Deterministic network address and port translation
First Claim
1. A method comprising:
storing, with a network device, a network address translation (NAT) rule that specifies a contiguous range of private network addresses and a contiguous range of public network addresses, wherein the range of public network addresses specified by the NAT rule has a total number of public network addresses that is less than a total number of private network addresses of the range of private network addresses specified by the NAT rule;
receiving, with the network device, an initial packet for a new packet flow from a subscriber, wherein the initial packet includes a private source network address and a source port;
responsive to the initial packet for the new packet flow, deterministically computing, with the network device and using the NAT rule, a public network address and a range of ports for network address translation of packets of the packet flow, wherein deterministically computing the public network address and the range of ports comprises applying operations that repeatably and deterministically compute a corresponding public network address within the contiguous range of public network addresses and a corresponding range of ports for any one of the private network addresses in the contiguous range of private network addresses specified by the NAT rule by:
(i) computing, based on the private source network address of the initial packet, a first offset representing a position of the private source network address within the private address space specified by the NAT rule, (ii) computing, based on the computed position within the private network address space for the private network address of the packet and based on a total number of public network addresses within the public address space specified by the NAT rule, a second offset representing a position within the public address space specified by the NAT rule, and (iii) computing, based on the second offset representing the position within the public network address space, the public network address for performing NAT of the packet;
dynamically selecting, for network address translation of the initial packet of the new packet flow, an unused port from the range of ports;
generating a translated packet from the initial packet, wherein the translated packet includes the computed public network address and the selected unused port from the range of ports in place of the private source address and the source port; and
forwarding the translated packet from the network device to a public network.
Abstract
A source network address and port translation (NAPT) mechanism is described that reduces or eliminates the need to log any NAT translations. As described herein, a mapping between a subscriber's private address and a public address and port range is determined algorithmically. Given a particular mapping rule, as specified by the service provider, a subscriber is repeatedly and deterministically mapped to the same public network address and a specific port range for that network address. Once the public address and port range for a subscriber are computed, the particular ports for each session of that subscriber are allocated dynamically within the computed NAT port range on a per-session basis.
24 Claims
10. A method comprising:
receiving, with a network device, a network address translation (NAT) rule that specifies:
(i) a contiguous range of private network addresses, (ii) a contiguous range of public network addresses having a total number of public network addresses that is less than a total number of private network addresses of the range of private network addresses specified by the NAT rule, and (iii) a port block size;
prior to receiving an initial packet for a new packet flow, programming NAT information within a forwarding component of the network device, wherein the NAT information comprises the total number of private addresses for the NAT rule, the total number of public network addresses for the NAT rule and the port block size for the NAT rule;
receiving, with the forwarding component of the network device, the initial packet for the new packet flow from a subscriber, wherein the packet includes a private source network address and a source port; and
responsive to the initial packet for the new packet flow, deterministically computing, with the forwarding component of the network device and using the programmed NAT information, a public network address and a range of ports for network address translation of packets of the packet flow, wherein deterministically computing the public network address and the range of ports comprises applying operations that repeatably and deterministically compute a corresponding public network address within the contiguous range of public network addresses and a corresponding range of ports for any one of the private network addresses in the contiguous range of private network addresses specified by the NAT rule.
11. A network device comprising:
a plurality of interfaces configured to send and receive packets for subscribers of a service provider network;
a control unit that provides a user interface for configuring at least one network address translation (NAT) rule for performing NAT on the packets of the subscribers, wherein the NAT rule specifies a contiguous range of private addresses and a contiguous range of public network addresses, and wherein the range of public network addresses specified by the NAT rule has a total number of public network addresses that is less than a total number of private network addresses of the range of private network addresses specified by the NAT rule;
a NAT controller that, upon receiving an initial packet for a new subscriber session, deterministically computes a public network address and a range of ports and selects an unused port from the range of ports for network address translation of packets of the new subscriber session, wherein deterministically computing the public network address and range of ports comprises applying one or more operations that repeatably and deterministically compute corresponding public network addresses within the contiguous range of public network addresses and ranges of ports for any respective one of the private network addresses in the contiguous range of private network addresses specified by the NAT rule by:
(i) computing, based on the private source network address of the initial packet, a first offset representing a position of the private source network address within the private address space specified by the NAT rule, (ii) computing, based on the computed position within the private network address space for the private network address of the initial packet and based on a total number of public network addresses within the public address space specified by the NAT rule, a second offset representing a position within the public address space specified by the NAT rule, and (iii) computing, based on the second offset representing the position within the public network address space, the public network address for performing NAT of the initial packet; and
a forwarding component to output a translated packet that includes the computed public network address and the selected unused port in place of the private source address and a source port of the initial packet.
20. A network router comprising:
a plurality of interfaces configured to send and receive packets for subscribers of a service provider network;
a routing engine comprising a control unit that executes a routing protocol to maintain routing information specifying routes through a network, wherein the control unit provides a user interface for configuring at least one network address translation (NAT) rule that specifies a contiguous range of private addresses and a contiguous range of public network addresses;
a forwarding component configured by the routing engine to select next hops for the packets in accordance with the routing information, the forwarding component comprising a switch fabric to forward the packets to the interfaces based on the selected next hops; and
a NAT controller of the network router that, when processing initial packets for new packet flows from the subscribers, assigns a corresponding one of the public network addresses specified by the NAT rule and a corresponding range of ports for network address translation of the respective new packet flow, wherein, when processing the initial packets and assigning the public network addresses and port ranges for network address translation of the new packet flows, the NAT controller applies operations to source private network addresses within the new packet flows to repeatably and deterministically compute, for each new packet flow, the corresponding public network address within the contiguous range of public network addresses and the corresponding range of ports to be used for network address translation by:
(i) computing a first offset representing a position of a private source network address within a private address space specified by the NAT rule, (ii) computing, based on the first offset and based on a total number of public network addresses within a public address space specified by the NAT rule, a second offset representing a position within the public address space specified by the NAT rule, and (iii) computing, based on the second offset, the public network address for performing NAT on packets of the new packet flow.
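The three-step computation shared by claims 1, 10, 11 and 20 (first offset in the private range, second offset in the public range, public address, then a port block of the configured size) and the per-session port choice of claims 1 and 11, as an added Python example that is not the patent's own code. How subscribers are split across public addresses (contiguous groups, rounded up), the port floor of 1024 and the class names are assumptions the claims leave open; the reverse function shows why no translation log is needed, since an abuse report citing a public address and port maps straight back to one subscriber.

```python
import ipaddress


class DetNatRule:
    """One deterministic NAPT rule: a private range mapped onto a smaller public range."""
    def __init__(self, private_base, private_count, public_base, public_count,
                 port_block_size, port_floor=1024):  # assumption: ports below 1024 never used
        self.priv = ipaddress.IPv4Address(private_base)
        self.pub = ipaddress.IPv4Address(public_base)
        self.private_count, self.public_count = private_count, public_count
        self.port_block_size, self.port_floor = port_block_size, port_floor
        if public_count >= private_count:
            raise ValueError("rule must have fewer public than private addresses")
        # subscribers sharing one public address (assumption: contiguous split, rounded up)
        self.per_public = -(-private_count // public_count)
        if port_floor + self.per_public * port_block_size > 65536:
            raise ValueError("port blocks overflow the 16-bit port space")

    def forward(self, private_ip):
        """Private address -> (public address, inclusive port range); no state needed."""
        first_offset = int(ipaddress.IPv4Address(private_ip)) - int(self.priv)
        if not 0 <= first_offset < self.private_count:
            raise ValueError(f"{private_ip} is not covered by this rule")
        second_offset = first_offset // self.per_public  # position in the public space
        block = first_offset % self.per_public           # which port block on that address
        lo = self.port_floor + block * self.port_block_size
        return str(self.pub + second_offset), (lo, lo + self.port_block_size - 1)

    def reverse(self, public_ip, port):
        """Public address + port -> subscriber's private address, or None if unmapped."""
        second_offset = int(ipaddress.IPv4Address(public_ip)) - int(self.pub)
        block = (port - self.port_floor) // self.port_block_size
        if not (0 <= second_offset < self.public_count and 0 <= block < self.per_public):
            return None
        first_offset = second_offset * self.per_public + block
        return str(self.priv + first_offset) if first_offset < self.private_count else None


class DetNat:
    """Dynamic per-session port choice inside the computed block; nothing is logged."""
    def __init__(self, rule):
        self.rule, self.in_use = rule, {}  # (public_ip, port) -> (private_ip, private_port)

    def new_flow(self, private_ip, private_port):
        public_ip, (lo, hi) = self.rule.forward(private_ip)
        for port in range(lo, hi + 1):
            if (public_ip, port) not in self.in_use:
                self.in_use[(public_ip, port)] = (private_ip, private_port)
                return public_ip, port
        raise RuntimeError(f"port block {lo}-{hi} on {public_ip} exhausted")
```

A subscriber whose block is exhausted cannot open further sessions, which is the trade-off the fixed block size buys in exchange for log-free attribution.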