Translating packet addresses based upon a user identifier

US 6,154,839 A
Filed: 04/23/1998
Issued: 11/28/2000
Est. Priority Date: 04/23/1998
Status: Expired due to Term

First Claim

Patent Images

1. A method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:

receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including, a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;

reading the user identifier from the data packet;

using the user identifier to determine communication privileges associated with the user;

replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;

wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and

forwarding the data packet to the protected destination node through the firewall;

whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.

View all claims

19 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

One embodiment of the present invention includes a system that translates addresses in a data packet based upon a user identifier in the data packet. The system receives the data packet sent from a source node to a destination node by a user. This data packet includes a source address of the source node, a destination address of the destination node and the user identifier that identifies the user. The system uses the user identifier to look up communication privileges associated with the user. If the communication privileges allow the user to communicate with the destination node, the system replaces the source address in the data packet with a privileged address, and forwards the data packet to the destination node. In a variation on this embodiment, the privileged address is recognized by a system firewall so that it facilitates passage of the packet through firewall. In another variation, the privileged address specifies a return address of a given address translation unit and thereby facilitates load balancing across multiple address translation units. In a further variation, the system receives a reply packet from the destination node directed to the privileged address, and replaces the privileged address in the reply packet with the source address so that the reply packet is directed to the source node, before forwarding the reply packet to the source node. In another variation, receiving the reply packet includes acting as a proxy for the privileged address under the address resolution protocol. Another variation further includes authenticating, encrypting and optionally compressing the data packet.

421 Citations

25 Claims

1. A method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:
- receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including, a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
  
  reading the user identifier from the data packet;
  
  using the user identifier to determine communication privileges associated with the user;
  
  replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
  
  wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and
  
  forwarding the data packet to the protected destination node through the firewall;
  
  whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, further comprising:
    - receiving a reply packet from the protected destination node directed to the privileged address through the firewall;
      
      replacing the privileged address in the reply packet with the source address so that the reply packet is directed to the source node; and
      
      forwarding the reply packet to the source node.
  - 3. The method of claim 2, wherein receiving the reply packet includes acting as a proxy for the privileged address under the address resolution protocol.
  - 4. The method of claim 1, further comprising authenticating the data packet by looking up an authentication key for the data packet, and using the authentication key to authenticate the data packet.
  - 5. The method of claim 4, wherein looking up the authentication key includes looking up the authentication key based upon the user identifier.
  - 6. The method of claim 1, further comprising encrypting the data packet.
  - 7. The method of claim 1, further comprising:
    - associating the user identifier with the source node; and
      
      if a packet is subsequently received with the user identifier from a node other than the source node, indicating a possible network attack.
  - 8. The method of claim 1, wherein receiving the data packet includes receiving the data packet at a virtual private network unit, the virtual private network unit being coupled to a public network and providing secure communications on the public network for communications that pass through the virtual private network unit.
  - 9. The method of claim 1, wherein receiving the data packet includes receiving the data packet at a network router.
  - 10. The method of claim 1, wherein the privileged address is retrieved from a pool of privileged addresses.
  - 11. The method of claim 1, wherein the source node is a remote client that can assume different source addresses for different connection sessions.

12. A method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:
- receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including, a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
  
  reading the user identifier from the data packet;
  
  authenticating the data packet by looking up an authentication key for the data packet using the user identifier, and using the authentication key to authenticate the data packet;
  
  using the user identifier to determine communication privileges associated with the user;
  
  replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
  
  wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall;
  
  forwarding the data packet to the protected destination node through the firewall;
  
  whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall;
  
  receiving a reply packet from the protected destination node directed to the privileged address through the firewall;
  
  replacing the privileged address in the reply packet with the source address so that the reply packet is directed to the source node; and
  
  forwarding the reply packet to the source node.
- View Dependent Claims (13)
- - 13. The method of claim 12, further comprising encrypting the data packet.

14. An apparatus that translates addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, comprising:
- a packet receiving mechanism, for receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including, a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
  
  a packet storage unit, coupled to the packet receiving mechanism, for storing the data packet;
  
  a communication privilege determination mechanism, in communication with the packet storage unit, that is configured to determines communication privileges associated with the user based upon the user identifier;
  
  a replacement mechanism, in communication with the packet storage unit, that replaces the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
  
  wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and
  
  a packet forwarding unit, coupled to the packet storage unit, that forwards the data packet to the protected destination node through the firewall;
  
  whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22, 23, 24)
- - 15. The apparatus of claim 14, further comprising:
    - a reply receiving mechanism, for receiving a reply packet from the protected destination node directed to the privileged address through the firewall; and
      
      wherein the replacement mechanism is configured to replace the privileged address in the reply packet with the source address so that the reply packet is directed to the source node.
  - 16. The apparatus of claim 15, wherein the reply receiving mechanism is configured to act as a proxy for the privileged address under the address resolution protocol.
  - 17. The apparatus of claim 14, further comprising an authentication mechanism, coupled to the packet storage unit, for authenticating the data packet.
  - 18. The apparatus of claim 17, wherein the authentication mechanism is configured to look up the authentication key based upon the user identifier.
  - 19. The apparatus of claim 14, further comprising an encryption mechanism in communication with the packet storage unit, for encrypting the packet.
  - 20. The apparatus of claim 14, further comprising a user identifier association unit, for associating the user identifier with the source node, and if a data packet is subsequently received with the user identifier from a node other than the source node, indicating a possible network attack.
  - 21. The apparatus of claim 14, wherein the apparatus is part of a virtual private network unit, the virtual private network unit being coupled to a public network and providing secure communications on the public network for communications that pass through the virtual private network unit.
  - 22. The apparatus of claim 14, wherein the apparatus is part of a network router.
  - 23. The apparatus of claim 14, wherein the replacement mechanism is configured to retrieve the privileged address from a pool of privileged addresses.
  - 24. The apparatus of claim 14, wherein the source node is a remote client that can assume different source addresses for different connection sessions.

25. A program storage device storing instructions that when executed by a computer perform a method for translating addresses for a data packet based upon a user identifier in the data packet in order to forward the data packet through a firewall, the method comprising:
- receiving the data packet sent by a user from a source node outside the firewall to a protected destination node within the firewall, the data packet including, a source address of the source node, a destination address of the protected destination node and the user identifier that identifies the user;
  
  reading the user identifier from the data packet;
  
  using the user identifier to determine communication privileges associated with the user;
  
  replacing the source address in the data packet with a privileged address from a set of privileged addresses recognized by the firewall if the communication privileges allow the user to communicate with the protected destination node;
  
  wherein the firewall is configured to allow only data packets from the set of privileged addresses to pass through the firewall; and
  
  forwarding the data packet to the protected destination node through the firewall;
  
  whereby the privileged address in the source field of the data packet allows the data packet to pass through the firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Avaya Incorporated
Original Assignee
VPNet Technologies, Inc. (Avaya Incorporated)
Inventors
Huntley, Bruce T., Hunt, William E., Hoke, Mark R., Bots, Henk J., Arrow, Leslie J.
Primary Examiner(s)
Barron, Jr., Gilberto

Application Number

US09/065,898
Time in Patent Office

950 Days
Field of Search

713/153, 713/162, 713/200, 713/201, 713/154, 709/245
US Class Current

713/154
CPC Class Codes

H04L 12/4641   Virtual LANs, VLANs, e.g. v...

H04L 61/2514   between local and global IP...

H04L 61/255   Maintenance or indexing of ...

H04L 61/2557   Translation policies or rules

H04L 63/0272   Virtual private networks

Translating packet addresses based upon a user identifier

First Claim

19 Assignments

0 Petitions

Accused Products

Abstract

421 Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Translating packet addresses based upon a user identifier

First Claim

19 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

421 Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links