1. Field of the Invention
The present invention relates generally to an improved data processing system, and in particular, to a computer implemented method, data processing system, and computer program product for processing data packets in an interception proxy server without using a network address translation module.
2. Description of the Related Art
Proxy servers are generally known in the art and are available for common Internet services. A proxy server is a server or an application that breaks the connection between a client and a server and performs some operations on behalf of the original server. For example, an HTTP proxy is used for Web access, and an SMTP proxy is used for e-mail. As an example, a proxy server may perform the operation of network address translation (NAT), which presents one organization-wide IP address to the Internet. The network address translation funnels all user requests to the Internet and fans responses back out to the appropriate users. Proxies may also cache Web pages, so that the next request can be obtained locally.
A configuration of a conventional interception proxy server system which provides network address translations is shown in FIG. 1. With the interception proxy server system, a user's Transmission Control Protocol (TCP) request via Web browser 102 may be diverted by router 104 to proxy server 106 using a combination of Generic Routing Encapsulation (GRE) and Internet Protocol (IP) Network Address Translation (NAT). Generic Routing Encapsulation is a method for encapsulating and routing a payload packet. The payload packet is first encapsulated in a GRE packet. The resulting GRE packet is then encapsulated in some other delivery protocol and forwarded to its destination. Network Address Translation comprises the translation of an IP address used within one network to a different Internet Protocol address known within another network. For instance, a company may map the local IP address on an outgoing data packet to a global IP address outside of the company's local network, and unmap the global IP address on incoming data packets back into a local IP address. Proxy server 106 configures a network address translation module 108 within the proxy to redirect all TCP traffic for a particular port, such as port “80”, to the proxy.
Consider the example of a Web request which comprises a TCP packet containing a global destination address, “Google”, and a global port number, “80”. When the Web request “Google:80” passes router 104 and router 104 is aware of proxy server 106, router 104 encapsulates the TCP packet using generic routing encapsulator 110 and redirects the TCP packet from its intended destination address “Google:80” to proxy server 106. When the encapsulated packet arrives at proxy server 106, decapsulator 112 decapsulates the GRE packet. Decapsulation is typically performed in TCP/IP protocol stack 114. Proxy server 106 then applies NAT module 108 to convert the global destination address and port, “Google:80”, to a local destination address and port number for proxy server 106. For instance, the address may be translated to “local_ipname:5000”. This network address translation is commonly implemented using firewall software products such as IPFilter, which provide D-NAT (destination network address translation) and S-NAT (source network address translation) functionality as well as firewall services. Incoming packets to proxy server 106 are subject to a D-NAT rule, and the outgoing packets are subject to an S-NAT rule.
Although NAT module 108 allows proxy server 106 to convert an IP address from one network to another, a very busy proxy server 106 can incur substantial state maintenance overhead, because a large number of entries must be created and maintained. Specifically, proxy server 106 must perform a number of steps on an incoming GRE packet before the packet may be delivered to the destination server. Input processing 116 in TCP/IP protocol stack 114 receives the GRE packet and passes the packet to the firewall product (NAT module 108), since all incoming IP packets are scanned by the firewall. NAT module 108 returns the packet to input processing 116 without any modifications. Input processing 116 then passes the packet to the GRE protocol processor (decapsulator 112) for decapsulation.
If the decapsulation is successful, the GRE headers are stripped off and the “payload” packet is passed back to input processing 116 for processing of the “payload” packet. Input processing 116 validates the IP packet and passes it to the firewall. The firewall applies D-NAT to convert the destination IP address “Google” to a local IP address, and the destination port 80 to the local port on which the interception proxy server is listening. If a network address translation entry does not exist, the process creates one. If a network address translation entry exists, the process performs state maintenance and updates the TCP checksum. The modified packet is then passed to input processing 116 to continue processing of the packet. Input processing 116 then determines that the destination IP address belongs to one of the local interfaces, and input processing 116 passes the packet to TCP.
There are, however, several drawbacks to the interception proxy technique described above. One limitation is that NAT module 108 maintains an entry for each TCP connection. On a busy interception proxy server, the number of these connections can grow very large. NAT module 108 maintains state to decide when to expire these entries. In addition, current interception proxy techniques cause every incoming packet to be passed to the firewall twice. Also, for outgoing TCP packets, input processing 116 passes the TCP packet to the firewall to perform source network address translation.
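The following Python model is added here as an illustration of the packet path and the drawbacks described in the preceding paragraphs; it is not part of the application and is not the code of IPFilter or any other product named above. It builds a client TCP SYN, encapsulates it in GRE the way router 104 would, and then runs it through the proxy's input processing: a first firewall pass that returns the GRE packet unchanged, GRE decapsulation, and a second firewall pass in which the D-NAT rule rewrites the destination and recomputes the TCP checksum. The NAT module keeps one entry per TCP connection, so the entry table is visible growing with each new client port. All addresses and ports are constructed sample values from the RFC 5737 documentation ranges, standing in for “Google:80” and “local_ipname:5000”; the GRE handling is limited to headers without optional fields, and the firewall is modelled as a single D-NAT rule.

```python
import socket
import struct

# Constructed sample values (RFC 5737 documentation ranges) standing in for the
# "Google:80" and "local_ipname:5000" of the description; none are real hosts.
CLIENT_IP, ROUTER_IP, PROXY_IP = "10.0.0.7", "192.0.2.1", "192.0.2.5"
ORIGIN_IP, ORIGIN_PORT = "203.0.113.10", 80   # plays the role of "Google:80"
PROXY_PORT = 5000                              # "local_ipname:5000"
IPPROTO_TCP, IPPROTO_GRE, ETHERTYPE_IPV4 = 6, 47, 0x0800


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum; an odd trailing byte is padded with zero."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes) -> bytes:
    """20-byte IPv4 header without options, header checksum filled in."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ones_complement_sum(hdr)) + hdr[12:] + payload


def tcp_checksum(src: str, dst: str, segment: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header plus the segment."""
    pseudo = socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, IPPROTO_TCP, len(segment))
    return ones_complement_sum(pseudo + segment)


def build_tcp_syn(src: str, dst: str, sport: int, dport: int) -> bytes:
    """Minimal 20-byte SYN segment; the checksum sits at bytes 16..18."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x02, 65535, 0, 0)
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]


def gre_encapsulate(inner: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Router side (encapsulator 110): RFC 2784 GRE header with no optional fields."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_GRE, struct.pack("!HH", 0, ETHERTYPE_IPV4) + inner)


def gre_decapsulate(outer: bytes) -> bytes:
    """Proxy side (decapsulator 112): strip the delivery IP and GRE headers."""
    ihl = (outer[0] & 0x0F) * 4
    if outer[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags, ptype = struct.unpack("!HH", outer[ihl:ihl + 4])
    if flags & 0xB000 or ptype != ETHERTYPE_IPV4:  # C/K/S optional fields not modelled
        raise ValueError("unsupported GRE header")
    return outer[ihl + 4:]


class DnatModule:
    """Firewall D-NAT (NAT module 108): one rule plus a per-connection entry table."""

    def __init__(self, global_dst, local_dst):
        self.rule = {global_dst: local_dst}
        self.entries = {}  # (src_ip, sport, dst_ip, dport) -> packets seen

    def apply(self, packet: bytes) -> bytes:
        ihl = (packet[0] & 0x0F) * 4
        if packet[9] != IPPROTO_TCP:  # non-TCP (e.g. the GRE packet) is returned untouched
            return packet
        src_ip, dst_ip = socket.inet_ntoa(packet[12:16]), socket.inet_ntoa(packet[16:20])
        sport, dport = struct.unpack("!HH", packet[ihl:ihl + 4])
        target = self.rule.get((dst_ip, dport))
        if target is None:
            return packet
        key = (src_ip, sport, dst_ip, dport)
        self.entries[key] = self.entries.get(key, 0) + 1  # create, or refresh, the entry
        new_ip, new_port = target
        seg = (packet[ihl:ihl + 2] + struct.pack("!H", new_port)
               + packet[ihl + 4:ihl + 16] + b"\x00\x00" + packet[ihl + 18:])
        seg = seg[:16] + struct.pack("!H", tcp_checksum(src_ip, new_ip, seg)) + seg[18:]
        return build_ipv4(src_ip, new_ip, IPPROTO_TCP, seg)


def proxy_input_processing(gre_packet: bytes, dnat: DnatModule) -> dict:
    """Input processing 116: firewall pass, GRE decapsulation, firewall pass with D-NAT."""
    payload = gre_decapsulate(dnat.apply(gre_packet))  # first pass returns it unmodified
    translated = dnat.apply(payload)                   # second pass rewrites the destination
    ihl = (translated[0] & 0x0F) * 4
    src_ip, dst_ip = socket.inet_ntoa(translated[12:16]), socket.inet_ntoa(translated[16:20])
    return {"dst": (dst_ip, struct.unpack("!H", translated[ihl + 2:ihl + 4])[0]),
            "nat_entries": len(dnat.entries),
            "tcp_checksum_ok": tcp_checksum(src_ip, dst_ip, translated[ihl:]) == 0}


def demo():
    """Two packets of one client flow, then a second flow: one NAT entry per connection."""
    dnat = DnatModule((ORIGIN_IP, ORIGIN_PORT), (PROXY_IP, PROXY_PORT))
    results = []
    for sport in (40001, 40001, 40002):
        inner = build_ipv4(CLIENT_IP, ORIGIN_IP, IPPROTO_TCP,
                           build_tcp_syn(CLIENT_IP, ORIGIN_IP, sport, ORIGIN_PORT))
        results.append(proxy_input_processing(gre_encapsulate(inner, ROUTER_IP, PROXY_IP), dnat))
    return results
```

Running `demo()` shows the second packet of the first flow reusing its entry while a new client port adds another, which is the per-connection state the description identifies as overhead; the `tcp_checksum_ok` field confirms that the rewrite must recompute the transport checksum on every translated packet, and each packet visits `dnat.apply` twice, once as GRE and once as the decapsulated payload.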