324 results about "Private IP" patented technology

A computer system aggregates a plurality of network resources of a computer system. The computer system has a plurality of processing nodes. Each of the processing nodes includes one or more of the plurality of network resources. The one or more resources of each processing node makes up a bypass protocol stack operable to provide offloaded connections over a network to instances of one or more applications running on the system. Each of the applications is uniquely associated with a first port number. The system is identified on the network by a global IP address and each of the plurality of nodes is identified by a unique local IP address. Each of the plurality of resources is uniquely identified by an assigned private IP address. At each of the processing nodes, a listening socket is created for each instance of the plurality of applications running on the node. The listening socket is created by associating it with a first endpoint tuple that includes the public IP address uniquely identifying the node and the first port number associated with the application for which the listening socket is created. The first endpoint tuple associated with each listening socket created is translated to a set of bypass endpoint tuples, each of the set of bypass tuples including a different one of the assigned private IP addresses identifying the one or more network resources of the node. Each listening socket is associated with the set of bypass tuples. A global address translation map is maintained for each set of bypass tuples associated with each of the listening sockets created for an instance of each of the applications running on the plurality of processing nodes.

A method for routing packets from a gateway to an endpoint includes the step of associating a private internet protocol (IP) address with an endpoint having a public IP address. A packet addressed to the private IP address of the endpoint is captured. A policy is applied to the packet. The packet is transmitted to the public IP address of the endpoint, responsive to the application of the policy to the packet.

Provided is a method and apparatus for facilitating push communication from a first network to a target device of a second network, the second network comprising a packet service network such as a GPRS core network. A private IP address, usable for addressing the target device when the packet service network is in an activated state with respect thereto, is retained. Upon receipt of a first message from the first network, indicative of a push communication for the target device, the packet service network is disposed into the activated state, and a second message, addressed to the private IP address, is transmitted. The second message may be generated by a NAT configured to implement micro-port forwarding. The second message may be generated by a representative device of the second network, configured to receive the first message via a NAT in response to a query generated by the representative device.

A data center network system and a packet forwarding method thereof are provided. The data center network system includes a virtual bridge and an address resolution protocol (ARP) server. The virtual bridge intercepts an ARP request having an identification field and a destination IP address field and adds a corresponding virtual data center identification to the identification field of the ARP request and redirecting the ARP request to the ARP server. Additionally, the ARP server queries a corresponding MAC address according to an IP address recorded in the destination IP address field of the ARP request and the corresponding VDCID recorded in the identification field of the ARP request, and transmits the corresponding MAC address in response to the ARP request. Accordingly, the same private IP address can be reused in the data center network system.

A method of operating a node of a telecommunications system, the node comprising a plurality of entities each arranged to send and receive IP packets to peer entities, via a Network Address Translation function, using a layer 4 control protocol which facilitates multi-homing by allowing an entity to include more than one IP address in a layer 4 packet chunk. The method comprises maintaining at each of said plurality of entities a table mapping one or more private addresses of the entity to one or more public addresses of the Network Address Translation function, and, for each association initiation message generated by an entity, including in said layer 4 packet chunk of the message the public IP address(es) of the Network Address Translation function obtained from said table for the corresponding private IP address(es).

Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time. Outgoing packets from the client to that foreign address and incoming packets from that foreign address to the NAT's global IP address and GPN are translated according to the entry until the entry expires. In associations with these translations to outgoing and incoming packets, the client implements any Application Layer Gateway (ALG) that would otherwise be implemented at the NAT. Further, at the client, outgoing packets are modified before being transmitted so as to pre-compensate for the effects of the translations. Incoming packets at the client from the NAT are similarly modified so as to post-compensate for the effects of the translations. For the IPSec protocol, these modification include adjusting the checksum in the TCP or UDP header to account for IP address and TCP or UDP port number translations.

The IPNet Gateway (IPNGw) is a new technology that maps multiple servers on a private IP network to a single IP address on the Internet. As requests come in for DNS resolution of the server's domain name, the IPNet Gateway records the domain of the requesting client and the name of the requested server, and returns its own address as the destination address for the requested domain name. This DNS response is set as non-cacheable to prevent the association between the IPNGw IP address and the domain name of the target server beyond the anticipated following transaction from the client. As soon as the IPNGw responds to the DNS request it enters into a waiting state anticipating a connection from the client to the specific server identified in the DNS request. Subsequently, the client establishes a connection with the IPNGw, which in turn relays the connection request to the server.

A mediating apparatus is provided on an IP network, and stores an access control list (ACL) retained in a VPN gateway unit. The mediating apparatus: receives a retrieval request from a VPN client unit; acquires a private IP address of a communication unit by reference to ACL; searches DNS to acquire therefrom an IP address of the VPN gateway unit; generates a common key that is used for authentication between the VPN client unit and the VPN gateway unit and for encrypted communication therebetween; sends the IP address of the VPN gateway unit, the private IP address of the communication unit, and the common key to the VPN client unit; and sends the IP address of the VPN client unit and the common key to the VPN gateway unit.

An interface for a private IP network interfaces flows of packets between gateway controllers and external media gateways. It has a network address translator and an IPsec device for maintaining secure paths to the external devices. A path identifier records which of the packet flows corresponds to which path. It is incorporated in the packet header, and means that the same interface can be used to couple many different external gateways, and interface them with many of the gateway controllers. Widespread deployment of such interfaces in anonymisers to achieve hiding of device addresses and network topology, as well as the reduction in use of expensive registered addresses is facilitated. By sending the path identifier in the packet, the IPsec device and the address translator can be loosely coupled devices, so standard readily available devices can be used.

In a General Packet Radio Service (GPRS) network, a system and method of dynamically allocating an Internet Protocol (IP) address to a mobile terminal (MT) operating in the network. A Gateway GPRS Service Node (GGSN) requests IP addresses over the Gi interface from a Radius server in an IP-based network. A Conditional PDP Address (CPA) parameter is stored in the MT's Home Location Register (HLR) as part of the user subscriber data, and is passed to the GGSN during the GPRS Attach procedure. The CPA parameter indicates whether the subscriber is entitled to a backup IP address in case of failure to obtain one over the Gi interface, and whether the MT is a user of a real-time application. A timer in the GGSN sets a maximum time period (Ti) that the GGSN will wait for a response from the server, and a counter (Ni) sets the maximum number of requests that are sent. A Network Access Server (NAS) in the GGSN sends a request for an IP address from the GGSN to the server, and determines whether Ti expires without receiving a response from the server. If no response is received, the GGSN allocates an IP address. A public IP address is allocated only if the MT is a user of a real-time application. Otherwise, a private IP address is allocated.

A single firewall or cluster of firewalls with a public IP address is interfaced to an internet public subnet to receive service requests for a cluster of network servers. A first private subnet with a plurality of private IP addresses is interfaced to the single firewall or cluster of firewalls to receive the service requests after passing through a firewall. A plurality of redundant load balancers with a respective plurality of private IP addresses are interfaced to the first private subnet to receive the service requests after passing through the first private subnet. The load balancers are interfaced to a second private subnet. The network servers with respective private IP addresses are interfaced to the second private subnet to receive the service requests from the load balancers. At an initialization time, a private IP address is defined for the network load balancer system within the internet access subnet. When one of the load balancers becomes primary at the initialization time or switches from a standby state to an active state, the network load balancer system private IP address is defined as an alias in an interface table to be recognized by the one load balancer. When the one network load balancer switches from the active state to a standby state, the network load balancer system private IP address previously defined as the alias is released from the interface table.

A method and application programming interface for using multiple network addresses on a common physical layer. The host protocol stack supports multiple Internet Protocol interfaces. When a process makes a function call to create a new socket, a new IP address is associated with the socket. Each socket is then bound to an IP address that is distinct from the IP addresses bound to other sockets. This is in contrast to conventional sockets that are bound to a common IP address. In this manner, each process may be associated with a unique IP address. Such a configuration may useful in Internet telephony where each call process receives a unique private IP address in a virtual private network.

A computer system establishes offloaded connections over a network between requester applications running on client nodes and server applications running on a server node. The connections are established through an aggregated plurality of network resources of the server node. Each of the aggregated plurality of server resources is operable to provide offloaded connections over the network and each is assigned to a unique private IP address. Connect queries are generated on behalf of requesting applications. Each of the connect queries specifies one of the server applications using a first endpoint tuple. The first endpoint tuple includes one of one or more IP addresses identifying the server node publicly on the network and a first port number uniquely identifying the server application. A valid set of bypass endpoint tuples are obtained that are translated from the first endpoint tuple specified in the query. Each tuple of the set includes a different one of the assigned private IP addresses. A connect request is issued over the network that specifies a selected one of the valid set of bypass endpoint tuples as the destination transport address for the connection.

A system, apparatus and method to use private IP addresses to designate host devices or nodes in different networks for communication purposes are described. Various embodiments of the invention address the problem of a shortage of public IP addresses under IPv4 architecture. In one embodiment of the invention, dynamic NAT penetration capabilities are provided which consequently expand the capability of running peer-to-peer applications on the Internet.

A communication network providing mobile IP services to mobile nodes sharing the same private IP address. A mobile node visits a foreign network from its home network and transmits a registration request including its private IP address to a foreign agent on the foreign network. If the foreign agent determines that another mobile node with a valid registration shares the same private IP address, the foreign agent requests the mobile node to use a temporary address. The temporary address is sent along with the registration request to the registering mobile node's home agent. When the home agent receives a packet addressed to its mobile node, it creates two tunnels. An outer tunnel is created using a care-of address associated with the foreign agent. An inner tunnel is created using the temporary address assigned to mobile node. The packet is then forwarded via the two tunnels. Upon receipt of the tunneled packet by the foreign agent, it de-tunnels the outer tunnel to uncover the inner tunnel, and forwards the inner tunnel to the mobile node. The mobile node de-tunnels the inner tunnel to recover the original packet.

Disclosed is a device and method for securing stored data in an IP based storage area network (SAN), where the physical storage media is located in an unprotected site. The connection between the client and the unprotected site is established over a public or private IP network preferably by means of an iSCSI protocol. According to the present invention a data block to be saved in a remote site is encrypted at the initiator host using a private encryption key and an encrypt key. The private encryption key is saved in a key management table which is shared among other hosts that may access the encrypted data block.

A disclosed Internet Linked Network Architecture delivers telecommunication type services across a network utilizing digital technology. The unique breadth and flexibility of telecommunication services offered by the Internet Linked Network Architecture flow directly from the network over which they are delivered and the underlying design principles and architectural decisions employed during its creation. The present invention supports current telecommunication and voice over IP standards and applications. This new network not only replaces the telecommunication network presently in place, but it also offers a more feature rich and cost effective alternative. For example, traditional telecommunication switches are more expensive, less reliable and slower than the faster digital data switches utilized in the present invention. Furthermore, the programmable nature of the digital devices comprising the present invention allows the new network to be built with a scalable and extensible architecture, providing the flexibility necessary to incorporate new or future digital enhancements. The inventive network is designed as a complete replacement for the traditional telecom network. The disclosed architecture allows for this network to connect to traditional networks and allows for an upgrade path. The design is robust and scalable so this network can introduce new features and functionality while preserving the quality of traditional networks.

A method of and a device for communication between a client and server using a flexible address. The method of receiving a flexible address includes: transmitting a request for communication with a server to a proxy, which retains the flexible address of the server; and receiving a response, which includes the flexible address from the server which received the communication request relayed by the proxy. This enables the client to independently communicate with a server which has a flexible private IP address.

A media gateway control protocol (MGCP) proxy server interfaces between a plurality of MGCP gateways and at least one MGCP call agent which may be coupled to a private network and served by a network address translation firewall. The proxy server comprises a private network interface for communicating over a private network with the call agent and a public network interface for communicating over the Internet. A translation module provides for receiving an MGCP message generated by a gateway and addressed to the public network interface. The MGCP message includes a message transaction ID assigned by the gateway and an endpoint ID identifying the gateway. The endpoint ID comprises a local endpoint name and a domain. The translation module translating the MGCP message to create a translated message by: i) substituting a unique transaction ID in place of the message transaction ID; and ii) substituting a private IP address assigned to a private network interface in place of the domain of the endpoint ID of the MGCP message. The translation module: i) provides the translated message to the private network interface for sending to the call agent; ii) writes each of the unique transaction ID and the message transaction ID to a record of a gateway request map; and iii) writes the public socket on which the message was received from the gateway to a record associated with the MGCP gateway in a registration map and updates an indication of a predetermined time window during which the public socket is valid to a time period following receipt of the MGCP message.

A communications system that provides broadband access to passengers of mobile platforms includes a router located on the mobile platform. A network is connected to the router. User communication devices (UCDs) connected to the network, wherein the UCDs establish point-to-point over Ethernet (PPPoE) sessions with the router. A transmitter and a receiver are connected to the router. A satellite and a ground station are in communication with the transmitter and the receiver. A distributed communications system includes virtual private networks (VPN) and is connected to the ground station. A first address manager leases the use of public IP addresses by the mobile platform. A second address manager assigns the public IP addresses to UCDs when the UCDs request access to the VPNs and private IP addresses for other network service. The UCDs employ IPSec protocol when accessing the VPNs.

Clients that are connected on a private network and which are assigned a private IP address that is not routable on the Internet can connect to the Internet through a router/server that includes a network address translator (NAT). For outgoing packets, the NAT translates the client's private source IP address and generalized port number (GPN) to the NAT's global IP address and GPN. For incoming packets sent to the NAT's global IP address and GPN, the NAT translates the global destination IP address and GPN to the client's private IP address and GPN. For protocols which cannot be directly supported by the NAT, such as those in the IPSec security protocol suite, the NAT is extended by creating in the NAT's translation table an entry that associates, for a specific unsupported protocol, a client's private IP address and GPN, the NAT's global IP address and GPN, and a foreign address on the Internet, that is valid until a specified or default expiration time. Outgoing packets from the client to that foreign address and incoming packets from that foreign address to the NAT's global IP address and GPN are translated according to the entry until the entry expires. In associations with these translations to outgoing and incoming packets, the client implements any Application Layer Gateway (ALG) that would otherwise be implemented at the NAT. Further, at the client, outgoing packets are modified before being transmitted so as to pre-compensate for the effects of the translations. Incoming packets at the client from the NAT are similarly modified so as to post-compensate for the effects of the translations. For the IPSec protocol, these modification include adjusting the checksum in the TCP or UDP header to account for IP address and TCP or UDP port number translations.

The present invention relates to a service method for a construction of networks having automatic backup and load-balancing upon failures to networks and systems, and more particularly to a dedicated private network service method having a load-balancing function wherein the network backup is available since a bypass path is made to normally operating IDC centers upon failures to a specific IDC of the IDCs dispersed in plural places in a public IP networks by GLB servers, and load-balancing as to entire servers is available by constructing network equipment changeable into a private IP network in case of connecting to the IDC centers, connecting the network equipment by Giga lines, and using dispersed IDCs as a network constructed in one place. Further, the present invention, in a dedicated private network, comprises steps of (1) performing a bypass connection to an IDC normally operated upon a failure of a specific IDC by connecting a user by IDC center in a public IP network by a GLB server upon a user's connection; (2) changing a public IP address to a private IP address upon a connection to the dedicated private network; (3) load-balancing traffic to plural IDC centers after interactively connecting the respective IDC centers by constructing a ring-shape network with the IDC centers of private IP networks connected by Giga lines; and (4) performing the load balancing of servers by identifying server states at SLB servers in the respective IDC centers.

To connect arbitrary network communication apparatuses by selecting an appropriate route or identifying an IP address in an environment which includes a network using plural NAT routers, which is hierachically connected through plural NAT routers for distributing private IPs.

A network communication apparatus (201) includes: a direct search unit (102) which transmits a direct search request to another network communication apparatus (202); a route information obtaining unit (103) which obtains route information of the network communication apparatus (202) from a server (205) which holds the route information of the network communication apparatus (202); and a communication control unit (101) which performs, when the information regarding the other network communication apparatus (202 to 204) is obtained upon the direct search request, communication with the other network communication apparatus (202 to 204) based on the information, and which performs, when the information is not obtained, communication with the other network communication apparatus (202 to 204), based on the route information.