94 results about "Application-level gateway" patented technology

Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time. Outgoing packets from the client to that foreign address and incoming packets from that foreign address to the NAT's global IP address and GPN are translated according to the entry until the entry expires. In associations with these translations to outgoing and incoming packets, the client implements any Application Layer Gateway (ALG) that would otherwise be implemented at the NAT. Further, at the client, outgoing packets are modified before being transmitted so as to pre-compensate for the effects of the translations. Incoming packets at the client from the NAT are similarly modified so as to post-compensate for the effects of the translations. For the IPSec protocol, these modification include adjusting the checksum in the TCP or UDP header to account for IP address and TCP or UDP port number translations.

A structure for coupling together addressably disparate nodes, such as IPv4 nodes and IPv6 nodes, without the use of an application level gateway. Instead, the system includes two executable applications, HEART and ECHO, that avoid the necessity of an application level gateway. In general, HEART and ECHO cooperate with each other through a network address translator-protocol translator (NAT-PT) to cause the NAT-PT to temporarily assign an IPv4 address to a control session between the IPv4 and IPv6 nodes and also prevent the control session from timing out due to lack of timely communications between the IPv4 and IPv6 nodes.

Methods, systems, and gateways are disclosed for automatically setting up a redirector of domain name system (DNS) name requests. A DNS setup packet is transmitted to a remote gateway via a tunnel of a virtual private network (VPN). The setup packet comprises a global name of a home network and a private address of a DNS server in the home network. A DNS setup reply packet is received from the remote gateway via the tunnel. The reply packet comprises a global name of another home network and a private address of a DNS server in the other home network. An application level gateway of the DNS server (DNS-ALG) in the home network is configured dependent upon the DNS setup reply packet to redirect DNS name requests for the global name of the other network to the DNS server in the other network. Methods, systems, and gateways are also disclosed for resolving a domain name request in a DNS.

Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time. Outgoing packets from the client to that foreign address and incoming packets from that foreign address to the NAT's global IP address and GPN are translated according to the entry until the entry expires. In associations with these translations to outgoing and incoming packets, the client implements any Application Layer Gateway (ALG) that would otherwise be implemented at the NAT. Further, at the client, outgoing packets are modified before being transmitted so as to pre-compensate for the effects of the translations. Incoming packets at the client from the NAT are similarly modified so as to post-compensate for the effects of the translations. For the IPSec protocol, these modification include adjusting the checksum in the TCP or UDP header to account for IP address and TCP or UDP port number translations.

Disclosed are an interworking system between IP networks using different IP address format, an application layer gateway (ALG) server, a network address translator, an interworking method, and a SIP message routing method. The interworking system between a local network using a private IP and a public network using a public IP includes a STUN server and an application layer gateway (ALG) server. The STUN server provides binding information of header information of a public IP binding request. The application layer gateway (ALG) server performs a public IP binding request with header information changed by IP masquerading, and performs routing by applying the received binding information to media receiving address information of a SIP message.

The invention relates to a network communication area and discloses a method for penetrating the NAT. The method mainly includes: step S1: the communication terminal after the NAT device interacts with the NAT device to get the public network address and/or port behind the NAT from the NAT; step S2: the communication terminal fills the private network address and/or port information of the packet net payload as the public network address and/or port, and send the packets to the NAT device. The invention discloses the corresponding communication terminal and NAT device to support the implementation of the above method. Compared with the existing technology, the invention does not require NAT device to support the ALG (application layer gateway) and need not realize the STUN (UDP simple penetration mode of NAT) protocol, so it eliminates the limit of the static manual configuration.

A method and system for stateful handling of packets in a network are described. In a client-server network environment, the stateful inspection of incoming protocols is offloaded from the server and distributed to the client device. The stateful inspection, as well as the provisioning of the client with the necessary functions required by the handlers, is referred to as Client Assisted Application Level Gateway (ALG). This version of ALG, in which the client performs or assists the server by performing at least some of the inspection and provisioning tasks, allows for a marked performance gain to the network gateway by reducing its packet inspection load.

A method for identifying alternate end-to-end media paths through internet protocol realms using substitute session description protocol parameters is disclosed. The method includes receiving an session description protocol offer, including a list of previously traversed through internet protocol realms. The method continues with determining the next internet protocol realm for a media path based on unspecified signaling criteria. Finally, the method includes that if the next internet protocol realm to be traversed through is on the list of previously traversed through internet protocol realms, bypassing at least one border gateway associated with the current and previously traversed through internet protocol realms. The system implementing a method for identifying optimal end-to-end media paths and internet protocol multimedia subsystems include a list of internet protocol realm instances, an application level gateway configured to receive a session description protocol offer having connection information and port information, and a procedure to determine that if the next internet protocol realm that the media path may traverse through is on the list of instances, the media path connection information and port information is substituted to facilitate border gateway bypassing.

The method comprises: in main mode stage of IKE negotiation, newly adding the NATPT-D load used to realize the mechanism of finding 'NAT-PT'; in the communication stage under IPSec protection, after detecting the NAT-PT gateway, when calculating the Authentication Data of AH, using a 'pseudo IP header' to replace the original IP header to solve the incompatibility problem between AH and NAT-PT. By the invention, IPSec can cross over the NAT-PT gateway under the AH transmission mode, AH tunnel mode, ESP transmission mode and ESP tunnel mode.

A dynamic network security system and a control method thereof in a router where an Intrusion Detection System (IDS) and a Voice over Internet Protocol Application Level Gateway (VoIP ALG) are integrated, system including: a VoIP ALG module for acquiring VoIP IP/port information of a counterpart unit in use for determining whether or not to perform intrusion detection on a packet received via VoIP signaling with the counterpart unit; an intrusion detection module for comparing the received packet with a preset intrusion detection log entry to perform intrusion detection on the received packet, and based on a result of the intrusion detection, determining whether or not to allow passage of the received packet; and an IP/port check module for checking VoIP IP/port information of the received packet according to the VoIP IP/port information of the counterpart unit provided from the VoIP ALG module to determine whether or not to perform the intrusion detection, and providing result information on the determination whether or not to perform the intrusion detection to the intrusion detection module.

The invention discloses a distributed gateway system in a 4-6-4 hybrid protocol network and an access method. The method comprises the steps that one or more distributed CLAT (Customer Side Translator) gateways receive a first access request to an IPv4 (Internet Protocol Version 4) server located on a network address translation PLAT (provider side translator) gateway side initiated by an IPv4 client; a first IP (Internet Protocol) address of IPv4 in the first access request is converted to a second IP address of IPv6 (Internet Protocol Version 6) according to an address conversion rule in the CLAT gateways; and a second access request to the PLAT gateway is initiated based on the second IP address of the IPv6; the second access request also carries a third IP address of the IPv4 and a third port; and the third IP address and the third port conduct pre-mapping formation on the first IP address of the IPv4 and a first port corresponding to the first IP address according to a preset address mapping rule via the CLAT gateways. The problems of gateway server pressure and network delay caused during an application-level gateway processing course are solved.

The invention discloses an application layer dynamic intrusion detection system and detection method based on artificial intelligence, wherein the detection system comprises an application layer gateway, a detection module, a judgment and operation module, a sample database and an updating module, the detection module comprises a detection model mixed with a convolutional neural network and a bidirectional long and short term memory neural network. The detection module after initialization is used for making an attack judgment on an application layer data packet, filtering the data packet above the threshold value and putting the data packet into a malicious sample database, and meanwhile, the data packet under the threshold value is not processed. The updating module is used for traininga new model by using the malicious samples and normal samples with a certain proportion in the sample database and updating the detection model in the detection module in real time. According to the invention, a universal detection method is used for the attack method of the application layer, the method has the advantages of high detection rate and low misjudgment rate. Meanwhile, the intrusion detection system has the advantage of dynamic updating model, and has good filtering effect on unknown zero-day attack.

A mobile client (104) on a private network (106) sends a request for receiving streamed media from a server (110,112) on a public network such as the Internet (108). The private network has a firewall (118). The private network has a router (116) that routes requests for streaming media to an application layer gateway (120) on the private network. The application layer gateway takes care of the NAT and security issues. Owing to this configuration, the mobile clients need not be re-configured when used for receiving streaming media.

The method for use in making a mobile node roaming at external network capable of safely communicating with the communication nodes in internal network comprises: setting a first SIP proxy server, an application layer gateway, a second SIP proxy server and an AAA server between the internal network and the external network; when the second SIP proxy server detects the mobile node is closing to the internal network, it modifies the data transmission direction of the communication node information packet, and transmits it to the application layer; the first SIP proxy server authenticates and authorizes the mobile node through the AAA server, and generates a negotiation key that is transmitted to the application gateway; finally the application gateway takes over the transmission between the mobile node and the communication node.

Disclosed is a method for applying a NAT-PT-based SIP onto the gateway to convert SIP message between an IPv4 network and an IPv6 network, comprising: obtaining the identification number and length of the SIP message; analyzing the first line of the message head to judge whether the type of the SIP message is a request or a response; if the answer is request, executing the request process; if the answer is response, executing the response process. The invention can record the conversion of the IP address and the port via a conversion information table, manage the conversion state of the message by a state machine, and carry out the conversion from the IPv4 address to IPv6 address (or visa versa) based on an address prefixing and an address pool, accordingly, the conversion between the IPv4 network and IPv6 network is achieved.

The invention discloses an implementing method for FTP application-level gateways based on NAT-PT, for conversion of FTP protocol between IPv4 network and IPv6 network, including the following steps: a. receiving an FTP message, judging whether the FTP packet is a data packet message, if so, establishing a data conversation; otherwise, executing the following steps; b. resolving the FTP command for knowing the command types; c. converting the FTP command, simultaneously converting IP address and/or terminal port when the command includes IP address and/or terminal port; d. establishing a control conversation when the FTP command is PORT command, EPRT command, PASV command or EPSV command; and e. establishing a data conversation simultaneously when establishing a control conversation, when the FTP command is the EPRT command; and establishing a data temporary conversation simultaneously when establishing a control conversation, when the command is the EPSV command.

An application level gateway allows computers on a local area or “internal” network to serve data (e.g., web pages, files or other constructs) to computer systems on an external or public network such as the Internet, even though references such as hostnames and/or network addresses within the internal network that are contained within the data (e.g., URLs in web pages) might not be compatible (e.g., DNS resolvable or routable) with the external network. The system detects, in a portion of data (e.g., a web page), a local reference to a computer system on the internal network, determines whether a computer system identifier is mapped to the computer system specified in the local reference, and replaces the local reference with a translated reference obtained from the mapping. The translated reference contains the computer system identifier and a reference to a gateway computer system coupled to the internal network, such that subsequent referrals to the translated reference are directed to the gateway computer system. When a request for the data is subsequently received, the gateway performs a reverse mapping to determine the identity of the computer system on the internal network.

The invention provides a system and method for interworking between the IPv4 (internet protocol version 4) and the IPv6 (internet protocol version 6) based on a DHT (distributed hash table). The system only improves a terminal and takes a new double stack gateway which is arranged at the network perimeter between the IPv4 and the IPv6 as an application layer gateway rather than changing the othernetwork element equipment arranged in the original IPv4 or IPv6 network. The common point of the terminal and the application layer gateway is that an application later is additionally provided with five sequence connection modules, namely an address conversion module, a DHT layer building and maintaining module, a route path querying module, a shortest route path computing module and a data packet transmitting module; and on the basis of the added modules, each application layer gateway is logically mapped to form a DHT converge network. In order to realize the interconnection and the intercommunication of the IPv4 node and the IPv6 node, the terminal is further additionally provided with a scene judging module. The invention is used for realizing the interconnection and the intercommunication of the IPv4 and the IPv6 on the basis that the existing IPv4 protocol and IPv6 protocol are minimally changed. In the invention, the address difference of the original IPv4 network node and IPv6 network node is eliminated, and the data communication is completed by two different host machines according to an IP (internet protocol) address sequence with a set rule. By adopting the DHT technology, the invention is good in expandability and scalability.

The invention relates to method of domain name service (DNS) conversion gateway as well as file transfer protocol (FTP) conversion gateway in network processor platform. Steps of the method are as following: (1) receiving port receives data packet; (2) converting address and protocol for received data packets by micro engine; (3) checking port number of protocol, structuring data packet for DNS packet or FTP command packet found by using 'taking along' technique; (4) SltongARM calls module of DNS conversion gateway to process DNS packet, and calls module of FTP conversion gateway to process FTP command packet; (5) data packet processed by conversion module of application layer gateway is sent to transmission queue to be transmitted. Practical testing verifies that NAT-PT realized by the invented method is capable of processing accesses between IPv4 network and IPv6 in real time.

The present invention provides a method and device configured for processing an SDP request in a media path optimization process. In this case, the method comprises: an application layer gateway (ALG) receiving a session description protocol (SDP) request; the ALG determining that media connection information used by the SDP request is different from media connection information in last accessible domain information in node information of the SDP request; and the ALG sequentially adding its forward accessible domain information and its backward accessible domain information to an end of a queue of the node information of the SDP request, and then sending the SDP request. By virtue of the present invention, an optimized media path and normal communication can be ensured.