System and method for IP network address translation using selective masquerade
Abstract
An address management system and method. ADDRESS statements and HIDE rule statements are processed to generate a file of masquerade rules for associating subsets of internal addresses among a plurality of public addresses. Responsive to these masquerade rules, network address translation is performed for incoming and outgoing IP datagrams. IP Network Address Translation (NAT) and IP Filtering functions provide firewall-type capability to a gateway system, such as the IBM AS/400 system. A customer's system administrator specifies specific NAT and Filtering rules (via the AS/400 Operational Navigator GUI). A type of NAT, called masquerade NAT, defines a many-to-one mapping in such a way as to allow the ‘many’ to specify subsets of IP addresses. This allows traffic separation, which improves throughput to and from external networks (e.g. the Internet), and also improves flexibility in IP address management.
13 Claims
1. An address management method, comprising the steps of:
selectively masquerading subsets of two or more private addresses among a plurality of public addresses associated with a single gateway system in accordance with a plurality of masquerade rules; and
processing at said gateway system incoming and outgoing datagrams with respect to said masquerade rules.
2. An address management method, comprising the steps of:
associating a plurality of subsets of private addresses with two or more public names, each said subset including two or more private addresses;
specifying a plurality of masquerade rules for hiding said subsets of addresses behind said public names associated with a single gateway system; and
processing at said gateway system datagrams with respect to said masquerade rules.
3. An address management method, comprising the steps of:
processing ADDRESS statements and HIDE rule statements to generate a file of masquerade rules for associating subsets of internal addresses, each said subset including a plurality of private addresses, among a plurality of public addresses on a single physical interface; and
responsive to said masquerade rules, performing network address translation for incoming and outgoing IP datagrams.
Dependent claims (4, 5):
for each ADDRESS statement, creating a new address-entry with said public address name and said associated private addresses in a rules file; and
for each HIDE statement, creating a hide-entry including said rhs address-entry and said lhs address-entry in a symbol file, said rhs address-entry being a public address name and said lhs address entry being a set of private addresses.
5. The address management method of claim 4, each said datagram including a source address and a destination address, said performing step comprising the steps of:
selectively creating a conversation or finding a conversation, said conversation including a source address and an associated rhs address-entry;
said finding step including matching the source address of said datagram with the source address of said conversation;
said creating step including locating a hide-entry with a source address matching the source address of said datagram; and
translating said datagram source address to said rhs address-entry.
6. An address management method, comprising the steps of:
processing ADDRESS statements and HIDE rule statements to generate a file of masquerade rules;
said ADDRESS statements including an address name and one or more associated addresses and said HIDE statements including a left hand side (lhs) address-entry and a right hand side (rhs) address-entry;
said rhs address-entry being a public address name and said lhs address entry being a set of private addresses; and
responsive to said masquerade rules, performing network address translation for each IP datagram;
said processing step comprising the steps of;
for each ADDRESS statement, creating a new address-entry with said public address name and said associated private addresses in a rules file; and
for each HIDE statement, creating a hide-entry including said rhs address-entry and said lhs address-entry in a symbol file;
each said datagram including a source address, a source port, a destination address and a destination port;
with respect to outbound datagrams, said performing step comprising the steps of;
selectively creating a conversation or finding a conversation, said conversation including a source address, a source port and an associated rhs address-entry and rhs port;
said finding step including matching the source address and source port of said datagram with the source address and source port of said conversation;
said creating step including locating a hide-entry with a source address matching the source address of said datagram; and
translating said datagram source address to said rhs address-entry and entering to said rhs port a port selected from a pool of available ports;
with respect to inbound datagrams, said processing step comprising the steps of;
finding a matching conversation based upon the datagram destination address and datagram destination port; and
translating said datagram destination address and datagram destination port; and
sending said datagram.
7. An address management system, comprising:
means for selectively masquerading subsets of private addresses among a plurality of public addresses associated with a single gateway system in accordance with a plurality of masquerade rules, each said subset including two or more addresses; and
means for processing at said gateway system incoming and outgoing datagrams with respect to said masquerade rules.
8. An address management system, comprising:
a rule compiler for associating a plurality of subsets of two or more private addresses with two or more public names associated with a single gateway system, and for specifying a plurality of masquerade rules for hiding said subsets of addresses behind said public names; and
a NAT interpreter for processing at said gateway system datagrams with respect to said masquerade rules.
9. An address management system, comprising:
a rule compiler for processing ADDRESS statements and HIDE rule statements to generate a file of masquerade rules;
said ADDRESS statements including an address name and one or more associated addresses and said HIDE statements including a left hand side (lhs) address-entry and a right hand side (rhs) address-entry;
said rhs address-entry being a public address name and said lhs address entry being a set of private addresses; and
a network address translation (NAT) interpreter operable responsive to said masquerade rules for performing network address translation for each IP datagram;
said rule compiler;
for each ADDRESS statement, creating a new address-entry with said public address name and said associated private addresses in a rules file; and
for each HIDE statement, creating a hide-entry including said rhs address-entry and said lhs address-entry in a symbol file;
each said datagram including a source address, a source port, a destination address and a destination port;
with respect to outbound datagrams, said NAT interpreter;
selectively creating a conversation or finding a conversation, said conversation including a source address, a source port and an associated rhs address-entry and rhs port;
for finding, said NAT interpreter matching the source address and source port of said datagram with the source address and source port of said conversation;
for creating, said NAT interpreter locating a hide-entry with a source address matching the source address of said datagram; and
translating said datagram source address to said rhs address-entry and entering to said rhs port a port selected from a pool of available ports;
with respect to inbound datagrams, said NAT interpreter;
finding a matching conversation based upon the datagram destination address and datagram destination port; and
translating said datagram destination address and datagram destination port; and
means for sending said datagram.
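The rule compiler and NAT interpreter spelled out in claims 6 and 9, modelled as an added Python example that is not the patent's or any IBM product's code. The ADDRESS/HIDE statement syntax, the rhs port range and the sample addresses are assumptions, since the page specifies none; the model follows the claims in matching outbound datagrams on source address and port only, and inbound datagrams on destination address and port only.

```python
# Assumed statement syntax (the page gives none):
#   ADDRESS <name> <addr> [<addr> ...]   -> address-entry in the rules file
#   HIDE <lhs_name> BEHIND <rhs_name>    -> hide-entry in the symbol file
EXAMPLE_RULES = """\
ADDRESS PUB_A 203.0.113.1
ADDRESS PUB_B 203.0.113.2
ADDRESS ENG 10.1.0.5 10.1.0.6
ADDRESS SALES 10.2.0.9
HIDE ENG BEHIND PUB_A
HIDE SALES BEHIND PUB_B
"""   # constructed sample configuration

def compile_rules(text):
    # Rule compiler: ADDRESS -> rules file (dict), HIDE -> symbol file (list)
    rules, symbols = {}, []
    for line in text.splitlines():
        words = line.split()
        if not words:
            continue
        if words[0] == "ADDRESS":
            rules[words[1]] = words[2:]              # new address-entry
        elif words[0] == "HIDE" and len(words) == 4 and words[2] == "BEHIND":
            lhs, rhs = words[1], words[3]            # lhs private set, rhs public name
            symbols.append((rhs, frozenset(rules[lhs])))   # hide-entry
        else:
            raise ValueError("bad statement: " + line)
    return rules, symbols

class MasqueradeNAT:
    # NAT interpreter keeping a conversation table keyed by (src addr, src port)
    def __init__(self, rules, symbols, ports=range(40000, 40010)):
        self.rules, self.symbols = rules, symbols
        self.pool = list(ports)   # pool of available rhs ports (assumed range)
        self.out = {}             # (src, sport) -> (public addr, rhs port)
        self.inb = {}             # (public addr, rhs port) -> (src, sport)

    def outbound(self, src, sport, dst, dport):
        conv = self.out.get((src, sport))            # find an existing conversation
        if conv is None:                             # else create one from a hide-entry
            rhs = next((r for r, priv in self.symbols if src in priv), None)
            if rhs is None or not self.pool:
                return None                          # no rule or pool exhausted: drop
            conv = (self.rules[rhs][0], self.pool.pop(0))
            self.out[(src, sport)] = conv
            self.inb[conv] = (src, sport)
        return (conv[0], conv[1], dst, dport)        # translated src addr/port

    def inbound(self, src, sport, dst, dport):
        conv = self.inb.get((dst, dport))            # match on dst addr/port only
        if conv is None:
            return None                              # unsolicited: no conversation, drop
        return (src, sport, conv[0], conv[1])        # translated dst addr/port
```

Inbound datagrams that match no conversation are dropped rather than forwarded, which is the behaviour behind the "firewall-type capability" the abstract attributes to masquerade NAT.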
10. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for managing addresses, said method steps comprising:
processing ADDRESS statements and HIDE rule statements to generate a file of masquerade rules for associating subsets of internal addresses among a plurality of public addresses on a single physical interface, each said subset including entries of two or more addresses; and
responsive to said masquerade rules, performing network address translation for incoming and outgoing IP datagrams.
11. An article of manufacture comprising:
a computer useable medium having computer readable program code means embodied therein for managing addresses, the computer readable program means in said article of manufacture comprising;
computer readable program code means for causing a computer to effect processing ADDRESS statements and HIDE rule statements to generate a file of masquerade rules for associating subsets including two or more entries of internal addresses among a plurality of public addresses on a single physical interface; and
computer readable program code means for causing a computer to effect responsive to said masquerade rules, performing network address translation for incoming and outgoing IP datagrams.
12. An address management method, comprising the steps of:
processing ADDRESS statements and HIDE rule statements to generate a file of masquerade rules for associating subsets of internal addresses among a plurality of public addresses, each said subset including two or more public address entries;
responsive to said masquerade rules, performing network address translation for incoming and outgoing IP datagrams;
said ADDRESS statements including a public address name and one or more associated private addresses and said HIDE statements including a left hand side (lhs) address-entry and a right hand side (rhs) address-entry, said processing step further including;
for each ADDRESS statement, creating a new address-entry with said public address name and said associated private addresses in a rules file; and
for each HIDE statement, creating a hide-entry including said rhs address-entry and said lhs address-entry in a symbol file, said rhs address-entry being a public address name and said lhs address entry being a set of private addresses.
Dependent claims (13):
selectively creating a conversation or finding a conversation, said conversation including a source address and an associated rhs address-entry;
said finding step including matching the source address of said datagram with the source address of said conversation;
said creating step including locating a hide-entry with a source address matching the source address of said datagram; and
translating said datagram source address to said rhs address-entry.