IPv4 address space is rapidly becoming scarce. It is anticipated that all currently available address blocks will have been allocated over the next two years. As this deadline approaches organizations will experience significant difficulties in expanding or growing their network operations.
Adoption of IPv6, which promises to make available a large range of new, longer IP addresses, continues to lag due to its complexity and cost. IPv6 requires the adoption of new routing hardware and new network service protocols. The radically different addressing schemes introduced by IPv6 are also difficult for network operators entrenched in the IPv4 paradigm to understand. The goal of this invention is to expand and improve the utility of existing IPv4 address space.
Given the reluctance to adopt IPv6, several techniques have been developed to allow scarce IPv4 addresses to be shared by multiple devices. All of these techniques have led to compromises in security and undesirable changes in packet information and content.
The primary approach for IP address sharing is Network Address Translation (NAT). NAT is the most widely used technique for allowing several network end-hosts to share a limited set of IPv4 addresses. This approach relies on devices that modify IP addresses and port numbers in IP packets as they are transmitted from the network end-host to the Internet.
NAT relies on a device placed in the path between the end-hosts and the Internet. Typically, the NAT device uses public IPv4 address space on the Internet-facing side and private, non-routable IP addresses on the end-host side. As a result of NAT's reliance on hardware appliances, it is difficult and costly to use NAT to support a large number of end-hosts.
In addition, the NAT device modifies packets transmitted from the end-host to the Internet and in each case replaces the private IP address in the packet with an address from the pool of available public addresses. From a network security perspective, such modifications are similar in nature to the results of a "man-in-the-middle" attack. Thus they severely limit the use of end-to-end security techniques. For example, these modifications make it impossible to trace a packet back to its original source. As a result, malicious transmissions can be effectively made untraceable with NAT and similar methods.
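The following is an added illustration, not part of the original disclosure, of the address-and-port rewriting that the paragraphs above describe. It models a port-based NAT device as a translation table: outbound packets from private hosts have their source address and port replaced with the device's single public address and an allocated public port; inbound replies are mapped back through the same table, and inbound packets with no table entry are dropped. The `Packet` and `Nat` classes, the RFC 5737 documentation addresses and the port numbers are all constructed for this example. The point a defender should take from it is the last function: once a packet has left the device, its original source can only be recovered by consulting the device's own table, so that table (with timestamps, in a real deployment) is the only attribution record.

```python
from dataclasses import dataclass
from itertools import count
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Minimal 4-tuple view of an IP/transport header (constructed for this example)."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


# A translation key is the private (ip, port) pair of an end-host.
PrivateKey = Tuple[str, int]


class Nat:
    """Port-based NAT: many private hosts share one public IPv4 address."""

    def __init__(self, public_ip: str, first_public_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._next_port = count(first_public_port)
        # private (ip, port) -> allocated public port
        self._outbound: Dict[PrivateKey, int] = {}
        # allocated public port -> private (ip, port)
        self._inbound: Dict[int, PrivateKey] = {}

    def translate_out(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private side."""
        key = (pkt.src_ip, pkt.src_port)
        if key not in self._outbound:
            # First packet from this private endpoint: allocate a public port.
            port = next(self._next_port)
            self._outbound[key] = port
            self._inbound[port] = key
        # Only the source side changes; destination fields pass through untouched.
        return Packet(self.public_ip, self._outbound[key], pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Rewrite the destination of a packet arriving from the Internet.

        Returns None when no mapping exists: an unsolicited inbound packet
        has no private host to go to and is dropped.
        """
        if pkt.dst_ip != self.public_ip:
            return None
        key = self._inbound.get(pkt.dst_port)
        if key is None:
            return None
        priv_ip, priv_port = key
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port)

    def table(self) -> List[Tuple[str, int, str, int]]:
        """Dump the live translation table as (private_ip, private_port, public_ip, public_port)."""
        return [(ip, port, self.public_ip, pub) for (ip, port), pub in self._outbound.items()]


def attribute_source(nat: Nat, observed: Packet) -> Optional[PrivateKey]:
    """Given a packet as seen on the Internet side, recover the originating private host.

    This is only possible with access to the NAT device's table; the packet
    itself carries no trace of the private address it was sent from.
    """
    if observed.src_ip != nat.public_ip:
        return None
    return nat._inbound.get(observed.src_port)


def demo() -> Tuple[Packet, Packet, List[Tuple[str, int, str, int]]]:
    """Two private hosts talk to the same server through one public address."""
    nat = Nat("203.0.113.5")  # public side, RFC 5737 documentation address (constructed)
    server = ("198.51.100.7", 443)

    # Both hosts leave the NAT with the same source IP; only the port differs.
    out_a = nat.translate_out(Packet("10.0.0.2", 51000, *server))
    out_b = nat.translate_out(Packet("10.0.0.3", 51000, *server))
    return out_a, out_b, nat.table()


if __name__ == "__main__":
    a, b, tbl = demo()
    print("host A as seen on the Internet:", a)
    print("host B as seen on the Internet:", b)
    print("NAT table (the only attribution record):", tbl)
```

Note that `demo()` deliberately gives both private hosts the same source port (51000): the device disambiguates them solely by the public port it allocates, which is why the table, and not anything in the translated packet, is what ties traffic back to a host.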
This section provides background information related to the present disclosure which is not necessarily prior art.