Method of network communication

US 7,908,651 B2
Filed: 02/28/2006
Issued: 03/15/2011
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is IPsec (IP Security), and in which initiator and responder cookies in an ISAKMP (Internet Security Association and Key Management Protocol) header of a packet are used to identify a packet as part of an established session, wherein the remote clients share a common source address on the intermediate transport network;

and wherein in the NAT-T proxy, the method comprises;

a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;

b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;

c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and

d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of network communication and a network gateway are disclosed. The method and gateway operate between a secure network and remote clients by way of an intermediate transport network, such as the Internet. The remote clients connect through a NAT router so share a common source address on the intermediate transport network. In the secure network, the method analyses packets received from a remote client to identify packets that start a new secure communication session. Then, the method assigns a session-unique address and port to the new secure communication session. Subsequent packets are translated in the secure communication session by exchanging the source address with the local session address. Thus, the secure network perceived each session as originating from a distinct address and port, whereby several such sessions can coexist simultaneously.

53 Citations

View as Search Results

9 Claims

1. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is IPsec (IP Security), and in which initiator and responder cookies in an ISAKMP (Internet Security Association and Key Management Protocol) header of a packet are used to identify a packet as part of an established session, wherein the remote clients share a common source address on the intermediate transport network;
- and wherein in the NAT-T proxy, the method comprises;
  
  a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
  
  b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
  
  c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
  
  d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address.
- View Dependent Claims (2, 3, 4)
- - 2. A network gateway device comprising a first network interface for communication with clients on a secure local network and a second network interface for communication with remote clients over a wide-area network, and a processing unit that can transfer data between the first and second network interfaces, wherein the processing unit is operative to transfer packets to implement a method according to claim 1.
  - 3. A network gateway device according to claim 2 constituted by a general-purpose computer executing an operating system and suitable application software.
  - 4. A computer software product stored on a non-transitory storage medium that when executed on a hardware platform performs a method according to claim 1.

5. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session between the secure network and remote clients is IPsec (IP Security) transport mode ESP (Encapsulating Security Payload), wherein the remote clients share a common source address on the intermediate transport network;
- and wherein in the NAT-T proxy, the method comprises;
  
  a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
  
  b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
  
  c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
  
  d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address.

6. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, wherein a secure communication session is a NAT-T IKE (Internet Key Exchange protocol) session in which the type of session negotiated by NAT-T IKE between the secure network and remote clients is IPsec (IP Security) and in which the type of session between peers is L2TP (Layer 2 Tunneling Protocol) over IPsec transport mode ESP (Encapsulating Security Payload), wherein the remote clients share a common source address on the intermediate transport network;
- and wherein in the NAT-T proxy, the method comprises;
  
  a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
  
  b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
  
  c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
  
  d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address.

7. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, and the remote clients share a common source address on the intermediate transport network;
- wherein in the NAT-T proxy, the method comprises;
  
  a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
  
  b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
  
  c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
  
  d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address, andwherein sessions are maintained and terminated on a variable time basis.

8. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, and the remote clients share a common source address on the intermediate transport network;
- wherein in the NAT-T proxy, the method comprises;
  
  a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
  
  b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
  
  c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
  
  d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address, andwherein sessions are located using a multitude of strategies to deliver session resilience in the event of client IP address and port changes.

9. A method of network communication between a secure network and remote clients by way of an intermediate transport network, wherein the secure network is connected to the intermediate transport network through a security gateway and a NAT-T (Network Address Translation-Traversal) proxy is between the security gateway and the intermediate transport network, and the remote clients share a common source address on the intermediate transport network;
- wherein in the NAT-T proxy, the method comprises;
  
  a) analyzing packets received from a remote client to identify those packets that represent the start of a new secure communication session;
  
  b) assigning a session-unique IP address to the new secure communication session to be established by the identified packet;
  
  c) translating all packets in the secure communication session by exchanging their source address with the local session-unique IP address; and
  
  d) routing the translated packets to the security gatewaywhereby packets received by the security gateway have, for each established session, a unique IP address, andwherein a state machine is associated with a new session in order to monitor the state of the session.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Akamai Technologies Ireland Ltd. (Akamai Technologies, Inc.)
Original Assignee
Asavie R&D Limited
Inventors
Maher, Thomas
Primary Examiner(s)
Pyzocha; Michael
Assistant Examiner(s)
Branske; Hilary

Application Number

US11/364,745
Publication Number

US 20070002857A1
Time in Patent Office

1,841 Days
Field of Search

370/389, 370/351, 370/392, 370/400, 370/401, 370/475, 726/12, 726/2, 726/3, 726/4, 726/11, 726/13, 726/14, 726/15, 709/227, 709/228, 709/229, 709/238, 709/244, 709/245, 709/249, 713/154, 713/160, 713/162, 713/168, 713/169, 713/170, 713/171
US Class Current

726/12
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 61/2517   using port numbers

H04L 61/2564   for a higher-layer protocol...

H04L 61/2585   through application level g...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/164   at the network layer

Method of network communication

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

53 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method of network communication

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

53 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links