Stateless deterministic network address translation

US 9,258,272 B1
Filed: 06/27/2012
Issued: 02/09/2016
Est. Priority Date: 10/21/2011
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

a plurality of customer premise equipment (CPEs) positioned within respective customer networks, each of the customer networks having subscriber devices coupled to the respective CPE of the customer network; and

a network address translation (NAT) device positioned within a service provider network, wherein the CPEs and the NAT device operate as ingress and egress for network tunnels having network packets that conform to a first network transport protocol that encapsulate network packets from the subscriber devices that conform to a second network transport protocol,wherein the NAT device stores a mapping table that maps, for each of the CPEs, a public network address of the first transport protocol to a public network address and a restricted port range of the second transport protocol,wherein the NAT device outputs a control message to communicate the respective restricted port range to each of the CPEs, andwherein each of the CPEs performs network address translation on the network packets from the subscriber devices within the respective customer network based on the restricted port range received from the NAT device of the service provider network by translating between private network addresses of the subscriber devices and the public network address and ports within the restricted port range communicated to the CPE by the NAT device.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Stateless deterministic network address translation (NAT) within a service provider network is described. A plurality of customer premise equipment (CPEs) positioned within customer networks and a NAT device positioned within a service provider network operate as ingress and egress for tunnels having network packets of a first network transport protocol that encapsulate inner network packets of a second network transport protocol. The NAT device stores a mapping table that maps, for each of the CPEs, a public network address of the first transport protocol to a public network address and restricted port range of the second transport protocol. The NAT device outputs control messages to communicate the respective restricted port range to each of the CPEs, and the CPEs provide network address translation within the customer networks at the ingress of the tunnels based on the restricted port range received from the NAT device of the service provider network.

57 Citations

View as Search Results

19 Claims

1. A system comprising:
- a plurality of customer premise equipment (CPEs) positioned within respective customer networks, each of the customer networks having subscriber devices coupled to the respective CPE of the customer network; and
  
  a network address translation (NAT) device positioned within a service provider network, wherein the CPEs and the NAT device operate as ingress and egress for network tunnels having network packets that conform to a first network transport protocol that encapsulate network packets from the subscriber devices that conform to a second network transport protocol,wherein the NAT device stores a mapping table that maps, for each of the CPEs, a public network address of the first transport protocol to a public network address and a restricted port range of the second transport protocol,wherein the NAT device outputs a control message to communicate the respective restricted port range to each of the CPEs, andwherein each of the CPEs performs network address translation on the network packets from the subscriber devices within the respective customer network based on the restricted port range received from the NAT device of the service provider network by translating between private network addresses of the subscriber devices and the public network address and ports within the restricted port range communicated to the CPE by the NAT device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The system of claim 1, wherein the NAT device stores the mapping table having a single entry for each CPE without storing any per-session NAT binding for each communication session from the CPEs.
  - 3. The system of claim 1, wherein each of the CPEs perform network address translation by, upon receiving a packet of a new packet flow from a subscriber device, dynamically selecting a port within the restricted port range received from the NAT device, and storing a per-session NAT binding that maps a private network address for the subscriber device to the public network address and the selected port.
  - 4. The system of claim 1, wherein the control message comprises an error message output by the NAT device in the form of an Internet Control Message Protocol (ICMP) message.
  - 5. The system of claim 1, wherein the NAT device outputs the control message to one of the CPEs in response to receiving an outbound packet from the CPE that violates the restricted port range for the CPE.
  - 6. The system of claim 1, wherein the NAT device constructs the control message to specify a transport protocol with which the restricted port range is associated.
  - 7. The system of claim 1, wherein the first transport protocol comprises IPv6 and the second transport protocol comprises IPv4.
  - 8. The system of claim 1,wherein the NAT device is one of a plurality of NAT devices within the service provider network,wherein each of the NAT devices is configured with the network address and the same mapping table that maps, for each of the CPEs, the public network address of the first transport protocol to the public network address and restricted port range of the second transport protocol, andwherein the CPE communicates the network packets with any of the NAT devices.

9. A network address translation (NAT) device comprising:
- a plurality of interfaces to communicate subscriber packets with a plurality of customer premise equipment (CPEs) positioned within respective customer networks, each of the customer networks have subscriber devices coupled to the respective CPE;
  
  a computer-readable storage device to store a mapping table that maps, for each of the CPEs, a public network address of a first transport protocol to a public network address and restricted port range of a second transport protocol, andprogram code to execute on a processor of the NAT device to output control messages to the CPEs to communicate the respective restricted port range to each of the CPEs for locally performing NAT on network packets from the subscriber devices within the customer networks by translating between private network addresses of the subscriber devices and the public network address and ports within the restricted port range communicated to the CPE by the NAT device,wherein the NAT device stores the mapping table without storing any per-session NAT bindings for communication sessions from the CPEs.
- View Dependent Claims (10, 11)
- - 10. The NAT device of claim 9, wherein the control message comprises an error message output by the NAT device in the form of an Internet Control Message Protocol (ICMP) message.
  - 11. The NAT device of claim 9, wherein the first transport protocol comprises IPv6 and the second transport protocol comprises IPv4.

12. A method comprising:
- operating a network address translation (NAT) device of a service provider network as an ingress and egress for tunneling subscriber data traffic through the service provider network to a plurality of customer premise equipment (CPEs) positioned within respective customer networks, wherein each of the customer networks comprise subscriber devices coupled to the respective CPE of the customer network, and wherein the subscriber data traffic is tunneled as network packets that conform to a first network transport protocol and that encapsulate network packets from the subscriber devices that conform to a second network transport protocol;
  
  storing a mapping table within the NAT device, wherein the mapping table maps, for each of the CPEs, a public network address of the first transport protocol to a public network address and restricted port range of the first transport protocol without storing any per-session NAT bindings on the NAT device for communication sessions from the CPEs; and
  
  outputting a control message to communicate the respective restricted port range to each of the CPEs for performing local network address translation within the respective customer network based on the restricted port range by translating between private network addresses of the subscriber devices and the public network address and ports within the restricted port range communicated to the CPE by the NAT device.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The method of claim 12, wherein the control message comprises an error message output by the NAT device in the form of an Internet Control Message Protocol (ICMP) message.
  - 14. The method of claim 12, wherein outputting the control message comprises outputting the control message from the NAT device to one of the CPEs in response to receiving from the CPE an outbound packet that violates the restricted port range specified within the mapping table for that CPE.
  - 15. The method of claim 12, further comprising constructing the control message to specify a transport protocol with which the restricted port range is associated.
  - 16. The method of claim 12, wherein the first transport protocol comprises IPv6 and the second transport protocol comprises IPv4.
  - 17. The method of claim 12, further comprising:
    - upon receiving a packet of a new packet flow of the subscriber data traffic from a subscriber device with one of the CPEs, dynamically selecting a port within the restricted port range received from the NAT device and storing a per-session NAT binding within the CPE that maps a private network address for the subscriber device to the public network address of the second transport protocol and the selected port;
      
      performing, with the CPE device, network address translation on the packet for the packet flow based on the NAT binding to form a translated packet;
      
      encapsulating the translated packet to form a tunnel packet in accordance with the first transport protocol; and
      
      forwarding the tunnel packet to the NAT device.
  - 18. The method of claim 12, further comprisingconfiguring a plurality of other NAT devices within the service provider network with a same mapping table that maps, for each of the CPEs, the public network address of the first transport protocol to the public network address and restricted port range of the second transport protocol, andcommunicating the subscriber data traffic for any of the CPE between that CPE and any of the NAT devices.

19. A residential gateway device comprising:
- a network interface to communicate subscriber packets with a network address translation (NAT) device positioned within service provider network, wherein the residential gateway device is positioned within a customer network having a plurality of subscriber devices, and wherein the network interface is assigned a public network address of a first transport protocol and a public network address of a second transport protocol for tunneling the subscriber packets through the service provider network to the NAT device;
  
  program code executing on a processor of the residential gateway device to receive an error message output by the NAT device in the form of an Internet Control Message Protocol (ICMP) message, wherein the ICMP message encodes a restricted port range for the second transport protocol, andprogram code executing on the processor to locally perform NAT on the subscriber packets in accordance with the restricted port range prior to tunneling the subscriber packets to the NAT device by translating between private network addresses and ports of the subscriber packets and the public network address of the first transport protocol and the ports within the restricted port range communicated to the residential gateway by the NAT device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Juniper Networks Incorporated
Original Assignee
Juniper Networks Incorporated
Inventors
Durand, Alain, Penno, Reinaldo
Primary Examiner(s)
Alam, Uzma

Application Number

US13/534,999
Time in Patent Office

1,322 Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 2101/659   Internet protocol version 6...

H04L 61/251   between different IP versions

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/5014   using dynamic host configur...

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/30   for supporting lawful inter...

Stateless deterministic network address translation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

57 Citations

19 Claims

Specification

Use Cases

Quick Links

Others

Stateless deterministic network address translation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

57 Citations

19 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others