The Internet is a large collection of networks that collectively use the TCP/IP protocol suite to allow devices on one network to automatically communicate with other devices that may be on the same or remote networks. Each such device is assigned an IP address for each active network interface, which allows network infrastructure components to automatically route traffic between target devices.
It is a general requirement that each such network interface be assigned an IP address that is unique across the entire Internet, although several blocks of IP addresses (for example those reserved by RFC 1918) have been set aside for use on interfaces that need not be reachable from outside the local network. Such private addresses are also referred to as “non-routable” addresses because routers on the public Internet do not carry routes to them: no path exists through the public network infrastructure by which traffic from a device on one network can reach an interface bearing a non-routable address on a remote network. As the Internet has grown, this technique has allowed the same private address blocks to be reused on many separate networks, which has helped to alleviate the growing shortage of publicly routable IP addresses, but it has also led to greater complexity as administrators sought alternative mechanisms to provide access to remote devices that lack routable addresses.
As the Internet has grown and security threats have increased, network administrators have also sought to limit access to devices under their administrative control by developing and deploying network filtering devices or applications (firewalls) that allow an administrator to specify which address and port combinations are granted or denied access, as required. Together, these two techniques (private addressing and traffic filtering) have helped ensure the growth and stability of the Internet, but at the cost of greatly increased complexity and cost for administrators wishing to provide seamless access to networked devices on networks outside their administrative control.
One existing mechanism to address this problem involves installing dedicated client software on a local networked device that allows it to function as part of a “virtual private network” (VPN), in which the local device is allowed to act as if it were a member of the remote network. When using such a VPN system the local host is assigned an IP address on the remote network, and all traffic to and from hosts on the remote network is automatically routed through the VPN tunnel.
This technique works, but the approach suffers from several shortcomings. A VPN system must first be set up by the administrator of the remote network. Once that is done, specialized client software must be installed on each external device that wishes to access the VPN system (if this is not done, the system can provide only limited, clientless access, for example through a web browser interface). In addition, appropriate security credentials must be generated by the remote administrator and then distributed and maintained by the local administrator and users, all of which places a significant administrative burden on all parties to the operation. As a final drawback, once a local host is granted VPN access, it will generally have access to all devices on the remote network unless additional filtering steps are taken to prevent this, an exposure the remote administrator may not desire.
Another technique to overcome the problems of non-routable addresses is to perform so-called “network address translation” (NAT), which involves configuring border routers to automatically rewrite address/port combinations in passing traffic, mapping routable addresses to non-routable ones and back. This technique does allow a single publicly routable IP address to provide access to multiple devices with non-routable addresses, but only at the cost of increased system complexity. NAT-enabled networks do not generally allow incoming connections unless mappings have been pre-configured from specific address/port combinations on the public side to specific internal devices, and such static mappings may in turn conflict with software that attempts to use default or non-standard address/port combinations.
A major issue with each of these solutions is the challenge of setting initial configuration parameters, and of updating or modifying system settings or parameters once equipment has been placed into service in remote locations. This issue becomes more acute as the number of configured devices grows.
Given these challenges, there exists a need for a mechanism that allows simplified and automated configuration of remote devices without the use of dedicated hardware (such as laptops or local PC devices) or host software, and without requiring network administrator privileges on the remote network to set up, maintain or operate the solution.