In such a context, the internet router of the home network, which allows users of the home network to access the internet, acts as a filtering and routing device for this remote access request, authorizing incoming connections on a case-by-case basis, with the aim of forwarding them to the device in the home network targeted in this request.
It is assumed that requests issued by a device in the first network are transmitted by way of a trusted relay entity, in the form of a relay server, for example. This relay server constitutes a “trusted” entity from the point of view of the gateway of the second network, as opposed to any other entity that might, from the internet, seek to directly access this gateway by means of its public address, without having been explicitly authorized to do so.
A dialog is thus established between this relay server and a Reverse Proxy agent of the gateway of the second network, a dialog during which the Reverse Proxy agent verifies the authorizations describing the access rights of a remote user as regards the data/content concerned by the request issued by the first device. This step is inexpensive in terms of resources and in terms of the quantity of information transmitted, since, in the example case of a request to access an item of multimedia content, it is simply a sequence of file search operations in a file system.
The transmission of a multimedia content is, however, potentially very expensive, as much in terms of network resources as in terms of processing capacity. A need has therefore emerged to avoid needlessly taxing the memory and CPU resources of the gateway of the second network, which must, as far as possible, be restricted to its routing function, and to avoid creating a choke point at the level of the relay server SVR or equipping this server with load management means.
Usually, a specific communication port, separate from the default communication port used to contact the Reverse Proxy agent, is therefore dynamically allocated at the public network interface of the gateway of the second network, a port whose use is reserved for the first device. The redirection mechanism then consists in supplying to the client a redirection address composed of the public address of the gateway and of this specifically allocated communication port.
Then, by a simple conventional incoming routing mechanism no longer involving the Reverse Proxy agent of the gateway of the second network, the request coming directly from the client is routed by this home gateway to the target device in the second network.
However, such a mechanism can be hindered by the presence in the first and/or second network of one or more firewalls able to filter the traffic to these non-standard communication ports. For example, the internet operator of the second network might very well adopt a restrictive policy challenging the ability to contact a specific communication port of the gateway from the internet. As another example, the first network may be equipped with firewalls filtering the outgoing traffic from this first network.
Finally, such a mechanism does not allow a distinction to be made between a plurality of client terminals that are assigned one and the same address, which occurs when the firewall/proxy of the first network uses one and the same public address for the communications established with the client terminals connected to this public network.
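The following is an added toy model, not code from the patent text, of the three-stage mechanism described in the preceding paragraphs: the Reverse Proxy agent's cheap authorization check (a path lookup against the user's rights), the dynamic reservation of a non-default port on the gateway's public interface and the construction of the redirection address, and the plain routing check that later admits the client's direct connection without the Reverse Proxy agent. It also reproduces the shared-address limitation of the last paragraph. The user names, content paths, public addresses and port range are constructed assumptions for the example; the path normalisation step is an addition the text does not mention but that any file-system-based rights check needs, so that `..` segments cannot escape an authorised root.

```python
"""Toy model of a gateway-side Reverse Proxy agent (added example, not patent code)."""
import posixpath
from dataclasses import dataclass, field

# Constructed authorization table: remote user -> content roots they may read.
AUTHORIZATIONS = {
    "alice": ["/media/photos", "/media/music"],
    "bob": ["/media/music"],
}

# Constructed stand-in for the target device's file system.
CONTENT_FS = {
    "/media/photos/2019/holiday.jpg",
    "/media/music/track01.mp3",
    "/etc/gateway.conf",
}

# Assumed pool of non-default ports the gateway may hand out.
PORT_RANGE = range(40000, 40010)


@dataclass
class Gateway:
    public_address: str
    reservations: dict = field(default_factory=dict)  # port -> client public address

    def authorize(self, user, requested_path):
        # Stage 1 (cheap): normalise the path, then check it lies under one of the
        # user's authorised roots and actually exists on the target device.
        normalised = posixpath.normpath("/" + requested_path.lstrip("/"))
        roots = AUTHORIZATIONS.get(user, [])
        if not any(normalised == r or normalised.startswith(r + "/") for r in roots):
            return None
        if normalised not in CONTENT_FS:
            return None
        return normalised

    def allocate_port(self, client_public_address):
        # Stage 2: reserve a free non-default port for this client's public address.
        for port in PORT_RANGE:
            if port not in self.reservations:
                self.reservations[port] = client_public_address
                return port
        raise RuntimeError("no free port in the reserved range")

    def redirect(self, user, requested_path, client_public_address):
        # Dialog with the relay: authorise, reserve a port, return the redirect address.
        path = self.authorize(user, requested_path)
        if path is None:
            return None
        port = self.allocate_port(client_public_address)
        return f"https://{self.public_address}:{port}{path}"

    def accept_incoming(self, port, source_address):
        # Stage 3: plain routing decision on the reserved port, Reverse Proxy not involved.
        return self.reservations.get(port) == source_address


def shared_address_ambiguity():
    """Two clients behind one firewall/proxy share a public address, so the
    reserved port cannot tell them apart (the limitation noted above)."""
    gw = Gateway("198.51.100.10")
    nat_address = "203.0.113.5"  # constructed shared public address
    url = gw.redirect("alice", "/media/photos/2019/holiday.jpg", nat_address)
    port = int(url.rsplit(":", 1)[1].split("/", 1)[0])
    # bob was never authorised for photos, yet a connection from the same
    # public address is routed through alice's reserved port.
    return gw.accept_incoming(port, nat_address)


if __name__ == "__main__":
    gw = Gateway("198.51.100.10")
    print(gw.redirect("alice", "/media/photos/2019/holiday.jpg", "203.0.113.5"))
    print(gw.redirect("alice", "/media/photos/../../etc/gateway.conf", "203.0.113.5"))
    print("shared-address ambiguity:", shared_address_ambiguity())
```

The normalisation in `authorize` is what keeps the "sequence of file search operations" cheap and safe at once: the rights check is a prefix comparison on a canonical path, so a traversal attempt resolves to `/etc/gateway.conf` and is refused before any file is touched. `accept_incoming` keys the reservation on the source address alone, which is exactly why the mechanism cannot separate several terminals sharing one public address.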
A need has thus emerged for a secure and generic solution for authorizing the crossing of a gateway in such a context.