1. Field of the Invention
The present invention relates generally to an improved data processing system. More specifically, the present invention is directed to a computer implemented method, system, and computer usable program code for encapsulating transmission control protocol in transmission control protocol to consolidate transmission control protocol ports.
2. Description of the Related Art
Today, most computers are connected to some type of network. A network allows a computer to share information with other computer systems. The Internet is one example of a computer network. The Internet is a global network of computers and networks joined together by means of gateways that handle data transfer and the conversion of messages from a protocol of the sending network to a protocol used by the receiving network. On the Internet, any computer may communicate with any other computer with information traveling over the Internet through a variety of languages, also referred to as protocols. Typically, the Internet uses a set of protocols called Transmission Control Protocol/Internet Protocol (TCP/IP).
Using transmission control protocol (TCP), applications on networked hosts may create connections to one another, over which they may exchange streams of data using stream sockets. TCP guarantees reliable and in-order delivery of data from sender to receiver. Also, TCP distinguishes data for multiple connections by concurrent applications, such as, for example, a Web server and an e-mail server, running on the same host.
TCP checks to make sure that no packets are lost during transmission by giving each packet a sequence number, which is also used to make sure that the data is delivered to the entity at the other end in the correct order. The TCP module at the receiving end sends back an acknowledgement for packets which have been successfully received. A timer at the sending TCP will cause a timeout if an acknowledgement is not received within a reasonable round-trip time. Lost data is then re-transmitted.
In addition, TCP checks that no bytes are corrupted during transmission by using a checksum. A checksum is computed at the sender for each block of data before the data is transmitted. Then, the checksum is checked at the receiver to make sure the data is the same.
A port number is a special number present in a header of a data packet. Port numbers are typically used to map data to a particular process running on a computer. In TCP, each packet header will specify a source port number and a destination port number, as well as specifying the source and destination IP addresses among other things. A process may “bind” to a particular port to send and receive data. Binding to a particular port means that the process will listen for incoming packets whose destination port matches that port number and/or send outgoing packets whose source port is set to that port number.
Because the port number forms part of the packet header, the port number is readily interpreted not only by the sending and receiving computers, but also by other aspects of the networking infrastructure. In particular, firewalls are commonly configured to respond differently to packets depending on their source and/or destination port numbers. In other words, a firewall may allow certain port numbers to pass through the firewall, while preventing other port numbers from passing through.
Processes implement connections to TCP ports by means of sockets. A socket is a transport end-point, which a process may create and then bind to a socket address. In TCP, a socket address consists of a combination of a port and an IP number.
Current systems require that each port used for every TCP connection must be enabled in the firewall. Enabling each port for every TCP connection creates multiple “punchthroughs” in the firewall. Punchthrough or hole punching is a technique to establish communication between two devices that are behind one or more restrictive firewalls. Creating multiple punchthroughs in the firewalls creates an increased security risk to any system.
Typically, clients have setups in which multiple ports are in use for multiple TCP connections. Specifically, clients need such setups because, for security reasons, other clients connect to these clients to retrieve data from the server rather than connecting to the server directly. A problem with this type of setup is that multiple ports are enabled in the firewall, which may prove to be a high security risk. Ideally, clients want to open as few ports as possible in the firewall for increased security.
A present solution to this type of problem is to intercept a request to connect to a “hidden” port and store a mapping between the “network visible” port and the hidden port. Then, the request is redirected to the hidden port via the stored mapping. A problem with this solution is that it involves increased overhead for rewriting protocol headers and recalculating checksums.
Another current solution is to use a “TCP tunnel” where all connections are made to one or more local ports. Then, those connections are forwarded to the other end, which may possibly be through a firewall, via a single TCP port. An application at this single port gathers all the data from various different ports and tunnels them through a single connection. A problem with this solution is that the application at the single port becomes a single point of failure. Also, congestion may occur because the rate of service is dependent on the rate at which this application may process data from various different connections feeding into it.
Therefore, it would be beneficial to have an improved computer implemented method, system, and computer usable program code for multiplexing multiple TCP connections onto a single connection by encapsulating TCP in TCP to consolidate TCP ports, thus enabling only one open port in the firewall for increased network security.
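The following is an added illustration, not code from the patent, of the consolidation idea in the tunnel discussion and the preceding paragraph: data for several inner connections, each bound for its own hidden port, is wrapped in records and carried over a single outer TCP stream, then split back out at the far end. The record layout, the `ALLOWED_PORTS` policy and the function names are assumptions for this example; the outer stream is modelled as bytes so the example runs offline.

```python
import struct

# Constructed framing for this example (not the patent's wire format): each
# chunk of an inner connection's data is wrapped in a record carrying the
# hidden destination port it is meant for, a stream id that distinguishes
# concurrent inner connections, and a payload length.
HEADER = struct.Struct("!HHH")  # dest_port, stream_id, length (big-endian)
MAX_PAYLOAD = 65535

# Hidden ports the demultiplexer may forward to (assumed policy): the one
# open firewall port should not become an unrestricted forwarder.
ALLOWED_PORTS = {25, 80, 443}

def encapsulate(dest_port, stream_id, payload):
    """Wrap one chunk of an inner connection's data into a tunnel record."""
    if not 0 < dest_port < 65536 or not 0 <= stream_id < 65536:
        raise ValueError("port or stream id out of range")
    if len(payload) > MAX_PAYLOAD:
        raise ValueError("payload too large for one record")
    return HEADER.pack(dest_port, stream_id, len(payload)) + payload

def demultiplex(buf):
    """Parse every complete record in buf.

    Returns (records, remainder): records is a list of
    (dest_port, stream_id, payload); remainder holds a trailing partial
    record, since the outer TCP stream may split records across reads.
    Records addressed to ports outside ALLOWED_PORTS are dropped.
    """
    records, off = [], 0
    while len(buf) - off >= HEADER.size:
        dest_port, stream_id, length = HEADER.unpack_from(buf, off)
        end = off + HEADER.size + length
        if end > len(buf):
            break  # incomplete record: wait for more bytes
        payload = buf[off + HEADER.size:end]
        if dest_port in ALLOWED_PORTS:
            records.append((dest_port, stream_id, payload))
        off = end
    return records, buf[off:]

def tunnel_roundtrip(segments):
    """Consolidate several inner segments onto one outer stream, then
    deliver that stream in two reads split mid-record to show reassembly."""
    outer = b"".join(encapsulate(p, s, d) for p, s, d in segments)
    first, rest = outer[:7], outer[7:]
    got, pending = demultiplex(first)
    more, pending = demultiplex(pending + rest)
    return got + more, pending
```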