1. Field of the Invention
This invention relates to an intelligent router. More particularly, this invention relates to a router that is useful for providing internet access to a foreign or a guest station on a local network. This invention relates, even more particularly, to a computer system that acts as a routing apparatus, to a method of routing, to a method of intercepting IP packets from computers with unknown IP configuration, to a method of adapting intercepted IP traffic to a local network configuration, to a method of protecting the local network from malicious guest computers, to a network interface, and to a computer program product adapted to provide IP network access to a guest station.
2. Related Technology
For the sake of clarity, some background information will now be provided. A discussion of digital computers is provided first, followed by an explanation of computer systems and computer program products. After that, computer communications and networks are discussed.
After this foundation is provided, a problem is described with respect to networking and portable devices. To complete this description of related technology, one or more prior solutions to the problem are then discussed.
Digital computers have made possible many changes in the scientific, industrial, and commercial arenas. Today, many businesses cannot function without the aid of working information systems. Many special-purpose and general-purpose computers are well-known.
A block diagram of a simple general-purpose digital computer is shown in FIG. 1, although the drawing figure could also pertain equally well to a special-purpose digital computer, depending on the functionality provided. Reference numeral 10 indicates the general-purpose digital computer. Such a computer may include a central processing unit 100, also referred to as a CPU. The main memory 110 may be understood to be a RAM. The computer in this simplified diagram has only one I/O processor 120. The I/O processor 120 controls I/O devices 130. The I/O devices 130 may include a display, a keyboard, a printer, a disk drive, a mouse, and a network adapter 140, such as an Ethernet card or the like. It will be understood that this diagram is for explanatory purposes only, and is not intended in any way to limit the invention.
The CPU 100 includes a control unit, an ALU, and registers. The control unit is responsible for fetching instructions from main memory 110 and determining their type. The ALU performs operations, such as addition and Boolean AND, needed to carry out the instructions. The registers of the CPU 100 provide a small, high-speed memory used to store temporary results and certain control information. The registers may each be designated a certain function, or may be general-purpose registers. Included in the registers is a program counter PC, which points to the next instruction to be executed. There is also an instruction register IR, which holds the instruction currently being executed.
It will be appreciated that the CPU 100, the main memory 110, and the I/O processor 120 are interconnected by buses. Communications between these different units takes place across the buses. Of course, the network adapter 140 or any of the other I/O devices 130 may be designed so as to function without the I/O processor and, instead, be connected to the same bus used by the other main modules. Additionally, it is possible to have multiple displays, multiple network adapters 140, and so on.
Thus, it can be seen that a digital computer is an interconnection of digital modules. There are modules within the CPU 100, and the CPU, the main memory 110, and the I/O processor 120 also may be thought of as modules themselves. On a larger scale, when these components are all included in the same container, this container may be understood to be a module, and the different I/O devices (such as display and keyboard) may be understood to be modules themselves.
Here, the term "computer system" is to be understood to include at least a memory and a processor. In general, the memory will store, at one time or another, at least portions of an executable program code, and the processor will execute one or more of the instructions included in that executable program code. It will be appreciated that the term "executable program code" and the term "software" mean substantially the same thing for the purposes of this description. It is not necessary for this discussion that the memory and the processor be physically located in the same place. That is to say, the processor and the memory might be in different physical pieces of equipment or even in geographically distinct locations.
The term "computer program product" will now be explained. On a practical level, the software that enables the computer system to perform desired operations may be supplied on any one of a variety of media. Furthermore, the actual implementation of computer operations may be statements written in a programming language. Such programming language statements, when executed by a computer, cause the computer to act in accordance with the particular content of the statements. Furthermore, the software that enables a computer system to act in a predetermined manner may be provided in any number of forms including, but not limited to, original source code, assembly code, object code, machine language, compressed or encrypted versions of the foregoing, and any and all equivalents.
One of skill in the art will appreciate that "media", or "computer-readable media", as used here, may include a diskette, a tape, a compact disc, an integrated circuit, a ROM, a CD, a cartridge, a remote transmission via a communications circuit, or any other similar medium useable by computers. For example, to supply software for enabling a computer system to operate in a predetermined manner, the supplier might provide a diskette or might transmit the software in some form via satellite transmission, via a direct telephone link, or via the Internet. Thus, the term "computer readable medium" is intended to include all of the foregoing and any other medium by which software may be provided to a computer.
Although the enabling software might be "written on" a diskette, "stored in" an integrated circuit, or "carried over" a communications circuit, it will be appreciated that, for the purposes of this application, the computer usable medium may be referred to as "bearing" the software. Thus, the term "bearing" is intended to encompass the above and all equivalent ways in which software is associated with a computer usable medium. For the sake of simplicity, therefore, the term "program product" is used to refer to a computer useable medium, as defined above, which bears, in any form, software to enable a computer system to operate in a predetermined manner.
A user interface may be invocable by a running program. A user interface may be understood to mean any hardware, software, or combination of hardware and software that allows any user to interact with a computer system. Most programs have many interfaces of different types, e.g. a graphical interface for the user, a command line interface, a control interface (based on CORBA, JAVA-RMI, DCE or some other protocol). Here, it will be appreciated that the term "user interface" means all of these taken together.
For the purposes of this discussion, a user interface may be understood to include one or more user interface objects. User interface objects may include display regions, user activatable regions, and the like.
As is well understood, a display region is a region of a user interface which displays information to the user. A user activatable region is a region of a user interface, such as a button or a menu, which allows the user to take some action with respect to the user interface.
A user interface may be invoked by an application program. When an application program invokes a user interface, it is typically for the purpose of interacting with a user. It is not necessary, however, for the purposes herein, that an actual user ever interacts with the user interface. It is also not necessary, for the purposes herein, that the interaction with a user interface be performed by an actual user. That is to say, it is foreseen that a user interface may have interaction with another program, such as a program created using macro programming language statements that simulate the actions of a user with respect to the user interface.
FIG. 2 shows several computers of the type shown in FIG. 1 connected together in a network. In particular, computers 210, 220, 230, and 240 participate in a first network 200 (a second network is discussed further below). In the arrangement shown in FIG. 2, the computers 210-240 attached to the first network 200 can all communicate with each other. The computers 210-240 may be referred to as stations participating in network 200. Furthermore, the computers 210-240 normally participate in this first network 200 and may be thought of as "regular stations" or "regular machines" of the network 200.
FIG. 3 shows the first network 200 and a second network 300. The second network 300 has several regular stations 310, 320, 330, and 340. Each of the stations 310-340 shown in FIG. 3 may be a digital computer 10 as shown in FIG. 1. The stations 310-340 can all communicate with each other by virtue of the second network 300, but cannot communicate with any of the stations 210-240 of the first network 200, in the arrangement shown in FIG. 3. This is because there is no interconnection between network 200 and network 300.
Although it may be possible to put all of the stations 210-240 and 310-340 on a single, larger network, this is not always desirable or possible. A typical solution to effecting communication between networks is to provide some kind of connection between the networks that keeps the networks separate, but allows for communications to pass from one to the other.
FIG. 4 shows the first network 200 and the second network 300 in a more conceptual manner. In particular, networks 200 and 300 are represented by blobs with dashed lines in FIG. 4 so as to help focus the discussion away from any particular topology (such as that shown in FIGS. 2 and 3) and toward the concept of internetworking. A third network 400 and respective regular stations 410, 420, 430, and 440 also are shown.
FIG. 5 is similar to FIG. 4, except that the three networks 200, 300, 400 are shown connected to a network 500 which may be thought of as a network for interconnecting networks 200-400. Network 500 may, more specifically, be referred to as an inter-network. The first network 200 connects to inter-network 500 via access station 502. The second network 300 connects to the inter-network 500 via access station 503. The third network 400 connects to the inter-network 500 via access station 504. The inter-network 500 may be a network of any size, and may include switching nodes. In fact, the inter-network 500 may include many intermediate networks, such as is the case with the Internet.
A brief description of how the networks 200-400 and inter-network 500 operate will now be provided.
In its simplest form, communications between computers may take place between two devices that are directly connected by some form of point-to-point transmission medium. Often, however, it is impractical for two devices to be directly, point-to-point connected. When devices are far apart, and it is too expensive to arrange for a dedicated link between the two devices, or when there is a set of devices, each of which may require a link to many of the others at various times, computer networking is the solution.
The individual stations 210-240, 310-340, and 410-440 may be referred to also as users, or machines, although other terms are equally acceptable. Stations may be any of several types of communicating digital computers, and are all in communication with an access node.
In a communication network, data may be transferred from source to destination through a series of intermediate nodes. These nodes are not concerned with the content of the data but exist to provide a forwarding facility that will move the data from node to node until the data reaches the destination. One kind of a network is a circuit-switched network. In a circuit-switched network, a dedicated communications path is established between two stations through the nodes of the network. On each link between the intermediate nodes, a logical channel is dedicated to the connection.
Another kind of network is a store-and-forward network, which may be referred to herein as a packet network. With a packet network, it is not necessary to dedicate transmission capacity along a path through the network. Instead, data are sent out in a sequence of small pieces called packets. Each packet is passed through the network from node to node. A participating node first receives the packet, stores it in memory, consults its forwarding table in order to determine an outbound network interface, and sends the packet through that interface to the next hop. The forwarding table is periodically computed by means of a routing protocol, such as RIP or OSPF. Packet-networks are commonly used in computer to computer communications.
A very high degree of cooperation between computer systems is required in order to communicate from a source computer (or source station) through a network to a destination computer (or destination station). The exchange of information between computers for the purpose of such cooperative action may be understood to be computer communications. Similarly, when two or more computers are interconnected via a communication network, the set of computer stations may be referred to in general as a computer network.
A protocol may be understood to refer to the set of rules governing the exchange of data between computers. Many different protocols may be in operation at any one time when two different computers are communicating with each other. In fact, the structured set of protocols that implement all of the different communications between computers may be referred to as a computer communications architecture. One example of a well-known computer communications architecture is the open systems interconnection (OSI) model. Another example is SNA. Yet another example, which relates to the Internet, is TCP/IP.
Addressing and routing are critical issues in a packet (i.e. store-and-forward) network. The primary function of a packet network, at its lowest level, may be understood to be accepting packets from a source station and delivering them to a destination station. More than one route from source to destination is typically possible, and a routing function must be performed. The selection of a route for a packet at a particular node may be understood to be the function of routing. An apparatus that is equipped with routing software and with hardware to forward packets between networks, according to the routes calculated by the routing software, may be referred to as a router. It should be noted that for small routers, routes may be configured manually, and the routing software may be disabled.
FIG. 6 shows a router 600 connected between the first network 200 and the second network 300. A router may operate as follows. Assume that station 210 sends a packet addressed to station 310. Station 210 is said to be the source station and station 310 is said to be the destination station. The source station 210, which may be a digital computer 10 as shown in FIG. 1, transmits the packet to the network 200 via the network adapter 140. The router 600 may be configured with two network adapters 140: a first one participating in the first network 200 and a second one participating in the second network 300. The router 600 may receive the packet that station 210 transmitted. The router may recognize that the address of the destination is station 310. The router 600 may keep tables in a memory, and these tables may contain information indicating that the destination station 310 is not a regular participant in the first network 200. (Those tables, which are called forwarding tables or, interchangeably, routing tables, have been either manually configured or automatically calculated by the routing software by means of a routing protocol, such as RIP or OSPF.) Having made a determination that the received packet is addressed to a station not participating in the first network 200, the router 600 may then transmit the packet through its second network adapter 140 on the second network 300. The packet is received by destination station 310 through its respective network adapter 140.
If the same packet had been transmitted by source station 210 but addressed to station 220 as a destination station, the router would have made a determination, from its forwarding table, that station 220 is a regular station of the first network 200 and would not have transmitted a copy of the packet on the second network 300.
It will be appreciated that one example of a packet network is an internet. A particular instance of an internet is the Internet. As used herein, the terms "an internet" and "the Internet" are generally interchangeable. The discussion here and below is not meant to be limited to the Internet, although the Internet is used in most examples. Also, the term "data packet" or "packet of data" may be used interchangeably with "datagram".
Turning back to FIG. 5, it may be appreciated that access nodes 502, 503, and 504 may be digital computers 10 equipped to operate as routers 600. It will be appreciated that a router is a digital computer 10 that is able to participate in a predetermined manner in more than one network. The router 600 is a computer system adapted to perform predetermined routing operations in accordance with its computer instructions.
An Internet packet must bear a destination address in order to be delivered to that location. In this regard, there is a distinction that should be made between names and addresses. A name indicates an entity to which an address may pertain. That is, an address indicates the location of an entity which may have a name. The Internet protocol (IP) is a protocol that deals primarily with addresses.
In the above-identified OSI model, there are seven layers: the physical layer, the data link layer, the network layer, the transport layer, the session layer, the presentation layer, and the application layer. The transport layer is responsible for providing reliable, transparent transfer of data between endpoints; it is also responsible for providing end to end error recovery and flow control. There are two different transport level protocols commonly associated with the Internet. These two protocols include the transmission control protocol (TCP), which is connection oriented, and the user datagram protocol (UDP), which is connectionless. TCP is the principal transport protocol for the Internet.
The inter-network 500, which will be referred to hereafter as the Internet in examples, with the understanding that the examples are not limited to just the Internet, uses IP at the network layer, on top of which other, higher layer protocols are implemented, such as TCP, UDP and ICMP. Networks that use IP may be referred to as IP networks. Internet 500 is thus an IP network. It will also be assumed that networks 200, 300, and 400 also use IP.
TCP may be understood to correspond roughly to the transport layer of the OSI model, and IP to the network layer. IP is responsible for routing packets from source to destination, and is connectionless, while TCP is connection oriented.
Another protocol that should be understood is the Internet control message protocol (ICMP). ICMP works with IP and is also associated with the network layer. Since IP is connectionless, it has no way to relay messages or errors to the originating host. ICMP performs such functions for IP. ICMP sends status messages and error messages to the sending station. ICMP messages are carried using IP. Yet another protocol that is important in IP networks is the address resolution protocol (ARP). Unlike IP and ICMP, ARP is located at the link layer. ARP maps IP addresses to the hardware addresses of network interfaces. More particularly, ARP is used to dynamically advertise and query about associations of IP/hardware addresses on a local link. Since TCP/IP works at layer three and above, it needs a mechanism to interface with network interface boards, which are lower level entities. The unique layer-3 address of a network interface (i.e., its IP address) does not by itself identify a physical network interface card. A mechanism is required to correlate the IP address and the data link (i.e., hardware) address. ARP does this. ARP is discussed in more detail below.
TCP and UDP have already been mentioned. The addressable endpoints of TCP and UDP may be referred to as ports. TCP and UDP have applications that are assigned to well-known ports, as well as applications that use dynamically assigned ports. The ports are the endpoints, an addressable entity to create a logical connection. They may be referred to as service contract ports because they may provide services to requesters of a particular service. Port numbers are typically not changed. A communication endpoint address is the combination of an IP address and the port number appended to the end of the IP address.
Each station participating in an IP network is identified with a 32-bit IP address. IP addresses have a fixed length of 32 bits. An address begins with a network number, followed by a local host address. Different classes of Internet addresses are defined. The different classes of IP addresses are provided to take into account the different possible sizes of IP networks. The Internet (i.e., the worldwide network) has different addressing considerations than an internal Internet (i.e., an internal corporate network).
FIG. 7 shows an IP packet header. IP packets are well-known, but a few of the fields will now be briefly discussed. The source address field shows the originator of the packet, and is 32 bits in length. The destination address is the target for the packet. Like the source address, it also is 32 bits in length. The field indicated by "ttl" is the time-to-live field. This field indicates the maximum time a packet is permitted to stay in the Internet system. When the value equals zero, the packet is destroyed or discarded. Time is measured in units of seconds, and each entity that processes the packet must decrease the value by one, even if the processing time is less than one second. The protocol field determines the higher level protocol entity that should process the data contained in the IP packet's payload at the receiver's side. Examples of such higher level protocols are TCP and UDP. The checksum field is a field computed so as to provide a checksum for the header only.
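As an added illustration of the header fields just described (this is example code written for this discussion, not part of the patent or any product it describes), the following builds a minimal IPv4 header, verifies the header-only checksum, and applies the per-node ttl decrement with the resulting discard rule. The addresses are the ones the later FIG. 17 walk-through uses; the packet itself, the identification value and the payload length are constructed.

```python
import socket
import struct
from typing import Optional

IPPROTO_UDP = 17


def ones_complement_sum(data: bytes) -> int:
    """One's-complement sum of 16-bit big-endian words, folded to 16 bits."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def header_checksum(header: bytes) -> int:
    """Header-only checksum: computed with the checksum field (bytes 10-11) zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def verify_checksum(header: bytes) -> bool:
    """A correct header sums to 0xFFFF when the stored checksum is included."""
    return ones_complement_sum(header) == 0xFFFF


def build_header(src: str, dst: str, ttl: int, proto: int, payload_len: int) -> bytes:
    """20-byte IPv4 header (IHL=5, no options) with a valid checksum."""
    fields = struct.pack(
        "!BBHHHBBH4s4s",
        0x45,                  # version 4, IHL 5 (5 * 4 = 20 header bytes)
        0,                     # type of service
        20 + payload_len,      # total length
        0x1234,                # identification (constructed value)
        0x4000,                # flags: don't fragment, fragment offset 0
        ttl,
        proto,
        0,                     # checksum placeholder, filled in below
        socket.inet_aton(src),
        socket.inet_aton(dst),
    )
    return fields[:10] + struct.pack("!H", header_checksum(fields)) + fields[12:]


def parse_header(header: bytes) -> dict:
    """Extract the fields the text discusses: addresses, ttl, protocol, checksum."""
    (vihl, _tos, total_len, ident, _flags, ttl, proto, csum,
     src, dst) = struct.unpack("!BBHHHBBH4s4s", header[:20])
    return {
        "version": vihl >> 4,
        "ihl_bytes": (vihl & 0x0F) * 4,
        "total_length": total_len,
        "id": ident,
        "ttl": ttl,
        "protocol": proto,
        "checksum": csum,
        "src": socket.inet_ntoa(src),
        "dst": socket.inet_ntoa(dst),
    }


def forward(header: bytes) -> Optional[bytes]:
    """What each forwarding node does to the header: discard a corrupted
    header, decrement ttl, destroy the packet once ttl would reach zero,
    and recompute the checksum because the header changed."""
    if not verify_checksum(header):
        return None                         # corrupted in transit: discard
    ttl = header[8]                         # byte 8 is the ttl field
    if ttl <= 1:
        return None                         # ttl reaches zero: packet is destroyed
    new_header = header[:8] + bytes([ttl - 1]) + header[9:]
    return new_header[:10] + struct.pack("!H", header_checksum(new_header)) + new_header[12:]
```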
Now a description will be given of the domain name service (DNS). The purpose of the DNS is to translate human readable names for computers, e.g. castor.nec.com, into the corresponding IP-address, e.g. 140.20.20.4, that can be used by the IP protocol.
The DNS is a hierarchical structure in the shape of a tree. At the top of the tree is the root server, which contains information about itself and the top-level domains immediately beneath it. Common top-level domains include .gov, .edu, .com, and .org.
Under DNS, a domain name is a sequence of names with the top-level domain at the end. Each part of a domain name is a label. For example, dept.company.com has three labels: dept, company, and com. A name server is a program operating on a host, station, or node that translates names to IP-addresses. It does this by mapping domain names to IP addresses. A name server may or may not be a dedicated processor that runs name-server software. A name resolver is software that functions as a client regarding its interaction with a name server. A name cache is a storage used by the name resolver to store frequently used name information.
The domain system assumes that all data originates in master files scattered through the hosts that use the domain system. These master files are updated by local system administrators. Master files are text files that are read by a local name server, and hence become available through the name servers to users of the DNS. The user programs access name servers through resolvers. In general, a user program accesses the DNS through a local resolver. From the resolver's point of view, the DNS includes an unknown number of name servers. Each name server has one or more pieces of the whole domain tree. The resolver sees each of these DNS servers and their associated databases as being essentially static. From the point of view of the name server, the DNS consists of separate sets of local information called zones. The name server has local copies of some of the zones as well as references to other DNS servers, which are responsible for other zones. If a DNS server cannot resolve a given name from its locally held database, it forwards the query to a DNS server that is responsible for the zone to which the name belongs.
Next, consideration will be given with respect to what happens when a regular station such as station 210 is attached to its own, regular network, i.e. the first network 200. First, the station 210 must find out the hardware addresses of its next-hop router or gateway and of the other machines that belong to its home network segment. To do this, the station 210 sends out ARP requests.
An example of the operation under this regular arrangement will now be given with respect to FIG. 17. For simplicity, it is assumed that the source station, or sending station, is station 210 connected to network 200 as shown in FIG. 5, and that station 210 has only one network adapter 140 as shown in FIG. 1 (e.g. one Ethernet card).
The station 210 is configured manually with its own IP address (e.g. 138.15.103.21), a netmask (e.g. 255.255.255.0) and a gateway IP address (e.g. 138.15.103.52) pertaining to router 502. These settings are very specific to the networking environment in which the machine is to be used. The addresses are assigned by the local systems administrator, and are put into the stations 210-240. They usually remain unchanged while the station is connected to its regular network.
It may be assumed that station 210 has to send a packet to station 220, which has address 138.15.103.22.
Station 210 first determines whether it is directly connected to the same segment as the destination station. The station 210 compares its own IP-address with the receiver's IP-address, taking into consideration the netmask (step 1710).
The sending station 210 interprets the IP-addresses and the netmask as 32-bit values and compares only those bits of the two IP-addresses, for which the corresponding bit of the netmask is 1 (in this example this means that it compares the first 24 bits of the IP-addresses and ignores the last 8 bits). In both cases, the first 24 bits are 138.15.103.
In step 1720, the masked addresses are judged to be equal or unequal. If equal, processing continues with step 1725; if unequal, processing continues with step 1730. Since the comparison results in a judgment that the masked addresses are equal, processing continues in this example with step 1725.
Given the judgment at step 1720, it may be inferred that the source station 210 and the destination station 220 are connected to the same segment. The next-hop for this particular packet is thus the station having the IP address of the destination station 220.
To deliver the IP-packet to the next-hop (which is the destination station 220 in this example), the IP-host has to determine the hardware address (HW address) of the next-hop. This must be done to instruct the physical transmission media correctly as to where it should deliver the packet. The IP-host knows the next-hop's IP address (i.e., the IP-address of station 220), but it does not yet know the next-hop's HW-address. For this reason it sends out an ARP message in broadcast form to every station on the network 200, asking for the HW-address of the next-hop machine (see step 1720). The ARP message identifies the destination station 220 as the intended receiver.
Since the next-hop is a station participating in the local network 200, it will receive this ARP request and eventually respond with its own HW-address, thereby providing the HW address of the next-hop station to the sending station 210. At step 1740, the station 210 checks to see whether an ARP reply has been received. If not, a wait period is entered (step 1750). After the wait, it may be determined whether a timeout period has passed in step 1760. If the timeout has not passed, processing may continue with a further check for an ARP reply in step 1740. If the timeout has passed, it may be determined that an error has occurred.
Assuming that an ARP reply is detected, processing continues with step 1770. The ARP reply is examined and the HW address of the next-hop station is determined.
In step 1780, the packet is sent to the next-hop (in this example, station 220), and the packet bears the destination IP address of 138.15.103.22. Station 220 receives the packet because it has a HW address that matches the HW address to which the packet is sent. Station 220 sees that the packet bears, as the destination address, the IP address of station 220. Station 220 therefore keeps the packet.
Now, an example will be provided for the case in which station 210 sends an IP packet to station 310, a station on another network. Station 310 may have an IP address of, e.g., 141.20.20.31.
Station 210 first determines whether it is directly connected to the same segment as the destination station 310. The station 210 compares its own IP-address with the receiver's IP-address, taking into consideration the netmask (step 1710).
The two addresses, when masked, are 138.15.103 for station 210 and 141.20.20 for station 310. In step 1720, the masked addresses are judged to be unequal and so processing continues with step 1730.
Given the judgment at step 1720, it may be inferred that the source station 210 and the destination station 310 are not connected to the same segment. The next-hop for this particular packet is thus the router (gateway) 502. The IP address of the router 502 is 138.15.103.52, as already mentioned. The destination of the packet is still station 310, but the next hop for the packet must be router 502.
To deliver the IP-packet to the next-hop (which is the router 502 in this example), the IP-host has to determine the HW address of the next-hop. The IP-host knows the next-hop's IP address (i.e., the IP-address of router 502), but it does not yet know the next-hop's HW-address. For this reason it sends out an ARP message in broadcast form to every station on the network 200, asking for the HW-address of the next-hop machine (see step 1730). The ARP message identifies the router 502 as the intended receiver.
Since the next-hop is a router participating in the local network 200, it will receive this ARP request and eventually respond with its own HW-address, thereby providing the HW address of the next-hop station to the sending station 210. The wait and timeout processing may occur for steps 1740, 1750, and 1760 as already described above.
Assuming that an ARP reply is detected, processing continues with step 1770. The ARP reply is examined and the HW address of the next-hop station (in this example, the HW address of router 502) is determined.
In step 1780, the packet is sent to the next-hop (in this example, router 502), and the packet bears the destination IP address of 141.20.20.31. Router 502 receives the packet because it has a HW address that matches the HW address to which the packet is sent.
The router notes that its own IP address does not match that of the destination IP address of the packet. Therefore, the router 502 will undertake the procedure shown in FIG. 17 to forward the packet towards the next-hop along the path to the final receiver.
Thus, when station 210 sends a packet to station 310, the packet is taken by the router 502, passed through the internet 500, taken by router 503, and transmitted to station 310. The packet would show the source IP address as being the address for 210. When replying, station 310 sends out IP packets with the destination being the same as the IP address that was indicated as being the source. The reply packet is taken by router 503, passed through internet 500, and taken by router 502, which knows that the IP address corresponding to station 210 is a regular participant on its own network. Router 502 transmits the packet on network 200 and it is received by station 210.
In terms of hardware, the term "guest machine" or "guest station" means any of a variety of computing apparatuses or computers that are capable of communicating using the well known internet protocol (IP). A guest machine could be a desktop computer, a transportable or portable computer, a laptop or notebook computer, a palmtop or handheld computer, a personal digital assistant, or the like. An apparatus, to be a potential guest machine, need merely be capable of communicating using IP.
"Guest station" also implies a station that is not connected to its regular network. This situation might obtain for a variety of reasons, as will now be discussed.
Increasingly, nomadic business travelers and workshop/conference attendees carry a selection of their portable IP-talking gadgets, at least a laptop, when visiting other sites. Being addicted to the blessings of online stock quotes, Email and other Internet services, they usually require access to the Internet from their hosting organization. Often, in those cases, one of the hosting organization's analog telephone lines, together with a 28.8 Kbit/sec modem provided by the guest, is used to dial either directly into the guest's home network or into a public ISP. This solution is not only expensive (long-distance telephone charges) and slow (28.8 Kbit/sec), but often also impractical (no access to analog telephone lines or permission to use them).
It may therefore be desirable for the hosting organization to provide its guests with a more economical and easier to use mechanism for connecting their portable devices to the Internet.
FIG. 8 shows a situation involving a guest station on a foreign network. In FIG. 8, station 210 is a guest station on the third network 400. Station 210 is a regular station of the first network 200. Station 210 is now connected to network 400. Since the third network 400 is not the regular network of station 210, the third network 400 is foreign to the station 210. From the perspective of station 210, therefore, a connection has been made to a foreign network. From the perspective of the third network 400, a guest station has been connected to it. In practical terms, the third network 400 may be thought of as a hotel or a conference center that provides IP connectivity to its guests. This service may be referred to as a service of hosting a guest station, and the network 400 may be thought of as a hosting network.
The general problem with hosting a guest station will be discussed by way of example, and with respect to FIGS. 8 and 17.
For simplicity, it is assumed that the source station, or sending station, is station 210 connected to third network 400 as shown in FIG. 8 instead of its regular network 200, and that station 210 has only one network adapter 140 as shown in FIG. 1 (e.g. one Ethernet card).
The station 210 is configured manually with its own IP address (e.g. 138.15.103.21), a netmask (e.g. 255.255.255.0) and a Gateway IP address (e.g. 138.15.103.52) pertaining to router 502.
It may be assumed that station 210 has to send a packet to station 220, which has address 138.15.103.22.
Station 210 first determines whether it is directly connected to the same segment as the destination station. The station 210 compares its own IP-address with the receiver's IP-address, taking into consideration the netmask (step 1710). Both masked addresses provide 138.15.103 in the first 24 bits.
Since the comparison results in a judgment that the masked addresses are equal, processing continues in this example with step 1725.
Given the judgment at step 1720, it is incorrectly inferred that the source station 210 and the destination station 220 are connected to the same segment. The next-hop for this particular packet is thus thought to be the station having the IP address of the destination station 220.
To deliver the IP-packet to the next-hop (which is the destination station 220 in this example), the guest station 210 attempts to determine the hardware address (HW address) of the next-hop. Station 210 sends out an ARP message in broadcast form to every station on the network 400, asking for the HW-address of the next-hop machine (see step 1720). The ARP message identifies as the intended receiver the destination station 220.
Since the next-hop is not a station participating in the local network 200, and since no station participating in the network 400 has a matching IP address, the ARP request is ignored by every station on network 400 and no station sends an ARP reply.
At step 1740, the station 210 checks to see whether an ARP reply has been received. No reply is ever received, so eventually it is determined that an error situation exists. The packet for station 220 cannot be sent.
Now, an example will be provided for the case in which guest station 210 connected to the third network 400 attempts to send an IP packet to station 310, a station on another network. Station 310, again, has an IP address of, e.g., 141.20.20.31.
Station 210 first determines whether it is directly connected to the same segment as the destination station 310. The station 210 compares its own IP-address with the receiver's IP-address, taking into consideration the netmask (step 1710).
The two addresses, when masked, are 138.15.103 for station 210 and 141.20.20 for station 310. In step 1720, the masked addresses are judged to be unequal and so processing continues with step 1730.
Given the judgment at step 1720, it is inferred by guest station 210 that it and the destination station 310 are not connected to the same segment. The next-hop for this particular packet is thus the router (gateway) 502, at least according to the internal IP settings programmed into station 210. The IP address of the router 502 is 138.15.103.52, as already mentioned. The destination of the packet is still station 310, but the next hop for the packet is set to be router 502.
To deliver the IP-packet to the next-hop (which is the router 502 in this example), the guest station 210 has to determine the hardware address of the next-hop. The guest station 210 knows the intended next-hop's IP address (i.e., the IP-address of router 502), but it does not yet know the next-hop's HW-address. For this reason it sends out an ARP message in broadcast form to every station on the third network 400, asking for the HW-address of the next-hop machine (see step 1730). The ARP message identifies as the intended receiver the router 502.
That router, however, does not participate on network 400, and therefore no ARP reply is ever provided to station 210. As in the immediately preceding example, an error situation is determined to be present and no packet can be sent from the guest station 210 to destination station 310.
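The next-hop selection (steps 1710-1730) and the ARP lookup that follows, as an added Python simulation that is not part of the patent text: station 210 keeps its home configuration from network 200, and the same packet is attempted first on its home segment and then as a guest on network 400. The HW addresses and the hosts of network 400 are constructed values; the IP addresses of station 210, station 220, router 502 and station 310 are those used in the text.

```python
import ipaddress

# Station 210 exactly as configured for its regular network 200 (addresses from the text;
# the HW address is a constructed value).
STATION_210 = {"ip": "138.15.103.21", "mask": "255.255.255.0",
               "gateway": "138.15.103.52", "hw": "02:00:00:00:02:10"}

# Stations that answer ARP on each broadcast domain, keyed by IP (HW addresses constructed).
NETWORK_200 = {"138.15.103.22": "02:00:00:00:02:20",   # station 220
               "138.15.103.52": "02:00:00:00:05:02"}   # router 502 (gateway of 210)
# Foreign network 400: the text gives no addresses for it, so these hosts are placeholders.
NETWORK_400 = {"10.40.0.1": "02:00:00:00:05:04",       # router 504 (assumed address)
               "10.40.0.7": "02:00:00:00:04:07"}       # some regular station of 400


def masked(ip, mask):
    """Step 1710: apply the netmask to an address (dotted form for readability)."""
    return str(ipaddress.IPv4Address(int(ipaddress.IPv4Address(ip))
                                     & int(ipaddress.IPv4Address(mask))))


def next_hop(host, dst_ip):
    """Step 1720: equal masked addresses -> deliver directly to the destination;
    otherwise (step 1730) the next-hop is the configured gateway."""
    if masked(host["ip"], host["mask"]) == masked(dst_ip, host["mask"]):
        return dst_ip
    return host["gateway"]


def arp_resolve(segment, ip):
    """Broadcast 'who-has ip' on the attached segment. Only stations that actually
    participate in that segment answer; None stands for the timeout of steps 1740-1760."""
    return segment.get(ip)


def send(host, segment, dst_ip):
    """Return (next_hop_ip, next_hop_hw). A None HW address means the packet cannot be sent."""
    hop = next_hop(host, dst_ip)
    return hop, arp_resolve(segment, hop)


if __name__ == "__main__":
    for name, segment in (("network 200 (home)", NETWORK_200), ("network 400 (guest)", NETWORK_400)):
        for dst in ("138.15.103.22", "141.20.20.31"):
            hop, hw = send(STATION_210, segment, dst)
            print(f"{name}: to {dst} via {hop} -> {hw or 'ARP timeout, packet not sent'}")
```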
Even if router 504 could be programmed to send out packets for a guest station 210, a problem would still remain, as will now be explained.
Assume that station 210 is a guest on the third network 400, and sends a packet through router 504 to station 310. The packet is received by router 504 on network 400, which may have an arrangement as the router 600 shown in FIG. 6. Router 504 receives the packet through one of its network adapters 140. The router 504 checks the destination address against its routing tables and recognizes that the packet bears a destination address that does not relate to any of the IP addresses in its own network 400. Router 504 transmits the packet on its other network interface 140. At this point, the packet bears the source IP address of station 210 and the destination IP address of station 310.
The packet is carried across the internet 500 and is provided to router 503 because it is the router that receives all packets for stations expected to be in network 300. Router 503 receives the packet and judges from its routing tables that the IP address for station 310 is an IP address on network 300. Router 503 transmits the packet on network 300 and station 310 receives it.
The heart of the problem comes into focus when station 310 sends a reply packet. The packet received by station 310 bore the source IP address of station 210. Therefore, station 310 transmits a reply packet with the same IP address for the destination of the reply packet. The reply packet bearing as its destination IP address the address of station 210 is picked up by router 503 and passed on to internet 500.
The packet is carried across the internet 500 and is provided to router 502 because that is the router that receives all packets for stations expected to be in network 200. Router 502 receives the packet and judges from its routing tables that the IP address for station 210 is an IP address on network 200. Router 502 transmits the packet on network 200, but station 210 is not connected to the network. The reply packet from station 310 to station 210 therefore never reaches station 210 because station 210 is connected as a guest on foreign network 400.
A solution to the problem of hosting a guest station should not require any changes in the guest's device. There are four reasons for this. First, making those changes requires knowledge about local network policies and IP addresses. Second, changing the guest station's device is a cumbersome and error prone task. Third, any changes must be reversed after the visit is over. Fourth, it is never entirely clear what impact such changes have on the guest's equipment. Should a component of the guest's system start to malfunction after such a configuration change, even for a completely unrelated reason, there can be a dispute about possible causes, responsibilities, and liability.
Furthermore, a solution to the problem of hosting a guest station should permit security for the foreign network (also referred to as the hosting network, from its own perspective) to avoid malicious attacks from guests.
The use of Dynamic Host Configuration Protocol (DHCP) is one mechanism that may be considered for the support of a guest station on a foreign network. DHCP, however, is disadvantageous in that it does not consider security aspects either for the host network or for the guest station.
Another, potentially insurmountable, disadvantage of DHCP is that it requires support at the guest station. Not all guest stations support DHCP, especially not older systems or simple devices which have only a minimal IP stack.
Yet another disadvantage of DHCP is its requirement for a separate IP address for each guest station. To provide appropriate capacity, a hotel or conference facility would need to obtain a large pool of IP numbers, most of which would typically go unused.
Mobile IP is another mechanism that may be considered as a solution to the problem of hosting a guest station. Mobile IP, however, depends on the existence of a home agent for each guest. Such home agents are usually not available for most guests.
Most of the foreseeable simple IP devices, e.g. IP pens, portable printers, however, should "just work" in the hosting organization's environment. It is inefficient to place them logically into their home environment, as is the case in the Mobile IP approach with a home agent. It would be better for a guest user to have access to most of the Internet services (i.e., browsing the WWW, sending email, ftp, telnet to read email, and the like) without detour through the regular network of the guest station.
Network address translation (NAT) is described in RFC 1631. A version of NAT is available in a commercial product available from CISCO Systems.
In its simplest configuration, the Network Address Translator (NAT) operates on a router connecting two networks together; one of these networks (designated as inside) is addressed with either private or obsolete addresses that need to be converted into legal addresses before packets are forwarded onto the other network (designated as outside). The translation operates in conjunction with routing, so that NAT can simply be enabled on a customer-side Internet access router when translation is desired.
Use of a NAT device provides RFC 1631-style network address translation (see URL http://info.internet.isi.edu:80/in-notes/rfc/files/rfc1631.txt) on the router platform. The goal of NAT is to provide functionality as if the private network had globally unique addresses and the NAT device was not present. Under the commercial product, NAT can perform translation of both source and destination IP addresses in a packet. The translation is performed by using an address translation table maintained in a NAT enabled router.
NAT does not, however, handle guest stations. The translations under NAT require the addresses to be entered into an address translation table. Where a packet is received by such a router, and the source address is not in the address translation table, no translation can take place. Thus, the use of NAT requires support from the hosting organization in the adding of the guest station to the address translation table.
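Why a static translation table does not help a guest, as an added Python model that is not part of the patent text or of any vendor's NAT implementation: outbound packets have their source rewritten only if the source is in the table, replies are mapped back through the reverse table, and a guest still using its home address passes untranslated, so its reply is addressed to the guest's home network. The hosting network prefix 10.40.0.0/24, the table entries and the 192.0.2.0/24 outside addresses are constructed placeholders.

```python
import ipaddress

# Constructed RFC 1631-style static table for the hosting network's NAT router:
# inside address -> globally routable outside address (placeholders, not from the text).
INSIDE_NET = ipaddress.ip_network("10.40.0.0/24")            # assumed prefix of network 400
TRANSLATION_TABLE = {"10.40.0.7": "192.0.2.7", "10.40.0.8": "192.0.2.8"}
REVERSE_TABLE = {outside: inside for inside, outside in TRANSLATION_TABLE.items()}


def translate_outbound(packet):
    """Rewrite the source address on the way out. A source that has no table entry
    (e.g. guest 210 still using 138.15.103.21) is left untouched: no translation takes place."""
    return {**packet, "src": TRANSLATION_TABLE.get(packet["src"], packet["src"])}


def translate_inbound(packet):
    """Map the destination of a reply back to the inside address, if the table knows it."""
    return {**packet, "dst": REVERSE_TABLE.get(packet["dst"], packet["dst"])}


def reply_reaches_inside(src, dst):
    """Simulate request and reply through the NAT router. True only if the reply's final
    destination lies on the hosting network; otherwise the reply is routed toward the
    network that owns the source address, as in the station 210 / router 502 example."""
    out = translate_outbound({"src": src, "dst": dst})
    reply = translate_inbound({"src": out["dst"], "dst": out["src"]})
    return ipaddress.ip_address(reply["dst"]) in INSIDE_NET


if __name__ == "__main__":
    print("regular station 10.40.0.7 ->", reply_reaches_inside("10.40.0.7", "141.20.20.31"))
    print("guest station 138.15.103.21 ->", reply_reaches_inside("138.15.103.21", "141.20.20.31"))
```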
It is therefore an object of the invention to solve the problem of hosting a guest station in a manner in which the guest simply plugs the guest station into the foreign network and gains instant IP connectivity. Another object is to achieve this even when the foreign network uses a broadcast LAN such as an Ethernet. Yet another object of the invention is to achieve the foregoing without change to the previously set network configuration of the portable device, including IP address, netmask, next-hop-routers (gateways) as well as settings for the Domain Name Service (DNS). It is a further object of the invention to achieve instant IP connectivity in a manner which prevents malicious attacks to the hosting network by the guest station. An additional object of the invention is to achieve the foregoing connectivity in a manner which permits the guest station, if desired, to provide for security against malicious intrusion or attacks from the foreign network. Furthermore, it is also an object of the invention to provide for IP access for a guest station without the need for a large pool of IP addresses. Finally, it is an important object of the invention to provide for IP access for a guest station without support from the guest station and without expecting support from the guest's regular network.
The invention is realized, in one embodiment, in an intelligent router, also referred to herein as an access router, that intercepts all packets sent from the guest and replaces the guest's IP address with a care-of IP address that belongs to the hosting organization.