The present invention relates generally to communication networks. More particularly, the present invention provides for a network address translator that is configured to transmit packets via different modes of network address translation and to determine the appropriate mode of network translation to use for a packet.
Network Address Translation (NAT) is a term used to describe the method by which Internet Protocol addresses (IP addresses) used within one network are mapped (i.e., translated) to a different IP address known within another network, in an attempt to provide transparent routing to host computers. One network is designated the inside network and the other is the outside. Typically, a company maps its local inside network addresses to one or more global outside IP addresses and un-maps the global IP addresses on incoming packets back into local IP addresses. This helps ensure security since each outgoing or incoming request must go through a translation process that also offers the opportunity to qualify or authenticate the request or match it to a previous request. NAT also conserves on the number of global IP addresses that a company needs and it lets the company use a single IP address in its communication with the world.
Network Address Translation allows a single device, such as a gateway device or router, to act as an agent between the Internet (or “public network”) and a local (or “private”) network. This means that only a single, unique IP address is required to represent an entire group of hosts. The impetus towards increasing use of NAT comes from a number of factors including, a world shortage of IP addresses, security needs and ease and flexibility of network administration.
Traditionally NAT has two modes of operation—basic NAT and Network Address Port Translation (NAPT).
Basic NAT provides for a group of public host IP addresses to be assigned to a NAT gateway device. In implementation, basic NAT operates by providing for one to one mapping of private addresses to public addresses. This one to one mapping can either be done statically or dynamically. In static NAT, an unregistered IP address is mapped to a registered IP address on a one-to-one basis (i.e., the IP address of the host is always translated to the same address). In dynamic NAT, an unregistered IP address is mapped to a registered IP address from a group of registered IP addresses (i.e., the IP address of the host is translated to the first available address).
In contrast to basic NAT, NAPT maps all addresses in the private realm to a single public domain address. NAPT distinguishes network sessions coming from the same or different private IP addresses by mapping the private source IP address and the private source port to a unique public source port. In this regard, the data packets are translated on the basis of the unique public source port using a single public IP address. NAPT allows for mapping multiple private addresses to one public address by associating each host with a port (i.e., source IP and source port to source port mapping).
These two modes of operation, basic NAT and NAPT, both provide benefits to the network provider and/or network user. Basic NAT provides a one-to-one mapping/translation between the private address and the public address. However, basic NAT requires that a sizable pool of addresses be available for one-to-one mapping and, as such, basic NAT inherently has a poor IP address reusability factor. In this regard, basic NAT is only capable of supporting as many Virtual Private Network (VPN) connections as the number of public IP addresses available in the pool at any point in time.
NAPT, which maps all addresses in the private realm to a single public domain address, does not require the same magnitude of available public addresses. However, in the NAPT environment the need for fewer public addresses is offset by a system that offers limited functionality for certain protocols and applications, such as VPN.
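The two translation modes described above, basic NAT (static and dynamic one-to-one mapping from a pool) and NAPT (source IP and source port mapped to a unique public port on one address), are illustrated in the following added example, which is not part of the patent text. The addresses, pool size, and port range are constructed sample values; the example also shows the two failure modes noted above: a dynamic basic NAT refusing a new host once its pool is exhausted, and NAPT dropping an inbound packet that matches no existing session.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class BasicNat:
    """One-to-one translation backed by a pool of public addresses (constructed example)."""
    def __init__(self, pool, static=None):
        self.free = list(pool)                 # dynamic pool, first available is used
        self.fwd = dict(static or {})          # private ip -> public ip (static bindings)
        for pub in self.fwd.values():
            if pub in self.free:
                self.free.remove(pub)          # static bindings are not handed out dynamically
        self.rev = {pub: priv for priv, pub in self.fwd.items()}
    def outbound(self, pkt):
        pub = self.fwd.get(pkt.src_ip)
        if pub is None:
            if not self.free:
                return None                    # pool exhausted: the poor reusability of basic NAT
            pub = self.free.pop(0)
            self.fwd[pkt.src_ip], self.rev[pub] = pub, pkt.src_ip
        return Packet(pub, pkt.src_port, pkt.dst_ip, pkt.dst_port)   # port is untouched
    def inbound(self, pkt):
        priv = self.rev.get(pkt.dst_ip)
        return None if priv is None else Packet(pkt.src_ip, pkt.src_port, priv, pkt.dst_port)

class Napt:
    """Many-to-one: (private ip, private port) -> unique public port on a single address."""
    def __init__(self, public_ip, first_port=1024):
        self.public_ip = public_ip
        self.next_port = count(first_port)     # constructed port allocator
        self.fwd = {}                          # (priv_ip, priv_port) -> pub_port
        self.rev = {}                          # pub_port -> (priv_ip, priv_port)
    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.fwd:
            port = next(self.next_port)
            self.fwd[key], self.rev[port] = port, key
        return Packet(self.public_ip, self.fwd[key], pkt.dst_ip, pkt.dst_port)
    def inbound(self, pkt):
        key = self.rev.get(pkt.dst_port)
        if key is None:
            return None                        # no session owns this port: unsolicited, dropped
        return Packet(pkt.src_ip, pkt.src_port, key[0], key[1])
```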
Recent network advancements have attempted to provide the capability to implement both basic NAT and NAPT in one comprehensive network system. For example, U.S. Pat. No. 6,058,431, entitled “System and Method for Network Address Translation as an External Service in the Access Server of a Service Provider”, issued in the name of inventors Srisuresh et al., on May 2, 2000. The Srisuresh '431 patent describes an external network address translation service, which performs NAT and NAPT, concurrently. Essentially, this service is intended to reduce the cost of stub routers by removing the need for network address translation features in stub routers. In the Srisuresh '431 patent the basis of choosing NAT versus NAPT is the service agreed upon with the stub networks. This decision is made at the inception of the network connection and is fixed throughout the network session. Thus, the Srisuresh '431 patent does not teach a NAT versus NAPT decision process that is adaptable throughout the network session to accommodate the type of service desired by the network user.
Additionally, U.S. patent application publication number U.S. 2002/0010799, entitled “Communication Data Relay System and Method of Controlling Connectability Between Domains” by Kubota et al., published on Jan. 24, 2002, describes a relay system between two private local area networks. The teaching pertains to connectivity between different routing domains that might be implementing different routing protocols and/or routing data. The relay system requires address translation between the two LANs and similar address translation with the Internet. The publication teaches that the relay may perform basic NAT and NAPT, or IP masquerading, depending upon the address translation module, algorithm, and lookup table configured for each LAN. However, the Kubota publication does not teach an address translation process that chooses a mode of translation to efficiently or effectively allocate network addresses.
In the same regard, United States patent application publication number 2002/0087721, entitled “Duplicate Private Address Translating System and Duplicate Address Network System”, in the name of inventors Sato et al., published on Jul. 4, 2002, describes a duplicate network address translating device which provides translation between private addresses on independent private networks and a global address on the Internet. The device allows separate private networks to maintain duplicate IP addresses by using different protocols or by adding additional independent network address information. The disclosure teaches that basic network address translation (basic NAT) would be unable to communicate between private networks using duplicate identical IP addresses on each of the independent networks. However, the duplicate network address translating system described would perform network address translation (NAT) or network address port translation (NAPT) between the private networks and the Internet via a global address. The teaching relies on Virtual Local Area Network (VLAN) tags and Multi-Protocol Label Switching (MPLS) in combination with the source IP and source port to construct a translation table.
Thus, a need remains unfulfilled for an intelligent network address translator capable of improved connectivity, security, and flexible private network administration.