In general, a public service is an application or service that is deployed in a public network and is offered to a number of different subscribers who may or may not have any relationship between them. Some public services allow for direct interaction between the subscribers. Furthermore, some public services may be characterized by the nature of a loose coupling between control signaling (which sets up data paths) and data exchange (where actual data is exchanged over the data paths). In other words, the control signals and the data may be separated from each other. A public service offers significant advantages to the subscribers because the subscribers may avoid the cost and time that would otherwise be incurred in setting up and maintaining some comparable communication services. Without public services, specialized hardware and/or software that may be required by some comparable communication services can make the setup cost substantial. Moreover, highly trained or dedicated resources that are used to maintain and manage the services on a day-to-day basis may further add to the costs when providing those services in-house. These costs may be reduced, or even avoided, by using public services.
Generally speaking, trusted service subscribers are service subscribers of the public service who have a trusted relationship between them and such trusted relationship is independent of the public service itself. For example, the trusted subscribers can be subscribers located at different remote/branch offices of the same company. As such, secure communication paths are established between these trusted service subscribers to ensure that communication between them remains private and confidential. Subscribers of the public service who are not trusted subscribers are untrusted subscribers. Currently, to communicate amongst trusted subscribers without using public services, the trusted subscribers use their private Internet Protocol (IP) addresses. When using public services, the service subscribers, both trusted and untrusted, are accessible to each other by their public IP addresses.
A public IP address is an IP address that can be used by the public service or a service subscriber to access another service subscriber. Communication using a public IP address traverses a public communication path. In contrast, a private IP address is an IP address used only between trusted subscribers. The private IP address cannot be used to access an untrusted subscriber. Thus, a public service message, such as a public service request or a public service response, does not contain any private IP address. Communication using a private IP address traverses a secure communication path.
The two types of communication paths, namely, public communication paths and secure communication paths, mentioned above are defined as follows in the current document. A public communication path is a communication path used between any service subscribers of the public service, where public IP addresses are used to access the service subscribers. In contrast, a secure communication path is a communication path used by trusted service subscribers, not untrusted service subscribers. Techniques such as traffic segregation, authentication, and encryption may be employed by the secure communication path to prevent access by untrusted service subscribers. Communication over the secure communication path uses private IP addresses. One example of a secure communication path is a Virtual Private Network (VPN) tunnel. Furthermore, the secure communication path may or may not use the public communication path as its underlying transport.
Although there are substantial cost savings in using public services for communication, one major drawback of using public services is that the communication path taken when interacting with trusted subscribers is essentially no different from that used when interacting with untrusted subscribers. Typically, service subscribers that are behind a security appliance are accessible by a public IP address decided by the security appliance. A security appliance is an entity that manages both public and private IP address usage, establishes secure communication paths, and maintains the secure communication paths. When performing Network Address Translation (NAT), some conventional security appliances are responsible for choosing the public or the private IP address to indicate the source and/or destination of a message. Furthermore, some conventional security appliances are also capable of establishing secure communication paths with peer security appliances.
According to some conventional approaches, the private IP addresses of the service subscribers are not exposed or revealed by security appliances to untrusted service subscribers. When using a public service, some conventional security appliances may only use public IP addresses because the public service serves both trusted and untrusted service subscribers and the conventional security appliances may not be able to distinguish trusted subscribers from untrusted subscribers. Even if a secure communication path exists, under some conventional approaches it is not used between trusted service subscribers when they interact through a public service, because communication between these trusted subscribers is accomplished using their public IP addresses.
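The following Python model is an added illustration, not part of the original document, of the conventional security appliance behaviour described above: a direct exchange between trusted subscribers rides the secure communication path with private IP addresses, while anything else, including all traffic relayed through a public service, is translated to public IP addresses and takes the public communication path. The subscriber names, addresses and the trust table are constructed assumptions; the documentation-range addresses stand in for real public IPs.

```python
import ipaddress
from dataclasses import dataclass, field

# RFC 1918 ranges, i.e. the private addresses a public service message must not carry.
# Checked explicitly rather than via ip_address().is_private, which also flags the
# documentation ranges used below as stand-ins for public addresses.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Subscriber:
    name: str
    private_ip: str   # used only over the secure communication path
    public_ip: str    # address the fronting security appliance exposes via NAT
    site: str         # which security appliance fronts this subscriber

@dataclass
class SecurityAppliance:
    site: str
    trusted_sites: set = field(default_factory=set)  # peer sites reachable by a VPN tunnel

    def select_path(self, src, dst, via_public_service):
        """Return (path, source address, destination address) for a message from src to dst."""
        trusted = dst.site == self.site or dst.site in self.trusted_sites
        if trusted and not via_public_service:
            return ("secure", src.private_ip, dst.private_ip)
        # The public service serves trusted and untrusted subscribers alike, so the
        # conventional appliance falls back to public addresses even for a trusted peer.
        return ("public", src.public_ip, dst.public_ip)

def leaks_private_address(message):
    """True if any IP literal in a public service message is an RFC 1918 address."""
    for token in message.split():
        try:
            addr = ipaddress.ip_address(token.strip(".,;:()"))
        except ValueError:
            continue
        if any(addr in net for net in RFC1918):
            return True
    return False

# Constructed subscribers: two offices of one company plus an unrelated subscriber.
HQ = Subscriber("hq-host", "10.1.0.5", "203.0.113.10", "hq")
BRANCH = Subscriber("branch-host", "10.2.0.7", "198.51.100.20", "branch")
OTHER = Subscriber("other-host", "10.9.0.3", "192.0.2.30", "other")

def demo():
    fw = SecurityAppliance("hq", trusted_sites={"branch"})
    return {
        "direct_trusted": fw.select_path(HQ, BRANCH, via_public_service=False),
        "direct_untrusted": fw.select_path(HQ, OTHER, via_public_service=False),
        "service_trusted": fw.select_path(HQ, BRANCH, via_public_service=True),
    }
```

The third case is the drawback the text describes: the same trusted pair that would use the VPN tunnel directly is routed over the public path, with only public addresses, as soon as the public service sits in between.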