Tunnelling of Information

US 20160373406A1
Filed: 09/02/2016
Published: 12/22/2016
Est. Priority Date: 06/15/1999
Status: Active Grant

First Claim

Patent Images

1-20. -20. (canceled)

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.

8 Citations

42 Claims

1-20. -20. (canceled)

21. A device comprising:
- a communication interface configured to communicate meaningful data-carrying User Datagram Protocol (UDP) datagrams with another device, wherein the communication involves at least one network address translation by at least one intermediate network address translator (NAT) arranged to maintain a mapping for the network address translation, wherein the at least one intermediate NAT is configured to reverse the mapping for reply UDP datagrams, and comprises a timer that times out the mapping after a period has passed without the at least one intermediate NAT performing a network address translation for the communication, anda controller configured to force sending of keepalive UDP datagrams from the device to the another device through the at least one intermediate NAT frequently enough to prevent the timer from timing out the mapping for the network address translation when no meaningful data-carrying UDP datagrams are communicated between the device and the another device, thereby forcing the at least one intermediate NAT to maintain the mapping for an additional period.
- View Dependent Claims (22, 23, 24, 25, 26, 27, 28, 29, 30)
- - 22. The device according to claim 21, wherein the keepalive UDP datagrams comprise, in headers of the keepalive UDP datagrams, IP address and port information that equals address information in the headers of the meaningful data-carrying UDP datagrams, wherein the keepalive UDP datagrams are handled in the same way as the meaningful data-carrying UDP datagrams.
  - 23. The device according to claim 22, wherein the at least one intermediate NAT comprises a port NAT.
  - 24. The device according to claim 22, wherein the sending of the keepalive UDP datagrams serves solely to prevent the time out of the mapping.
  - 25. The device according to claim 24, configured to send said keepalive UDP datagrams solely as keepalives without conveying any meaningful information to the another device.
  - 26. The device according to claim 21, wherein the controller is configured to determine that network address translations are occurring on the UDP datagrams.
  - 27. The device according to claim 21, wherein the controller is configured to cause sending of the keepalive UDP datagrams frequently enough so that the mapping of the network address translation remains in a cache of the at least one intermediate network address translator device.
  - 28. The device according to claim 21, wherein the controller is configured to send the keepalive UDP datagrams at a determined optimal frequency.
  - 29. The device according to claim 21, wherein the controller is configured to cause sending of multiple keepalive UDP datagrams within an estimated shortest time out period.
  - 30. The device according to claim 29, wherein the shortest time out period is 30 seconds.

31. A method for a communication device, comprising:
- communicating meaningful data-carrying User Datagram Protocol (UDP) datagrams with another device, wherein the communication involves at least one network address translation by at least one intermediate network address translator (NAT) configured to maintain a mapping for the network address translation so that the at least one intermediate NAT can reverse the mapping for reply UDP datagrams, the intermediate NAT having a timer that times out the mapping after a period has passed without the at least one intermediate NAT performing a network address translation for the communication, andsending keepalive UDP datagrams from the communication device to the another device through the at least one intermediate NAT frequently enough to prevent the timer from timing out the mapping for the network address translation when no meaningful data-carrying UDP datagrams are communicated between the communication device and the another device, thereby forcing the at least one intermediate NAT to maintain the mapping for an additional period.
- View Dependent Claims (32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 32. The method according to claim 31, wherein the keepalive UDP datagrams comprise, in headers of the keepalive UDP datagrams, IP address and port information that equals address information in headers of the meaningful data-carrying UDP datagrams such that the keepalive UDP datagrams are handled in the same way as the meaningful data-carrying UDP datagrams.
  - 33. The method according to claim 32, wherein the at least one intermediate NAT comprises a port NAT.
  - 34. The method according to claim 32, wherein the sending of the keepalive UDP datagrams serves solely to prevent the time out of the mapping.
  - 35. The method according to claim 34, comprising sending the keepalive UDP datagrams solely as keepalives without conveying any meaningful information to the other device.
  - 36. The method according to claim 31, comprising determining that network address translations are occurring on the UDP datagrams.
  - 37. The method according to claim 31, comprising sending the keepalive UDP datagrams frequently enough so that the mapping of the network address translation remains in a cache of the at least one intermediate network address translator.
  - 38. The method according to claim 31, comprising determining an optimal frequency of sending of the keepalive UDP datagrams.
  - 39. The method according to claim 38, wherein the determining comprises experimenting.
  - 40. The method according to claim 31, comprising causing sending of multiple keepalive UDP datagrams within an estimated shortest time out period.
  - 41. The method according to claim 40, wherein the shortest time out period is 30 seconds.

42. A non-transitory computer readable media comprising program code for causing an apparatus comprising a processor to perform instructions for:
- communication of meaningful data-carrying User Datagram Protocol (UDP) datagrams between a device and another device, wherein the communication involves at least one network address translation by at least one intermediate network address translator (NAT) configured to maintain a mapping for the network address translation so that the at least one intermediate NAT can reverse the mapping for reply UDP datagrams, wherein the NAT comprises a timer that times out the mapping after a period has passed without the at least one intermediate NAT performing a network address translation for the communication, andsending keepalive UDP datagrams from the device to the another device through the at least one NAT frequently enough to prevent the timer from timing out the mapping for the at least one network address translation when no meaningful data-carrying UDP datagrams are communicated between the device and the another device, thereby forcing the at least one intermediate NAT to maintain the mapping for an additional period.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
SSH Communications Security Oyj
Inventors
Kivinen, Tero, Ylonen, Tatu

Granted Patent

US 9,667,594 B2
Time in Patent Office

Days
Field of Search
US Class Current

1/1
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 2101/663   Transport layer addresses, ...

H04L 45/026   Details of "hello" or keep-...

H04L 61/00   Network arrangements, proto...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2553   Binding renewal aspects, e....

H04L 61/256   NAT traversal

H04L 61/2564   for a higher-layer protocol...

H04L 61/2575   using address mapping retri...

H04L 61/2578   without involvement of the ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 67/568   Storing data temporarily at...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/165 : Combined use of TCP and UDP...

View All

Tunnelling of Information

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

8 Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Tunnelling of Information

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

8 Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links