Method and systems for routing packets from a gateway to an endpoint

US 8,363,650 B2
Filed: 07/22/2005
Issued: 01/29/2013
Est. Priority Date: 07/23/2004
Status: Active Grant

First Claim

Patent Images

1. A method for routing packets from a gateway to an endpoint, the method comprising:

(a) assigning, by an addressing element executing in user mode memory space of a gateway, a private internet protocol (IP) address of a private network to an endpoint having a public IP address, the gateway not providing the private IP address to the endpoint;

(b) capturing, by a driver executing in kernel mode memory space of the gateway at a Media Access Control (MAC) layer, a packet from a server on the private network destined for an application of the endpoint communicated via a first transport layer connection between the gateway and the server, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to the private IP address of the endpoint arrives from the server;

(c) applying, by a policy engine executing in user mode memory space of the gateway and in communication with the management process, a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source;

(d) modifying, by the addressing element executing in user mode memory space, responsive to the determination, the packet to be addressed to the public IP address of the endpoint; and

(e) transmitting, by the gateway, the packet to the public IP address of the endpoint via a second transport layer connection between the gateway and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.

View all claims

7 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for routing packets from a gateway to an endpoint includes the step of associating a private internet protocol (IP) address with an endpoint having a public IP address. A packet addressed to the private IP address of the endpoint is captured. A policy is applied to the packet. The packet is transmitted to the public IP address of the endpoint, responsive to the application of the policy to the packet.

687 Citations

33 Claims

1. A method for routing packets from a gateway to an endpoint, the method comprising:
- (a) assigning, by an addressing element executing in user mode memory space of a gateway, a private internet protocol (IP) address of a private network to an endpoint having a public IP address, the gateway not providing the private IP address to the endpoint;
  
  (b) capturing, by a driver executing in kernel mode memory space of the gateway at a Media Access Control (MAC) layer, a packet from a server on the private network destined for an application of the endpoint communicated via a first transport layer connection between the gateway and the server, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to the private IP address of the endpoint arrives from the server;
  
  (c) applying, by a policy engine executing in user mode memory space of the gateway and in communication with the management process, a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source;
  
  (d) modifying, by the addressing element executing in user mode memory space, responsive to the determination, the packet to be addressed to the public IP address of the endpoint; and
  
  (e) transmitting, by the gateway, the packet to the public IP address of the endpoint via a second transport layer connection between the gateway and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein step (b) further comprises capturing, by a driver on the gateway, the packet addressed to the private IP address of the endpoint.
  - 3. The method of claim 2, wherein the driver executes in a kernel of the gateway.
  - 4. The method of claim 3, wherein step (b) further comprises capturing, by the driver, Ethernet traffic addressed to the endpoint, and forwarding the Ethernet traffic to a management process operating in user mode.
  - 5. The method of claim 4, wherein step (b) further comprises forwarding by the management process the Ethernet traffic to a policy engine.
  - 6. The method of claim 1, wherein step (c) further comprises determining by a policy engine whether the packet originated from a trusted source.
  - 7. The method of claim 1, wherein step (c) further comprises applying an access control list to the packet.
  - 8. The method of claim 1, wherein step (e)further comprises performing a network address translation to transform the private IP address of the endpoint to the public IP address of the endpoint.

9. A device for routing packets as a gateway to an endpoint, the device comprising:
- an addressing element, executing in user mode memory space of the device, assigning a private IP address of a private network to an endpoint having a public IP address, the addressing element not providing the private IP address to the endpoint;
  
  a receiver executing in kernel mode memory space, intercepting at a Media Access Control (MAC) layer of the device, a packet from the server destined for an application of the endpoint, to forward to a management process executing in user mode memory space, the management process having requested notification from the receiver when a packet addressed to the private IP address of the endpoint arrives from a server on the private network, the receiver intercepting the packet communicated via a first transport layer connection between the device and the server;
  
  a policy engine executing in user mode memory space in communication with the management process, receiving the packet, and applying a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source,wherein the addressing element executing in user mode memory space modifies the packet to be addressed to the public IP address of the endpoint responsive to the determination; and
  
  a transmitter in communication with the addressing element, transmitting the packet to the endpoint via a second transport layer connection between the device and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26)
- - 10. The device of claim 9, wherein the receiver comprises a driver operating in a kernel of the device.
  - 11. The device of claim 9, comprises a driver in compliance with a Network Driver Interface Specification (NDIS).
  - 12. The device of claim 9, wherein the receiver intercepts Ethernet traffic addressed to the endpoint and forwards the Ethernet traffic to a management process operating in user mode.
  - 13. The device of claim 9, wherein the receiver forwards the intercepted packet to the policy engine.
  - 14. The device of claim 13, wherein the receiver process executes in kernel mode.
  - 15. The device of claim 9, wherein the receiver is a process.
  - 16. The device of claim 9, wherein the policy engine is a process.
  - 17. The device of claim 16, wherein the policy engine process executes in user mode.
  - 18. The device of claim 9, wherein the policy engine applies an access control list to the packet.
  - 19. The device of claim 9, wherein the addressing element further comprises transforming a private internet protocol (IP) address of the packet to the public IP address associated with the endpoint.
  - 20. The device of claim 9, wherein the transmitter transmits the packet to an endpoint over a secure sockets layer (SSL) tunnel.
  - 21. The device of claim 9, wherein the transmitter is a process.
  - 22. The device of claim 21, wherein the transmitter process executes in kernel mode.
  - 23. The device of claim 9, wherein the policy is an access control policy.
  - 24. The device of claim 9, wherein the policy determines whether the packet originated from a trusted source.
  - 25. The device of claim 9, wherein the policy engine provides a configuration setting for capturing the packet.
  - 26. The device of claim 9, wherein the application of the policy further comprises performing at least one of:
    - access control list matching and deep packet inspection.

27. A system for routing packets from a gateway to an endpoint, the system comprising:
- a gateway, in communication with an endpoint on a public network and a server on a private network,an addressing element, executing in user mode memory space of the gateway, assigning a private internet protocol (IP) address of the private network with a public IP address of the endpoint on the public network and establishing a first transport layer connection with the server, the gateway not providing the private IP address to the endpoint;
  
  a driver executing in kernel mode memory space of the gateway, intercepting at a Media Access Control (MAC) layer, a packet from a server destined for an application of the endpoint, the packet communicated via the first transport layer connection, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to the private IP address of the endpoint arrives from the server;
  
  a policy engine executing in user mode memory space of the gateway and in communication with the management process, applying a policy to the packet to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source; and
  
  wherein the addressing element executing in user mode memory space modifies the packet to be addressed to the public IP address of the endpoint responsive to the determination, and the gateway transmits the packet to the public IP address of the endpoint via a second transport layer connection between the gateway and a client application of the endpoint, responsive to the modification, the client application terminating a third transport layer connection with the application.
- View Dependent Claims (28, 29, 30, 31, 32)
- - 28. The system of claim 27, wherein the driver operates in a kernel of the gateway and forwards the packet to the policy engine operating in user mode.
  - 29. The system of claim 27, wherein the policy engine operating in user mode applies the policy to the packet and forwards the packet to a transmitter operating in kernel mode via the addressing element.
  - 30. The system of claim 27, wherein the transmitter transmits the packet via an encrypted tunnel of the second transport layer connection to the client application.
  - 31. The system of claim 27, wherein the gateway terminates the first transport layer connection with the server and terminates the second transport layer connection with the client application.
  - 32. The system of claim 27, wherein the client application provides the packet to the application on the endpoint via the third transport layer connection.

33. A method for routing packets from a gateway to an endpoint, the method comprising:
- (a) receiving, by a gateway, a request to a server from an application of an endpoint, the application terminating a first transport layer connection with a client application at the endpoint, the client application having a second transport layer connection with the gateway, the gateway having a third transport layer connection with the server in a private network;
  
  (b) capturing, by a driver executing in kernel mode memory space of the gateway at a Media Access Control (MAC) layer, a packet from the server communicated via the third transport layer connection, to forward to a management process executing in user mode memory space of the gateway, the management process having requested notification from the driver when a packet addressed to a private internet protocol (IP) address of the endpoint arrives from the server;
  
  (c) applying, by a policy engine executing in user mode memory space of the gateway and in communication with the management process, a policy to determine whether to transmit the packet to the endpoint based on whether the packet originated from a trusted source;
  
  (d) modifying, by an addressing element executing in user mode memory space of the gateway, the packet to be addressed to a public IP address of the endpoint responsive to the determination; and
  
  (e) transmitting, by the gateway via the second transport layer connection, the packet to the public IP address of the endpoint responsive to the modification, the packet destined for the application via the first transport layer connection, wherein the addressing element assigns the public IP address to the endpoint having the private IP address and does not provide the private IP address to the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
Rao, Goutham P., Rodriguez, Robert A., Brueggemann, Eric R.
Primary Examiner(s)
Rinehart, Mark
Assistant Examiner(s)
BROCKMAN, ANGEL T

Application Number

US11/161,091
Publication Number

US 20060029063A1
Time in Patent Office

2,748 Days
Field of Search

370229-231, 370/389, 709223-226
US Class Current

370/389
CPC Class Codes

H04L 12/2856   Access arrangements, e.g. I...

H04L 12/2898   Subscriber equipments DSL m...

H04L 45/00   Routing or path finding of ...

H04L 45/72   Routing based on the source...

H04L 47/20   Traffic policing

H04L 61/00   Network arrangements, proto...

H04L 61/2514   between local and global IP...

H04L 61/2557   Translation policies or rules

H04L 63/0227   Filtering policies mail mes...

H04L 63/0272   Virtual private networks

H04L 63/101   Access control lists [ACL]

H04L 63/164   at the network layer

H04L 63/166   at the transport layer

H04L 63/20   for managing network securi...

Method and systems for routing packets from a gateway to an endpoint

First Claim

7 Assignments

0 Petitions

Accused Products

Abstract

687 Citations

33 Claims

Specification

Use Cases

Quick Links

Others

Method and systems for routing packets from a gateway to an endpoint

First Claim

7 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

687 Citations

33 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others