NETWORK ADDRESS TRANSLATION GATEWAY FOR LOCAL AREA NETWORKS USING LOCAL IP ADDRESSES AND NON-TRANSLATABLE PORT ADDRESSES
Abstract
A network address translation gateway provides normal network translation for IP datagrams traveling from a local area network using local IP addresses to an external network, but suspends source service address (port) translation when the port is reserved for a specific protocol, such as the ISAKMP “handshaking” protocol that is part of the IPSec protocol model. ISAKMP exchanges require both source and target computers to use the same service address (port). By providing a network interface that does not translate the source service address (port), this gateway enables the initiation and maintenance of secure, encrypted transmissions using IPSec protocol between a local area network using local IP addresses and servers on the internet.
37 Citations
52 Claims
1-12. (canceled)
13. A method, comprising:
    receiving a first internet protocol (IP) packet at a gateway connecting a first network to a second network, wherein the first packet is sent from a source in the first network, is directed to a destination in the second network, and includes source and destination port numbers;
    determining whether the first packet is an initiation request for a communication protocol, wherein the communication protocol specifies that, for an initiation request to succeed, a packet corresponding to the initiation request includes source and destination port numbers having a common, predetermined port number, and further specifies that the source and destination port numbers cannot be changed;
    if the first packet is an initiation request for the communication protocol and if no other initiation requests for the communication protocol are pending:
        forwarding the initiation request to its destination without changing the source and destination port numbers; and
        preventing initiation requests for the communication protocol from other sources from succeeding while the initiation request corresponding to the first packet is pending.
    Dependent claims: 14-22.

23. A method, comprising:
    receiving a first internet protocol (IP) packet at a gateway coupled to a first network and a second network, wherein the first packet is received from a source in the first network and is directed to a destination in the second network;
    if the first packet is an ISAKMP packet:
        forwarding the first packet to the destination without changing source and destination port numbers included in the first packet; and
        changing the source and/or destination port numbers in any subsequent ISAKMP packets received at the gateway while a response to the first packet is pending.
    Dependent claims: 24-26.

27. A method comprising:
    receiving, at a gateway, a first IPSec packet that includes a Security Parameter Index (SPI); and
    the gateway performing a network address translation of the first packet based, at least in part, on the SPI.
    Dependent claims: 28-33.

34. An apparatus, comprising:
    an interface to a first network;
    an interface to a second network;
    a gateway unit configured to:
        receive a first IP packet, wherein the first packet is sent from a source in the first network, is directed to a destination in the second network, and includes source and destination port numbers;
        determine whether the first packet is an initiation request for a communication protocol, wherein the communication protocol specifies that, for an initiation request to succeed, a packet corresponding to the initiation request includes source and destination port numbers having a common, predetermined port number, and further specifies that the source and destination port numbers cannot be changed during the initiation request;
        if the first packet is an initiation request for the communication protocol and if no other initiation requests for the communication protocol are pending:
            forward the initiation request to its destination without changing the source and destination port numbers; and
            prevent initiation requests for the communication protocol from other sources from succeeding while the initiation request corresponding to the first packet is pending.
    Dependent claims: 35-43.

44. An apparatus, comprising:
    an interface to a first network;
    an interface to a second network;
    a gateway unit configured to:
        receive a first internet protocol (IP) packet, wherein the first packet is received from a source in the first network and directed to a destination in the second network;
        if the first packet is an ISAKMP packet:
            forward the first packet to the destination without changing source and destination port numbers included in the first packet; and
            change the source and/or destination port numbers in any subsequent ISAKMP packets received at the gateway until a response is received to the first packet.
    Dependent claims: 45-47.

48. An apparatus, comprising:
    an interface to a first network;
    an interface to a second network;
    a gateway unit configured to:
        receive a first IPSec packet that includes a Security Parameter Index (SPI);
        perform a network address translation of the first packet that is based, at least in part, on the SPI.
    Dependent claims: 49-52.

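As an added illustration that is not part of the patent text, the following Python models the gateway behaviour the claims describe: an ISAKMP packet with source and destination port 500 is forwarded with both ports untouched while no other initiation is pending, competing ISAKMP initiations are port-translated in the meantime so the peer rejects them, and inbound ESP is translated by SPI. The Packet and Gateway classes, the port-allocation scheme, and the rule that an unknown inbound SPI is bound to the host whose ISAKMP exchange completed last are assumptions of this example.

```python
from dataclasses import dataclass, replace
ISAKMP_PORT = 500  # ISAKMP requires both peers to use this port

@dataclass(frozen=True)
class Packet:  # constructed for this example; proto is "udp" or "esp"
    src_ip: str
    dst_ip: str
    proto: str
    src_port: int = 0  # UDP only
    dst_port: int = 0
    spi: int = 0       # ESP only

class Gateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port = public_ip, first_port
        self.nat = {}        # public port -> (local ip, local port)
        self.pending = None  # local host with an ISAKMP initiation in flight
        self.spi_owner, self.last_isakmp_host = {}, None  # inbound SPI -> host; last completed host
    def _alloc_port(self, src_ip, src_port):
        port, self.next_port = self.next_port, self.next_port + 1
        self.nat[port] = (src_ip, src_port)
        return port
    def outbound(self, pkt):
        if pkt.proto == "esp":  # ESP carries no ports; only the address is rewritten
            return replace(pkt, src_ip=self.public_ip)
        isakmp = pkt.src_port == ISAKMP_PORT and pkt.dst_port == ISAKMP_PORT
        if isakmp and self.pending in (None, pkt.src_ip):
            # claim 13: forward the initiation with both ports untouched, hold the slot
            self.pending = pkt.src_ip
            self.nat[ISAKMP_PORT] = (pkt.src_ip, ISAKMP_PORT)
            return replace(pkt, src_ip=self.public_ip)
        # ordinary NAPT; a competing ISAKMP initiation gets a new source port here,
        # so the peer rejects it while the first one is pending (claims 13 and 23)
        new_port = self._alloc_port(pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=new_port)
    def inbound(self, pkt):
        if pkt.proto == "esp":
            # claim 27: translate by SPI; an unknown SPI is bound to the host whose
            # ISAKMP exchange completed last (assumption of this example)
            host = self.spi_owner.get(pkt.spi) or self.last_isakmp_host
            if host is None:
                return None
            self.spi_owner[pkt.spi] = host
            return replace(pkt, dst_ip=host)
        entry = self.nat.get(pkt.dst_port)
        if entry is None:
            return None  # unsolicited packet, dropped
        local_ip, local_port = entry
        if pkt.dst_port == ISAKMP_PORT and pkt.src_port == ISAKMP_PORT:
            self.last_isakmp_host, self.pending = local_ip, None  # response arrived
        return replace(pkt, dst_ip=local_ip, dst_port=local_port)
```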
Specification