TRANSPARENT PROVISIONING OF NETWORK ACCESS TO AN APPLICATION

US 20100103837A1
Filed: 11/12/2009
Published: 04/29/2010
Est. Priority Date: 06/23/2000
Status: Active Grant

First Claim

Patent Images

1. A method of transparently interfacing a first application to a network, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including a first application network interface capable of connecting the first application to the network, the network carrying a plurality of packets in a first format incompatible with the first application, each being transmitted by a source to at least one intended destination intended by the source, each of the plurality of packets comprising routing data operative to cause the forwarding of the packet via the network towards the at least one intended destination, the method comprising:

interfacing between the network and the first application network interface of the first application;

intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the at least one intended destination;

evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and

converting the intercepted packet from the first format to a second format compatible with the first application, storing information representative thereof and providing the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset

View all claims

9 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An apparatus and method for enhancing the infrastructure of a network such as the Internet is disclosed. A packet interceptor/processor apparatus is coupled with the network so as to be able to intercept and process packets flowing over the network. Further, the apparatus provides external connectivity to other devices that wish to intercept packets as well. The apparatus applies one or more rules to the intercepted packets which execute one or more functions on a dynamically specified portion of the packet and take one or more actions with the packets. The apparatus is capable of analyzing any portion of the packet including the header and payload. Actions include releasing the packet unmodified, deleting the packet, modifying the packet, logging/storing information about the packet or forwarding the packet to an external device for subsequent processing. Further, the rules may be dynamically modified by the external devices.

513 Citations

70 Claims

1. A method of transparently interfacing a first application to a network, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including a first application network interface capable of connecting the first application to the network, the network carrying a plurality of packets in a first format incompatible with the first application, each being transmitted by a source to at least one intended destination intended by the source, each of the plurality of packets comprising routing data operative to cause the forwarding of the packet via the network towards the at least one intended destination, the method comprising:
- interfacing between the network and the first application network interface of the first application;
  
  intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the at least one intended destination;
  
  evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  converting the intercepted packet from the first format to a second format compatible with the first application, storing information representative thereof and providing the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 2. The method of claim 1 further comprising forwarding the intercepted packet to the network if the intercepted packet is not one of the specified first subset.
  - 3. The method of claim 1 further comprising deleting the intercepted packet if the intercepted packet is not one of the specified first subset.
  - 4. The method of claim 1 further comprising:
    - receiving in response to the providing of the converted intercepted packet to the first application, from the first application via the first application interface, a response packet in the second format resulting from the performance of the first service by the first application with respect to the provided converted intercepted packet;
      
      converting the response packet from the second format to the first format based on the stored information; and
      
      forwarding the converted response packet to the network.
  - 5. The method of claim 4 wherein the converting of the intercepted packet further comprises modifying a portion of the intercepted packet from an original state to a modified state, the stored information being representative of the modification.
  - 6. The method of claim 5 wherein the converting of the response packet further comprises restoring the portion from the modified state to the original state.
  - 7. The method of claim 5 wherein the portion comprises at least a portion of the header of the intercepted packet.
  - 8. The method of claim 4 wherein the first format conforms to a first communications protocol and the second format conforms to a second communications protocol different from the first communications protocol.
  - 9. The method of claim 8 wherein the first format comprises IPv6 and the second format comprises IPv4.
  - 10. The method of claim 8 wherein the first format comprises multi-protocol label switching (“
    - MPLS”
      
      ) and the second format comprises Ethernet.
  - 11. The method of claim 4 further comprising modifying the first specification based on the intercepted packet, the response packet or a combination thereof, a subsequent intercepted packet being evaluated in accordance therewith.
  - 12. The method of claim 11 wherein the modification of the first specification excludes the subsequent intercepted packet from the first subset.
  - 13. The method of claim 11 wherein the subsequent intercepted packet was transmitted from the at least one destination to the source.
  - 14. The method of claim 1 wherein the specified first subset comprises all of the plurality of packets.
  - 15. The method of claim 1 wherein the first specification specifies the first subset based on at least the routing data.
  - 16. The method of claim 1 wherein the first specification specifies the first subset based on criteria other than only the routing data.
  - 17. The method of claim 16 wherein the criteria identifies the source of the intercepted packet as a subscriber to the first service.
  - 18. The method of claim 17 wherein the criteria is provided by the first application service provider.
  - 19. The method of claim 1 further comprising modifying the first specification based on the intercepted packet, a subsequent intercepted packet being evaluated in accordance therewith.
  - 20. The method of claim 19 wherein the modification of the first specification excludes the subsequent intercepted packet from the first subset.
  - 21. The method of claim 19 wherein the subsequent intercepted packet was transmitted from the at least one destination to the source.
  - 22. The method of claim 1 further comprising:
    - interfacing between the network and a second application network interface of a second application, the second application being provided by a second application service provider and operative to provide a second service via the network, the second application network interface being capable of connecting the second application to the network, wherein the first format is incompatible with the second application;
      
      wherein the evaluating further comprises evaluating the intercepted packet based on a second specification of a second subset of the plurality of packets with respect to which the second application is to perform the second service; and
      
      wherein the converting further comprises converting the intercepted packet from the first format to a third format compatible with the second application, storing information representative thereof and providing the converted intercepted packet to the second application via the second application network interface to facilitate the performance of the second service with respect to the intercepted packet, if the intercepted packet is one of the specified second subset.
  - 23. The method of claim 22 wherein the first and second services are the same, the first subset being different from the second subset.
  - 24. The method of claim 22 further comprising:
    - receiving, in response to the forwarding of the converted intercepted packet to the first application, from the first application via the first application interface, a response packet in the second format resulting from the performance of the first service by the first application with respect to the forwarded converted intercepted packet;
      
      receiving, in response to the forwarding of the converted intercepted packet to the second application, from the second application via the second application interface, a response packet in the third format resulting from the performance of the second service by the second application with respect to the forwarded converted intercepted packet;
      
      converting the response packet to the first format based on the stored information; and
      
      forwarding the converted response packet to the network.
  - 25. The method of claim 24 further comprising modifying the first specification, the second specification, or a combination thereof, based on the intercepted packet, the response packet or a combination thereof, a subsequent intercepted packet being evaluated in accordance therewith.
  - 26. The method of claim 25 wherein the modification of the first specification or second specification excludes the subsequent intercepted packet from the first subset or second subset respectively.
  - 27. The method of claim 25 where in the modification of the first specification excludes the subsequent intercepted packet from the first subset and the modification of the second specification includes the subsequent intercepted packet in the second subset.
  - 28. The method of claim 25 wherein the subsequent intercepted packet was transmitted from the at least one destination to the source.
  - 29. The method of claim 1, further comprising processing a subsequent packet intercepted subsequent to the intercepted packet based on the stored information.
  - 30. The method of claim 1, wherein the storing further comprises modifying the first specification based on the stored information wherein the first subset is altered thereby.
  - 31. The method of claim 1, wherein the first application is unaware of those intercepted packets which are not included in the first subset.
  - 32. The method of claim 1, wherein the at least one intended destination comprises the first application.
  - 33. The method of claim 1, wherein the first specification is provided by the first application service provider.

34. A system for transparently interfacing a first application to a network, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including a first application network interface capable of connecting the first application to the network, the network carrying a plurality of packets in a first format incompatible with the first application, each being transmitted by a source to at least one intended destination intended by the source, each of the plurality of packets comprising routing data operative to cause the forwarding of the packet via the network towards the at least one intended destination, the system comprising:
- a system network interface operative to interface between the network and the first application network interface of the first application;
  
  a packet interceptor coupled with the system network interface and operative to intercept each of at least a portion of the plurality of packets prior to a forwarding thereof toward the at least one intended destination;
  
  a packet evaluator coupled with the packet interceptor and operative to evaluate each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  a packet converter coupled with the packet evaluator and operative to convert the intercepted packet from the first format to a second format compatible with the first application, store information representative thereof and provide the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset.
- View Dependent Claims (35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57, 58, 59, 60, 61, 62, 63, 64, 65, 66)
- - 35. The system of claim 34 further comprising a packet forwarder coupled with the packet evaluator and operative to forward the intercepted packet to the network if the intercepted packet is not one of the specified first subset.
  - 36. The system of claim 34 a packet remover coupled with the packet evaluator and operative to delete the intercepted packet if the intercepted packet is not one of the specified first subset.
  - 37. The system of claim 34 wherein the packet converter is further operative to receive, in response to having provided the converted intercepted packet to the first application, from the first application via the first application interface, a response packet in the second format as a result of the performance of the first service by the first application with respect to the provided converted intercepted packet, the packet converter being further operative to convert the response packet from the second format to the first format based on the stored information;
    - andwherein the system further comprises a packet forwarder coupled with the packet converter and operative to forward the converted response packet to the network.
  - 38. The system of claim 37 wherein the packet converter is further operative to modify a portion of the intercepted packet from an original state to a modified state, the stored information being representative of the modification.
  - 39. The system of claim 38 wherein the packet converter is further operative to restore the portion from the modified state to the original state.
  - 40. The system of claim 38 wherein the portion comprises at least a portion of the header of the intercepted packet.
  - 41. The system of claim 37 wherein the first format conforms to a first communications protocol and the second format conforms to a second communications protocol different from the first communications protocol.
  - 42. The system of claim 41 wherein the first format comprises IPv6 and the second format comprises IPv4.
  - 43. The system of claim 41 wherein the first format comprises multi-protocol label switching (“
    - MPLS”
      
      ) and the second format comprises Ethernet.
  - 44. The system of claim 37 wherein the packet converter is further operative to modify the first specification based on the intercepted packet, the response packet or a combination thereof, a subsequent intercepted packet being evaluated in accordance therewith.
  - 45. The system of claim 44 wherein the modification of the first specification excludes the subsequent intercepted packet from the first subset.
  - 46. The system of claim 44 wherein the subsequent intercepted packet was transmitted from the at least one destination to the source.
  - 47. The system of claim 34 wherein the specified first subset comprises all of the plurality of packets.
  - 48. The system of claim 34 wherein the first specification specifies the first subset based on at least the routing data.
  - 49. The system of claim 34 wherein the first specification specifies the first subset based on criteria other than only the routing data.
  - 50. The system of claim 49 wherein the criteria identifies the source of the intercepted packet as a subscriber to the first service.
  - 51. The system of claim 50 wherein the criteria is provided by the first application service provider.
  - 52. The system of claim 34 wherein the packet converter is further operative to modify the first specification based on the intercepted packet, a subsequent intercepted packet being evaluated in accordance therewith.
  - 53. The system of claim 52 wherein the modification of the first specification excludes the subsequent intercepted packet from the first subset.
  - 54. The system of claim 52 wherein the subsequent intercepted packet was transmitted from the at least one destination to the source.
  - 55. The system of claim 34 wherein:
    - the system network interface is further operative to interface between the network and a second application network interface of a second application, the second application being provided by a second application service provider and operative to provide a second service via the network, the second application network interface being capable of connecting the second application to the network, wherein the first format is incompatible with the second application;
      
      wherein the packet evaluator is further operative to evaluate the intercepted packet based on a second specification of a second subset of the plurality of packets with respect to which the second application is to perform the second service; and
      
      wherein the packet converter is further operative to convert the intercepted packet from the first format to a third format compatible with the second application, store information representative thereof and provide the converted intercepted packet to the second application via the second application network interface to facilitate the performance of the second service with respect to the intercepted packet, if the intercepted packet is one of the specified second subset.
  - 56. The method of claim 55 wherein the first and second services are the same, the first subset being different from the second subset.
  - 57. The system of claim 55 wherein:
    - the packet converter is further operative to receive, in response to the forwarding of the converted intercepted packet to the first application, from the first application via the first application interface, a response packet in the second format as a result of the performance of the first service by the first application with respect to the forwarded converted intercepted packet;
      
      the packet converter is further operative to receive, in response to the forwarding of the converted intercepted packet to the second application, from the second application via the second application interface, a response packet in the third format as a result of the performance of the second service by the second application with respect to the forwarded converted intercepted packet;
      
      the packet converter being further operative to convert the response packet to the first format based on the stored information; and
      
      wherein the system further comprises a packet forwarder coupled with the packet converter and operative to forward the converted response packet to the network.
  - 58. The system of claim 57 wherein the packet converter is further operative to modify the first specification, the second specification, or a combination thereof, based on the intercepted packet, the response packet or a combination thereof, a subsequent intercepted packet being evaluated in accordance therewith.
  - 59. The system of claim 58 wherein the modification of the first specification or second specification excludes the subsequent intercepted packet from the first subset or second subset respectively.
  - 60. The system of claim 58 where in the modification of the first specification excludes the subsequent intercepted packet from the first subset and the modification of the second specification includes the subsequent intercepted packet in the second subset.
  - 61. The system of claim 58 wherein the subsequent intercepted packet was transmitted from the at least one destination to the source.
  - 62. The system of claim 34, wherein the packet evaluator is further operative to evaluate a subsequent packet intercepted subsequent to the intercepted packet based on the stored information.
  - 63. The system of claim 34, wherein the packet converter is further operative to modify the first specification based on the stored information wherein the first subset is altered thereby.
  - 64. The system of claim 34, wherein the first application is unaware of those intercepted packets which are not included in the first subset.
  - 65. The system of claim 34, wherein the at least one intended destination comprises the first application.
  - 66. The system of claim 34, wherein the first specification is provided by the first application service provider.

67. A system for transparently interfacing a first application to a network, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including a first application network interface capable of connecting the first application to the network, the network carrying a plurality of packets in a first format incompatible with the first application, each being transmitted by a source to at least one intended destination intended by the source, each of the plurality of packets comprising routing data operative to cause the forwarding of the packet via the network towards the at least one intended destination, the system comprising a processor and a memory coupled with the processor, the system further comprising:
- a system network interface coupled with the processor and operative to interface between the network and the first application network interface of the first application;
  
  first logic stored in the memory and executable by the processor to cause the system network interface to intercept each of at least a portion of the plurality of packets prior to a forwarding thereof toward the at least one intended destination;
  
  second logic stored in the memory and executable by the processor to evaluate each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  third logic stored in the memory and executable by the processor to convert the intercepted packet from the first format to a second format compatible with the first application, store information representative thereof and provide the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset.
- View Dependent Claims (68)
- - 68. The system of claim 67 wherein the third logic is further executable by the processor to receive, in response to having provided the converted intercepted packet to the first application, from the first application via the first application interface, a response packet in the second format as a result of the performance of the first service by the first application with respect to the provided converted intercepted packet, the packet converter being further operative to convert the response packet from the second format to the first format based on the stored information;
    - andwherein the system further comprises fourth logic stored in the memory and executable by the processor to forward the converted response packet to the network.

69. A system for transparently interfacing a first application to a network, the first application being provided by a first application service provider and operative to provide a first service via the network, the first application including a first application network interface capable of connecting the first application to the network, the network carrying a plurality of packets in a first format incompatible with the first application, each being transmitted by a source to at least one intended destination intended by the source, each of the plurality of packets comprising routing data operative to cause the forwarding of the packet via the network towards the at least one intended destination, the system comprising:
- means for interfacing between the network and the first application network interface of the first application;
  
  means for intercepting each of at least a portion of the plurality of packets prior to a forwarding thereof toward the at least one intended destination;
  
  means for evaluating each of the intercepted packets based on a first specification of a first subset of the plurality of packets with respect to which the first application is to perform the first service; and
  
  means for converting the intercepted packet from the first format to a second format compatible with the first application, storing information representative thereof and providing the converted intercepted packet to the first application via the first application network interface to facilitate the performance of the first service with respect to the intercepted packet, if the intercepted packet is one of the specified first subset
- View Dependent Claims (70)
- - 70. The system of claim 69 further comprising:
    - means for receiving in response to the providing of the converted intercepted packet to the first application, from the first application via the first application interface, a response packet in the second format resulting from the performance of the first service by the first application with respect to the provided converted intercepted packet;
      
      means for converting the response packet from the second format to the first format based on the stored information; and
      
      means for forwarding the converted response packet to the network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Lookingglass Cyber Solutions, LLC
Original Assignee
Lookingglass Cyber Solutions, LLC
Inventors
Goller, Sean M., Drown, Matthew Donald, Jungck, Peder J.

Granted Patent

US 9,444,785 B2
Time in Patent Office

Days
Field of Search
US Class Current

370/252
CPC Class Codes

H04L 12/2836   Protocol conversion between...

H04L 41/0213   Standardised network manage...

H04L 41/5054   Automatic deployment of ser...

H04L 61/4511   using domain name system [DNS]

H04L 63/0227   Filtering policies mail mes...

H04L 63/0263   Rule management

H04L 63/1458   Denial of Service

H04L 65/60   Network streaming of media ...

H04L 67/565   Conversion or adaptation of...

H04L 69/08   Protocols for interworking;...

H04L 69/169   Special adaptations of TCP,...

H04L 69/18   Multiprotocol handlers, e.g...

TRANSPARENT PROVISIONING OF NETWORK ACCESS TO AN APPLICATION

First Claim

9 Assignments

0 Petitions

Accused Products

Abstract

513 Citations

70 Claims

Specification

Solutions

Use Cases

Quick Links

TRANSPARENT PROVISIONING OF NETWORK ACCESS TO AN APPLICATION

First Claim

9 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

513 Citations

70 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links