The present invention relates to methods and apparatus for processing data within a computer network. More specifically, this invention relates to mechanisms for forwarding packets that either request or provide shared services that are available to a plurality of Virtual Private Networks (VPNs) via a service provider network.
For a particular computer to communicate with other computers or web servers within a network (e.g., the Internet), the particular computer must have a unique IP address. IP protocol version 4 specifies 32 bits for the IP address, which theoretically gives about 4,294,967,296 unique IP addresses. However, there are actually only between 3.2 and 3.3 billion available IP addresses since the addresses are separated into classes and set aside for multicasting, testing and other special uses. With the explosion of the Internet, the number of IP addresses is not enough to give each computer a unique IP address.
One solution for addressing computers with the limited number of IP addresses is referred to as network address translation (NAT). NAT allows an intermediary device (e.g., computer, router or switch) located between the Internet network and a local network to serve as an agent for a group of local computers. A small range of IP addresses or a single IP address is assigned to represent the group of local computers. Each computer within the local group is also given a local IP address that is only used within that local group. However, the group's local IP addresses may be a duplicate of an IP address that is used within another local network. When a local computer attempts to communicate with a computer outside the local network, the intermediary device matches the local computer's local IP address to one of the intermediary device's assigned EP addresses. The intermediary device than replaces the local computer's local address with the matched assigned IP address. This matched assigned IP address is then used to communicate between the local computer and the outside computer. Thus, NAT techniques allow an IP address to be duplicated across local networks.
In addition to IP addresses, a packet may also contain address(es) embedded in the payload that require translation. Particular applications may embed address(es) in the payload for various application specific purposes. The current approach for supporting applications which embed IP addresses in the payload (e.g., DNS (domain name server), FTP (file transfer protocol), H.225/H.245) in a NAT environment is to add application-specific knowledge within the NAT device itself. This approach is described in detail in the Internet Engineering Task Force's Request for Comments document RFC 2663, entitled IP “Network Address Translator (NAT) Terminology and Considerations” by P. Srisuresh and M. Holdrege of Lucent Technologies (August 1999), which document is incorporated herein by reference in its entirety.
An enterprise network is typically a private network associated with an enterprise such as a company or business. In order for an enterprise network to communicate with a service provider network or the Internet, a NAT device intercepts packets and performs network address translation on packets prior to forwarding them to the intended recipient. While an enterprise network may be implemented at a single location or site, an enterprise network is often implemented in physically disparate locations. In other words, multiple sites associated with a single enterprise (e.g., company) may be seen by a service provider network as a single network. This is accomplished through associating each enterprise (e.g., business or customer) with a virtual private network (VPN). In this manner, multiple customer sites associated with a single enterprise may be seen as a single entity by a service provider.
In accordance with various prior art mechanisms, each enterprise (e.g., customer) may be identified with a virtual private network. Each enterprise site typically uses private addresses which are not recognized by the service provider. As a result, a NAT device is typically used to translate addresses of packets transmitted between the enterprise and the Service Provider network.
Various companies and enterprises may have services that they want to offer or share with customers or partners. Thus, a service provider may wish to offer services (i.e., shared services) to multiple enterprise customers. For instance, such shared services may include Voice over IP, Voice Gatekeeper, and Internet access. Thus, clients accessing these shared services offered by the Service Provider should be uniquely addressable. While IPv6 promises an IP address space that exceeds the connectivity needs of the foreseeable future, IPv6 is still in its early phases of deployment. As a result, enabling enterprise clients to be uniquely addressable is typically accomplished through NAT.
Typically, the NAT device is implemented at each enterprise site. As a result, a pool of public addresses must typically be pre-allocated to each enterprise customer. In addition, since a NAT device is typically placed at each enterprise site, implementing NAT by an enterprise having multiple sites can be unwieldy, as well as costly.
In view of the above, it would be beneficial if improved techniques for providing NAT could be implemented.