Distributed network address translation in computer networks

US 8,289,968 B1
Filed: 10/27/2010
Issued: 10/16/2012
Est. Priority Date: 10/27/2010
Status: Active Grant

First Claim

Patent Images

1. A method of allocating network resources for use in network address translation (NAT), the method comprising:

storing, with one of the plurality of NAT modules executing in a network device, data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation, wherein each of the NAT resources of the local pool of NAT resources includes a network address and a network port number;

receiving, with the one of the plurality of NAT modules, a packet that includes a source address;

determining, with the one of the plurality of NAT modules, whether any of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address;

in response to the determination that none of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address, requesting, with the one of the plurality of NAT modules, one or more additional NAT resources for use in obscuring the source address;

performing, with the one of the plurality of NAT modules, network address translation to obscure the source address of the packet using one of the one or more additional NAT resources to generate a modified packet; and

forwarding, with the network device, the modified packet to a destination identified by a destination address specified within the modified packet.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

In general, techniques are described for performing distributed network address translation (NAT) with a network device. The network device includes an interface card and a control unit. The interface card receives a packet including a source address. The control unit includes NAT modules. each of which stores a local pool of unallocated NAT resources that have not yet been allocated for use in performing network address translation. The NAT resources each include a network address and a network port number. One of the NAT modules receives the packet, determines whether any of the NAT resources from the local pool of NAT resources are available, in response to the determination that none of the NAT resources from the local pool of NAT resources are available, requests additional NAT resources, and performs NAT to obscure the source address of the packet using one of the additional NAT resources to generate a modified packet. The interface card forwards the modified packet.

47 Citations

View as Search Results

27 Claims

1. A method of allocating network resources for use in network address translation (NAT), the method comprising:
- storing, with one of the plurality of NAT modules executing in a network device, data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation, wherein each of the NAT resources of the local pool of NAT resources includes a network address and a network port number;
  
  receiving, with the one of the plurality of NAT modules, a packet that includes a source address;
  
  determining, with the one of the plurality of NAT modules, whether any of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address;
  
  in response to the determination that none of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address, requesting, with the one of the plurality of NAT modules, one or more additional NAT resources for use in obscuring the source address;
  
  performing, with the one of the plurality of NAT modules, network address translation to obscure the source address of the packet using one of the one or more additional NAT resources to generate a modified packet; and
  
  forwarding, with the network device, the modified packet to a destination identified by a destination address specified within the modified packet.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - storing, with a central NAT management module executing within the network device, a central pool of NAT resources;
      
      issuing a single request, with the one of a plurality of NAT modules executing in the network device, to the central NAT management module requesting that two or more of the NAT resources of the central pool of NAT resources be allocated to the one of the plurality of NAT modules;
      
      receiving a response, with the one of the plurality of NAT modules, from the central NAT management module allocating the requested two or more of the NAT resources of the central pool of NAT resources to the one of the plurality of NAT modules;
      
      wherein storing, with the one of the plurality of NAT modules, data defining a local pool of two or more unallocated NAT resources includes storing data defining the local pool of two or more unallocated NAT resources that include the two or more NAT resources allocated by the central NAT management module to the one of the plurality of NAT modules for use in performing network address translation but that have not yet been allocated for use in performing network address translation;
      
      wherein requesting one or more additional NAT resources comprises requesting that the central NAT management module allocate a batch of two or more additional NAT resources from the central pool of NAT resources,wherein the method further comprises updating the local pool of NAT resources with the batch of two or more additional NAT resources to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool, andwherein performing network address translation comprises performing network address translation to obscure the source address of the packet using one of the one or more additional NAT resources added to the updated local pool of NAT resources to generate the modified packet.
  - 3. The method of claim 2, further comprising:
    - prior to requesting that the central NAT management module allocate the batch of two or more additional NAT resources, requesting, with the one of the plurality of NAT modules, that one of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules;
      
      receiving a response from the one of the remaining ones of the plurality of NAT modules indicating that the one of the remaining ones of the plurality of NAT modules does not have any NAT resources in its local pool of NAT resources that are available for allocation to the one of the plurality of NAT modules, andwherein requesting one or more additional NAT resources comprises, only after receiving the response indicating that the one of the remaining ones of the plurality of NAT modules does not have any NAT resources in its local pool of NAT resources that are available for allocation to the one of the plurality of NAT modules, requesting that the central NAT management module allocate the batch of two or more additional NAT resources from the central pool of NAT resources.
  - 4. The method of claim 2, further comprising:
    - prior to requesting that the central NAT management module allocate the batch of two or more additional NAT resources, issuing a request, with the one of the plurality of NAT modules, to one or more of the remaining ones of the plurality of NAT modules requesting that at least one of the one or more of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules,wherein requesting one or more additional NAT resources comprises, only after receiving from each of the one or more of the remaining ones of the plurality of NAT modules a response indicating that the each of the one or more of the remaining ones of the plurality of NAT modules does not have any NAT resources in its local pool of NAT resources that are available for allocation to the one of the plurality of NAT modules, requesting that the central NAT management module allocate the batch of two or more additional NAT resources from the central pool of NAT resources.
  - 5. The method of claim 1,wherein requesting one or more additional NAT resources comprises requesting, with the one of the plurality of NAT modules, that one of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules,wherein the method further comprises updating the local pool of NAT resources with the one additional NAT resource allocated by the one of the remaining ones of NAT modules to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool, andwherein performing network address translation comprises performing network address translation to obscure the source address of the packet using the additional NAT resources added to the updated local pool of NAT resources to generate the modified packet.
  - 6. The method of claim 5, further comprising, concurrent to requesting that the one of the remaining ones of the plurality of NAT modules allocate the additional NAT resource from the local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules, requesting that the central NAT management module allocate a batch of two or more additional NAT resources from the central pool of NAT resources.
  - 7. The method of claim 5, further comprising:
    - storing, for each of the plurality of NAT modules, data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation, including the local pool of two or more unallocated NAT resources for the one of the plurality of NAT modules; and
      
      statically allocating each of the local pools of two or more unallocated NAT resources prior to enabling the network device to begin receiving packets.
  - 8. The method of claim 1,wherein the method further comprises, prior to determining whether any of the NAT resources from the local pool of NAT resources are available, determining, with the one of the plurality of NAT modules, whether one of the NAT resources from the pool of NAT resources has been previously allocated for use in obscuring the source address,wherein determining whether any of the NAT resources from the pool of NAT resources are available comprises, in response to the determination that none of the NAT resources from the pool of NAT resources has been previously allocated for use in obscuring the source address, determining, with the one of the plurality of NAT modules, whether any of the NAT resources from the pool of NAT resources are available for use in obscuring the source address.
  - 9. The method of claim 1, further comprising:
    - determining a session to which the packet corresponds;
      
      based on the determined session, determining whether any one of the plurality of NAT modules has been previously assigned to handle the session to which the packet corresponds;
      
      in response to determining that this session has not been assigned to any one of the plurality of NAT modules, assigning the session to the one of the plurality of NAT modules; and
      
      associating the session with the one of the one or more additional NAT resources used to obscure the source address of the packet.
  - 10. The method of claim 9, further comprising:
    - after receiving the packet, receiving a subsequent packet;
      
      determining that the subsequent packet also corresponds to the same session as the packet;
      
      based on determining that the subsequent packet corresponds to the same session as the packet, forwarding the subsequent packet to the one of the plurality of NAT modules previously assigned to handle the session;
      
      determining, with the one of the plurality of NAT modules, that the session to which the subsequent packet corresponds has been previously associated with the one of the one or more additional NAT resources; and
      
      performing, with the one of the plurality of NAT modules, network address translation to obscure the source address of the subsequent packet using the same one of the one or more additional NAT resources used to obscure the source address of the packet to generate a modified subsequent packet.
  - 11. The method of claim 1,wherein the network device comprises a router that includes a control unit,wherein the control unit is divided into a control plane, a data plane and a service plane, andwherein the plurality of NAT modules execute within the data plane.

12. A network device comprising:
- at least one interface card that receives a packet including a source address; and
  
  a control unit that includes a plurality of NAT modules, wherein each of the plurality of NAT modules stores data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation, wherein each of the NAT resources of the local pools of NAT resources includes a network address and a network port number;
  
  wherein one of the plurality of NAT modules receives the packet, determines whether any of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address of the packet, in response to the determination that none of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address, requests one or more additional NAT resources for use in obscuring the source address, and performs network address translation to obscure the source address of the packet using one of the one or more additional NAT resources to generate a modified packet,wherein the at least one interface card forwards the modified packet to a destination identified by a destination address specified within the modified packet.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The network device of claim 12,wherein the control unit further comprises a central NAT management module that stores a central pool of NAT resources, wherein each of the NAT resources of the central pool of NAT resources includes a network address and a network port number, andwherein the one of the plurality of NAT modules issuing a single request to the central NAT management module requesting that two or more of the NAT resources of the central pool of NAT resources be allocated to the one of the plurality of NAT modules and receives a response from the central NAT management module allocating the requested two or more of the NAT resources of the central pool of NAT resources to the one of the plurality of NAT modules, stores the data defining the local pool of two or more unallocated NAT resources such that the local pool of NAT resources includes the two or more NAT resources allocated by the central NAT management module to the one of the plurality of NAT modules for use in performing network address translation but that have not yet been allocated for use in performing network address translation, requests that the central NAT management module allocate a batch of two or more additional NAT resources from the central pool of NAT resources, updates the local pool of NAT resources with the batch of two or more additional NAT resources to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool, and performs network address translation to obscure the source address of the packet using one of the one or more additional NAT resources added to the updated local pool of NAT resources to generate the modified packet.
  - 14. The network device of claim 13, wherein the one of the plurality of NAT modules, prior to requesting that the central NAT management module allocate the batch of two or more additional NAT resources, requests that one of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules, receives a response from the one of the remaining ones of the plurality of NAT modules indicating that the one of the remaining ones of the plurality of NAT modules does not have any NAT resources in its local pool of NAT resources that are available for allocation to the one of the plurality of NAT modules, and, only after receiving the response indicating that the one of the remaining ones of the plurality of NAT modules does not have any NAT resources in its local pool of NAT resources that are available for allocation to the one of the plurality of NAT modules, requests that the central NAT management module allocate the batch of two or more additional NAT resources from the central pool of NAT resources.
  - 15. The network device of claim 13, wherein the one of the plurality of NAT modules, prior to requesting that the central NAT management module allocate the batch of two or more additional NAT resources, issues a request to one or more of the one of the remaining ones of the plurality of NAT modules requesting that at least one of the one or more of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules, and, only after receiving from each of the one or more of the remaining ones of the plurality of NAT modules a response indicating that the each of the one or more of the remaining ones of the plurality of NAT modules does not have any NAT resources in its local pool of NAT resources that are available for allocation to the one of the plurality of NAT modules, requests that the central NAT management module allocate the batch of two or more additional NAT resources from the central pool of NAT resources.
  - 16. The network device of claim 12, wherein the one of the plurality of NAT modules requests that one of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules, updates the local pool of NAT resources with the one additional NAT resource allocated by the one of the remaining ones of NAT modules to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool, and performs network address translation to obscure the source address of the packet using the additional NAT resources added to the updated local pool of NAT resources to generate the modified packet.
  - 17. The network device of claim 16,wherein the control unit further comprises a central NAT management module that stores a central pool of NAT resources, wherein each of the NAT resources of the central pool of NAT resources includes a network address and a network port number, andwherein the one of the plurality of NAT modules, concurrent to requesting that the one of the remaining ones of the plurality of NAT modules allocate the additional NAT resource from the local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules, requests that the central NAT management module allocate a batch of two or more additional NAT resources from the central pool of NAT resources.
  - 18. The network device of claim 16,wherein each of the plurality of NAT modules stores data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation, including the local pool of two or more unallocated NAT resources for the one of the plurality of NAT modules, andwherein each of the local pools of two or more unallocated NAT resources is statically allocated prior to enabling the network device to begin receiving packets.
  - 19. The network device of claim 12,wherein the one of the plurality of NAT modules, prior to determining whether any of the NAT resources from the local pool of NAT resources are available, determines whether one of the NAT resources from the pool of NAT resources has been previously allocated for use in obscuring the source address, and, in response to the determination that none of the NAT resources from the pool of NAT resources has been previously allocated for use in obscuring the source address, determines whether any of the NAT resources from the pool of NAT resources are available for use in obscuring the source address.
  - 20. The network device of claim 12, wherein the control unit further comprises a session allocation module that determines a session to which the packet corresponds, based on the determined session, determines whether any one of the plurality of NAT modules has been previously assigned to handle the session to which the packet corresponds, in response to determining that this session has not been assigned to any one of the plurality of NAT modules, assigns the session to the one of the plurality of NAT modules, and associates the session with the one of the one or more additional NAT resources used to obscure the source address of the packet.
  - 21. The network device of claim 20, wherein the session allocation module, after receiving the packet, receives a subsequent packet, determines that the subsequent packet also corresponds to the same session as the packet, based on determining that the subsequent packet corresponds to the same session as the packet, and forwards the subsequent packet to the one of the plurality of NAT modules previously assigned to handle the session,wherein the one of the plurality of NAT modules determines that the session to which the subsequent packet corresponds has been previously associated with the one of the one or more additional NAT resources and performs network address translation to obscure the source address of the subsequent packet using the same one of the one or more additional NAT resources used to obscure the source address of the packet to generate a modified subsequent packet.
  - 22. The network device of claim 12,wherein the network device comprises a router,wherein the control unit is divided into a control plane, a data plane and a service plane, andwherein the plurality of NAT modules execute within the data plane.

23. A non-transitory computer-readable storage medium comprising instructions that cause a processor of a network device to:
- store data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation, wherein each of the NAT resources of the local pool of NAT resources includes a network address and a network port number;
  
  receive a packet that includes a source address;
  
  determine whether any of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address;
  
  in response to the determination that none of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address, request one or more additional NAT resources for use in obscuring the source address;
  
  perform network address translation to obscure the source address of the packet using one of the one or more additional NAT resources to generate a modified packet; and
  
  forward the modified packet to a destination identified by a destination address specified within the modified packet.
- View Dependent Claims (24, 25)
- - 24. The non-transitory computer-readable medium of claim 23, further comprising instructions that cause the processor to:
    - store a central pool of NAT resources;
      
      issue a single request to a central NAT management module that maintains the central pool of NAT resources, where the request requests that two or more of the NAT resources of the central pool of NAT resources be allocated to the local pool of NAT resources;
      
      receive a response from the central NAT management module allocating the requested two or more of the NAT resources of the central pool of NAT resources to the local pool of NAT resources;
      
      store data defining the local pool of two or more unallocated NAT resources that include the two or more NAT resources allocated by the central NAT management module to the one of the plurality of NAT modules for use in performing network address translation but that have not yet been allocated for use in performing network address translation;
      
      request that the central NAT management module allocate a batch of two or more additional NAT resources from the central pool of NAT resources;
      
      update the local pool of NAT resources with the batch of two or more additional NAT resources to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool; and
      
      perform network address translation to obscure the source address of the packet using one of the one or more additional NAT resources added to the updated local pool of NAT resources to generate the modified packet.
  - 25. The non-transitory computer-readable medium of claim 23, further comprising instructions that cause the processor to:
    - store a plurality of local pools of NAT resources, wherein the plurality of local pools of NAT resources includes the local pool of NAT resources as one of the plurality of local pools of NAT resources;
      
      request an additional NAT resource be allocated to the one of the plurality of local pools of NAT resources from one of the remaining ones of the plurality of local pools of NAT resources;
      
      update the one of the plurality of local pools of NAT resources with the one additional NAT resource allocated by the one of the remaining ones of the plurality of local pools of NAT resources to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool; and
      
      perform network address translation to obscure the source address of the packet using the additional NAT resources added to the updated one of the plurality of local pools of NAT resources to generate the modified packet.

26. A network system comprising:
- a public network; and
  
  a private network that includes;
  
  a plurality of end-user devices; and
  
  a router positioned intermediate to the plurality of end-user devices and the public network, wherein the router receives all network traffic originated by the plurality of end-user devices that is destined for the public network, and wherein the router includes;
  
  at least one interface card that receives a packet including a source address; and
  
  a control unit that includes a plurality of NAT modules, wherein each of the plurality of NAT modules stores data defining a local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation,wherein one of the plurality of NAT modules receives the packet, determines whether any of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address of the packet, in response to the determination that none of the NAT resources from the local pool of NAT resources are available for use in obscuring the source address, requests one or more additional NAT resources for use in obscuring the source address, and performs network address translation to obscure the source address of the packet using one of the one or more additional NAT resources to generate a modified packet, andwherein the at least one interface card forwards the modified packet to a destination identified by a destination address specified within the modified packet.

27. A method of allocation network resources for use in network address translation (NAT), the method comprising:
- storing, with the one of the plurality of NAT modules, data statically defining an initial local pool of two or more unallocated NAT resources for use in performing network address translation but that have not yet been allocated for use in performing network address translation;
  
  receiving, with the one of the plurality of NAT modules, a packet that includes a source address;
  
  determining, with the one of the plurality of NAT modules, whether any of the NAT resources from the initial local pool of NAT resources are available for use in obscuring the source address;
  
  in response to the determination that none of the NAT resources from the initial local pool of NAT resources are available for use in obscuring the source address, requesting, with the one of the plurality of NAT modules, that one of the remaining ones of the plurality of NAT modules allocate an additional NAT resource from a local pool of NAT resources stored by the one of the remaining ones of the plurality of NAT modules;
  
  updating the initial local pool of NAT resources with the one additional NAT resource allocated by the one of the remaining ones of NAT modules to increase a number of NAT resources available to be allocated for use in obscuring the source address within the local pool;
  
  performing, with the one of the plurality of NAT modules, network address translation to obscure the source address of the packet using the additional NAT resources added to the updated initial local pool of NAT resources to generate the modified packet; and
  
  forwarding, with the network device, the modified packet to a destination identified by a destination address specified within the modified packet.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Zhuang, Yan
Primary Examiner(s)
HO, DUC CHI

Application Number

US12/913,498
Time in Patent Office

720 Days
Field of Search

None
US Class Current

370/392
CPC Class Codes

H04L 45/02   Topology update or discovery

H04L 61/2517   using port numbers

H04L 61/2532   Clique of NAT servers

H04L 61/2539   Hiding addresses; Keeping a...

H04L 61/5014   using dynamic host configur...

Distributed network address translation in computer networks

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

47 Citations

27 Claims

Specification

Solutions

Use Cases

Quick Links

Distributed network address translation in computer networks

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

47 Citations

27 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links