Deterministic network address and port translation

US 9,178,846 B1
Filed: 12/15/2011
Issued: 11/03/2015
Est. Priority Date: 11/04/2011
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving, with a network device, a packet from a subscriber, wherein the packet includes a private source network address and source port;

selecting a network address translation (NAT) rule for the packet;

deterministically computing, with the network device, a public network address and a range of ports assigned to the private network address of the packet using the selected NAT rule by;

(i) computing an offset within a private address space for the NAT rule as a function of the private source network address,(ii) computing an offset within a public address space for the NAT rule as a function of the offset within the private address space,(iii) computing the public network address as a function of the offset within public network address,(iv) computing a port block offset as a function of both the offset within the private address space and a number of public network addresses within the public address space, and(v) computing the range of ports for the subscriber as a function of the port block offset and a port block size for the NAT rule,dynamically selecting an unused port from the range of ports;

generating a translated packet from the packet, wherein the translated packet includes the computed public network address and the selected unused port from the range of ports in place of the private source address and source port; and

forwarding the translated packet from the network device to a public network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A source network address and port translation (NAPT) mechanism is described that reduces or eliminates the need to log any NAT translations. As described herein, a mapping between a subscriber'"'"'s private address to a public address and port range is determined algorithmically. Given a particular mapping rule, as specified by the service provider, a subscriber is repeatedly and deterministically mapped to the same public network address and a specific port range for that network address. Once the public address and port range for a subscriber are computed, the particular ports for each session for that subscriber are allocated dynamically within the computed NAT port range on per session basis.

51 Citations

View as Search Results

22 Claims

1. A method comprising:
- receiving, with a network device, a packet from a subscriber, wherein the packet includes a private source network address and source port;
  
  selecting a network address translation (NAT) rule for the packet;
  
  deterministically computing, with the network device, a public network address and a range of ports assigned to the private network address of the packet using the selected NAT rule by;
  
  (i) computing an offset within a private address space for the NAT rule as a function of the private source network address,(ii) computing an offset within a public address space for the NAT rule as a function of the offset within the private address space,(iii) computing the public network address as a function of the offset within public network address,(iv) computing a port block offset as a function of both the offset within the private address space and a number of public network addresses within the public address space, and(v) computing the range of ports for the subscriber as a function of the port block offset and a port block size for the NAT rule,dynamically selecting an unused port from the range of ports;
  
  generating a translated packet from the packet, wherein the translated packet includes the computed public network address and the selected unused port from the range of ports in place of the private source address and source port; and
  
  forwarding the translated packet from the network device to a public network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, further comprising:
    - logging an activation time period for the NAT rule without maintaining a log file that record network address translation of the private source network address to the public network address.
  - 3. The method of claim 1, further comprising:
    - computing the private address space for the NAT rule by identifying a set of private address prefixes designated by the NAT rule and computing a total number of private addresses for the set of private address prefixes;
      
      computing the public address space for the NAT rule by identifying a NAT pool designated by the NAT rule and computing a total number of public addresses for a set of public address prefixes of the NAT pool;
      
      computing a number of the total number of private addresses for the NAT rule to be assigned to each of the public network addresses of the specified NAT pool based on the number of the total number of public addresses for the NAT rule and the total number of private addresses for the NAT rule; and
      
      computing the port block size per each of the private addresses based on a number of ports available for each of the public addresses for the NAT pool and the total number of private addresses to be assigned to each of the public network address.
  - 4. The method of claim 1, wherein dynamically selecting the unused port from the range of ports comprises:
    - maintaining a bitmap for the port range assigned to the private network address, wherein each bit within the bitmap indicates whether the corresponding port is being used for network address translation of a current communication session from the subscriber; and
      
      based on the bitmap, selecting one of the ports within the port range that is not being used for a current communication session from the subscriber.
  - 5. The method of claim 1, further comprising:
    - when all of the ports within the range of ports assigned to the private network address are currently being used, selecting the public network address and unused port from a fallback pool of public network addresses; and
      
      generating and storing a system log file to record network address translation of the private source network address to the public network address.
  - 6. The method of claim 1, wherein selecting a NAT rule comprise selecting the NAT rule upon matching one or more criteria of the NAT rule to contents of the packet.
  - 7. The method of claim 1, wherein selecting a NAT rule comprise selecting the NAT rule upon matching the criteria of the NAT rule to the source the packet.
  - 8. The method of claim 1, wherein the network device comprises a router or a mobile gateway.
  - 9. The method of claim 3, further comprising:
    - prior to receiving the packet, programming NAT information within a forwarding component of the network device, wherein the NAT information comprises the total number of private addresses for the NAT rule, the total number of public network addresses for the NAT rule and the port block size for the NAT rule; and
      
      algorithmically computing the public network address and the range of ports for the private network address of the packet with the forwarding component using the programmed NAT information.

10. A network device comprising:
- a plurality of interfaces configured to send and receive packets for subscribers of a service provider network;
  
  a control unit that provides a user interface for configuring at least one network address (NAT) rule;
  
  a NAT controller that, upon receiving a packet for a new subscriber session, deterministically computes a public network address and a range of ports assigned to a private network address of a subscriber based on the NAT rule and selects an unused port from the range of ports, wherein the NAT controller deterministically computes the public network address and the range of port for the private network address by computing an offset within a private address space for the NAT rule as a function of the private source network address, computing an offset within a public address space for the NAT rule as a function of the offset within the private address space, and computing the public network address as a function of the offset within public network address, and wherein the NAT controller computes a port block offset as a function of both the offset within the private address space and a number of public network addresses within the public address space, and computes the range of ports for the subscriber as a function of the port block offset and a port block size for the NAT rule; and
  
  a forwarding component to output a translated packet that includes the computed public network address and the selected unused port in place of the private source address and a source port of the packet.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17)
- - 11. The network device of claim 10,wherein the NAT controller pre-computes NAT information for the NAT rule, the NAT information comprising a total number of private network addresses for the subscribers of the service provider network serviced by the NAT rule, a total number of public network addresses for a NAT pool associated with the NAT rule, and a port block size per each of the subscribers, andwherein, upon receiving the packet for the new subscriber session, the NAT controller algorithmically computes the public network address and the range of ports assigned to a private network address of the packet based on the pre-computed NAT information.
  - 12. The network device of claim 10, wherein the NAT controller pre-computes the NAT information by:
    - computing the private address space for the NAT rule by identifying a set of private address prefixes designated by the NAT rule and computing a total number of private addresses for the set of private address prefixes;
      
      computing the public address space for the NAT rule by identifying a NAT pool designated by the NAT rule and computing a total number of public addresses for a set of public address prefixes of the NAT pool;
      
      computing a number of the total number of private addresses for the NAT rule to be assigned to each of the public network addresses of the specified NAT pool based on the number of the total number of public addresses for the NAT rule and the total number of private addresses for the NAT rule; and
      
      computing the port block size per each of the private addresses based on a number of ports available for each of the public addresses for the NAT pool and the total number of private addresses to be assigned to each of the public network address.
  - 13. The network device of claim 10, wherein the NAT controller is configured to generate a system log file to store an activation time period for the NAT rule without recording network address translation of the private source network address to the public network address.
  - 14. The network device of claim 10, further comprising a bitmap for the port range assigned to the private network address, wherein each bit within the bitmap indicates whether the corresponding port is being used for network address translation of a current communication session from the subscriber,wherein, based on the bitmap, the NAT controller selects one of the ports within the port range that is not being used for a current communication session from the subscriber.
  - 15. The network device of claim 10, further comprising:
    - a fallback pool of public network addresses,wherein, when all of the ports within the range of ports assigned to the private network address are currently being used, the NAT controller selects the public network address and unused port from a fallback pool of public network addresses, andwherein the NAT controller generates and stores a system log file to record network address translation of the private source network address to the public network address.
  - 16. The network device of claim 10, wherein the NAT controller selects the NAT rule from a plurality of NAT rules upon matching one or more criteria of the NAT rule to contents of the packet.
  - 17. The network device of claim 10, wherein the network device comprises a router or a mobile gateway.

18. A network router comprising:
- a plurality of interfaces configured to send and receive packets for subscribers of a service provider network;
  
  a routing engine comprising a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit provides a user interface for configuring at least one network address (NAT) rule;
  
  a forwarding component configured by the routing engine to select next hops for the packets in accordance with the routing information, the forwarding component comprising a switch fabric to forward the packets to the interfaces based on the selected next hops; and
  
  a NAT controller of the network router, the NAT controller, upon receiving a packet for a new subscriber session, deterministically computing a public network address and a range of ports assigned to a private network address of a subscriber based on the NAT rule,wherein the NAT controller deterministically computes the public network address and the range of port for the private network address by computing an offset within a private address space for the NAT rule as a function of the private source network address, computing an offset within a public address space for the NAT rule as a function of the offset within the private address space, and computing the public network address as a function of the offset within public network address,wherein the NAT controller computes a port block offset as a function of both the offset within the private address space and a number of public network addresses within the public address space, and computes the range of ports for the subscriber as a function of the port block offset and a port block size for the NAT rule,wherein the NAT controller dynamically selects an unused port from the range of ports and programs the forwarding component with the computed public network address and the unused port selected for the subscriber session; and
  
  wherein the forwarding component outputs a translated packet that includes the computed public network address and the selected unused port in place of the private source address and a source port of the packet.
- View Dependent Claims (19, 20, 21, 22)
- - 19. The network router of claim 18,wherein the NAT controller pre-computes NAT information for the NAT rule prior to receiving the packet for the new subscriber session, the NAT information comprising a total number of private network addresses for the subscribers of the service provider network serviced by the NAT rule, a total number of public network addresses for a NAT pool associated with the NAT rule, and a port block size per each of the subscribers, andwherein, upon receiving the packet for the new subscriber session, the NAT controller algorithmically computes the public network address and the range of ports assigned to a private network address of the packet based on the pre-computed NAT information.
  - 20. The network router of claim 18, wherein the forwarding component includes a flow control module that, upon receiving the packet for the new subscriber session, directs the packet to the NAT controller.
  - 21. The network router of claim 18, wherein the NAT controller executes on a removable service card of the network router.
  - 22. The network router of claim 18,wherein the user interface supports a syntax by which a user specifies the NAT rule and an a fallback pool of public network addresses, andwherein, when all of the ports within the range of ports assigned to the private network address are currently being used, the forwarding component selects the public network address and unused port from a fallback pool of public network addresses and generates a system log file to record network address translation of the private source network address to the public network address.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Kamisetty, Sarat, Mohan, Rajesh, Vinapamula Venkata, Suresh Kumar, Penno, Reinaldo
Primary Examiner(s)
Nguyen, Angela

Application Number

US13/326,903
Time in Patent Office

1,419 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 45/60   Router architectures

H04L 45/74   Address processing for routing

H04L 61/10   of different types

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/255   Maintenance or indexing of ...

H04L 61/2553   Binding renewal aspects, e....

H04L 61/2557   Translation policies or rules

H04L 61/256   NAT traversal

H04L 61/503   using an authentication, au...

H04L 63/02   for separating internal fro...

H04L 63/0263   Rule management

Deterministic network address and port translation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

51 Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Deterministic network address and port translation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

51 Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links