A virtual network is a logical network overlaid on a physical network. A virtual network allows a virtual IP (Internet Protocol) address to be assigned to individual processes or applications running on a computer or other electronic device. The use of a virtual network allows for an extension of the computer's physical resources since a virtual network's components are not restricted to a one-to-one relationship with the physical devices in that computer system and network. Messages may be sent to a process at a virtual IP address separate from the real IP address used by the network device upon which the process is executed.
When a process executing on a virtual network needs to send a message to a virtual destination address, the virtual destination address must first be resolved into a real IP address. Virtual addresses in a virtual network are registered and associated with a real IP address. The resolution process determines the real IP address associated with a particular destination address. The message is then sent to the real IP address. The real IP address is resolved into a Link layer MAC address of the network interface on the receiving physical device (such as the address of a network interface card (NIC)). The message is then passed up to the Network layer and then on to the Application layer and the destination address associated with a process or application.
The concept of virtual IP addresses may be illustrated by reference to one of the protocol stack models, such as the OSI (Open System Interconnection) model and the Internet Protocol model, which describe a networking framework in functional terms. The OSI model contains seven layers: Physical layer, Link layer, Network layer, Transport layer, Session layer, Presentation layer, and Application layer. The Internet Protocol model contains five layers: Physical layer, Link layer, Network layer, Transport layer and Application layer (the functionality of the Session and Presentation layers being absorbed into other layers). Although the OSI model is also relevant to the present invention, examples contained herein will be made with reference to the five layer Internet Protocol stack. The Physical layer is the medium used to transport data, such as wires carrying electricity or fiber optic cable transporting light signals. The Link layer is the address of the network interface, such as a MAC address. The Network layer holds IP addresses used to route messages from one network to another. Transport protocols such as UDP and TCP run at the Transport layer and are described further below. Applications and processes run at the Application layer. Protocols above the Network layer are referred to herein as “higher level protocols” (i.e., transport protocols).
Unfortunately, when the virtual destination address is located on a physical device on the interior of a network which is running a proxy server, firewall, or other packet filtering mechanism, messages that have been sent to a virtual destination address have difficulty getting all the way to their target. The term “interior of a network” refers to devices which are not able to directly access another network without first going through another device on their own network. For example, most local area networks (LANs) access the Internet through a proxy server. Devices other than the proxy server are said to be on the interior of the LAN. The proxy server is referred to as an “edge device” because it is able to directly contact another network without using an intermediary device. “Packet filtering” refers to the filtering of incoming messages or packets by an edge device, or by a process on an edge device, so that not all of the packets are permitted to proceed to their destination; the rest are “filtered out”. If the electronic device that is filtering incoming packets is under the control of the party executing the process associated with the virtual destination address, the device may be configured to allow the packets through to the end destination. However, in many situations, the edge device is not configurable by anyone without system administration privileges. Similarly, if the edge device is a device performing Network Address Translation (a “NAT box”), the NAT box rewrites all outgoing packets from an end user in the interior of the network to make them look like they came directly from the NAT box, and remembers that any traffic coming back from the particular destination address must be mapped back to the originating internal device. Consequently, the responding devices think they are responding to the sending device when they are actually responding to an edge device.
In such a case, the packets intended for the virtual destination address on the interior of the physical network may be dropped and not reach their intended destination.
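The resolution and NAT behaviour described above can be made concrete with a small simulation. The following Python is an added illustration, not code from the application or from any product it describes; every address, port and class name in it is a constructed assumption (RFC 5737 documentation ranges and RFC 1918 private space). It models a virtual-address registry that records whatever source address a registration arrives with, and a NAT box that rewrites outgoing packets to its own public IP and only translates back inbound traffic from the remembered destination. The interior process registers its virtual address through the NAT, so the registry stores the edge device's address; a reply from the registry is mapped back, but a message from a third party that resolved the same virtual address finds no mapping and is dropped, which is the failure mode the text describes.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses for illustration only; none come from the original text.
NAT_PUBLIC_IP = "203.0.113.1"   # hypothetical edge device performing NAT
INTERIOR_IP = "10.0.0.5"        # hypothetical host on the interior of the LAN
REGISTRY_IP = "198.51.100.2"    # hypothetical virtual-address registry
OTHER_IP = "198.51.100.7"       # hypothetical third party on the public network
VIRTUAL_IP = "192.0.2.10"       # hypothetical virtual address of the interior process


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    payload: str


class VirtualRegistry:
    """Associates a virtual IP with the real address it was registered from."""

    def __init__(self) -> None:
        self.virtual_to_real: Dict[str, Tuple[str, int]] = {}

    def handle(self, pkt: Packet) -> None:
        # The registry can only see the source address the packet arrived with,
        # which after NAT is the edge device, not the interior host.
        if pkt.payload.startswith("REGISTER "):
            virtual_ip = pkt.payload.split(" ", 1)[1]
            self.virtual_to_real[virtual_ip] = (pkt.src_ip, pkt.src_port)

    def resolve(self, virtual_ip: str) -> Tuple[str, int]:
        return self.virtual_to_real[virtual_ip]


class NatBox:
    """Source NAT: outbound packets are rewritten to the public IP and a mapping
    is remembered; only inbound traffic from the remembered destination is
    translated back to the interior host, everything else is filtered out."""

    def __init__(self, public_ip: str) -> None:
        self.public_ip = public_ip
        self.next_port = 40000
        # public port -> (interior ip, interior port, remote ip, remote port)
        self.mappings: Dict[int, Tuple[str, int, str, int]] = {}
        self.dropped: List[Packet] = []

    def outbound(self, pkt: Packet) -> Packet:
        port = self.next_port
        self.next_port += 1
        self.mappings[port] = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        entry = self.mappings.get(pkt.dst_port)
        if entry is None or (pkt.src_ip, pkt.src_port) != entry[2:]:
            self.dropped.append(pkt)  # no matching mapping: filtered out
            return None
        return Packet(pkt.src_ip, pkt.src_port, entry[0], entry[1], pkt.payload)


def simulate() -> dict:
    registry = VirtualRegistry()
    nat = NatBox(NAT_PUBLIC_IP)

    # 1. The interior process registers its virtual address through the NAT.
    reg = nat.outbound(Packet(INTERIOR_IP, 5000, REGISTRY_IP, 7000, f"REGISTER {VIRTUAL_IP}"))
    registry.handle(reg)
    real_ip, real_port = registry.resolve(VIRTUAL_IP)

    # 2. The registry's reply matches the remembered destination and is delivered.
    ack = nat.inbound(Packet(REGISTRY_IP, 7000, real_ip, real_port, "ACK"))

    # 3. A third party resolves the same virtual address and sends a message;
    #    the NAT has no mapping for that sender, so the packet is dropped.
    msg = nat.inbound(Packet(OTHER_IP, 6000, real_ip, real_port, "HELLO"))

    return {
        "resolved_real_ip": real_ip,
        "registry_reply_delivered_to": ack.dst_ip if ack else None,
        "third_party_delivered": msg is not None,
        "dropped": len(nat.dropped),
    }


if __name__ == "__main__":
    for key, value in simulate().items():
        print(f"{key}: {value}")
```

Running the block shows the virtual address resolving to the NAT's public IP rather than to the interior host, the registry's own reply reaching 10.0.0.5, and the third party's message counted as dropped. The per-destination mapping check models the stricter NAT behaviour the text describes (return traffic mapped back only from "the particular destination address"); a NAT that keyed mappings on the public port alone would let the third party's packet through, so the outcome depends on the edge device's policy.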