1. Field of the Invention
The present invention relates to the technical field of network address translation and, more particularly, to a dynamic network address translation system and method for a transparent private network device.
2. Description of Related Art
In the Internet, an IP (Internet Protocol) address typically represents a device, and further represents the source and destination for transferring packets in the network. Currently, the most widely deployed IP technique is IPv4 (IP version 4), which is characterized by an address length of 32 bits. However, because the number of devices in the network is increasing so rapidly and the address length is fixed, the number of available public IP addresses is becoming insufficient. To overcome this problem, more and more devices are assigned private IP addresses (also known as virtual IP addresses) and utilize the NAT (Network Address Translation) technique to communicate with devices in the Internet.
The NAT technique translates the address of an IP packet from one address realm to another. It is typically applied to communication between two address realms, for example, between a public network (a network using public IP addresses, such as the Internet) and a private network (a network using private IP addresses).
The NAT router is a router located between two different address realms, and has two IP addresses associated with the two different address realms, respectively. Taking the address translation between the public network and private network as an example, the NAT router has a public IP address, known as an outer IP address, which can be correctly routed in the public network, and a private IP address, known as an inner IP address, which can be correctly routed in the private network.
The NAT table records the rules for performing address translation and the manner in which the translation is performed. When receiving an IP packet, the NAT router determines whether the source IP address or destination IP address in the header of the IP packet matches one of the address translation rules. If there is a match, an address translation is performed based on the content of the NAT table; otherwise, no address translation is performed.
There is also a NAPT (Network Address and Port Translation) technique, which is similar to the NAT technique except that the address part to be processed comprises an IP address together with a port number (a TCP port number or a UDP port number), instead of only an IP address as in the NAT technique. When a NAPT router receives an IP packet, it checks whether the [source IP address:source port number] or [destination IP address:destination port number] pair of the packet matches one of the address translation rules. If there is a match, an address translation is performed based on the content of the NAPT table; otherwise, no address translation is performed. With the NAPT technique, a plurality of devices in the private network can share a single public outer IP address (i.e., the outer IP address of the NAPT router) for communicating with devices in the public network.
The NAPT technique can normally process a private-network-originated connection, but not a public-network-originated connection. As noted above, the single outer IP address represents all devices in the private network. When an IP packet whose destination IP address is the outer IP address of the router is routed to the router, the router determines whether to perform a network address translation on this packet based on the content of the NAPT table and, if translation is done, routes this packet to the device in the public network. In the case of a connection originated from the public network, the device in the public network must first issue a connection request packet whose destination comprises a network address and a port number. However, the NAPT table contains no entry corresponding to that network address and port number, so the router does not perform an address translation. Although the packet is received by the router, the router rejects the connection request because it is unable to process a request for that port number, with the result that the public-network-originated connection cannot be routed normally to the device in the private network.
To overcome the aforementioned problem, RFC2663 proposes an extended network address translation system, known as bi-directional NAT, which utilizes a DNS-ALG (Domain Name System—Application Level Gateway) together with a NAT router to achieve bi-directional connection. However, this system suffers from the disadvantage that each public-network-originated connection must consume an additional public outer address.
Port forwarding is an alternative method for solving the public-network-originated connection problem. This method has been widely applied in IP sharing devices, that is, NAT routers installed at the ADSL or cable modem user side that allow one public outer IP address to be shared by a plurality of devices. The method utilizes the NAPT mechanism together with a pre-established NAPT table to make a specific port number of the router's outer IP address correspond to the same port number of a specific device in the private network. When a device in the public network sends a connection request packet to this specific port number of the NAPT router, the router performs a network address translation on the packet based on the content of the NAPT table, translating the destination IP address of the packet from the IP address of the router to the IP address of the specific device in the private network without changing the port number. The packet is thereby correctly routed to the specific device in the private network, completing the public-network-originated connection.
Unfortunately, the above system suffers from the disadvantage that the content of the NAPT table must be pre-established. Therefore, the services reachable by a public-network-originated connection are restricted to those provided through the pre-established port numbers. In particular, because a port number of the router's outer IP address can correspond to only one specific device in the private network, the other devices in the private network cannot be provided with connection service via that port number. For example, if there are 3 devices in a private network providing web services on TCP port number 80, only one device can have its TCP port 80 mapped to TCP port 80 on the external interface of the NAT router. This is the so-called port collision problem.
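The following is an added illustration and is not part of the patent text or of any product it describes. It models, in a few dozen lines, the NAPT behaviour described above: a router with one outer IP address, a table keyed on [IP address:port number] pairs, dynamic entries created for private-network-originated connections, and pre-established port-forwarding entries. The three demonstration functions reproduce the three situations discussed in the related art: a private-originated connection and its reply being translated in both directions, a public-originated request being dropped for lack of a table entry, and the port collision that results when three private hosts all offer a service on TCP port 80. All IP addresses and port numbers below are constructed sample values.

```python
"""Toy NAPT router (added example; not from the patent text).

Assumptions: one outer (public) IP, one private prefix, TCP/UDP ports only,
a single translation table and no entry expiry. Sample addresses are
constructed (documentation ranges 192.168.1.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port number)


@dataclass(frozen=True)
class Packet:
    src: Endpoint
    dst: Endpoint
    proto: str = "tcp"


class NaptRouter:
    def __init__(self, outer_ip: str, private_prefix: str, first_port: int = 40000):
        self.outer_ip = outer_ip          # public outer IP, routable in the Internet
        self.private_prefix = private_prefix
        self.next_port = first_port       # next outer port to hand out dynamically
        # NAPT table, kept in both directions for O(1) lookup:
        self.outbound: Dict[Endpoint, int] = {}   # (private ip, port) -> outer port
        self.inbound: Dict[int, Endpoint] = {}    # outer port -> (private ip, port)

    def is_private(self, ip: str) -> bool:
        return ip.startswith(self.private_prefix)

    def add_port_forward(self, outer_port: int, private_host: Endpoint) -> bool:
        """Pre-establish a static entry. Returns False on port collision:
        an outer port can map to only one private host."""
        if outer_port in self.inbound:
            return False
        self.inbound[outer_port] = private_host
        self.outbound[private_host] = outer_port
        return True

    def _allocate_port(self) -> int:
        while self.next_port in self.inbound:   # skip ports taken by static rules
            self.next_port += 1
        port = self.next_port
        self.next_port += 1
        return port

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Apply NAPT; return the translated packet, or None if it is dropped."""
        if self.is_private(pkt.src[0]):
            # Private -> public: create (or reuse) a dynamic table entry, then
            # rewrite the source to the shared outer IP and the allocated port.
            outer_port = self.outbound.get(pkt.src)
            if outer_port is None:
                outer_port = self._allocate_port()
                self.outbound[pkt.src] = outer_port
                self.inbound[outer_port] = pkt.src
            return replace(pkt, src=(self.outer_ip, outer_port))
        if pkt.dst[0] == self.outer_ip:
            # Public -> private: only a destination port already in the table is
            # translated; an unsolicited request has no entry and is rejected.
            target = self.inbound.get(pkt.dst[1])
            if target is None:
                return None
            return replace(pkt, dst=target)
        return pkt  # not addressed to this router's realm boundary; forward as-is


def demo_private_originated() -> Tuple[Packet, Packet]:
    """Outbound request gets a dynamic entry; the server's reply is mapped back."""
    router = NaptRouter("203.0.113.10", "192.168.1.")
    request = Packet(("192.168.1.20", 51000), ("198.51.100.5", 80))
    outbound = router.translate(request)
    reply = Packet(outbound.dst, outbound.src)   # server answers the outer address
    inbound = router.translate(reply)
    return outbound, inbound


def demo_public_originated() -> Optional[Packet]:
    """Unsolicited request to outer IP port 80 with no table entry is dropped."""
    router = NaptRouter("203.0.113.10", "192.168.1.")
    return router.translate(Packet(("198.51.100.5", 3344), ("203.0.113.10", 80)))


def demo_port_forwarding_collision() -> Tuple[List[bool], Endpoint]:
    """Three private web servers compete for outer port 80; only the first wins."""
    router = NaptRouter("203.0.113.10", "192.168.1.")
    results = [router.add_port_forward(80, (f"192.168.1.{n}", 80)) for n in (21, 22, 23)]
    delivered = router.translate(Packet(("198.51.100.5", 3344), ("203.0.113.10", 80)))
    return results, delivered.dst


if __name__ == "__main__":
    print(demo_private_originated())
    print(demo_public_originated())
    print(demo_port_forwarding_collision())
```

Running the script shows the outbound packet rewritten to (203.0.113.10, 40000), the reply mapped back to (192.168.1.20, 51000), `None` for the unsolicited public request, and `[True, False, False]` for the three port-forwarding attempts, with only 192.168.1.21 ever receiving port-80 traffic.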
U.S. patent publication 20010006523 discloses a “Method and system for communication to a host within a private network”, which provides an intermediate system in a sub-network of the public network that operates together with the domain name server. This intermediate system can inspect all packets from the sub-network and process them as appropriate (possibly performing a network address translation). Furthermore, specific channels are pre-established between the intermediate system and the NAPT router of the private network to be communicated with. A device in the sub-network can utilize the intermediate system and these channels to establish a connection to a specific private network. However, in this patent, each sub-network of the public network that requires such a function must be provided with its own intermediate system, and channels must be established between each intermediate system and every NAPT router it may connect to in the private network. As a result, the expandability of the system is unsatisfactory.
Therefore, it is desirable to provide an improved network address translation system and method to mitigate and/or obviate the aforementioned problems.