Apparatus and methods for performing network address translation (NAT) in a fully connected mesh with NAT virtual interface (NVI)

US 7,334,049 B1
Filed: 12/21/2001
Issued: 02/19/2008
Est. Priority Date: 12/21/2001
Status: Expired due to Fees

First Claim

Patent Images

1. A method for performing network address translation on data, the method comprising:

receiving a first data having a first source address and a first destination address, wherein the first data is sent by a first node in a first domain to a second node in a second domain, and wherein the first data is received into a first interface associated with the first domain and output from a second interface associated with the second domain, and wherein the first domain differs from the second domain, and wherein the first and second interfaces are virtual interfaces that are each configurably associated with one or more domains;

obtaining routing information for the first data;

if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is found, translating the first source address into the first public address specified by the found binding prior to sending the first data to the second domain destination;

if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is not found, translating the first source address into a selected public address and forming and storing a first binding between the first source address, the selected public address, and the first interface, wherein the translation is performed prior to sending the first data to the second domain destination;

if a destination binding between the first destination address, a first private address, and the second interface is found, translating the first destination address into the first private address specified by the destination binding, wherein the translation of the first destination address is performed prior to sending the first data out the second interface to the second node; and

sending the first data to the second node based on the routing information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed are methods and apparatus for performing network address translation (NAT) in a fully connected mesh with NAT virtual interface (NVI). In general terms, mechanisms (e.g., within a combination router/NAT device) are provided for translating network addresses of traffic going between two private domains or realms. These mechanisms may also be used to translate traffic going between a private and public domain. When a particular private address is translated into a public address, a binding is formed between the pre-translation address, the post-translation address, and the interface associated with the private or public address (e.g., an interface of the router/NAT device). Since bindings of different interfaces are tracked, a private address and its associated particular interface may be associated with a particular public address. Accordingly, the translation mechanisms of the present invention may be applied to two duplicate private addresses from two different private domains because the two identical private addresses are distinguished based on their different interfaces.

76 Citations

View as Search Results

36 Claims

1. A method for performing network address translation on data, the method comprising:
- receiving a first data having a first source address and a first destination address, wherein the first data is sent by a first node in a first domain to a second node in a second domain, and wherein the first data is received into a first interface associated with the first domain and output from a second interface associated with the second domain, and wherein the first domain differs from the second domain, and wherein the first and second interfaces are virtual interfaces that are each configurably associated with one or more domains;
  
  obtaining routing information for the first data;
  
  if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is found, translating the first source address into the first public address specified by the found binding prior to sending the first data to the second domain destination;
  
  if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is not found, translating the first source address into a selected public address and forming and storing a first binding between the first source address, the selected public address, and the first interface, wherein the translation is performed prior to sending the first data to the second domain destination;
  
  if a destination binding between the first destination address, a first private address, and the second interface is found, translating the first destination address into the first private address specified by the destination binding, wherein the translation of the first destination address is performed prior to sending the first data out the second interface to the second node; and
  
  sending the first data to the second node based on the routing information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12)
- - 2. A method as recited in claim 1, further comprising:
    - receiving a second data having a second source address and a second destination address, wherein the second data is sent by a third node in a third domain to a fourth node in a fourth domain, and wherein the first data is received into a third interface associated with the third domain and output from a fourth interface associated with the fourth domain, and wherein the third domain differs from the first domain but the second source address is the same as the first source address;
      
      obtaining routing information for the second data;
      
      if the second source address is a private address and if a binding between the second source address, the third interface, and a second public address is found, translating the second source address into the second public address specified by the found binding prior to sending the second data from the fourth domain interface;
      
      if the second source address is a private address and if a binding between the second source address, the third interface, and a second public address is not found, translating the second source address into a selected public address and forming and storing a second binding between the second source address, the selected public address, and the third interface, wherein the translation is performed prior to sending the second data from the fourth interface;
      
      if a second destination binding between the second destination address, a second private address, and the fourth interface is found, translating the second destination address into the second private address specified by the second destination binding, wherein the translation of the second destination address is performed prior to sending the second data out the fourth interface to the fourth node; and
      
      sending the second data to the fourth node based on the routing information.
  - 3. A method as recited in claim 1, wherein the first public address is selected from a pool of available public addresses.
  - 4. A method as recited in claim 1, wherein when the first data has a DNS payload, the method further comprises:
    - translating the DNS payload of the first data into a second public address, wherein the translation of the first destination address is performed prior to sending the first data to the second node; and
      
      forming a second binding between the DNS payload address, the second public address, and the first interface.
  - 5. A method as recited in claim 1, wherein the first data is a DNS request, the method further comprising:
    - receiving a second data after the first data, wherein the second data has a second source address, a second destination address, and a DNS payload address, wherein the second data is sent by a third node in the second domain to the first node in the first domain, and wherein the second data is a DNS reply received into the second interface and output from the first interface;
      
      obtaining routing information for the second data;
      
      translating the DNS payload address into a second public address and forming a second binding between the DNS payload address, the second public address, and the second interface, wherein the translation is performed prior to sending the second data out the first interface to the first node; and
      
      sending the second data to the first node based on the routing information obtained for the second data.
  - 6. A method as recited in claim 5, wherein the first binding between the first source address, the first public address, and the first interface is formed by creating a first entry in a first table that includes a first identifier for both the first public address and the first destination address, a destination pointer that references information on how to translate a destination address of a first subsequently received data from the first public address to the first source address, and a source pointer that references a null value.
  - 7. A method as recited in claim 6, wherein the source pointer referencing a null value indicates that the source address of the first subsequently received data does not require translation.
  - 8. A method as recited in claim 7, the method further comprising modifying the first binding, wherein the first binding is modified and the second binding is formed by:
    - creating a second entry in the first table that includes a second identifier for both the first source address and the second public address, a destination pointer that references information on how to translate a destination address of a second subsequently received data from the second public address into the DNS payload address, and a source pointer that references information on how to translate a source address of the same second subsequently received data from the first source address into the first public address; and
      
      creating a third entry in the first table that includes a third identifier for both the DNS payload address and the first public address, a destination pointer that references information on how to translate a destination address of a third subsequently received data from the first public address into the first source address, and a source pointer that references information on how to translate a source address of the third subsequently received data from the DNS payload address into the second public address.
  - 9. A method as recited in claim 8, wherein the destination and source pointers each reference a pair having a private address of a particular interface and a corresponding public address, wherein the pair provide pre-translation and post-translation addresses for a particular source or destination address.
  - 10. A method as recited in claim 1, wherein each virtual interface defines which interfaces may communicate with which other interfaces.
  - 11. A method as recited in claim 10, wherein each virtual interface defines which interfaces may communicate with which other interfaces by specifying each interface as belonging to one or more groups so that a particular interface is specified as being allowed to communicate with another interface if the particular interface and other interface belong to a same group.
  - 12. A method as recited in claim 11, the method further comprising selecting a pool of public addresses for each group.

13. A network address translation (NAT) system operable to perform network address translation on data, the NAT system comprising:
- one or more processors;
  
  one or more memory, wherein at least one of the processors and memory are adapted to;
  
  receive a first data having a first source address and a first destination address, wherein the first data is sent by a first node in a first domain to a second node in a second domain, and wherein the first data is received into a first interface associated with the first domain and output from a second interface associated with the second domain, and wherein the first domain differs from the second domain, and wherein the first and second interfaces are virtual interfaces that are each configurably associated with one or more domains;
  
  obtain routing information for the first data;
  
  if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is found, translate the first source address into the first public address specified by the found binding prior to sending the first data to the second domain destination;
  
  if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is not found, translate the first source address into a selected public address and form and store a first binding between the first source address, the selected public address, and the first interface, wherein the translation is performed prior to sending the first data to the second domain destination;
  
  if a destination binding between the first destination address, a first private address, and the second interface is found, translate the first destination address into the first private address specified by the destination binding, wherein the translation of the first destination address is performed prior to sending the first data out the second interface to the second node; and
  
  send the first data to the second node based on the routing information.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22, 23)
- - 14. A NAT system as recited in claim 13, wherein when the first data has a DNS payload, one or more memory, wherein at least one of the processors and memory are further adapted to:
    - translate the DNS payload of the first data into a second public address, wherein the translation of the first destination address is performed prior to sending the first data to the second node; and
      
      form a second binding between the DNS payload address, the second public address, and the first interface.
  - 15. A NAT system as recited in claim 13, wherein the first data is a DNS request, wherein at least one of the processors and memory are further adapted to:
    - receive a second data after the first data, wherein the second data has a second source address, a second destination address, and a DNS payload address, wherein the second data is sent by a third node in the second domain to the first node in the first domain, and wherein the second data is a DNS reply received into a the second interface and output from the first interface;
      
      obtain routing information for the second data;
      
      translate the DNS payload address into a second public address and forming a second binding between the DNS payload address, the second public address, and the second interface, wherein the translation is performed prior to sending the second data out the first interface to the first node; and
      
      send the second data to the first node based on the routing information obtained for the second data.
  - 16. A NAT system as recited in claim 15, wherein the first binding between the first source address, the first public address, and the first interface is formed by creating a first entry in a first table that includes a first identifier for both the first public address and the first destination address, a destination pointer that references information on how to translate a destination address of a first subsequently received data from the first public address to the first source address, and a source pointer that references a null value.
  - 17. A NAT system as recited in claim 16, wherein the source pointer referencing a null value indicates that the source address of the first subsequently received data does not require translation.
  - 18. A NAT system as recited in claim 17, wherein at least one of the processors and memory are further adapted to modify the first binding, wherein the first binding is modified and the second binding is formed by:
    - creating a second entry in the first table that includes a second identifier for both the first source address and the second public address, a destination pointer that references information on how to translate a destination address of a second subsequently received data from the second public address into the DNS payload address, and a source pointer that references information on how to translate a source address of the same second subsequently received data from the first source address into the first public address; and
      
      creating a third entry in the first table that includes a third identifier for both the DNS payload address and the first public address, a destination pointer that references information on how to translate a destination address of a third subsequently received data from the first public address into the first source address, and a source pointer that references information on how to translate a source address of the third subsequently received data from the DNS payload address into the second public address.
  - 19. A NAT system as recited in claim 18, wherein the destination and source pointers each reference a pair having a private address of a particular interface and a corresponding public address, wherein the pair provide pre-translation and post-translation addresses for a particular source or destination address.
  - 20. A NAT system as recited in claim 13, wherein each virtual interface defines which interfaces may communicate with which other interfaces.
  - 21. A NAT system as recited in claim 20, wherein each virtual interface defines which interfaces may communicate with which other interfaces by specifying each interface as belonging to one or more groups so that a particular interface is specified as being allowed to communicate with another interface if the particular interface and other interface belong to a same group.
  - 22. A NAT system as recited in claim 21, wherein at least one of the processors and memory are further adapted to select a pool of public addresses for each group.
  - 23. A NAT system as recited in claim 13, wherein at least one of the processors and memory are further adapted to:
    - receive a second data having a second source address and a second destination address, wherein the second data is sent by a third node in a third domain to a fourth node in a fourth domain, and wherein the first data is received into a third interface associated with the third domain and output from a fourth interface associated with the fourth domain, and wherein the third domain differs from the first domain but the second source address is the same as the first source address;
      
      obtain routing information for the second data;
      
      if the second source address is a private address and if a binding between the second source address, the third interface, and a second public address is found, translate the second source address into the second public address specified by the found binding prior to sending the second data from the fourth domain interface;
      
      if the second source address is a private address and if a binding between the second source address, the third interface, and a second public address is not found, translate the second source address into a selected public address and form and store a second binding between the second source address, the selected public address, and the third interface, wherein the translation is performed prior to sending the second data from the fourth interface;
      
      if a second destination binding between the second destination address, a second private address, and the fourth interface is found, translate the second destination address into the second private address specified by the second destination binding, wherein the translation of the second destination address is performed prior to sending the second data out the fourth interface to the fourth node; and
      
      send the second data to the fourth node based on the routing information.

24. A computer program product for performing network address translation on data, the computer program product comprising:
- at least one machine-readable medium;
  
  computer program instructions stored within the at least one machine-readable medium configured to cause a network address translation system to;
  
  receive a first data having a first source address and first destination address, wherein the first data is sent by a first node in a first domain to a second node in a second domain, and wherein the first data is received into a first interface associated with the first domain and output from a second interface associated with the second domain, and wherein the first domain differs from the second domain, and wherein the first and second interfaces are virtual interfaces that are each configurably associated with one or more domains;
  
  obtain routing information for the first data;
  
  if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is found, translate the first source address into the first public address specified by the found binding prior to sending the first data to the second domain destination;
  
  if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is not found, translate the first source address into a selected public address and form and store a first binding between the first source address, the selected public address, and the first interface, wherein the translation is performed prior to sending the first data to the second domain destination;
  
  if a destination binding between the first destination address, a first private address, and the second interface is found, translate the first destination address into the first private address specified by the destination binding, wherein the translation of the first destination address is performed prior to sending the first data out the second interface to the second node; and
  
  send the first data to the second node based on the routing information.
- View Dependent Claims (25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 25. A computer program product as recited in claim 24, wherein when the first data has a DNS payload, one or more memory, wherein the computer program instructions are further configured to cause the network address translation system totranslate the DNS payload of the first data into a second public address, wherein the translation of the first destination address is performed prior to sending the first data to the second node;
    - andform a second binding between the DNS payload address, the second public address, and the first interface.
  - 26. A computer program product as recited in claim 24, wherein the first data is a DNS request, wherein the computer program instructions are further configured to cause the network address translation system toreceive a second data after the first data, wherein the second data has a second source address, a second destination address, and a DNS payload address, wherein the second data is sent by a third node in the second domain to the first node in the first domain, and wherein the second data is a DNS reply received into a the second interface and output from the first interface;
    - obtain routing information for the second data;
      
      translate the DNS payload address into a second public address and forming a second binding between the DNS payload address, the second public address, and the second interface, wherein the translation is performed prior to sending the second data out the first interface to the first node; and
      
      send the second data to the first node based on the routing information obtained for the second data.
  - 27. A computer program product as recited in claim 26, wherein the first binding between the first source address, the first public address, and the first interface is formed by creating a first entry in a first table that includes a first identifier for both the first public address and the first destination address, a destination pointer that references information on how to translate a destination address of a first subsequently received data from the first public address to the first source address, and a source pointer that references a null value.
  - 28. A computer program product as recited in claim 27, wherein the source pointer referencing a null value indicates that the source address of the first subsequently received data does not require translation.
  - 29. A computer program product as recited in claim 28, wherein the computer program instructions are further configured to cause the network address translation system to modify the first binding, wherein the first binding is modified and the second binding is formed by:
    - creating a second entry in the first table that includes a second identifier for both the first source address and the second public address, a destination pointer that references information on how to translate a destination address of a second subsequently received data from the second public address into the DNS payload address, and a source pointer that references information on how to translate a source address of the same second subsequently received data from the first source address into the first public address; and
      
      creating a third entry in the first table that includes a third identifier for both the DNS payload address and the first public address, a destination pointer that references information on how to translate a destination address of a third subsequently received data from the first public address into the first source address, and a source pointer that references information on how to translate a source address of the third subsequently received data from the DNS payload address into the second public address.
  - 30. A computer program product as recited in claim 29, wherein the destination and source pointers each reference a pair having a private address of a particular interface and a corresponding public address, wherein the pair provide pre-translation and post-translation addresses for a particular source or destination address.
  - 31. A computer program product as recited in claim 24, wherein each virtual interface defines which interfaces may communicate with which other interfaces.
  - 32. A computer program product as recited in claim 31, wherein each virtual interface defines which interfaces may communicate with which other interfaces by specifying each interface as belonging to one or more groups so that a particular interface is specified as being allowed to communicate with another interface if the particular interface and other interface belong to a same group.
  - 33. A computer program product as recited in claim 32, wherein the computer program instructions are further configured to cause the network address translation system to select a pool of public addresses for each group.
  - 34. A computer program product as recited in claim 24, the computer program instructions stored within the at least one computer readable product further configured to cause the network address translation system to:
    - receive a second data having a second source address and a second destination address, wherein the second data is sent by a third node in a third domain to a fourth node in a fourth domain, and wherein the first data is received into a third interface associated with the third domain and output from a fourth interface associated with the fourth domain, and wherein the third domain differs from the first domain but the second source address is the same as the first source address;
      
      obtain routing information for the second data;
      
      if the second source address is a private address and if a binding between the second source address, the third interface, and a second public address is found, translate the second source address into the second public address specified by the found binding prior to sending the second data from the fourth domain interface;
      
      if the second source address is a private address and if a binding between the second source address, the third interface, and a second public address is not found, translate the second source address into a selected public address and form and store a second binding between the second source address, the selected public address, and the third interface, wherein the translation is performed prior to sending the second data from the fourth interface;
      
      if a second destination binding between the second destination address, a second private address, and the fourth interface is found, translate the second destination address into the second private address specified by the second destination binding, wherein the translation of the second destination address is performed prior to sending the second data out the fourth interface to the fourth node; and
      
      send the second data to the fourth node based on the routing information.

35. An apparatus for performing network address translation on data, the apparatus comprising:
- means for receiving a first data having a first source address and a first destination address, wherein the first data is sent by a first node in a first domain to a second node in a second domain, and wherein the first data is received into a first interface associated with the first domain and output from a second interface associated with the second domain, and wherein the first domain differs from the second domain, and wherein the first and second interfaces are virtual interfaces that are each configurably associated with one or more domains;
  
  means for obtaining routing information for the first data;
  
  means for, if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is found, translating the first source address into the first public address specified by the found binding prior to sending the first data to the second domain destination;
  
  means for translating the first source address into a selected public address and forming a first binding between the first source address, the selected public address, and the first interface if the first source address is a private address and if a binding between the first source address, the first interface, and a first public address is not found, wherein the translation is performed prior to sending the first data to the second domain destination;
  
  means for translating the first destination address into the first private address specified by the destination binding if a destination binding between the first destination address, a first private address, and the second interface is found, wherein the translation of the first destination address is performed prior to sending the first data out the second interface to the second node; and
  
  means for sending the first data to the second node based on the routing information.
- View Dependent Claims (36)
- - 36. An apparatus as recited in claim 35, wherein the first data is a DNS request, the apparatus further comprising:
    - means for receiving a second data after the first data, wherein the second data has a second source address, a second destination address, and a DNS payload address, wherein the second data is sent by a third node in the second domain to the first node in the first domain, and wherein the second data is a DNS reply received into the second interface and output from the first interface;
      
      means for obtaining routing information for the second data;
      
      means for translating the DNS payload address into a second public address and forming a second binding between the DNS payload address, the second public address, and the second interface, wherein the translation is performed prior to sending the second data out the first interface to the first node; and
      
      means for sending the second data to the first node based on the routing information obtained for the second data.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Jayasenan, Siva S., Somasundaram, Mahadev, Sivakumar, Senthil M.
Primary Examiner(s)
Jaroenchonwanit; Bunjob
Assistant Examiner(s)
TRUONG, LAN DAI T

Application Number

US10/026,272
Time in Patent Office

2,251 Days
Field of Search

709/245, 709/227, 709/238
US Class Current

709/245
CPC Class Codes

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/22   Parsing or analysis of headers

Apparatus and methods for performing network address translation (NAT) in a fully connected mesh with NAT virtual interface (NVI)

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

76 Citations

36 Claims

Specification

Use Cases

Quick Links

Others

Apparatus and methods for performing network address translation (NAT) in a fully connected mesh with NAT virtual interface (NVI)

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

76 Citations

36 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others