NETWORK ADDRESS TRANSLATION GATEWAY FOR LOCAL AREA NETWORKS USING LOCAL IP ADDRESSES AND NON-TRANSLATABLE PORT ADDRESSES

US 20090059940A1
Filed: 11/12/2008
Published: 03/05/2009
Est. Priority Date: 03/03/2000
Status: Active Grant

First Claim

Patent Images

1-12. -12. (canceled)

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A network address translation gateway provides normal network translation for IP datagrams traveling from a local area network using local IP addresses to an external network, but suspends source service address (port) translation when the port is reserved for a specific protocol, such as the ISAKMP “handshaking” protocol that is part of the IPSec protocol model. ISAKMP exchanges require both source and target computers to use the same service address (port). By providing a network interface that does not translate the source service address (port), this gateway enables the initiation and maintenance of secure, encrypted transmissions using IPSec protocol between a local area network using local IP addresses and servers on the internet.

37 Citations

View as Search Results

52 Claims

1-12. -12. (canceled)

13. A method, comprising:
- receiving a first internet protocol (IP) packet at a gateway connecting a first network to a second network, wherein the first packet is sent from a source in the first network, is directed to a destination in the second network, and includes source and destination port numbers;
  
  determining whether the first packet is an initiation request for a communication protocol, wherein the communication protocol specifies that, for an initiation request to succeed, a packet corresponding to the initiation request includes source and destination port numbers having a common, predetermined port number, and further specifies that the source and destination port numbers cannot be changed;
  
  if the first packet is an initiation request for the communication protocol and if no other initiation requests for the communication protocol are pending;
  
  forwarding the initiation request to its destination without changing the source and destination port numbers; and
  
  preventing initiation requests for the communication protocol from other sources from succeeding while the initiation request corresponding to the first packet is pending.
- View Dependent Claims (14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 14. The method of claim 13, wherein the communication protocol is IPSec, the first packet is an ISAKMP packet, the first network is a wide-area network, and the second network is a local-area network.
  - 15. The method of claim 13, further comprising, if the first packet is not an initiation request for the communication protocol, performing a network address translation on the first packet.
  - 16. The method of claim 13, wherein said preventing includes changing the port number of the first packet as part of a network address translation performed by the gateway.
  - 17. The method of claim 13, wherein the initiation request corresponding to the first packet is no longer pending upon receiving a response from the destination of the first packet.
  - 18. The method of claim 13, wherein the initiation request corresponding to the first packet is no longer pending upon the expiration of a predetermined time period during which a response to the initiation request of the first packet is not received by the gateway.
  - 19. The method of claim 13, further comprising, if the first packet is an initiation request for the communication protocol and another initiation request for the communication protocol is pending, preventing the initiation request corresponding to the first packet from being successful.
  - 20. The method of claim 13, further comprising, if the first packet is not an initiation request for the communication protocol, forwarding the first packet to its destination in the second network, including performing a network address translation on the first packet.
  - 21. The method of claim 13, wherein the communication protocol is IPSec, andthe method further comprising receiving a response to the initiation request of the first packet, wherein the response causes the initiation of an IPSec communication between the source and the destination.
  - 22. The method of claim 21, further comprising:
    - receiving an IPSec packet that includes a Security Parameter Index (SPI); and
      
      performing a network address translation of the IPSec packet based, at least in part, on the SPI.

23. A method, comprising:
- receiving a first internet protocol (IP) packet at a gateway coupled to a first network and a second network, wherein the first packet is received from a source in the first network and is directed to a destination in the second network;
  
  if the first packet is an ISAKMP packet;
  
  forwarding the first packet to the destination without changing source and destination port numbers included in the first packet; and
  
  changing the source and/or destination port numbers in any subsequent ISAKMP packets received at the gateway while a response to the first packet is pending.
- View Dependent Claims (24, 25, 26)
- - 24. The method of claim 23, further comprising receiving a response to the first packet, wherein the response causes the initiation of an IPSec communication between the source and destination.
  - 25. The method of claim 24, further comprisingreceiving an IPSec packet that includes a Security Parameter Index (SPI);
    - andperforming a network address translation of the IPSec packet based, at least in part, on the SPI.
  - 26. The method of claim 25, wherein the IPSec packet is associated with a virtual private network.

27. A method comprising:
- receiving, at a gateway, a first IPSec packet that includes a Security Parameter Index (SPI); and
  
  the gateway performing a network address translation of the first packet based, at least in part, on the SPI.
- View Dependent Claims (28, 29, 30, 31, 32, 33)
- - 28. The method of claim 27, wherein said performing includes accessing one or more stored values indicating associations between SPIs and source and/or destination addresses of packets received by the gateway.
  - 29. The method of claim 28, wherein the first IPSec packet is from a source address in a first network and directed to a destination address in a second network;
    - wherein the method further comprises;
      
      if the source address and the SPI of the IPSec packet are not currently stored, storing information indicative of the source address, the SPI, and the destination address of the IPSec packet.
  - 30. The method of claim 29, further comprising:
    - receiving, at the gateway, a second IPSec packet that includes a second SPI, wherein the second IPSec packet is from a source address in the second network that corresponds to the destination address of the first IPSec packet; and
      
      storing information associating the SPI of the second IPSec packet with the source address of the first IPSec packet and/or the destination address of the second IPSec packet.
  - 31. The method of claim 28, wherein the first IPSec packet is from a source address in a first network, and wherein the method further comprises:
    - if the source address and the SPI are not currently stored by the gateway, preventing transmission of the first IPSec packet.
  - 32. The method of claim 28, wherein the first IPSec packet is from a source address in a first network;
    - and the method further comprising;
      
      if the source address and the SPI are currently stored by the gateway, determining a destination address in a second network for the first IPSec packet; and
      
      transmitting the first IPSec packet to the destination address.
  - 33. The method of claim 27, further comprising:
    - transmitting the first IPSec packet to a destination based on the network address translation; and
      
      changing a source address of the first IPSec packet to an address of the gateway.

34. An apparatus, comprising:
- an interface to a first network;
  
  an interface to a second network;
  
  a gateway unit configured to;
  
  receive a first IP packet, wherein the first packet is sent from a source in the first network, is directed to a destination in the second network, and includes source and destination port numbers;
  
  determine whether the first packet is an initiation request for a communication protocol, wherein the communication protocol specifies that, for an initiation request to succeed, a packet corresponding to the initiation request includes source and destination port numbers having a common, predetermined port number, and further specifies that the source and destination port numbers cannot be changed during the initiation request;
  
  if the first packet is an initiation request for the communication protocol and if no other initiation requests for the communication protocol are pending;
  
  forward the initiation request to its destination without changing the source and destination port numbers; and
  
  prevent initiation requests for the communication protocol from other sources from succeeding while the initiation request corresponding to the first packet is pending.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43)
- - 35. The apparatus of claim 34, wherein the communication protocol is IPSec, the first packet is an ISAKMP packet, the first network is a wide-area network, and the second network is a local-area network.
  - 36. The apparatus of claim 34, wherein the gateway unit is further configured to perform a network address translation on the first packet if the first packet is not an initiation request for the communication protocol.
  - 37. The apparatus of claim 34, wherein the gateway unit is further configured to change the port number of the first packet as part of preventing initiation requests from succeeding.
  - 38. The apparatus of claim 34, wherein the initiation request corresponding to the first packet is pending until a response to the initiation request is received or the initiation request times out.
  - 39. The apparatus of claim 34, wherein, if the first packet is an initiation request for the communication protocol and another initiation request for the communication protocol is pending, the gateway unit is configured to prevent the initiation request corresponding to the first packet from being successful.
  - 40. The apparatus of claim 34, wherein, if the first packet is not an initiation request for the communication protocol, the gateway unit is configured to forward the first packet to its destination in the second network.
  - 41. The apparatus of claim 40, wherein the gateway unit is further configured to perform a network address translation on the first packet.
  - 42. The apparatus of claim 34, wherein the communication protocol is IPSec;
    - andwherein a response to the initiation request of the first packet causes the initiation of an IPSec communication between the source and the destination.
  - 43. The apparatus of claim 42, wherein the gateway unit is further configured to:
    - receive an IPSec packet that includes a Security Parameter Index (SPI); and
      
      perform a network address translation of the IPSec packet that is based, at least in part, on the SPI.

44. An apparatus, comprising:
- an interface to a first network;
  
  an interface to a second network;
  
  a gateway unit configured to;
  
  receive a first internet protocol (IP) packet, wherein the first packet is received from a source in the first network and directed to a destination in the second network;
  
  if the first packet is an ISAKMP packet;
  
  forward the first packet to the destination without changing source and destination port numbers included in the first packet; and
  
  change the source and/or destination port numbers in any subsequent ISAKMP packets received at the gateway until a response is received to the first packet.
- View Dependent Claims (45, 46, 47)
- - 45. The apparatus of claim 44, wherein the gateway unit is further configured to receive a response to the first packet that causes the initiation of an IPSec communication between the source and the destination.
  - 46. The apparatus of claim 45, wherein the gateway unit is further configured to:
    - receive an IPSec packet that includes a Security Parameter Index (SPI); and
      
      perform a network address translation of the IPSec packet that is based, at least in part, on the SPI.
  - 47. The apparatus of claim 46, wherein the IPSec packet is associated with a virtual private network.

48. An apparatus, comprising:
- an interface to a first network;
  
  an interface to a second network;
  
  a gateway unit configured to;
  
  receive a first IPSec packet that includes a Security Parameter Index (SPI);
  
  perform a network address translation of the first packet that is based, at least in part, on the SPI.
- View Dependent Claims (49, 50, 51, 52)
- - 49. The apparatus of claim 48, wherein the gateway unit is further configured to store information associating a source address of a packet and a destination address of the first IPSec packet to an SPI;
    - andwherein the network address translation is based, at least in part, on the stored information.
  - 50. The apparatus of claim 49, wherein the first IPSec packet is received from a source address in the first network and is directed to a destination address in the second network;
    - andwherein, if the source address and the SPI of the IPSec packet are not currently stored by the apparatus, the gateway unit is configured to store the source address, the SPI, and the destination address of the IPSec packet.
  - 51. The apparatus of claim 50, wherein the gateway unit is further configured to:
    - receive a second IPSec packet including a second SPI, wherein the second IPSec packet is from a source address in the second network that corresponds to the destination address of the first IPSec packet; and
      
      store information associating the second SPI with the source address of the first IPSec packet.
  - 52. The apparatus of claim 49, wherein the first IPSec packet is from a source address in the first network and is directed to a destination address in the second network;
    - andwherein the gateway unit is further configured to prevent transmission of the first IPSec packet if the source address and the SPI are not currently stored by the apparatus.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Israel Daniel Sultan
Inventors
Sultan, Israel Daniel

Granted Patent

US 8,165,140 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/401
CPC Class Codes

H04L 2101/663   Transport layer addresses, ...

H04L 61/00   Network arrangements, proto...

H04L 61/2514   between local and global IP...

H04L 61/2517   using port numbers

H04L 61/255   Maintenance or indexing of ...

H04L 61/2564   for a higher-layer protocol...

H04L 63/0272   Virtual private networks

H04L 63/0442   wherein the sending and rec...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/162   involving adaptations of so...

NETWORK ADDRESS TRANSLATION GATEWAY FOR LOCAL AREA NETWORKS USING LOCAL IP ADDRESSES AND NON-TRANSLATABLE PORT ADDRESSES

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

37 Citations

52 Claims

Specification

Use Cases

Quick Links

Others

NETWORK ADDRESS TRANSLATION GATEWAY FOR LOCAL AREA NETWORKS USING LOCAL IP ADDRESSES AND NON-TRANSLATABLE PORT ADDRESSES

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

37 Citations

52 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others