Splicing of TCP/UDP sessions in a firewalled network environment

US 7,305,546 B1
Filed: 08/29/2002
Issued: 12/04/2007
Est. Priority Date: 08/29/2002
Status: Expired due to Fees

First Claim

Patent Images

1. A method of peer-to-peer communication over a data network wherein first and second peers are coupled to said data network by respective firewalls, said method comprising the steps of:

each of said first and second peers establishing a respective persistent control connection with a socket welding control module connected within said data network;

using said persistent connections to perform respective protocol capability exchanges;

one of said first and second peers using said respective persistent control connection to request a communication channel between said peers;

said socket welding control module informing a socket welder of addresses, ports, and protocol capabilities corresponding to said peers;

said socket welding control module informing said peers of connection information corresponding to said socket welder;

each peer sending application packets through its respective firewall to said socket welder;

said socket welder modifying said application packets into a form for tunneling through said firewall of the other peer; and

said socket welder forwarding said modified application packets to the other peer.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Computer peers located behind respective firewalls create special network sessions with a central mediator/translator or socket welder so that the peers can run applications that utilize the transmission of unsolicited data packets to each other through their respective firewalls. For example, two home networking users can dynamically connect to each other for the purpose of exchanging real-time data or communications, or a mobile enterprise user can access, in real-time, firewalled computing resources while the mobile user is outside of the firewalled enterprise environment. The firewall is maintained unaltered for continued protection from unauthorized network traffic while achieving an inexpensive and very secure system for splicing together multiple, firewall-compliant network sessions via the socket welder.

89 Citations

View as Search Results

28 Claims

1. A method of peer-to-peer communication over a data network wherein first and second peers are coupled to said data network by respective firewalls, said method comprising the steps of:
- each of said first and second peers establishing a respective persistent control connection with a socket welding control module connected within said data network;
  
  using said persistent connections to perform respective protocol capability exchanges;
  
  one of said first and second peers using said respective persistent control connection to request a communication channel between said peers;
  
  said socket welding control module informing a socket welder of addresses, ports, and protocol capabilities corresponding to said peers;
  
  said socket welding control module informing said peers of connection information corresponding to said socket welder;
  
  each peer sending application packets through its respective firewall to said socket welder;
  
  said socket welder modifying said application packets into a form for tunneling through said firewall of the other peer; and
  
  said socket welder forwarding said modified application packets to the other peer.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1 wherein said modifying step is comprised of address translation and packet re-sequencing.
  - 3. The method of claim 1 wherein said modifying step is comprised of encrypting said application packets.
  - 4. The method of claim 1 wherein said persistent control connections employ encrypted communication.
  - 5. The method of claim 1 wherein said step of establishing said persistent control connections includes authentication of each respective peer.
  - 6. The method of claim 1 further comprising the step of said peer that did not request said communication channel sending an acceptance using its respective persistent control connection to said socket welding control module.
  - 7. The method of claim 6 further comprising the step of providing authentication data of said peer requesting said communication channel to said peer accepting said request.

8. A method for routing network packets between first and second peers via a data network through at least one firewall separating at least one of said first and second peers from said data network, said method comprising the steps of:
- each of said first and second peers establishing a respective channel setup session with a control module coupled to said data network, wherein said control module determines network protocol capabilities of said peers within each respective channel setup session;
  
  said first peer sending a first connection request message to said control module identifying said second peer;
  
  said control module forwarding a second connection request message to said second peer;
  
  said second peer transmitting a connection accept message to said control module;
  
  in response to said connection accept message, said control module
  
  1) forwarding peer information to a socket welder including data network addresses and port numbers and protocol capabilities of said first and second peers, and
  
  2) forwarding socket welder information to said first and second peers including at least one data network address and port number corresponding to a dedicated data communication channel through said socket welder;
  
  said socket welder receiving network packets from each one of said first and second peers directed to said dedicated data communication channel;
  
  said socket welder modifying said network packets, including alteration of source and destination address and port data in said network packets; and
  
  forwarding said modified packets to the other one of said first and second peers.
- View Dependent Claims (9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 9. The method of claim 8 wherein said modification of said network packets includes re-sequencing network packets in a TCP protocol according to the respective sequencing of network packet exchange between said socket welder and said respective first and second peers.
  - 10. The method of claim 8 wherein said modification of said network packets includes adjusting a window size of said network packets.
  - 11. The method of claim 8 wherein said modification of said network packets includes modifying a frame format in response to said determined network protocol capabilities.
  - 12. The method of claim 8 wherein said modification of said network packets includes fragmentation and reassembly of said network packets.
  - 13. The method of claim 8 wherein said modification of said network packets includes encryption of data within said network packets.
  - 14. The method of claim 8 further comprising the step of said first peer providing an out-of-band message to said second peer having link information for establishing said persistent control connection with said control module.
  - 15. The method of claim 14 wherein said out-of-band message is comprised of an e-mail message.
  - 16. The method of claim 14 wherein said out-of-band message is comprised of an instant message.
  - 17. The method of claim 8 wherein each respective channel setup session includes a series of query-response tests including test packets formatted according to predetermined protocols.
  - 18. The method of claim 17 wherein said predetermined protocols are tested in a ranked order.
  - 19. The method of claim 18 wherein each respective channel setup session is initiated by a respective initiation message from a respective peer to said control module, and wherein said ranked order or a respective query-response test is determined in response to a protocol of said respective initiation message.
  - 20. The method of claim 19 wherein if said initiation message is in a TCP format, then said ranked order is comprised of TCP/BEEP followed by TCP/HTTP/BEEP.
  - 21. The method of claim 19 wherein if said initiation message is in a UDP format, then said ranked order is comprised of UDP followed by TCP/BEEP/UDP followed by TCP/HTTP/BEEP/UDP.
  - 22. The method of claim 8 wherein said control module maintains persistent control connections with a plurality of active peers, and wherein said method further comprises the step of said control module providing identification to each individual peer of other ones of said active peers.
  - 23. The method of claim 8 wherein said step of establishing said persistent control connections includes authentication of each respective peer.
  - 24. The method of claim 8 further comprising the step of said peer that did not request said communication channel sending an acceptance using its respective persistent control connection to said control module.
  - 25. The method of claim 24 further comprising the step of providing authentication data of said peer requesting said communication channel to said peer accepting said request.
  - 26. The method of claim 25 wherein said authentication data is provided during handshaking between said first and second peers after said communication channel is accepted.

27. Apparatus for routing network packets between first and second peers via a data network, said apparatus comprising:
- a control module coupled to said data network and having a first predetermined data network address; and
  
  a socket welder coupled to said control module and to said data network, said socket welder having a second predetermined data network address;
  
  said control module
  
       1) accepting first and second channel setup sessions initiated to said first predetermined data network address by said first and second peers, respectively, for determining network protocol capabilities of said first and second peers,
  
       2) processing a first connection request message from said first peer for connecting with said second peer,
  
       3) forwarding a second connection request message to said second peer,
  
       4) if said second peer responds with a connection accept message then sending peer information to said socket welder including data network addresses and port numbers and protocol capabilities of said first and second peers and sending socket welder information to said first and second peers including at least one data network address and port number corresponding to a dedicated data communication channel through said socket welder;
  
  said socket welder receiving network packets from each one of said first and second peers directed to said dedicated data communication channel and modifying said network packets for forwarding to the other one of said first and second peers.

28. A network server for coupling within a data network and comprising a program including a control module and a socket welder module for performing the steps of:
- establishing respective persistent control connections with a plurality of peers connected within said data network;
  
  using said persistent connections to perform respective protocol capability exchanges with said peers;
  
  receiving a request via a respective persistent control connection from one of said peers for a communication channel between at least two of said peers;
  
  said control module informing said socket welder module of addresses, ports, and protocol capabilities corresponding to said peers;
  
  said control module informing said peers of connection information corresponding to said socket welder;
  
  said socket welder module receiving application packets from said peers; and
  
  said socket welder module modifying application packets from one peer into a form for tunneling through a firewall of another peer; and
  
  said socket welder forwarding said modified application packets to said another peer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Sprint Communications Company LP (Deutsche Telekom AG), Symbol Technologies, Inc. (Zebra Technologies Corporation)
Original Assignee
Sprint Communications Company LP (Deutsche Telekom AG)
Inventors
Miller, Eric E.
Primary Examiner(s)
Barron; Gilberto
Assistant Examiner(s)
AVERY, JEREMIAH L

Application Number

US10/230,914
Time in Patent Office

1,923 Days
Field of Search

726/15
US Class Current

713/153
CPC Class Codes

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/166   at the transport layer

H04L 69/16   Implementation or adaptatio...

H04L 69/162   involving adaptations of so...

Splicing of TCP/UDP sessions in a firewalled network environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

89 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Splicing of TCP/UDP sessions in a firewalled network environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

89 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links