Session and transport layer proxies via TCP glue
Abstract
A method of merging two separate TCP connections terminating at a common host and "gluing" them into a single connection between two end systems, where the single connection preserves TCP end-to-end semantics. The technique retains the session setup functions of the transport layer proxy, but provides a method to push the data copying into kernel space to improve the relay operation. More specifically, a byte stream arriving on one end of the split connection is mapped directly into the sequence number space of the other split connection. This process of mapping, or TCP gluing, involves updating a subset of TCP and IP header fields, namely the source and destination addresses, port numbers, sequence numbers and checksums. The changes to the TCP/IP packet headers are made on-the-fly as packets are relayed over the glued connection between the original separate TCP connections.
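The header rewrite the abstract describes, as an added example that is not part of the patent: a constructed IPv4/TCP segment arriving on the client-side connection is mapped into the sequence space of the server-side connection by rewriting addresses, ports, sequence and acknowledgement numbers (as offsets between the two connections' initial sequence numbers, modulo 2^32) and recomputing both checksums, while the payload is never copied. All addresses, ports and ISNs are constructed sample values.

```python
import struct
from ipaddress import IPv4Address

def csum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; returns 0 over data that already carries a valid checksum."""
    if len(data) % 2:
        data += b"\x00"
    s = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while s >> 16:
        s = (s & 0xFFFF) + (s >> 16)
    return (~s) & 0xFFFF

def addr(ip: str) -> bytes:
    return IPv4Address(ip).packed

def tcp_pseudo(src: bytes, dst: bytes, tcp_len: int) -> bytes:
    return src + dst + struct.pack("!BBH", 0, 6, tcp_len)  # zero, protocol TCP, TCP length

def build(src, dst, sport, dport, seq, ack, payload=b""):
    """Constructed minimal IPv4/TCP segment (20-byte headers, PSH|ACK) with valid checksums."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 0x50, 0x18, 65535, 0, 0) + payload
    tsum = csum(tcp_pseudo(addr(src), addr(dst), len(tcp)) + tcp)
    tcp = tcp[:16] + struct.pack("!H", tsum) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 1, 0, 64, 6, 0, addr(src), addr(dst))
    return ip[:10] + struct.pack("!H", csum(ip)) + ip[12:] + tcp

def seq_delta(isn_in: int, isn_out: int) -> int:
    """Offset mapping a byte of the incoming connection's sequence space onto the outgoing one."""
    return (isn_out - isn_in) & 0xFFFFFFFF

def glue(pkt, new_src, new_dst, new_sport, new_dport, d_seq, d_ack):
    """Rewrite one glued segment: addresses, ports, seq/ack (mod 2^32) and both checksums; payload untouched."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = bytearray(pkt[:ihl]), bytearray(pkt[ihl:])
    ip[12:20] = addr(new_src) + addr(new_dst)
    ip[10:12] = b"\0\0"  # zero the IP checksum field before recomputing it
    ip[10:12] = struct.pack("!H", csum(bytes(ip)))
    _, _, seq, ack = struct.unpack("!HHII", tcp[:12])
    tcp[:12] = struct.pack("!HHII", new_sport, new_dport, (seq + d_seq) & 0xFFFFFFFF, (ack + d_ack) & 0xFFFFFFFF)
    tcp[16:18] = b"\0\0"  # TCP checksum covers the pseudo header, so it must follow the address rewrite
    tcp[16:18] = struct.pack("!H", csum(tcp_pseudo(bytes(ip[12:16]), bytes(ip[16:20]), len(tcp)) + bytes(tcp)))
    return bytes(ip + tcp)

def checksums_ok(pkt: bytes) -> bool:
    """Verify the IP header and TCP checksums of a segment the way the receiving end system would."""
    ihl = (pkt[0] & 0x0F) * 4
    ip, tcp = pkt[:ihl], pkt[ihl:]
    return csum(ip) == 0 and csum(tcp_pseudo(ip[12:16], ip[16:20], len(tcp)) + tcp) == 0
```

The reverse direction uses the same `glue` call with the roles of the two connections swapped, so a proxy keeps one pair of deltas per glued connection and no per-byte state.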
38 Claims
1. A method of gluing a first and a second connection in a packet communication network into a single end-to-end connection wherein the first and second connections both terminate at a common host and wherein the first and second connections terminate at a first end point and a second end point, respectively, the method comprising the steps of:
- modifying, at the common host, headers of first packets received from the first end point of the first connection to correspond to headers of packets of the second connection and transmitting the first packets to the second end point of the second connection; and
- modifying, at the common host, headers of second packets received from the second end point of the second connection to correspond to headers of packets of the first connection and transmitting the second packets to the first end point of the first connection, the headers being modified on-the-fly as packets are received at the common host.
(Dependent claims 2 to 16.)
17. In a packet communication network using Transmission Control Protocol (TCP), a method for managing a connection between first and second end systems and a session layer proxy comprising the steps of:
- enabling synchronization between the first and second end systems and the session layer proxy;
- mapping TCP sequence space of the first or second end system to the second or first end system, respectively, at the session layer proxy;
- as each TCP segment is received at the session layer proxy from the first or second end system, modifying header information of the segment to address the segment to the second or first end system, respectively; and
- tearing down completed connections between the first and second end systems when the connection between the first and second end systems is closed.
(Dependent claims 18 to 23.)
24. In a packet communications network, a method of splicing a first and second connection into a single end-to-end connection at a session layer proxy, where said first and second connections terminate at first and second hosts respectively, the method comprising the steps of:
- enabling synchronization between the first and second hosts and the session layer proxy; and
- modifying headers of packets of the first connection and the second connection to correspond to headers of packets of the second and the first connection, respectively, wherein the header information is modified on-the-fly as packets are received at said session layer proxy.
25. A packet communications network comprising:
- a local host attached to a local network;
- a network firewall connected to said local host and protecting said local network;
- a remote host connected to a network outside the network firewall but reachable by the network firewall;
- a session layer proxy running on the network firewall and having the access right to send and receive data across the network firewall, said session layer proxy acting as a mediator between said local host and said remote host, said session layer proxy enabling synchronization between the local host and the remote host and the session layer proxy and operative to modify headers of packets of a first connection between the local host and the network firewall to correspond to headers of packets of a second connection between the remote host and the network firewall, where said header information is modified on-the-fly as said packets are received at said session layer proxy.
26. A method implemented on a network firewall in a packet communication system and providing a first connection between a local host and the network firewall and a second connection between a remote host and the network firewall, and wherein a proxy has an access right to send and receive data across the network firewall and acts as mediator between the local host and the remote host, the method comprising the steps of:
- (a) the proxy rejecting all attempted connections from hosts other than approved local hosts and terminating all connections that fail authentication and/or authorization checks;
- (b) approved local hosts making data connections to the proxy and specifying the address of the remote host they wish to communicate with;
- (c) the proxy modifying headers of all packets received from the local host so they appear to originate from the proxy and forwarding them to the remote host;
- (d) the proxy modifying the headers of all packets sent to the remote host as part of the data connection begun by the local host so that the packets appear to originate from the proxy and forwarding them to the local host;
- (e) repeating steps (c) and (d), respectively, for any packet from the local host to the remote host that is part of the data connection begun by the local host; and
- (f) treating any packet arriving at the proxy that is not part of a data connection that has passed authorization and/or authentication checks as an attempted security violation.
(Dependent claims 27 to 30.)
31. In a packet communications network using Transmission Control Protocol (TCP), a method of glueing together a TCP connection between a remote host and a proxy and a TCP connection between a local host and the proxy comprising the steps of:
- exchanging arbitrary data between the proxy and remote host over the proxy/remote host TCP connection;
- exchanging arbitrary data between the proxy and local host over the proxy/local host TCP connection; and
- glueing together the two TCP connections by the proxy, after which point packets sent to the proxy by the local host are altered and forwarded to the remote host by the proxy and packets sent to the proxy by the remote host are altered and forwarded to the local host by the proxy.
(Dependent claims 32 to 38.)