protocol stack, which sends the packet to one of the two network interface cards according to the temporary values. The MAC an IP addresses of the final destination of the packet are rewritten to the packet and the packet is transmitted.

Citations

13 Claims

1. A network gateway apparatus, comprising:
- a first network interface card connected to a first network and configured to communicate with devices connected to the first network;
  
  a second network interface card connected to a second network and configured to communicate with devices connected to the second network;
  
  a processor includingan initialization unit configured to initialize the first and second network interface cards to an unprotected state, anda TCP/IP protocol stack configured to perform communication processing between the first and second network interface cards,wherein when a packet is received via the first network interface card, the processorreplaces an origin MAC address of the packet with a first temporary MAC address, an origin IP address with a first temporary IP address, a destination MAC address with a MAC address of the second network interface card, and a destination IP address with an IP address of the second network interface card,then transmits the packet to the TCP/IP protocol stack, andthe TCP/IP protocol stack transmits the packet to the second network interface card based on the destination MAC address and the destination IP address of the packet after rewriting by the processor.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The network gateway apparatus according to claim 1, further comprising:
    - a memory device configured to store at least one address mapping table,wherein the processor creates a record in the at least one address mapping table and assigns a unique port number to the packet, the record storing the origin MAC address and the origin IP address in association with the destination MAC address and the destination IP address, the unique port number serving as an index to the at least one address mapping table to identify the record.
  - 3. The network gateway apparatus according to claim 2, wherein the processor further includes an extended TCP processing unit configured to perform predetermined encryption on a payload of the packet upon receipt of the packet from the TCP/IP protocol stack, and to return the packet to the TCP/IP protocol stack after performing the predetermined encryption.
  - 4. The network gateway apparatus according to claim 3, wherein the processor further includes:
    - an address conversion unit configured to establish a TCP connection with the first network interface card, and to establish a TCP connection with the second network interface card, the address conversion unit acting as a server with respect to the first network interface card and acting as a client with respect to the second network interface card, anda socket processing unit configured to open and close TCP connections with the TCP/IP protocol stack, the socket processing unit establishing a TCP connection between the first network interface card and the TCP/IP protocol stack via the address conversion unit and establishing a TCP connection between the TCP/IP protocol stack and the second network interface card via the address conversion unit.
  - 5. The network gateway apparatus according to claim 4, wherein the address conversion unit adds a record to the at least one mapping table when the packet is a TCP SYN packet.
  - 6. The network gateway apparatus according to claim 5, wherein after encryption of the payload of the packet, the TCP/IP protocol stack provides the packet to the socket processing unit, and the socket processing unit providing the packet to the second network interface card.
  - 7. The network gateway apparatus according to claim 4, wherein the TCP connection with the second network interface card is established in response to receipt of a TCP SYN packet at the first network interface card,the address conversion unit receives an ARP request packet from the TCP/IP protocol stack, andthe address conversion unit responds to the TCP/IP protocol stack with an ARP response packet including an artificial MAC address.
  - 8. The network gateway apparatus according to claim 4, wherein the address conversion unit adds a new record to the at least one address mapping table upon receipt of a TCP SYN packet at the first network interface card.
  - 9. The network gateway apparatus according to claim 1, further comprising:
    - a memory device configured to store a first address mapping table and a second address mapping table,wherein the first address mapping table stores, in association, a first origin MAC address, a first origin IP address, a first destination MAC address, a first destination IP address, and a first unique port number assigned to the packet to identify the first origin MAC and IP addresses and to identify the first destination MAC and IP addresses, the first address mapping table corresponding to the first network interface card,the second address mapping table stores, in association, a second origin MAC address, a second origin IP address, a second destination MAC address, a second destination IP address and a second unique port number assigned to the packet to identify the second origin MAC and IP addresses and the second destination MAC and IP addresses, the second address mapping table corresponding to the second network interface card, the TCP/IP protocol stack assigning the second unique port number as a dynamic port number, andthe processor converts the origin port number of the packet to the first unique port number stored in the first address mapping table, searches the second address mapping table using a destination port number included in the packet to identify a corresponding record stored therein, and rewrites the corresponding record.
  - 10. The network gateway apparatus according to claim 1, wherein the memory further stores an extended TCP processing object master including an origin IP, an origin port number, a destination IP and a destination port number,when an origin IP address, an origin port number, a destination IP address and a destination port number of an outgoing packet are registered in the extended TCP processing object master, the address conversion unit replaces the origin IP address, an origin MAC address, the destination IP address and an destination MAC address in the outgoing packet and provides the outgoing packet to the second network interface card, andwhen the origin IP address, origin port number, destination IP address and destination port number of the outgoing packet are not registered in the extended TCP processing object master, the address conversion unit provides the outgoing packet to the second network interface card without replacement of the origin IP address, the origin MAC address, the destination IP address and the destination MAC address.
  - 11. The network gateway apparatus according to claim 10, wherein when an origin IP address, a destination IP address and port numbers of an incoming packet are registered in the extended TCP processing object master, the address conversion unit replaces an origin MAC address, the origin IP address, a destination MAC address and the destination IP address in the incoming packet and provides the incoming packet to the TCP/IP protocol stack, andwhen the origin IP address, the destination IP address and the port numbers of the incoming packet are not registered in the extended TCP processing object master, the address conversion unit does not replace the origin MAC address, the origin IP address, the destination MAC address and the destination IP address in the incoming packet before providing the packet to the TCP/IP protocol stack.

12. A method of providing secure communication in a network environment, comprising:
- connecting a first network interface card to a first network;
  
  connecting a second interface card to a second network;
  
  initializing the first and second network interface cards to an unprotected state;
  
  receiving a packet via the first network interface card;
  
  replacing, in the packet, an origin MAC address with a first temporary MAC address, an origin IP address with a first temporary IP address, a destination MAC address with a MAC address of the second network interface card and a destination IP address with an IP address of the second interface card;
  
  transmitting the packet to a TCP/IP protocol stack; and
  
  transmitting the packet from the TCP/IP protocol stack to the second network interface card based on the destination MAC address and the destination IP address of the packet after the replacing step.

13. A non-transitory computer-readable medium encoded with computer-readable instructions thereon that when executed by a computer cause the computer to perform a method comprising:
- connecting a first network interface card to a first network;
  
  connecting a second interface card to a second network;
  
  initializing the first and second network interface cards to an unprotected state;
  
  receiving a packet via the first network interface card;
  
  replacing, in the packet, an origin MAC address with a first temporary MAC address, an origin IP address with a first temporary IP address, a destination MAC address with a MAC address of the second network interface card and a destination IP address with an IP address of the second interface card;
  
  transmitting the packet to a TCP/IP protocol stack; and
  
  transmitting the packet from the TCP/IP protocol stack to the second network interface card based on the destination MAC address and the destination IP address of the packet after the replacing step.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Into Company Limited
Original Assignee
Keiko Ogawa
Inventors
OGAWA, Keiko

Granted Patent

US 9,264,356 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/392
CPC Class Codes

H04L 12/4625   Single bridge functionality...

H04L 12/6418   Hybrid transport

H04L 12/66   Arrangements for connecting...

H04L 2101/622   Layer-2 addresses, e.g. med...

H04L 2101/668   Internet protocol [IP] addr...

H04L 45/745   Address table lookup; Addre...

H04L 61/2525   Translation at a client

H04L 63/0281   Proxies

H04L 63/0471   applying encryption by an i...

H04L 69/08   Protocols for interworking;...

H04L 69/162   involving adaptations of so...

H04L 69/22   Parsing or analysis of headers

NETWORK GATEWAY APPARATUS

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

13 Claims

Specification

Solutions

Use Cases

Quick Links

NETWORK GATEWAY APPARATUS

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

13 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links