1. Field of the Invention
The present invention is directed to digital communications networks. More specifically, the invention is directed to digital communications networks which use Network Address Translation systems to translate between IP addresses in a private network and IP addresses in a public network.
2. Background of the Related Art
As it is known in the art, network communication processes are divided into multiple standardized stages, or layers, and each layer is assigned a specific task necessary for network communication. A widely used network communication standard is the Open System Interconnection (OSI) standard developed by the International Standards Organization (ISO). The OSI communication model 110 shown in FIG. 1 divides network communication into seven layers 120-180. Each layer has a predefined, standardized mechanism for communicating with the layer immediately above it and immediately below it. In this manner, any layer may be modified or optimized without requiring modification of any other layer as long as the same standardized mechanism is used to communicate with adjacent layers.
The first layer 120 is the physical layer and it describes the hardware medium for transmitting and receiving a logic 1 and a logic 0. The second layer 130 is the data link layer and it translates messages into the correct format for the physical layer 120 to transmit, and translates messages received by the physical layer 120 into a form the upper layers can understand. Basically, the data link layer 130 formats messages into data frames that encapsulate the messages and adds customized information, including a CRC code, destination address information, and source address information. The third layer 140 is the network layer and its main function is to direct data from a source network to a destination network, typically using a network address or similar unique indicia. This third layer 140 is sometimes called the Internet Protocol or IP layer since its job is basically to route messages and provide a standard network interface for the upper layers.
The fourth layer 150, the transport layer, manages end-to-end control of communications links, e.g., determining whether all packets have arrived, and implements error-checking and data integrity features. A common protocol used here is the Transmission Control Protocol. The fifth layer 160 is often called the session layer. This layer sets up, coordinates, and terminates conversations, exchanges, and dialogs between applications on each side of the end-to-end connection. The presentation or syntax layer 170, layer six, is usually part of an operating system and converts incoming and outgoing data from one presentation format to another. Finally, layer seven, the application layer 180, is the layer at which communication partners are identified, quality of service is identified, user authentication and privacy are considered, and any constraints on data syntax are identified.
As a part of the network layer described above, digital communication networks such as the Internet provide communication services using addressable data packets. That is, when a computer system associated with a server on the Internet sends data to a system associated with a different server, it provides packets of the data to a router in the server. A router is a device or software package, connected between a network and a source of network traffic such as a server or the like, that determines where to send traffic generated by the server. The router adds to the packets, inter alia, a source address of the system which generated them and a destination address of the system where they are to be received, and sends them out onto the network. Different packets may take different paths to reach the destination. At every server node the packets pass through, they are received and forwarded in the best direction toward the receiver system by routers in the nodes. This may entail consulting tables within the router to determine the best router to which to forward an incoming packet, determining the best router to handle a given type of traffic, determining the best router to handle a given volume of traffic, and the like.
Destinations of packets are represented by thirty-two-bit IP addresses that are typically written as a string of four eight-bit, decimally represented numbers such as 127.58.123.1. The significance of fields in IP addresses, the method of assigning them, distributing, accessing and handling them and the like are known in the art and are not relevant to the present invention; thus, they will not be described in greater detail herein.
For a number of reasons, it is often desirable for a local network, i.e., a physically relatively small network having end systems connected thereto, to be able to have an addressing system different from that of a larger distributed network (such as the Internet) to which the local network is connected. For example, the use of different addressing systems inside and outside the local network adds to the security of the local network because there is typically only a random, statically or dynamically assigned, relationship between end system IP addresses as seen within the network (the private addresses) and those as seen outside of the network (the public addresses). This makes tracing and similar hacking activities difficult. Further, although some local networks may host many end systems, only a few of them at a time will need access outside the local network, e.g., to the Internet. Thus, rather than providing each end system with its own unique IP address, the router may simply map requests from end systems for Internet connections to a few IP addresses (or even a single address) assigned to the entire local network on an ad hoc basis.
One way to implement this ability is through the use of a Network Address Translator (NAT) device. Generally speaking, network address translation is the process of translating from an IP address used in one network to an IP address used in another network. In this arrangement, the local or private network is typically called the inside network, while its counterpart is called the outside network. The NAT device is typically a hardware device or computer-based software package that is part of a router. FIG. 2 shows a typical NAT arrangement. Here, a remote system 10 is connected via a public network 15 to a NAT 20 in a local/private/inside network 30 between the public network 15 and end systems 40 within the private network 30. The NAT 20 includes an address mapping table 25 for mapping traffic between end systems 40 and remote systems 10 on the public network 15.
The end systems 40 communicate with a network application server 50 via an application control signaling connection such as Megaco/H.248 or the like. The network application server 50 controls the establishment of the service by the end systems 40 and controls the address substitution being done on the packets by the NAT 20. Alternatively, the network application server 50 may be eliminated. In this case, the NAT 20 will make address substitutions based on its own stateful inspection.
Consider now the process of translating outgoing traffic from the local network 30 as shown in FIG. 3. Here, a local end system 40 having an address on the private network 30 of, e.g., 5.5.5.5 (its “inside local” address) wishes to send data to a remote system 10 having an outside address of, e.g., 10.10.10.10 (its “outside global” address). The local end system 40 sends the data to the NAT 20 along with an indication that the data is from inside address 5.5.5.5 and is intended for the remote system 10 at address 10.10.10.10. This may be done, e.g., by including source and destination address fields of 5.5.5.5 and 10.10.10.10 in the packets.
Upon receiving the data packets from the local end system 40, the NAT 20 inspects the packet headers and (in a simple case) by accessing its address mapping table 25 sees that the local end system 40 which has an inside address of 5.5.5.5 is directly mapped to an outside address of 20.20.20.20 (the “inside global” address of the end system 40). Thus, it replaces the inside source address of 5.5.5.5 in the packets with the outside address of 20.20.20.20. Then, the data packets may be released to the public Internet network 15.
Note the use of the terminology inside local address, inside global address, etc. above. These terms as used herein may be most easily remembered by noting that the first word indicates the network, private (inside) or public (outside), to which the address applies, while the second word indicates whether the address is being used by a system connected to the private (local) or public (global) network. Thus, an outside local address is an address used by an end system 40 on the private network 30 to address a system connected to the public Internet 15.
In the reverse operation shown in FIG. 4, receiving data from outside the local network 30, the NAT 20 receives data packets which have a source address of 10.10.10.10 and a destination address of 20.20.20.20. The NAT 20 looks in its address mapping table 25 and finds that the outside address 20.20.20.20 is mapped to the inside address of 5.5.5.5. The NAT 20 performs these substitutions in the packet headers (other manipulations may be necessary as well, such as recalculating checksums and the like) and passes the packets on to the end system 40.
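The outbound translation of FIG. 3 and the reverse translation of FIG. 4, including the checksum recalculation the text mentions, can be shown concretely. The following is an added example (not code from the original document) that builds a minimal IPv4 header, rewrites its source or destination address from a static mapping table using the page's sample addresses (5.5.5.5, 10.10.10.10, 20.20.20.20), and recomputes the RFC 791 header checksum. The class name `SimpleNat` and the helper names are hypothetical; unmapped inbound packets are rejected rather than forwarded, which is the safe default for a translator that has no table entry.

```python
import socket
import struct

# Constructed mapping table: inside local -> inside global, as in the page's example.
ADDRESS_MAPPING_TABLE = {"5.5.5.5": "20.20.20.20"}


def ip_checksum(header: bytes) -> int:
    """One's-complement sum of 16-bit words (RFC 791). Returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int = 0, proto: int = 6) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a correct checksum."""
    hdr = struct.pack(
        "!BBHHHBBH4s4s",
        0x45, 0, 20 + payload_len, 0x1234, 0, 64, proto, 0,  # checksum field zeroed
        socket.inet_aton(src), socket.inet_aton(dst),
    )
    return hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]


def parse_addresses(header: bytes) -> tuple:
    """Return (source, destination) dotted-quad strings from an IPv4 header."""
    return socket.inet_ntoa(header[12:16]), socket.inet_ntoa(header[16:20])


def rewrite_header(header: bytes, new_src: str = None, new_dst: str = None) -> bytes:
    """Substitute addresses and recompute the header checksum, as the NAT must."""
    src, dst = parse_addresses(header)
    src, dst = new_src or src, new_dst or dst
    body = header[:10] + b"\x00\x00" + socket.inet_aton(src) + socket.inet_aton(dst) + header[20:]
    return body[:10] + struct.pack("!H", ip_checksum(body[:20])) + body[12:]


class SimpleNat:
    """Static one-to-one translator over an address mapping table (hypothetical name)."""

    def __init__(self, table: dict):
        self.table = dict(table)                       # inside local -> inside global
        self.reverse = {v: k for k, v in table.items()}  # inside global -> inside local

    def outbound(self, header: bytes) -> bytes:
        """FIG. 3: replace the inside local source address with the inside global one."""
        src, _ = parse_addresses(header)
        if src not in self.table:
            raise KeyError("no mapping for inside address %s; packet dropped" % src)
        return rewrite_header(header, new_src=self.table[src])

    def inbound(self, header: bytes) -> bytes:
        """FIG. 4: replace the inside global destination with the inside local address."""
        _, dst = parse_addresses(header)
        if dst not in self.reverse:
            raise KeyError("no mapping for outside address %s; packet dropped" % dst)
        return rewrite_header(header, new_dst=self.reverse[dst])


if __name__ == "__main__":
    nat = SimpleNat(ADDRESS_MAPPING_TABLE)
    out = nat.outbound(build_ipv4_header("5.5.5.5", "10.10.10.10"))
    print("outbound:", parse_addresses(out), "checksum ok:", ip_checksum(out) == 0)
    back = nat.inbound(build_ipv4_header("10.10.10.10", "20.20.20.20"))
    print("inbound:", parse_addresses(back), "checksum ok:", ip_checksum(back) == 0)
```

Because the checksum is a one's-complement sum, `ip_checksum()` over a header that already carries a correct checksum returns 0, which is a convenient validity check after every rewrite; a real translator must also fix the TCP or UDP pseudo-header checksum, which this header-only example does not cover.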
As noted above, FIGS. 3 and 4 represent perhaps the simplest cases of NAT 20 operation. Variations are of course possible and in fact are more common. For example, in the above system the NAT 20 performed a mapping of the end system 40. There was no need to map the remote system 10, since it is connected to the public network 15 and is expected to have a unique address, in contrast to the end system 40 which has an address from a subset reserved for use by private systems. The private address is not unique and may be reused by other private networks, but the public address should be usable in both public and private networks.
In some cases, however, it may be desirable to map both the address of the end system 40 and the address of the remote system 10. For example, this may be necessary if the private network allocates addresses outside of the private use subset and causes a conflict with public addresses. This situation is usually avoided; however, it may still happen if, e.g., there is a merger of companies so that two divisions have conflicting addresses.
It will be understood that as used herein and in the appended claims, the address mapping table 25 is intended to include not only tables or other data structures having entries associating inside and outside IP addresses but other functionality enabling a similar operation, e.g., functionality for randomly or round robin association of a group of addresses and the like.
Also, the end system 40 may not have an outside address specifically associated with it. In that case, if the private network 30 has multiple outside IP addresses allocated to it, it may select one of the allocated outside IP addresses for temporary association with the end system 40. As above, the selected outside address can be associated with the end system 40 in an entry in the address mapping table 25 and, once the session between the end system 40 and the remote system 10 is completed, the entry may be deleted and the outside address reallocated to the pool.
Rather than selecting an IP address at random from the pool, the NAT 20 may, for load balancing purposes, choose addresses on a round robin basis.
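The dynamic behaviour described in the last two paragraphs, temporary association of a pooled outside address with an end system, deletion of the entry when the session completes, and a choice between random and round-robin selection, is shown in the following added example (not code from the original document). The class name `AddressPool` and the pool addresses 20.20.20.1 and 20.20.20.2 are constructed for illustration; the random policy is seeded only so that runs are reproducible.

```python
import random
from collections import deque


class AddressPool:
    """Outside IP addresses allocated to a private network, bound to end systems
    on demand and returned to the pool when the session ends (hypothetical name)."""

    def __init__(self, outside_addresses, policy="round_robin", seed=0):
        if policy not in ("round_robin", "random"):
            raise ValueError("unknown policy %r" % policy)
        self.free = deque(outside_addresses)  # unbound outside addresses, in order
        self.policy = policy
        self.rng = random.Random(seed)        # seeded only for reproducibility
        self.table = {}                       # active entries: inside local -> inside global

    def allocate(self, inside_addr: str) -> str:
        """Return the outside address bound to inside_addr, binding a free one if needed."""
        if inside_addr in self.table:
            return self.table[inside_addr]    # an existing session keeps its binding
        if not self.free:
            # Exhaustion is a failure mode worth logging: one end system opening many
            # sessions, or many end systems at once, can starve the rest of the network.
            raise RuntimeError("address pool exhausted; cannot bind %s" % inside_addr)
        if self.policy == "round_robin":
            outside = self.free.popleft()     # least recently returned address first
        else:
            idx = self.rng.randrange(len(self.free))
            outside = self.free[idx]
            del self.free[idx]
        self.table[inside_addr] = outside
        return outside

    def release(self, inside_addr: str) -> None:
        """Delete the table entry at session end and reallocate the address to the pool."""
        outside = self.table.pop(inside_addr)
        self.free.append(outside)             # appended at the tail to keep rotation order

    def lookup_inside(self, outside_addr: str):
        """Reverse lookup used for inbound packets; None means no active session."""
        for inside, outside in self.table.items():
            if outside == outside_addr:
                return inside
        return None


if __name__ == "__main__":
    pool = AddressPool(["20.20.20.1", "20.20.20.2"])
    print(pool.allocate("5.5.5.5"), pool.allocate("5.5.5.6"))  # 20.20.20.1 20.20.20.2
    pool.release("5.5.5.5")
    print(pool.allocate("5.5.5.7"))                            # 20.20.20.1 again
    print(pool.lookup_inside("20.20.20.2"))                    # 5.5.5.6
```

With the round-robin policy the pool is a FIFO, so a released address is handed out only after every other free address has been used, which is the load-balancing effect the text describes; the reverse lookup returning None is what lets the translator drop inbound traffic for an address that no longer has a session.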