Electrical computers and digital processing systems: multicomput – Computer-to-computer session/connection establishing – Network resources access controlling
Reexamination Certificate
1999-07-29
2001-10-16
Maung, Zarni (Department: 2154)
Electrical computers and digital processing systems: multicomput
Computer-to-computer session/connection establishing
Network resources access controlling
Reexamination Certificate
active
06304908
ABSTRACT:
BACKGROUND
The present invention relates generally to electronic communications.
Networks provide communication sessions between clients and servers where, generally speaking, clients request information provided by servers. Some networks provide a high degree of security, so that messages passing between clients and servers are protected from unauthorized interception, reading, or tampering. Other networks, particularly more public networks such as the Internet, do not themselves necessarily protect from unauthorized reception of messages. Communications sessions and messages can be encoded to lend a degree of protection.
In addition, servers on public networks are vulnerable to discovery by unauthorized users, who can try to “hack” into such servers to obtain otherwise confidential information. Fire walls have been developed which help protect against unwanted intruders. Users, after logging onto a public network server, can be identified by any of a number of schemes (e.g., passwords), and then be transferred to other servers to access more sensitive information.
Network clients, especially Internet clients, often access the Internet through routers, or proxies. For example, a network client may be a particular user on a local area network (LAN). The network client may not have a valid Internet address, but may have a valid TCP/IP address (certain ranges of IP addresses are called “private” or “invalid” addresses and can be used within an organization's LAN but do not work over the Internet). Nonetheless, the network client can send and receive messages via the Internet by having those messages communicated through a device which does have a valid Internet address. For example, e-mail clients can access e-mails sent and received via the Internet from their e-mail server attached to their LAN, which in turn can attach to an Internet server which has a valid IP address and is attached to the Internet. The Internet has protocols (e.g., IMAP) for constructing and addressing e-mail messages so that e-mail clients properly receive their e-mail.
Computer users may also desire to access information that exists on particular computers attached to a LAN. One method for doing so requires a direct connection between the computer user and the LAN resource. For example, an employee can directly call (via a modem) a LAN computer that has a dedicated telephone port. A number of remote access applications provide for such connections. Such remote access applications allow the employee to remotely control and view the operations of a work computer, e.g., the employee's desktop computer, or a special computer having access to common LAN files at work.
However, if the employee wishes to have more flexible access to a LAN resource, for example, by using an existing remote access application but over the Internet instead of through a dedicated phone connection, there are some difficulties. Apart from securing the communication session itself (by, e.g., encryption), typical LAN resources do not have their own, Internet-acceptable, IP addresses. For example, an employee's LAN computer might have a LAN address of “10.0.0.3.” Should message packets be sent to or from that LAN computer with that address, typical Internet routers will drop them as having improper IP addresses.
One might try using some form of network address translation (NAT), which operates at the IP layer, to translate improper LAN addresses to some other arbitrary proper IP address, and back again. However, such a method would require a translation of each message packet's address, a recalculation of the checksum of the packet, and then a rewriting of the packet for delivery.
Even if a LAN resource has a proper IP address, it might not be desirable to make it known. For example, a firm might want several clients to have access to subsets of information applicable to each client separately, but not give that client access to other clients' information. The firm might put the information on a common Internet server, behind a firewall, and allocate client access by Uniform Resource Locator (URL): e.g., one client accesses information at http:// . . . //client A, another client at http:// . . . //client B. However, it can be difficult to develop a sufficiently complex set of different URLs for a variety of clients that is not also susceptible to someone figuring out its organization and accessing protected data.
LAN administrators may not want to give a LAN resource its own IP address, but also may not want to give others (for example, clients) network address translation information, since that information can include sensitive specifics about the LAN configuration. Also, administrators may not want any information about the location of a particular resource sent through the Internet, to lessen the chance others might locate the resource without authorization and try to break into it.
SUMMARY
In general, in one aspect, the invention features a method for delivering a message unit to a destination network resource within a transport communications layer including the steps of configuring a mapping to the destination network resource based upon a source address of the message unit, and sending the message unit to the destination network resource based upon the mapping.
Embodiments of the invention may include one or more of the following features. The source address can be the source IP address of the message unit, or the source IP address and source port number of the message unit. The destination network resource can have a network resource address to which the message unit is sent. The network resource address might not be a valid Internet IP address, or might be a network address on a local area network. Configuring the mapping can include writing a table that maps the source address of the message unit and a network resource address for the destination network resource. The table can map a host address and the host port number for the destination network resource. The mapping can be configured to send message units to destination network resources based upon source addresses of the message units. The source addresses can be source IP addresses, or source IP addresses and source port numbers for the message units. Configuring the mapping can include recording the source IP address of a latest-received connection request. The message unit can be a single message sent during a connection-oriented transport session, and the session can be a TCP session. The message unit can be a datagram sent during a connectionless transport session, and the session can be a UDP session.
In general, in another aspect, the invention features a storage device tangibly storing a control program. The control program, when coupled to a control device, operates the control device to deliver a message unit to a destination network resource within a transport communications layer. The control program is configured to operate the control device to perform the functions of: configuring a mapping to the destination network resource based upon a source address of the message unit, and sending the message unit to the destination network resource based upon the mapping.
Advantages of the invention may include one or more of the following. Clients can access destination network resources through available transport protocols, even if those resources do not have proper network addresses, or where those addresses remain secret. Employees can access their own desktop computers, ordinarily not having proper IP addresses, over the Internet using existing remote access applications. By conducting remote access sessions through Internet transport protocols, existing Internet encryption protocols (e.g., SSL as part of HTTPS) can be added to such sessions without any modification of the underlying remote access applications. Clients can be allocated access to resources based solely upon their source IP address information. This can lessen the risk that others, not having that address information, will become aware of such resources or try to break i
Chang Jung-won
Hickman Palermo & Truong & Becker LLP
Maung Zarni
Sun Microsystems Inc.
Truong Bobby K.
LandOfFree
Mechanism for delivering a message based upon a source address does not yet have a rating. At this time, there are no reviews or comments for this patent.
If you have personal experience with Mechanism for delivering a message based upon a source address, we encourage you to share that experience with our LandOfFree.com community. Your opinion is very important and Mechanism for delivering a message based upon a source address will most certainly appreciate the feedback.
Profile ID: LFUS-PAI-O-2584760