Security system for network address translation systems

Multiplex communications – Pathfinding or routing – Switching a message which includes an address header

Reexamination Certificate


Details

Classification: C370S392000, C370S395520, C370S401000, C709S245000, C709S249000, C709S250000, C713S152000

Status: active

Patent number: 06510154

ABSTRACT:

BACKGROUND OF THE INVENTION
The present invention relates to address translation systems for mapping local Internet Protocol IP addresses used by hosts on a private network to globally unique IP addresses for communication with hosts on the Internet. The address translation systems have adaptive security mechanisms to protect the private network from certain packet types sent from the Internet.
Private networks are commonly connected to the Internet through one or more routers so that hosts (PCs or other arbitrary network entities) on the private network can communicate with nodes on the Internet. Typically, the host will send packets to locations both within its private network and on the Internet. To receive packets from the Internet, a private network or a host on that network must have a globally unique 32-bit IP address. Each such IP address has a four octet format. Typically, humans communicate IP addresses in a dotted decimal format, with each octet written as a decimal integer separated from other octets by decimal points.
Global IP addresses are issued to enterprises by a central authority known as the Internet Assigned Number Authority (“IANA”). The IANA issues such addresses in one of three commonly used classes. Class A IP addresses employ their first octet as a “netid” and their remaining three octets as a “hostid.” The netid identifies the enterprise network and the hostid identifies a particular host on that network. As three octets are available for specifying a host, an enterprise having class A addresses has 2^24 (nearly 17 million) addresses at its disposal for use with possible hosts. Thus, even the largest companies vastly underuse available class A addresses. Not surprisingly, Class A addresses are issued to only very large entities such as IBM and ATT. Class B addresses employ their first two octets to identify a network (netid) and their second two octets to identify a host (hostid). Thus, an enterprise having class B addresses can use those addresses on approximately 64,000 hosts. Finally, class C addresses employ their first three octets as a netid and their last octet as a hostid. Only 254 host addresses are available to enterprises having a single class C netid.
Unfortunately, there has been such a proliferation of hosts on the Internet, coupled with so many class A and B licenses issued to large entities (who have locked up much address space), that it is now nearly impossible to obtain a class B address. Many organizations now requiring Internet access have far more than the 254 hosts for which unique IP addresses are available with a single class C network address. It is more common for a mid to large size enterprise to have 1000 to 10,000 hosts. Such companies simply cannot obtain enough IP addresses for each of their hosts.
To address this problem, a Network Address Translation (“NAT”) protocol has been proposed. See K. Egevang and P. Francis, “The IP Network Address Translator (NAT),” Request For Comments (“RFC”) 1631, Cray Communications, NTT, May 1994, which is incorporated herein by reference for all purposes. NAT is based on the concept of address reuse by private networks, and operates by mapping the reusable IP addresses of the leaf domain to the globally unique ones required for communication with hosts on the Internet. In implementation, a local host wishing to access the Internet receives a temporary IP address from a pool of such addresses available to the enterprise (e.g., the 254 addresses of a class C netid). While the host is sending and receiving packets on the Internet, it has a global IP address which is unavailable to any other host. After the host disconnects from the Internet, the enterprise takes back its global IP address and makes it available to other hosts wishing to access outside networks.
To implement a NAT, a translation system must be provided between the enterprise private network and the Internet. By virtue of this location, the translation system must act as a firewall to protect the local private network from unwanted Internet packets. In view of this requirement, it would be desirable to have a system which employs NAT and provides a secure firewall.
SUMMARY OF THE INVENTION
The present invention provides a system which employs NAT in conjunction with an adaptive security algorithm to keep unwanted packets from external sources out of a private network. According to this algorithm, packets are dropped and logged unless they are deemed nonthreatening. Domain Name System (“DNS”) packets and certain types of Internet Control Message Protocol (“ICMP”) packets are allowed to enter the local network. In addition, File Transfer Protocol (“FTP”) data packets are allowed to enter the local network, but only after it has been established that their destination on the local network initiated an FTP session.
These and other features and advantages of the present invention will be presented in more detail in the following specification of the invention and the figures.
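The following is an added illustration, not code from the patent: a minimal NAT gateway that allocates global addresses from a pool, translates outbound packets, and applies the adaptive policy of the summary to inbound packets (DNS and selected ICMP pass; FTP data passes only after the local host opened an FTP control session; everything else is logged and dropped). All names are hypothetical, the ICMP types passed are an assumption since the text only says "certain types", and passing return traffic of a flow the host itself opened is likewise assumed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str           # "tcp", "udp" or "icmp"
    icmp_type: int = -1  # only meaningful for icmp

class NatSecurityGateway:
    def __init__(self, global_pool, allowed_icmp=(0, 3, 11)):  # icmp set is an assumption
        self.pool = list(global_pool)         # unused global addresses
        self.out_map, self.in_map = {}, {}    # local->global, global->local
        self.flows = set()                    # (global, sport, remote, dport, proto) seen outbound
        self.ftp_hosts = set()                # local hosts that opened an FTP control session
        self.allowed_icmp, self.log = set(allowed_icmp), []  # dropped inbound packets are logged

    def outbound(self, pkt):
        # Map the local host to a global address (allocating one if needed) and record state.
        g = self.out_map.get(pkt.src)
        if g is None:
            if not self.pool:
                raise RuntimeError("global address pool exhausted")
            g = self.pool.pop(0)
            self.out_map[pkt.src], self.in_map[g] = g, pkt.src
        self.flows.add((g, pkt.sport, pkt.dst, pkt.dport, pkt.proto))
        if pkt.proto == "tcp" and pkt.dport == 21:  # FTP control session initiated by the host
            self.ftp_hosts.add(pkt.src)
        return Packet(g, pkt.sport, pkt.dst, pkt.dport, pkt.proto, pkt.icmp_type)

    def inbound(self, pkt):
        # Return the translated packet if deemed nonthreatening, otherwise log it and drop (None).
        local = self.in_map.get(pkt.dst)
        if local is not None:
            # Assumption: return traffic of a flow the host itself opened is passed.
            reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto) in self.flows
            dns = pkt.proto == "udp" and pkt.sport == 53
            icmp = pkt.proto == "icmp" and pkt.icmp_type in self.allowed_icmp
            ftp_data = pkt.proto == "tcp" and pkt.sport == 20 and local in self.ftp_hosts
            if reply or dns or icmp or ftp_data:
                return Packet(pkt.src, pkt.sport, local, pkt.dport, pkt.proto, pkt.icmp_type)
        self.log.append(pkt)
        return None

    def release(self, local):
        # Host disconnects: discard its state and return the global address to the pool.
        g = self.out_map.pop(local)
        del self.in_map[g]
        self.ftp_hosts.discard(local)
        self.flows = {f for f in self.flows if f[0] != g}
        self.pool.append(g)
```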


REFERENCES:
patent: 4962532 (1990-10-01), Kasiraj et al.
patent: 5159592 (1992-10-01), Perkins
patent: 5287103 (1994-02-01), Kasprzyk et al.
patent: 5371852 (1994-12-01), Attanasio et al.
patent: 5406557 (1995-04-01), Baudoin
patent: 5426637 (1995-06-01), Derby et al.
patent: 5430715 (1995-07-01), Corbalis et al.
patent: 5477531 (1995-12-01), McKee et al.
patent: 5513337 (1996-04-01), Gillespie et al.
patent: 5550984 (1996-08-01), Gelb
patent: 5560013 (1996-09-01), Scalzi et al.
patent: 5608738 (1997-03-01), Matsushita
patent: 5621727 (1997-04-01), Vaudreuil
patent: 5623601 (1997-04-01), Vu
patent: 5636216 (1997-06-01), Fox et al.
patent: 5757924 (1998-05-01), Friedman et al.
patent: 5790548 (1998-08-01), Sistanizadeh et al.
patent: 5793763 (1998-08-01), Mayes et al.
patent: 5856974 (1999-01-01), Gervais et al.
patent: 5870386 (1999-02-01), Perlman et al.
patent: 6061797 (2000-05-01), Jade et al.
patent: 6128664 (2000-10-01), Yanagidate et al.
patent: 6154839 (2000-11-01), Arrow et al.
patent: 6188684 (2001-02-01), Setoyama et al.
K. Egevang and P. Francis, “The IP Network Address Translator (NAT),” RFC 1631, Cray Communications, NTT, May 1994.
Y. Rekhter, B. Moskowitz, D. Karrenberg, and G. de Groot, “Address Allocation for Private Internets,” RFC 1597, T.J. Watson Research Center, IBM Corp., Chrysler Corp., RIPE NCC, Mar. 1994.
Internet posting seeking test sites to beta test an IP address translation product; posted on the firewalls mailing list on or after Oct. 28, 1994.
