Network Address Translation (NAT) technology allows a gateway or router device to use a particular set of Internet protocol (IP) addresses for internal private message traffic and a different set of IP addresses for external public message traffic. To this end, administrative entities map the private addresses to public addresses and further map a particular port on the router's public interface to a specific device in the private network. This mapping technique is known as port address translation.
For example, to enable an “outbound session”, wherein a source device in a private network tries to communicate with a destination device that is outside of the private network, a router device typically allocates a Transmission Control Protocol (TCP) or User Datagram Protocol (UDP) source port for use during the outbound session. The router then replaces the source IP address for each source packet (from a device within the private network) with the IP address of the external or Internet adapter on the gateway device, and replaces the source TCP or UDP port number of the packet with the allocated source port number. In this manner, the gateway device dynamically maps the IP address and source port of the source device to a different IP address and source port (port/address translation).
In the above example, if the destination device sends a response to the router, the port/address mapping that was created during the outbound session is used to restore the source's originating IP address and originating port number. The router then forwards the resulting packets to the correct device in the private network. External devices are unable to initiate connections with devices behind the routing device. In this manner, NAT provides a type of firewall by hiding internal IP addresses from the external devices.
A substantial amount of administrative effort is typically required both to facilitate peer-to-peer connections for devices that reside behind a NAT firewall, and to enable inbound communication sessions. An inbound communication session is where a source device that is not behind the firewall initiates communication with a specific resource that is behind the firewall. This means that a network administrator must typically configure a static NAT route, or static address/port mapping at the router to identify a protected resource's address and gateway port by which the resource can be accessed during an inbound session.
Just as routes to network devices that are behind a NAT gateway are dynamically and/or statically configured, the devices themselves are often dynamically and/or statically configured with network addresses, configuration data, other data, and the like. To illustrate this, consider that a Dynamic Host Configuration Protocol (DHCP) server such as a digital subscriber line (DSL) modem, a cable modem, and/or the like, may assign IP addresses as well as configuration data and other data to devices (“DHCP clients”) in a network. Unless a network address is permanently assigned to a specific network device, the DHCP server places an administrator-defined time limit on the address assignment, called a lease. (Permanent address assignment is generally referred to as a reservation.)
The lease is the length of time that a DHCP server specifies that a client device can use an assigned IP address. The lease ensures that network addresses are not wasted, because network addresses are typically a limited resource. Halfway through the lease period, to maintain the validity of its assigned IP address, a DHCP client must typically request a lease renewal, whereupon the DHCP server may extend the lease.
There are any number of reasons why the DHCP client device may not request lease renewal such as if the client device is malfunctioning, if it has been moved to another network segment, if the device has been retired, and/or the like. If the DHCP client does not request renewal of the lease, it expires. Upon lease expiration, the device's assigned IP address is returned to an address pool for reassignment to a different device.
DHCP network address management can cause a number of significant problems in a NAT protected network. One problem, for example, is that by expiring and reassigning network addresses, the security of the private network may be compromised. To illustrate this, consider that a NAT gateway is maintaining a particular address/port mapping to enable peer-to-peer communication between a protected resource behind the NAT firewall and a device that is on the other side of the firewall. The lease on the protected resource's network address expires, meaning that the address can no longer be used to access the protected resource.
At this point, the NAT route that is mapped at the gateway to the protected device is invalid. If the DHCP server reassigns the expired address to a different device (e.g., a payroll server, a client file server, and/or the like) before a network administrator has had an opportunity to update routing table(s) at the gateway to reflect the invalidated route, the invalid route may be used by a device that is not behind the firewall to gain unauthorized and potentially damaging access to the different device.
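The stale-route hazard in the two paragraphs above, worked through as an added example (not part of the original text): a toy gateway holds a static inbound port mapping, a DHCP lease table records which device (by MAC) currently holds each private address, and a checked lookup refuses to forward once the lease has expired or the address has been handed to a different device. All addresses, MACs, ports and timestamps are constructed sample values.

```python
from dataclasses import dataclass


@dataclass
class Lease:
    mac: str          # device (by MAC) that currently holds the address
    expires_at: int   # lease expiry as a constructed epoch timestamp


@dataclass
class Mapping:
    internal_ip: str
    internal_port: int
    bound_mac: str    # device the administrator created the mapping for


def naive_forward(mappings, ext_port):
    """Classic inbound lookup: trusts the private IP in the mapping."""
    m = mappings.get(ext_port)
    return (m.internal_ip, m.internal_port) if m else None


def checked_forward(mappings, leases, ext_port, now):
    """Forward only while the mapped IP is still leased to the bound device.
    Returns (destination, reason); destination is None when the packet is dropped."""
    m = mappings.get(ext_port)
    if m is None:
        return None, "no mapping"
    lease = leases.get(m.internal_ip)
    if lease is None or lease.expires_at <= now:
        return None, "lease expired: mapping is stale"
    if lease.mac != m.bound_mac:
        return None, "address reassigned to " + lease.mac + ": mapping is stale"
    return (m.internal_ip, m.internal_port), "ok"


def scenario():
    """Sequence from the text: mapping valid, lease lapses without renewal,
    DHCP reassigns the address to another server, mapping is now stale."""
    mappings = {8443: Mapping("10.0.0.25", 443, "aa:bb:cc:00:00:01")}
    leases = {"10.0.0.25": Lease("aa:bb:cc:00:00:01", expires_at=3600)}
    before = (naive_forward(mappings, 8443),
              checked_forward(mappings, leases, 8443, now=1000))
    # Lease expired; DHCP hands 10.0.0.25 to a different device (constructed MAC).
    leases["10.0.0.25"] = Lease("aa:bb:cc:00:00:99", expires_at=7200)
    after = (naive_forward(mappings, 8443),
             checked_forward(mappings, leases, 8443, now=4000))
    return before, after


if __name__ == "__main__":
    print(scenario())
```

The naive gateway keeps forwarding inbound traffic on port 8443 to whichever device now holds 10.0.0.25, which is exactly the exposure the text describes; the checked lookup drops it and names the cause, which is also the condition a monitoring rule would alert on.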
The following described systems, apparatus, and procedures address these and other problems of existing techniques to configure and manage device routes in networks.