Google Inc. v. Rockstar Consortium US LP et al
Filing
1
COMPLAINT for Declaratory Judgment of Non-Infringement against All Defendants (Filing fee $400, receipt number 0971-8252154). Filed by Google Inc. (Attachments: # 1 Exhibit A, # 2 Exhibit B, # 3 Exhibit C, # 4 Exhibit D, # 5 Exhibit E, # 6 Exhibit F, # 7 Exhibit G, # 8 Civil Cover Sheet) (Warren, Matthew) (Filed on 12/23/2013)
EXHIBIT C
US006128298A

United States Patent [19]
Wootton et al.
[11] Patent Number: 6,128,298
[45] Date of Patent: Oct. 3, 2000

[54] INTERNET PROTOCOL FILTER
[75] Inventors: Bruce Anthony Wootton, Raleigh, NC; William G. Colvin, Milton, Canada
[73] Assignee: Nortel Networks Corporation, Montreal, Canada
[21] Appl. No.: 08/842,328
[22] Filed: Apr. 24, 1997

Related U.S. Application Data
[60] Provisional application No. 60/015,945, Apr. 24, 1996.

[51] Int. Cl.7: H04L 12/56
[52] U.S. Cl.: 370/392; 370/390; 370/401; 713/201
[58] Field of Search: 370/351, 352, 355, 389, 390, 392, 393, 400, 401, 402, 409; 395/200.6, 200.62, 200.68, 200.72; 713/201

[56] References Cited

U.S. PATENT DOCUMENTS
5,309,437   5/1994   Perlman et al.   370/401
5,383,179   1/1995   Saini et al.     370/393
5,400,334   3/1995   Hayssen          370/245
5,606,668   2/1997   Shwed
5,623,601   4/1997   Vu
5,778,174   7/1998   Cain
5,781,550   7/1998   Templin et al.   370/401
5,793,763   8/1998   Mayes et al.     370/389
5,826,014   10/1998  Coley et al.
5,835,726   11/1998  Shwed et al.

FOREIGN PATENT DOCUMENTS
0 465 201   1/1992   European Pat. Off.

OTHER PUBLICATIONS
Axner, "Differing Approaches to Virtual LANs", Business Communications Review, Dec. 1993, pp. 42-45.
Bryan, "Build a Firewall", Byte, Apr. 1995, pp. 91-96.
Bryan, "Firewalls for Sale", Byte, Apr. 1995, pp. 99-104.
Carl-Mitchell, et al., "Building Internet Firewalls", Unix World, Feb. 1992, pp. 93-103.
Chapman, "Network (In)Security Through IP Packet Filtering", UNIX Security Symposium III Proceedings, Baltimore, MD, Sep. 14-16, 1992, pp. 63-76.
Cheswick, "The Design of a Secure Internet Gateway", USENIX Summer Conference, Anaheim, CA, Jul. 11-15, 1990, pp. 233-237.
Ho, "Implementation of a Secure Gateway on Hughes Aircraft's Engineering Design Network", 15th Conference on Local Computer Networks, IEEE, Minneapolis, MN, Sep. 30-Oct. 3, 1990, pp. 180-182.
Hoover, "Securing the Enterprise, Firewalls Can Keep You from Getting Burned", Internet World, Feb. 1995, pp. 39-47.
Koblas, et al., "SOCKS", UNIX Security Symposium III Proceedings, Baltimore, MD, Sep. 14-16, 1992, pp. 77-83.
Lottor, "TCP Port Service Multiplexer (TCPMUX)", Internet RFC 1078 (1988), pp. 1-2.
Luotonen, et al., "World-Wide Web Proxies", Computer Networks and ISDN Systems 27 (1994), pp. 147-154.
Marotta, et al., "Internetworking Data Services", 16th Conference on Local Computer Networks, IEEE, Minneapolis, MN, Oct. 14-17, 1991, pp. 223-229.
Panzieri, et al., "Interfacing UNIX to Data Communications Networks", IEEE Transactions on Software Engineering, vol. SE-11, Oct. 1985, pp. 1016-1032.
Schauer, et al., "An Internet Gatekeeper", UNIX Security Symposium III Proceedings, Baltimore, MD, Sep. 14-16, 1992, pp. 49-61.
Schroeder, et al., "Autonet: A High Speed, Self-Configuring Local Area Network Using Point-to-Point Links", IEEE Journal on Selected Areas in Communications, vol. 9, No. 8, Oct. 1991, pp. 1318-1334.
Tolly, "Evaluating Port Switching Hubs: A reality check for virtual workgroups", Data Communications, Jun. 1993, pp. 52-62.
Treese, et al., "X Through the Firewall, and Other Application Relays", USENIX Summer 1993 Technical Conference, Cincinnati, OH, Jun. 21-25, 1993, pp. 87-98.
Cheswick and Bellovin, "Firewalls and Internet Security: Repelling the Wily Hacker", Addison-Wesley, 1994, pp. 34-36, 54-75.
Comer, "Internetworking with TCP/IP", Prentice-Hall, Inc., 1988, pp. 120-127, 137-141, 194, 195, 208-214, 346, 347.
Shapiro, "Structure and Encapsulation in Distribution Systems: The Proxy Principle", The 6th International Conference on Distributed Computing Systems, IEEE, Cambridge, MA, May 19-23, 1986, pp. 198-204.
Snyder, "Choosing the Right Firewall to Defend Your Network", Network World, vol. 12, No. 10, Mar. 5, 1995, p. 1.
McClimans, "Workarounds Ease the IP Address Shortage", Data Communications, section Software Views, vol. 24, No. 2, Feb. 23, 1995, (p. 33), pp. 3-5.
Stephensen, "A Blueprint for Firewalls", LAN Magazine, Feb. 1995, pp. 63-70.
Egevang et al., "Internet Engineering Task Force, USA", XP2040992, pp. 1-8 (1994).
Tam, et al., "CAPNET: An Approach to Ultra High Speed Network", IEEE International Conference on Communications, 1990, pp. 323.1.1-323.1.7.
Kostick, "Building a Linux Firewall", Linux Journal, Apr. 1996, pp. 49, 52, 53, 55, 57, 58, 61.
Stallings, "Internet Security Handbook", XP2040993, pp. 27-37 (1995).

Primary Examiner: Ajit Patel
Assistant Examiner: Bob A. Phunkulh
Attorney, Agent, or Firm: Foley & Lardner

[57] ABSTRACT

The IP filter, embodying the present invention, is a communications device designed to provide public network or Internet access to nodes of private networks, advantageously without requiring the private nodes on such networks to register public Internet addresses. The IP filter presents a single IP address to the Internet and uses a plurality of IP ports to solve the problem of IP address conservation. It initiates sessions by assigning private side IP sessions to a unique port of the IP filter's public address. The IP filter effects a translation between a source port number for the private network and a destination port number for the public network for communication therebetween. Benefits of the IP filter include private node security and conservation of Internet-registered addresses.

32 Claims, 2 Drawing Sheets
U.S. Patent, Oct. 3, 2000, Sheet 1 of 2, 6,128,298
[FIG. 1: internet protocol filter 12 coupling private network 10 to public network 14 / Internet 16]

U.S. Patent, Oct. 3, 2000, Sheet 2 of 2, 6,128,298
[FIG. 2: block diagram of IP filter 12 showing packet drivers 30 and 32 (hardware interfaces to private network 10 and public network 14), ARP table 34, Ethernet table 36, IP handler 38, address translation 40 and user interface 42]
INTERNET PROTOCOL FILTER

This application is based on provisional application 60/015,945 filed Apr. 26, 1996.

BACKGROUND OF THE INVENTION

The present invention generally relates to internetwork firewalls and, in particular, to an internet protocol (IP) filter whereby a private IP network domain is mapped to a single IP address on the public Internet.

Firewalls are generally known and characterized by computer servers which function to couple nodes within the domain of the private network to nodes in a public network domain, such as the Internet. A deficiency of the known firewall products is the need for a unique public IP address for each concurrent session or interaction between public and private nodes.

A firewall providing conservation of public IP addresses would be desirable.

SUMMARY OF THE INVENTION

It is an object of the present invention to provide a new and improved apparatus for communicatively coupling two networks.

The invention, therefore, according to a first exemplary aspect provides a method of interfacing private and public data communications networks, through a filter node in communication with both networks, the filter node having an address known in the public network, comprising the steps of: routing from nodes in the private network, to the filter node, data packets having destination information, which includes a destination address and a destination port, corresponding to nodes in the public network and having source information, which includes a source address and a source port, of the respective private network nodes; for each data packet received from the private network, at the filter node, maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node, and replacing in the data packet the source address with the filter node address and the source port with the filter node port value; and routing from the filter node, in the public network, the data packets having the replaced source information, according to the destination information in each, to the corresponding public network nodes.

According to a second exemplary aspect, the invention provides a method of interfacing private and public data communications networks, through a filter node in communication with both networks, comprising the steps of: (a) receiving at the filter node, from the private network, a data packet having a destination address corresponding to a node in the public network and a source address corresponding to a node in the private network; (b) maintaining, by the filter node, the source address taken from the data packet; (c) replacing, in the data packet, the source address with an address of the filter node; (d) routing from the filter node, in the public network, the data packet having the replaced source address, according to the destination address, to the corresponding public network node; (e) waiting for a return packet from the public network, responsive to the data packet having the replaced source information; (f) replacing, in the return packet, the destination address with the maintained source address; and (g) routing from the filter node, in the private network, the return packet having the replaced destination address to the corresponding private network node.

According to a third exemplary aspect, the invention provides a method of operating a filter node for interfacing first and second data communications networks, comprising the steps of: receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network; maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and sending to the second network the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.

According to a fourth exemplary aspect, the invention provides a filter node for interfacing first and second data communications networks, comprising: means for receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the public network and having source information, which includes a source address and a source port, corresponding to a node in the first network; means for maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node; means for replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and means for sending to the second network, the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.

An IP filter, embodying the present invention, is a communications device designed to provide public network or Internet access to nodes of private networks, advantageously without requiring the private nodes on such networks to register public Internet addresses. The IP filter presents a single IP address to the Internet and uses a plurality of IP ports to solve the problem of IP address conservation. It initiates sessions by assigning private side IP sessions to a unique port of the IP filter's public address, whereby up to 64,512 (= 65,536 total minus 1,024 well known ports) concurrent sessions may be supported through the single IP address.

The IP filter effects a translation between a source port number for the private network and a destination port number for the public network for communication therebetween. Benefits of the IP filter include private node security and conservation of Internet-registered addresses.

In a particular embodiment, the IP filter may support three data transport protocols over the internet protocol: transmission control protocol (TCP), user datagram protocol (UDP) and Internet control message protocol (ICMP). Packets of other protocols may be ignored.

The TCP protocol prepends a TCP header to a data packet. The source port and destination port numbers are contained in this header. The Internet addresses of the source and destination nodes are contained in the IP header. The IP address and port information extracted from each packet will be used to determine where the IP filter should route this packet.

The IP filter maintains a lookup table of information on each TCP connection. This information includes the port from the private node, the private IP address, the assigned
port number of the destination node, and the port number of the IP filter in the form of an index. When a packet is received from the private network, the private address and port number are added to the table as a new entry, if an entry corresponding to this packet is not found in the table and if the TCP header indicates that this is a new connection request. Then the source address and port number in the packet header are replaced with the IP filter's IP address and port number, and the packet is transmitted to the Internet.

When the IP filter receives a packet from the Internet, the destination port number is used to index the lookup table. When the corresponding table entry is found, the destination address and port number are replaced with the private network's IP address and port number, and the packet is transmitted to the private network. If the received packet's source port is different from the port recorded in the table, and if the packet header information indicates that this packet is the first response on the connection, then the lookup table is updated with the port number assigned by the Internet node, if needed. When the IP filter detects an end of transmission code in the packet, the lookup table entry is zeroed. If the IP filter receives packets from the Internet that do not have entries in the lookup table corresponding to the IP filter port, it ignores the packets.

The UDP protocol is connectionless, as opposed to TCP, a connection-oriented protocol. The UDP header contains no codes governing initial connection or end of transmission. The data of interest in the UDP header are the source port and destination port. This information, along with the Internet addresses contained in the IP header, is used to determine where the IP filter should route this packet.

The IP filter maintains a lookup table of information on each UDP session. When the IP filter receives a UDP packet from the private network, it records the source address, the source port number, the destination port number, and the assigned IP filter port number as the index to the table. Then the private node address and port number in the packet header are replaced with the address and assigned port number of the IP filter. Then the packet is transmitted to the Internet.

When the IP filter receives a UDP packet from the Internet, it indexes the UDP lookup table and replaces the packet's destination information, namely the IP filter address and assigned port number, with the private address and port number from the lookup table. The lookup table also maintains an interval indication for an expiration timer on datagram packets received as per standard UDP implementations. If the IP filter receives packets from the Internet that do not have entries in the lookup table corresponding to the IP filter port, it ignores the packets.

As ICMP packets do not contain port numbers of either source or destination, any ICMP packets received from the private network are processed one at a time, with buffering of additional ICMP packets. The IP filter reads the private address from the packet header and replaces it with the address of the IP filter. The packet is transmitted to the Internet, and the IP filter waits for the response. When it receives the responding packet, the destination address in the packet header is changed from that of the IP filter to that of the node on the private network. Then the IP filter transmits the packet to the private network.

To successfully deliver packets over an IP protocol network, each node must maintain a table of other hosts' IP addresses and their corresponding Ethernet addresses in an Ethernet based data communications network. The nodes actually use the IP addresses and the Ethernet addresses to address packets. The relationship between the two addresses is dynamic; that is, a node with an IP address may change its Ethernet address. The information in the address table is obtained from the replies to the node's broadcast of ARP packets. The source node broadcasts ARP packets to request the Ethernet address of the destination node, given the destination node's IP address. If the destination node receives the packet, it sends a reply packet with the requested information.

Though it does not maintain a true ARP table, the IP filter passes ARP packets in a manner similar to TCP and UDP packet passing. When the IP filter receives an ARP packet from a node on the private network destined for the public network, it replaces the source address information with the filter's address information. The private node's IP address and the target IP address are placed in a lookup table. When the target node replies with its own Ethernet address, the destination address information is changed from that of the IP filter to that of the private node before transmitting the packet to the private node. The private node address information is obtained from the table. When an ARP packet is destined for the firewall, the ARP packet does not pass through the IP filter but is restricted to communications between the filter and the one side of the network.

Events and errors encountered by the IP filter may be logged, for example, by writing them into a text file.

The IP filter ideally will process packets as fast as the networks present them, but when network traffic is too heavy, the IP filter will buffer the packets in two queues, one for the private network and one for the Internet.

Two source and destination lookup tables may be utilized, one for TCP packets and the other for UDP packets. Each table is directly indexed by the IP filter port number assigned to the communication session. The table entries contain the IP address of the private node, the source port of the private node, and the destination port of the Internet node. If there is no connection on a certain IP filter port, then the corresponding entry in the table may be zeroed. Packets arriving from both the private network and the Internet are processed using the same lookup table. This arrangement assumes that of the available IP filter communications ports some are designated for UDP communication and some for TCP communication.

BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood from the following description together with reference to the accompanying drawings, in which:

FIG. 1 is a schematic representing an internet protocol filter coupling a private network and a public network; and

FIG. 2 is a block diagram representing internal components of the filter.

DETAILED DESCRIPTION

Referring to FIG. 1, shown for illustration of the present invention is a private network 10 communicatively coupled through an internet protocol (IP) filter 12 to a public network 14 which may form part of a global data network, otherwise referred to as the Internet 16. The private network 10 represents a conventional data communications network, such as a local area network (LAN), having a plurality of nodes 18 each being identified by a unique IP address within the domain of the private network 10. The public network 14 and Internet 16 are representative of public domain data communications networks also having a plurality of nodes 20 with corresponding IP addresses.
The IP filter 12 acts as a gateway through which data packets are exchanged between the private network 10 and the public network 14, thereby providing Internet access to the nodes 18 of the private network 10. The IP filter 12 constitutes one of the private network nodes 18 and is the only such node to have a public IP address that is Internet registered, whereby the IP filter 12 essentially also constitutes one of the public nodes 20 and its IP address is known in the public domain. The IP addresses of the other private network nodes 18 are reserved for the private network 10, and not known or registered in the public Internet address domain. As is conventional, associated with the IP address of the IP filter 12 are a plurality of IP ports, specifically 65,536 in total of which 64,512 are not reserved for predefined protocols and can be used for address translations.

Communications between nodes 18 on the private network 10 are unaffected by the presence of the IP filter 12, but to access the public network 14 and particularly the nodes 20 therein, the private nodes 18 route all communications requests through the IP filter 12. The IP filter 12 manages the communications between private nodes 18 and the Internet nodes 20 by modifying header information of data packets received from the private network 10 before transmitting each to the public network 14. The modifications cause the communications between the private nodes 18 and the public Internet nodes 20 to actually be between the IP filter 12 and the Internet nodes 20, which route all return communications to the IP filter 12, which subsequently routes the return data packets to the private nodes 18.

The IP filter 12 accepts no connection requests from the public network 14. All communications between private nodes 18 and public nodes 20 are initiated by the private nodes 18. The IP filter 12 is designed to support three data transport protocols over the internet protocol: TCP, UDP and ICMP messages; packets of other protocols are rejected or ignored.

A translation table is maintained by the IP filter 12 to map addresses and ports for packets received from the private network 10 destined to the public network 14 and vice versa. The translation table contains the following for each entry:

private IP address (pIP)
private port (pPort)
internet (public) IP address (iIP)
internet (public) port (iPort)
Ethernet address
timer
session type/state

The basic translation substitutes IP addresses and ports from the private network side to the IP filter's IP address and ports, thereby hiding all nodes 18 on the private network 10 from the public network 14.

A packet originating on the private network side specifies a source—destination of

(pIP, pPort—iIP, iPort)

This defines a "socket" in which the endpoints of the connection (source and destination) are defined by the IP addresses in the IP header and the ports in the TCP or UDP header.

The IP filter 12 will translate the above to

(frIP, frPort—iIP, iPort)

where frIP is the IP address of the IP filter 12 on the public network 14, and frPort is the index into the translation table plus an offset value, for example, of 1024 to skip using well known ports. The frPort represents an arbitrary port.

The internet node 20 will reply with a packet

(iIP, iPort—frIP, frPort)

which will be received by the IP filter 12 and translated thereby to

(iIP, iPort—pIP, pPort)

In general, to translate from the private side, the values (protocol type, pIP, pPort, iIP, iPort) must be located in the translation table. This should be done with a hash table lookup.

Translating from the public side can be a direct table lookup since frPort minus 1024 is the index into the table. If (iIP, iPort) in the packet does not match the corresponding entries in the table, then an unauthorized access is logged and the packet dropped.

In translating packets, both the IP header checksum and the TCP or UDP checksum must be recalculated: the substituted IP address changes the IP header checksum and, through the pseudo-header that the transport checksum covers, the TCP or UDP checksum as well, and the substituted port changes the TCP or UDP checksum. A port substitution by itself does not affect the IP header checksum, which covers only the IP header.

Following are special considerations for different protocols supported by the IP filter 12.

In respect of TCP, when a SYN packet is received from the private network 10, the IP filter 12 locates an unused entry in the table and fills it in, setting the type to TCP and state to SYN. Then the packet is forwarded by the general scheme above. If no free entries exist in the table, then the packet is dropped and the event is logged.

If a SYN packet is received from the public network 14 interface, it is treated as unauthorized and logged (except for the FTP special case described below). However, a SYN+ACK packet is forwarded if the state of the translation table entry is SYN. After forwarding such a packet the state is set to OPEN.

If a FIN packet is received by the IP filter 12 and if the state in the translation table is not FIN, the state is set to FIN and the packet forwarded. If the state is FIN, then the packet is forwarded and the translation table entry is deleted by setting it to 0. A FIN must be sent by each side to close a TCP connection.

If a RST packet is received, then the translation table entry is deleted.

Having regard now to the UDP protocol, when any UDP packet is received from the private network 10 side, the IP filter 12 first tries its standard lookup. If a translation table entry is not found, an unused entry is set up and the state set to OPEN. If a free entry is not found in the table, then rather than dropping the packet, a random UDP entry in the table is overwritten. Since UDP is connectionless and consequently an unreliable transport, if a packet is received from the public network 14 that would have needed the entry that was overwritten, that packet will be dropped and the node 18 on the private side will need to retry.

With regard to FTP, an FTP client establishes a TCP "control" connection with an FTP server on a particular port, for example, port 21. However, when data is to be transmitted, the FTP server will open a TCP connection from its "data" port, for example, which is default 20, to a destination port specified by the client.
To support this, packets sent by the private network 10 to port 21 need to be analyzed for an FTP "port" command at the IP filter 12. If detected, then a new entry in the table must be set up with pPort set to the value in the FTP port command. The IP address and port number in the FTP command must be changed to the IP filter's address and port before forwarding the packet. The state is set to FTPDATA. When a SYN packet is received from the public network 14, if a table entry exists and is in FTPDATA state, then the packet is forwarded and the state set to OPEN.

For the ICMP protocol, if an ICMP packet is received from the private network 10 and if that packet is an echo request (ping), then the IP filter 12 locates a new entry in the translation table. The sequence field of the packet is stored in pPort in the table and the table index is put in the sequence field of the packet. The ICMP checksum is recalculated and the standard IP header substitution is done. The type is set to ICMP and state to PING and the timer set to 1 minute.

If an echo reply (ping) is received from the public network 14 interface, then the sequence field is used as the index into the table. If the state is PING, then pPort in the table is substituted into the sequence field of the packet, the ICMP checksum recalculated and the standard IP header substitution is done. The table entry is then deleted.

If an echo request (ping) is received from the public network 14, then the IP filter 12 will reply. This allows internet access to confirm that the IP filter 12 is reachable and running.

If a Destination Unreachable packet is received from the public network 14, then the header information contained in it is extracted. If the protocol was TCP or UDP, the (frIP, frPort—iIP, iPort) of the originating packet can be determined and the translation table entry located. If the IP address extracted from the ICMP matches the address in the table, the IP filter 12 forwards the packet to the private network 10 using the standard scheme.

All other ICMP packets received from either side are dropped and logged.

Since most data communications protocols are based on either the UDP or TCP protocols, these other protocols are compatible with the IP filter 12 as long as they do not initiate negotiations like FTP to have the server open a connection back to the client. Examples of other compatible protocols include: Telnet; TFTP (Trivial File Transfer Protocol); DNS (Domain Name System); and Web browsers.

Whenever a packet is transmitted in either direction, the timer field of the translation table entry is set to the configured timeout value (except ping). Each minute, the timer field of all active entries in the tables is decremented and if it becomes 0, then the translation table entry is deleted. This will clear out UDP and PING entries which are no longer in use and also TCP entries which have had an abnormal termination and did not send FIN from each side. It could be a security hole to leave an unused entry in the table for too long. A good timeout value to be configured would be just longer than the typical TCP keep alive.

According to a particular embodiment, the private network 10 and the public network 14 are Ethernet based LANs. The IP filter 12 may be implemented by a data processing platform which is equipped with two conventional Ethernet hardware interfaces connected to networks 10 and 14, respectively, and which is provisioned with appropriate software to implement the functionality of the IP filter 12.

Internal components of the IP filter 12 in terms of software executable by the data processing platform are shown in FIG. 2: packet drivers 30 and 32, an address resolution protocol (ARP) table 34, an Ethernet address table 36, an IP handler 38, an address translation 40 and a user interface 42. The packet drivers 30 and 32 control the Ethernet hardware interfaces in order to communicate with, respectively, the private network 10 and the public network 14. The IP handler 38 provides a router functionality for receiving and forwarding messages, and maintains the ARP table 34 and the Ethernet table 36. The address translation 40 effects translation between source port numbers from the private network 10 and the destination port numbers on the public network side 14. The user interface 42 enables an operator, via a keyboard and display terminal attached to the processing platform, to interface with the IP filter 12. Function keys are provided to configure the IP filter, view or copy log files, display status, etc. The log file will contain the connect time of TCP or UDP sessions, inbound and outbound traffic statistics, and invalid access to the IP filter 12. To prevent the log file from growing too large, this information will be logged to a new file when the date changes.

Routing of packets to and from the IP filter 12 is described in the following in terms of a public interface, from the view of the public network 14, and of a private interface, from the view of the private network 10.

The public interface behaves as a host on the LAN segment. To forward a packet, it checks to see if the destination IP is on the local LAN segment. If it is, it looks up the IP address in its ARP table to find the Ethernet address. If there is no entry in the ARP table, it must put the packet on a queue and send out an ARP request to get the Ethernet address. Standard aging out of ARP table entries needs to be done. If the IP destination is not on the LAN segment, it will forward the packet to the configured default router. ICMP Redirect messages sent by the default router will be ignored.

The private interface effects the functionality of a router, as it needs to be able to forward packets to one or more routers to communicate with the remote client stations. A large remote client network may access multiple router machines. Conventional routing can result in large routing tables because the routing entries become host addresses instead of subnet addresses. That is, if the network is set up so that a client may come in through either Router1 or Router2, then no single router can be the router for the subnet that that client station is on. A conventional router that would get routing tables via RIP from all routers on the private network would end up with a large table of host addresses for each remote client connected. This can affect performance in the search time necessary to find the route, the memory required for large tables and the amount of RIP traffic on the LAN segment between all these routers.

To handle routing in this environment, the IP filter will maintain an Ethernet table. For every packet that is forwarded from the private to public side, if a translation entry exists, use its Ethernet index to compare with the Ethernet source address of the incoming packet. If they match, nothing more needs to be done. Otherwise, the Ethernet table is searched for the source Ethernet address, adding a new Ethernet table entry if not found. The index to the Ethernet table is then saved in the translation table entry. Then when a packet is being translated from the public to private side, the Ethernet address can be retrieved directly from the index in the translation table. Thus packets will be
in FIG. 2. The internal components include tWo packet
65
routed to the router Which forWarded the packet to the IP
?lter.
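As an added illustration, not code from the patent, the following Python model shows the translation table the description above keeps: entries are indexed by the filter-node port value, inbound packets are correlated by destination port and ignored and logged when no entry exists, each entry saves the Ethernet index of the router that forwarded it and a timer that is aged once a minute, and for TCP an entry is created only by a connection request, its destination port is corrected if the first response arrives from a different port, and it is zeroed on an end-of-transmission code. The addresses, ports, the timeout value and the dropping of TCP packets that match no entry and are not a connection request are assumptions; ping entries are left out.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional

FILTER_ADDR = "203.0.113.1"  # constructed public address of the filter node
TIMEOUT_MIN = 3              # constructed configured timeout, in minutes


@dataclass
class Packet:
    proto: str           # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""      # TCP: "S" connection request, "SA" first response, "F" end
    eth_src: str = ""    # Ethernet source address seen on the private side
    eth_dst: str = ""    # filled in by the filter when translating public -> private


@dataclass
class Entry:
    src: str             # maintained source information of the private node
    sport: int
    dst: str             # destination information, kept for TCP correlation
    dport: int
    timer: int           # decremented once a minute, entry deleted when it hits 0
    eth_index: int       # index into the Ethernet table (router that forwarded)


class IPFilter:
    """Translation table indexed by the filter-node port value (hypothetical)."""

    def __init__(self, first_port: int = 40000) -> None:
        self.table: Dict[int, Entry] = {}
        self.eth_table: List[str] = []
        self.next_port = first_port
        self.log: List[str] = []

    def _eth_index(self, mac: str) -> int:
        if mac not in self.eth_table:            # add a new Ethernet table entry
            self.eth_table.append(mac)
        return self.eth_table.index(mac)

    def _find(self, pkt: Packet) -> Optional[int]:
        for port, e in self.table.items():
            if (e.src, e.sport, e.dst) == (pkt.src, pkt.sport, pkt.dst):
                return port
        return None

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        """Private -> public: replace source with the filter address and port."""
        port = self._find(pkt)
        if port is None:
            if pkt.proto == "tcp" and "S" not in pkt.flags:
                # assumption: a TCP packet with no entry that is not a connection
                # request is dropped rather than given a fresh entry
                self.log.append(f"drop: tcp {pkt.src}:{pkt.sport} has no entry")
                return None
            port, self.next_port = self.next_port, self.next_port + 1
            self.table[port] = Entry(pkt.src, pkt.sport, pkt.dst, pkt.dport,
                                     TIMEOUT_MIN, self._eth_index(pkt.eth_src))
        e = self.table[port]
        e.timer = TIMEOUT_MIN                    # traffic refreshes the timer
        if self.eth_table[e.eth_index] != pkt.eth_src:
            e.eth_index = self._eth_index(pkt.eth_src)   # remember the new router
        return replace(pkt, src=FILTER_ADDR, sport=port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Public -> private: correlate by destination port, else ignore and log."""
        e = self.table.get(pkt.dport) if pkt.dst == FILTER_ADDR else None
        if e is None:
            self.log.append(f"drop: no entry for {pkt.src}:{pkt.sport} -> {pkt.dport}")
            return None
        if pkt.proto == "tcp" and pkt.flags == "SA" and pkt.sport != e.dport:
            e.dport = pkt.sport                  # server answered from another port
        e.timer = TIMEOUT_MIN
        out = replace(pkt, dst=e.src, dport=e.sport, eth_dst=self.eth_table[e.eth_index])
        if pkt.proto == "tcp" and "F" in pkt.flags:
            del self.table[pkt.dport]            # zero the entry on end of transmission
        return out

    def tick(self) -> List[int]:
        """Called once a minute: age every entry and delete those reaching zero."""
        expired = []
        for port, e in list(self.table.items()):
            e.timer -= 1
            if e.timer <= 0:
                expired.append(port)
                del self.table[port]
        return expired
```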
Those skilled in the art will recognize that various modifications and changes could be made to the invention without departing from the spirit and scope thereof. It should therefore be understood that the claims are not to be considered as being limited to the precise embodiments set forth above, in the absence of specific limitations directed to each embodiment.

What is claimed is:

1. A method of interfacing private and public data communications networks, through a filter node in communication with both networks, the filter node having an address known in the public network, comprising the steps of:
    routing from nodes in the private network, to the filter node, outgoing data packets having destination information, which includes a destination address and a destination port, corresponding to nodes in the public network and having source information, which includes a source address and a source port, of the respective private network nodes;
    for each outgoing data packet received from the private network, at the filter node, maintaining the source information taken from the outgoing data packet in correlation with a unique value representing a port of the filter node, and replacing in the outgoing data packet the source address with the filter node address and the source port with the filter node port value; and
    routing from the filter node, to nodes in the public network, the outgoing data packets having the replaced source information, according to the destination information in each, to the corresponding public network nodes.

2. A method as claimed in claim 1, comprising the steps of:
    routing from nodes in the public network, to the filter node, incoming data packets each having the address of the filter node as the destination address;
    for each incoming data packet received from the public network, at the filter node, correlating the destination port of the destination information in the incoming data packet to particular source information being maintained and replacing, in the incoming data packet, the destination information with the particular source information;
    routing from the filter node, in the private network, the incoming data packets having the replaced destination information to the corresponding private network nodes.

3. A method as claimed in claim 2, comprising ignoring by the filter node any incoming data packet received from the public network, if the destination port of the destination information in that incoming data packet can not be correlated to the maintained source information.

4. A method as claimed in claim 3, wherein maintaining the source information includes storing the source information from each outgoing data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry.

5. A method as claimed in claim 4, wherein the incoming and outgoing data packets include packets in accordance with a transmission control protocol (TCP) over an internet protocol (IP).

6. A method of interfacing private and public data communications networks, through a filter node in communication with both networks, the filter node having an address known in the public network, comprising the steps of:
    routing from nodes in the private network, to the filter node, outgoing data packets having destination information, which includes a destination address and a destination port, corresponding to nodes in the public network and having source information, which includes a source address and a source port, of the respective private network nodes;
    for each outgoing data packet received from the private network, at the filter node, maintaining the source information taken from the outgoing data packet in correlation with a unique value representing a port of the filter node, and replacing in the outgoing data packet the source address with the filter node address and the source port with the filter node port value;
    routing from the filter node, to nodes in the public network, the outgoing data packets having the replaced source information, according to the destination information in each, to the corresponding public network nodes;
    routing from nodes in the public network, to the filter node, incoming data packets each having the address of the filter node as the destination address;
    for each incoming data packet received from the public network, at the filter node, correlating the destination port of the destination information in the incoming data packet to particular source information being maintained and replacing, in the incoming data packet, the destination information with the particular source information;
    routing from the filter node, in the private network, the incoming data packets having the replaced destination information to the corresponding private network nodes;
    ignoring by the filter node any incoming data packet received from the public network, if the destination port of the destination information in that incoming data packet can not be correlated to the maintained source information,
    wherein maintaining the source information includes storing the source information from each outgoing data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry;
    wherein the incoming and outgoing data packets include packets in accordance with a transmission control protocol (TCP) over an internet protocol (IP); and
    receiving at the filter node an outgoing TCP packet from the private network; and if an entry corresponding to the outgoing TCP packet is not found in the lookup table and the outgoing TCP packet indicates that this is a connection request, storing the source information together with the destination information from the outgoing TCP packet as a new entry in the lookup table.

7. A method as claimed in claim 6, comprising receiving at the filter node an incoming TCP packet from the public network; and if the source port in the received incoming TCP packet is different from the destination port in a source information entry of the lookup table, indexed by the destination port in the outgoing TCP packet, and if the incoming TCP packet indicates that this packet is a first response to the connection request, then updating by the filter node the destination port in the table entry with the source port from the received incoming TCP packet.

8. A method as claimed in claim 7, comprising receiving at the filter node any incoming TCP packet having an end of transmission code in the packet and zeroing an entry in the lookup table corresponding to that received incoming TCP packet.

9. A method as claimed in claim 4, wherein the data packets include packets in accordance with a user datagram protocol (UDP) over an internet protocol (IP).

10. A method of interfacing private and public data communications networks, through a filter node in communication with both networks, the filter node having an address known in the public network, comprising the steps of:
    routing from nodes in the private network, to the filter node, outgoing data packets having destination information, which includes a destination address and a destination port, corresponding to nodes in the public network and having source information, which includes a source address and a source port, of the respective private network nodes;
    for each outgoing data packet received from the private network, at the filter node, maintaining the source information taken from the outgoing data packet in correlation with a unique value representing a port of the filter node, and replacing in the outgoing data packet the source address with the filter node address and the source port with the filter node port value;
    routing from the filter node, to nodes in the public network, the outgoing data packets having the replaced source information, according to the destination information in each, to the corresponding public network nodes;
    routing from nodes in the public network, to the filter node, incoming data packets each having the address of the filter node as the destination address;
    for each incoming data packet received from the public network, at the filter node, correlating the destination port of the destination information in the incoming data packet to particular source information being maintained and replacing, in the incoming data packet, the destination information with the particular source information;
    routing from the filter node, in the private network, the incoming data packets having the replaced destination information to the corresponding private network nodes;
    ignoring by the filter node any incoming data packet received from the public network, if the destination port of the destination information in that incoming data packet can not be correlated to the maintained source information,
    wherein maintaining the source information includes storing the source information from each outgoing data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry;
    wherein the data packets include packets in accordance with a user datagram protocol (UDP) over an internet protocol (IP); and
    receiving at the filter node a UDP data packet from the private network, and adding the source information and the destination information from the UDP packet together with an interval indication for an expiration timer as a new entry in the lookup table.

11. A method of interfacing private and public data communications networks, through a filter node in communication with both networks, comprising the steps of:
    (a) receiving at the filter node, from the private network, a data packet having a destination address corresponding to a node in the public network and a source address corresponding to a node in the private network;
    (b) maintaining, by the filter node, the source address taken from the data packet;
    (c) replacing, in the data packet, the source address with an address of the filter node, wherein the source address includes a port number of the node in the private network and the address of the filter node includes a port number of the filter node;
    (d) routing from the filter node, in the public network, the data packet having the replaced source address, according to the destination address, to the corresponding public network node;
    (e) waiting for a return packet from the public network, responsive to the data packet having the replaced source information;
    (f) replacing, in the return packet, the destination address with the maintained source address; and
    (g) routing from the filter node, in the private network, the return packet having the replaced destination address to the corresponding private network node.

12. A method as claimed in claim 11, comprising buffering, at the filter node, further data packets received from the private network while waiting for the return packet, and repeating steps (b) through (g) on an individual basis for the further packets, if any, that were buffered.

13. A method as claimed in claim 12, wherein the data packets include packets in accordance with an internet control message protocol (ICMP).

14. A method of operating a filter node for interfacing first and second data communications networks, comprising the steps of:
    receiving from the first network, an outgoing data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network;
    maintaining the source information taken from the outgoing data packet in correlation with a unique value representing a port of the filter node;
    replacing in the outgoing data packet the source address with an address of the filter node and the source port with the filter node port value; and
    sending to the second network the outgoing data packet having the replaced source information, whereby the packet is routed according to its destination information to the corresponding second network node.

15. A method as claimed in claim 14, further comprising the steps of:
    receiving from the second network, an incoming data packet having the address of the filter node as the destination address;
    correlating the destination port of the destination information in the incoming data packet to particular source information being maintained;
    replacing, in the incoming data packet, the destination information with the particular source information;
    sending to the first network the incoming data packet having the replaced destination information, whereby that packet is routed according to its destination information to the corresponding first network node.

16. A method as claimed in claim 15, comprising ignoring the incoming data packet received from the second network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information.

17. A method as claimed in claim 16, wherein maintaining the source information includes storing the source information from the outgoing data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry.

18. A method as claimed in claim 17, wherein the incoming and outgoing data packets include packets in accordance with a transmission control protocol (TCP) over an internet protocol (IP).

19. A method of operating a filter node for interfacing first and second data communications networks comprising the steps of:
    receiving from the first network, an outgoing data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network;
    maintaining the source information taken from the outgoing data packet in correlation with a unique value representing a port of the filter node;
    replacing in the outgoing data packet the source address with an address of the filter node and the source port with the filter node port value;
    sending to the second network the outgoing data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node;
    receiving from the second network, an incoming data packet having the address of the filter node as the destination address;
    correlating the destination port of the destination information in the incoming data packet to particular source information being maintained;
    replacing, in the incoming data packet, the destination information with the particular source information;
    sending to the first network the incoming data packet having the replaced destination information, whereby that packet is routed according to its destination information to the corresponding first network node; and
    ignoring the incoming data packet received from the second network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information,
    wherein maintaining the source information includes storing the source information from the outgoing data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry;
    wherein the incoming and outgoing data packets include packets in accordance with a transmission control protocol (TCP) over an internet protocol (IP); and
    receiving an outgoing TCP packet from the first network; and if an entry corresponding to the outgoing TCP packet is not found in the lookup table and the outgoing TCP packet indicates that this is a connection request, storing the source information together with the destination information from the TCP packet as a new entry in the lookup table.

20. A method as claimed in claim 19, comprising receiving any incoming TCP packet from the second network; and if the source port in that received incoming TCP packet is different from the destination port in a source information entry of the lookup table, indexed by the destination port in the outgoing TCP packet, and if that incoming TCP packet indicates that it is a first response to the connection request, then updating the destination port in the table entry with the source port from that received incoming TCP packet.

21. A method as claimed in claim 20, comprising receiving any incoming TCP packet having an end of transmission code in the packet, and zeroing an entry in the lookup table corresponding to that received incoming TCP packet.

22. A method as claimed in claim 17, wherein the outgoing and incoming data packets include packets in accordance with a user datagram protocol (UDP) over an internet protocol (IP).

23. A method of operating a filter node for interfacing first and second data communications networks, comprising the steps of:
    receiving from the first network, an outgoing data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network;
    maintaining the source information taken from the outgoing data packet in correlation with a unique value representing a port of the filter node;
    replacing in the outgoing data packet the source address with an address of the filter node and the source port with the filter node port value;
    sending to the second network the outgoing data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node;
    receiving from the second network, an incoming data packet having the address of the filter node as the destination address;
    correlating the destination port of the destination information in the incoming data packet to particular source information being maintained;
    replacing, in the incoming data packet, the destination information with the particular source information;
    sending to the first network the incoming data packet having the replaced destination information, whereby that packet is routed according to its destination information to the corresponding first network node;
    ignoring the incoming data packet received from the second network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information,
    wherein maintaining the source information includes storing the source information from the outgoing data packet as an entry in a lookup table, and the filter node port value correlating to the source information constitutes an index into the table for that entry;
    wherein the outgoing and incoming data packets include packets in accordance with a user datagram protocol (UDP) over an internet protocol (IP); and
    receiving a UDP data packet from the first network, and adding the source information and the destination information from the UDP packet together with an interval indication for an expiration timer as a new entry in the lookup table.

24. A method of operating a filter node for interfacing first and second data communications networks, comprising the steps of:
    (a) receiving from the first network, a data packet having a destination address corresponding to a node in the second network and a source address corresponding to a node in the first network;
    (b) maintaining the source address taken from the data packet;
    (c) replacing, in the data packet, the source address with an address of the filter node, wherein the source address includes a source port number and the address of the filter node includes a port number of the filter node;
    (d) sending to the second network the data packet having the replaced source address, whereby that packet is routed to the corresponding second network node;
    (e) receiving a return packet from the second network, responsive to the data packet having the replaced source information;
    (f) replacing, in the return packet, the destination address with the maintained source address; and
    (g) sending to the first network the return packet having the replaced destination address, whereby that packet is routed to the corresponding first network node.

25. A method as claimed in claim 24, comprising buffering further data packets received from the first network while waiting for the return packet, and repeating steps (b) through (g) on an individual basis for the further packets, if any, that were buffered.

26. A method as claimed in claim 25, wherein the data packets include packets in accordance with an internet control message protocol (ICMP).

27. A filter node for interfacing first and second data communications networks, comprising:
    means for receiving from the first network, a data packet having destination information, which includes a destination address and a destination port, corresponding to a node in the second network and having source information, which includes a source address and a source port, corresponding to a node in the first network;
    means for maintaining the source information taken from the data packet in correlation with a unique value representing a port of the filter node;
    means for replacing in the data packet the source address with an address of the filter node and the source port with the filter node port value; and
    means for sending to the second network, the data packet having the replaced source information, whereby that packet is routed according to its destination information to the corresponding second network node.

28. A filter node as claimed in claim 27, comprising:
    means for receiving from the second network, a data packet having the address of the filter node as the destination address;
    means for correlating the destination port of the destination information in the data packet to particular source information being maintained;
    means for replacing, in the data packet, the destination information with the particular source information; and
    means for sending to the first network the data packet having the replaced destination information, whereby that packet is routed according to its destination information to the corresponding first network node.

29. A filter node as claimed in claim 28, comprising means for ignoring a data packet received from the second network, if the destination port of the destination information in that data packet can not be correlated to the maintained source information.

30. A filter node as claimed in claim 29, wherein the means for maintaining the source information includes means for storing the source information from the data packet as an entry in a lookup table, and wherein the filter node port value correlating to the source information constitutes an index into the table for that entry.

31. A filter node for interfacing first and second data communications networks, comprising:
    (a) means for receiving from the first network, a data packet having a destination address corresponding to a node in the second network;
    (b) means for maintaining the source address taken from the data packet;
    (c) means for replacing, in the data packet, the source address with an address of the filter node, wherein the source address includes a source port number and the address of the filter node includes a port number of the filter node;
    (d) means for sending to the second network the data packet having the replaced source address, whereby that packet is routed to the corresponding second network node;
    (e) means for receiving a return packet from the second network, responsive to the data packet having the replaced source information;
    (f) means for replacing, in the return packet, the destination address with the maintained source address; and
    (g) means for sending to the first network the return packet having the replaced destination address, whereby that packet is routed to the corresponding first network node.

32. A filter node as claimed in claim 31, comprising means for buffering further data packets received from the first network while waiting for the return packet, and means for controlling means (b) through (g) on an individual basis for processing the further packets, if any, that were buffered.