[Application file-wrapper face sheet, reproduced from a scanned image; most fields are illegible in this text extraction. Legible fields:]

Serial number: 08/842,328
Filing date: 04/24/97
Applicants: Bruce Anthony Wootton, Raleigh, NC; William G. Colvin, Milton, Canada
Continuing data: verified provisional application No. 60/015,945, 04/24/96
Foreign applications: verified (none listed)
State or country as filed: NC
Total claims: 32
Correspondence address: Washington Harbour, 3000 K Street NW, Suite 500, Washington, DC (P.O. Box and ZIP code partly illegible)
Primary examiner: Ajit Patel

WARNING: The information disclosed herein may be restricted. Unauthorized disclosure may be prohibited by the United States Code Title 35, Sections 122, 181 and 368. Possession outside the U.S. Patent & Trademark Office is restricted to authorized employees and contractors only.

(FACE)

Google Ex. 1402, pg. 1
`
`
`United States Patent [19]
`Wootton et al.
`
`[54]
`
`INTERNET PROTOCOL FILTER
`
`[75]
`
`Inventors: Bruce Anthony Wootton, Raleigh,
`N.C.; William G. Colvin, Milton,
`Canada
`
`[73] Assignee: Nortel Networks Corporation,
`Montreal, Canada
`
`[21] Appl. No.: 08/842,328
`
`[22] Filed:
`
`Apr. 24, 1997
`
Related U.S. Application Data
[60] Provisional application No. 60/015,945, Apr. 24, 1996.

[51] Int. Cl.7 ............................................ H04L 12/56
[52] U.S. Cl. ........................... 370/392; 370/390; 370/401; 713/201
[58] Field of Search ..................................... 370/351, 352,
     355, 389, 390, 392, 393, 400, 401, 402, 409;
     395/200.6, 200.62, 200.68, 200.72; 713/201
`
`[56]
`
`References Cited
`
`U.S. PATENT DOCUMENTS
`
`5,309,437
`5,383,179
`5,400,334
`5,606,668
`5,623,601
`5,778,174
`5,781,550
`5,793,763
`5,826,014
`5,835,726
`
`........................ 370/401
`5/1994 Perlman et al.
`1/1995 Saini et al. .............................. 370/393
`3/1995 Hayssen .................................. 370/245
`2/1997 Shwed.
`4/1997 Vu.
`7/1998 Cain.
`........................ 370/401
`7/1998 Templin et al.
`8/1998 Mayes et al. ........................... 370/389
`10/1998 Coley et al. .
`11/1998 Shwed et al. .
`
`FOREIGN PATENT DOCUMENTS
`o 465 201
`
`1/1992 European Pat. Off ..
`
US006128298A
[11] Patent Number: 6,128,298
[45] Date of Patent: Oct. 3, 2000

OTHER PUBLICATIONS

Axner, "Differing Approaches to Virtual LANs", Business
Communications Review, Dec. 1993, pp. 42-45.
Bryan, "Build a Firewall", Byte, Apr. 1995, pp. 91-96.
Bryan, "Firewalls for Sale", Byte, Apr. 1995, pp. 99-104.
Carl-Mitchell, et al., "Building Internet Firewalls", UnixWorld,
Feb. 1992, pp. 93-103.
Chapman, "Network (In)Security Through IP Packet Filtering",
UNIX Security Symposium III Proceedings, Baltimore, MD,
Sep. 14-16, 1992, pp. 63-76.
Cheswick, "The Design of a Secure Internet Gateway",
USENIX Summer Conference, Anaheim, CA, Jul. 11-15,
1990, pp. 233-237.
Ho, "Implementation of a Secure Gateway on Hughes
Aircraft's Engineering Design Network", 15th Conference
on Local Computer Networks, IEEE, Minneapolis, MN,
Sep. 30-Oct. 3, 1990, pp. 180-182.
Hoover, "Securing the Enterprise, Firewalls Can Keep You
from Getting Burned", Internet World, Feb. 1995, pp. 39-47.
Koblas, et al., "SOCKS", UNIX Security Symposium III
Proceedings, Baltimore, MD, Sep. 14-16, 1992, pp. 77-83.
Lottor, "TCP Port Service Multiplexer (TCPMUX)", Internet
RFC 1078 (1988), pp. 1, 2.
Luotonen, et al., "World-Wide Web Proxies", Computer
Networks and ISDN Systems 27 (1994), pp. 147-154.
`
`(List continued on next page.)
`
Primary Examiner: Ajit Patel
Assistant Examiner: Bob A. Phunkulh
Attorney, Agent, or Firm: Foley & Lardner
`
`[57]
`
`ABSTRACT
`
`The IP filter, embodying the present invention, is a commu(cid:173)
`nications device designed to provide public network or
`Internet access to nodes of private networks, advantageously
`without requiring the private nodes on such networks to
`register public Internet addresses. The IP filter presents a
`single IP address to the Internet and uses a plurality of IP
`ports to solve the problem of IP address conservation. It
`initiates sessions by assigning private side IP sessions to a
`unique port of the IP filter's public address. The IP filter
`effects a translation between a source port number for the
`private network and a destination port number for the public
`network for communication therebetween. Benefits of the IP
`filter include private node security and conservation of
`Internet-registered addresses.
`
`32 Claims, 2 Drawing Sheets-
`
`INTERNET
`-----
`PUBLIC
`NETWORK
`
`Google Ex. 1402, pg. 3
`
`
`
`6,128,298
`Page 2
`
`OlliER PUBLICATIONS
`
Marotta, et al., "Internetworking Data Services", 16th Conference
on Local Computer Networks, IEEE, Minneapolis, MN, Oct. 14-17,
1991, pp. 223-229.
Panzieri, et al., "Interfacing UNIX to Data Communications
Networks", IEEE Transactions on Software Engineering, vol. SE-11,
Oct. 1985, pp. 1016-1032.
Schauer, et al., "An Internet Gatekeeper", UNIX Security
Symposium III Proceedings, Baltimore, MD, Sep. 14-16, 1992,
pp. 49-61.
Schroeder, et al., "Autonet: A High Speed, Self-Configuring Local
Area Network Using Point-to-Point Links", IEEE Journal on
Selected Areas in Communications, vol. 9, No. 8, Oct. 1991,
pp. 1318-1334.
Shapiro, "Structure and Encapsulation in Distributed Systems: The
Proxy Principle", The 6th International Conference on Distributed
Computing Systems, IEEE, Cambridge, MA, May 19-23, 1986,
pp. 198-204.
Snyder, "Choosing the Right Firewall to Defend Your Network",
Network World, vol. 12, No. 10, Mar. 5, 1995, p. 1.
Stephensen, "A Blueprint for Firewalls", LAN Magazine, Feb. 1995,
pp. 63-70.
Tam, et al., "CAPNET-An Approach to Ultra High Speed Network",
IEEE International Conference on Communications, 1990,
pp. 323.1.1-323.1.7.
Tolly, "Evaluating Port Switching Hubs-A reality check for virtual
workgroups", Data Communications, Jun. 1993, pp. 52-62.
Treese, et al., "X Through the Firewall, and Other Application
Relays", USENIX Summer 1993 Technical Conference, Cincinnati, OH,
Jun. 21-25, 1993, pp. 87-98.
Cheswick and Bellovin, "Firewalls and Internet Security: Repelling
the Wily Hacker", Addison-Wesley, 1994, pp. 34-36, 54-75.
Comer, "Internetworking with TCP/IP", Prentice-Hall, Inc., 1988,
pp. 120-127, 137-141, 194, 195, 208-214, 346, 347.
McClimans, "Workarounds Ease the IP Address Shortage", Data
Communications, section Software Views, vol. 24, No. 2,
Feb. 23, 1995, (p. 33), pp. 3-5.
Kostick, "Building a Linux Firewall", Linux Journal, Apr. 1996,
pp. 49, 52, 53, 55, 57, 58, 61.
Egevang et al., "Internet Engineering Task Force, USA" XP2040992
pp. 1-8 (1994).
Stallings, "Internet Security Handbook" XP2040993 pp. 27-37 (1995).
`
`
`
U.S. Patent   Oct. 3, 2000   Sheet 1 of 2   6,128,298

FIG. 1 [schematic of the internet protocol filter coupling a private
network and a public network; drawing not reproduced in this text
extraction]

U.S. Patent   Oct. 3, 2000   Sheet 2 of 2   6,128,298

FIG. 2 [block diagram of the internal components of the IP filter 12;
labelled blocks: ADDRESS TRANSLATION, USER INTERFACE, IP HANDLER, ARP,
ETHERNET TABLE, two PACKET DRIVER blocks and two H.W. blocks;
reference numerals 30, 32, 34, 36, 38, 40, 42]
`
`
`
`6,128,298
`
`1
`INTERNET PROTOCOL FILTER
`
`This application is based on provisional application
`60/015,945 filed Apr. 26, 1996.
`
`BACKGROUND OF THE INVENTION
`
`The present invention generally relates to internetwork
`firewalls and, in particular, to an internet protocol (IP) filter
`whereby a private IP network domain is mapped to a single
`IP address on the public Internet.
Firewalls are generally known and characterized by computer servers
which function to couple nodes within the domain of the private
network to nodes in a public network domain, such as the Internet. A
deficiency of the known firewall products is the need for a unique
public IP address for each concurrent session or interaction between
public and private nodes.
`A firewall providing conservation of public IP addresses
`would be desirable.
`
`SUMMARY OF THE INVENTION
`It is an object of the present invention to provide a new
`and improved apparatus for communicatively coupling two
`networks.
The invention, therefore, according to a first exemplary aspect
provides a method of interfacing private and public data
communications networks, through a filter node in communication with
both networks, the filter node having an address known in the public
network, comprising the steps of: routing from nodes in the private
network, to the filter node, data packets having destination
information, which includes a destination address and a destination
port, corresponding to nodes in the public network and having source
information, which includes a source address and a source port, of
the respective private network nodes; for each data packet received
from the private network, at the filter node, maintaining the source
information taken from the data packet in correlation with a unique
value representing a port of the filter node, and replacing in the
data packet the source address with the filter node address and the
source port with the filter node port value; and routing from the
filter node, in the public network, the data packets having the
replaced source information, according to the destination
information in each, to the corresponding public network nodes.

According to a second exemplary aspect, the invention provides a
method of interfacing private and public data communications
networks, through a filter node in communication with both networks,
comprising the steps of: (a) receiving at the filter node, from the
private network, a data packet having a destination address
corresponding to a node in the public network and a source address
corresponding to a node in the private network; (b) maintaining, by
the filter node, the source address taken from the data packet; (c)
replacing, in the data packet, the source address with an address of
the filter node; (d) routing from the filter node, in the public
network, the data packet having the replaced source address,
according to the destination address, to the corresponding public
network node; (e) waiting for a return packet from the public
network, responsive to the data packet having the replaced source
information; (f) replacing, in the return packet, the destination
address with the maintained source address; and (g) routing from the
filter node, in the private network, the return packet having the
replaced destination address to the corresponding private network
node.
`
`2
`According to a third exemplary aspect, the invention
`provides a method of operating a filter node for interfacing
`first and second data communications networks, comprising
`the steps of: receiving from the first network, a data packet
`5 having destination information, which includes a destination
`address and a destination port, corresponding to a node in
`the second network and having source information, which
`includes a source address and a source port, corresponding
`to a node in the first network; maintaining the source
`10 information taken from the data packet in correlation with a
`unique value representing a port of the filter node; replacing
`in the data packet the source address with an address of the
`filter node and the source port with the filter node port value;
`and sending to the second network the data packet having
`15 the replaced source information, whereby that packet is
`routed according to its destination information to the corre(cid:173)
`sponding second network node.
`According to a fourth exemplary aspect, the invention
`provides a filter node for interfacing first and second data
`20 communications networks, comprising: means for receiving
`from the first network, a data packet having destination
`information, which includes a destination address and a
`destination port, corresponding to a node in the public
`network and having source information, which includes a
`25 source address and a source port, corresponding to a node in
`the first network; means for maintaining the source infor(cid:173)
`mation taken from the data packet in correlation with a
`unique value representing a port of the filter node; means for
`replacing in the data packet the source address with an
`30 address of the filter node and the source port with the filter
`node port value; and means for sending to the second
`network, the data packet having the replaced source
`information, whereby that packet is routed according to its
`destination information to the corresponding second net-
`35 work node.
An IP filter, embodying the present invention, is a communications
device designed to provide public network or Internet access to nodes
of private networks, advantageously without requiring the private
nodes on such networks to register public Internet addresses. The IP
filter presents a single IP address to the Internet and uses a
plurality of IP ports to solve the problem of IP address conservation.
It initiates sessions by assigning private side IP sessions to a
unique port of the IP filter's public address whereby up to 64,512
(=65,536 total - 1,024 well known ports) concurrent sessions may be
supported through the single IP address. The IP filter effects a
translation between a source port number for the private network and
a destination port number for the public network for communication
therebetween. Benefits of the IP filter include private node security
and conservation of Internet-registered addresses.

In a particular embodiment, the IP filter may support three data
transport protocols over the internet protocol: transmission control
protocol (TCP), user datagram protocol (UDP) and Internet control
message protocol (ICMP). Packets of other protocols may be ignored.

The TCP protocol prepends a TCP header to a data packet. The source
port and destination port numbers are contained in this header. The
Internet addresses of the source and destination nodes are contained
in the IP header. The IP address and port information extracted from
each packet will be used to determine where the IP filter should
route this packet.
The IP filter maintains a lookup table of information on each TCP
connection. This information includes the port from the private node,
the private IP address, the assigned port number of the destination
node, and the port number of the IP filter in the form of an index.
When a packet is received from the private network, the private
address and port number are added to the table as a new entry, if an
entry corresponding to this packet is not found in the table and if
the TCP header indicates that this is a new connection request. Then
the source address and port number in the packet header are replaced
with the IP filter's IP address and port number, and the packet is
transmitted to the Internet.

When the IP filter receives a packet from the Internet, the
destination port number is used to index the lookup table. When the
corresponding table entry is found, the destination address and port
number are replaced with the private network's IP address and port
number, and the packet is transmitted to the private network. If the
received packet's source port is different from the port recorded in
the table, and if the packet header information indicates that this
packet is the first response on the connection, then the lookup table
is updated with the port number assigned by the Internet node, if
needed. When the IP filter detects an end of transmission code in the
packet, the lookup table entry is zeroed. If the IP filter receives
packets from the Internet that do not have entries in the lookup
table corresponding to the IP filter port, it ignores the packets.
The UDP protocol is connectionless, as opposed to TCP, a
connection-oriented protocol. The UDP header contains no codes
governing initial connection or end of transmission. The data of
interest in the UDP header are the source port and destination port.
This information, along with the Internet addresses contained in the
IP header, are used to determine where the IP filter should route
this packet.

The IP filter maintains a lookup table of information on each UDP
session. When the IP filter receives a UDP packet from the private
network, it records the source address, the source port number, the
destination port number, and the assigned IP filter port number as
the index to the table. Then the private node address and port number
in the packet header are replaced with the address and assigned port
number of the IP filter. Then the packet is transmitted to the
Internet.

When the IP filter receives a UDP packet from the Internet, it
indexes the UDP lookup table and replaces the packet's destination
information, namely the IP filter address and assigned port number,
with the private address and port number from the lookup table. The
lookup table also maintains an interval indication for an expiration
timer on datagram packets received as per standard UDP
implementations. If the IP filter receives packets from the Internet
that do not have entries in the lookup table corresponding to the IP
filter port, it ignores the packets.
As ICMP packets do not contain port numbers of either source or
destination, any ICMP packets received from the private network are
processed one at a time, with buffering of additional ICMP packets.
The IP filter reads the private address from the packet header and
replaces it with the address of the IP filter. The packet is
transmitted to the Internet, and the IP filter waits for the
response. When it receives the responding packet, the destination
address in the packet header is changed from that of the IP filter to
that of the node on the private network. Then the IP filter transmits
the packet to the private network.

To successfully deliver packets over an IP protocol network, each
node must maintain a table of other hosts' IP addresses and their
corresponding Ethernet addresses in an Ethernet based data
communications network. The nodes actually use the IP addresses and
the Ethernet addresses to address packets. The relationship between
the two addresses is dynamic; that is, a node with an IP address may
change its Ethernet address. The information in the address table is
obtained from the replies to the node's broadcast of ARP packets. The
source node broadcasts ARP packets to request the Ethernet address of
the destination node, given the destination node's IP address. If the
destination node receives the packet, it sends a reply packet with
the requested information.
Though it does not maintain a true ARP table, the IP filter passes
ARP packets in a manner similar to TCP and UDP packet passing. When
the IP filter receives an ARP packet from a node on the private
network destined for the public network, it replaces the source
address information with the filter's address information. The
private node's IP address and the target IP address are placed in a
lookup table. When the target node replies with its own Ethernet
address, the destination address information is changed from that of
the IP filter to that of the private node before transmitting the
packet to the private node. The private node address information is
obtained from the table. When an ARP packet is destined for the
firewall, the ARP packet does not pass through the IP filter but is
restricted to communications between the filter and the one side of
the network.

Events and errors encountered by the IP filter may be logged, for
example, by writing them into a text file.

The IP filter ideally will process packets as fast as the networks
present them but when network traffic is too heavy, the IP filter
will then buffer the packets in two queues, one for the private
network and one for the Internet.

Two source and destination lookup tables may be utilized, one for TCP
packets and the other for UDP packets. Each table is directly indexed
by the IP filter port number assigned to the communication session.
The table entries contain the IP address of the private node, the
source port of the private node, and the destination port of the
Internet node. If there is no connection on a certain IP filter port,
then the corresponding entry in the table may be zeroed. Packets
arriving from both the private network and the Internet are processed
using the same lookup table. This arrangement assumes that of the
available IP filter communications ports some are designated for UDP
communication and some for TCP communication.
`
BRIEF DESCRIPTION OF THE DRAWINGS

The invention will be better understood from the following
description together with reference to the accompanying drawings, in
which:

FIG. 1 is a schematic representing an internet protocol filter
coupling a private network and a public network; and

FIG. 2 is a block diagram representing internal components of the
filter.
`
DETAILED DESCRIPTION

Referring to FIG. 1, shown for illustration of the present invention
is a private network 10 communicatively coupled through an internet
protocol (IP) filter 12 to a public network 14 which may form part of
a global data network, otherwise referred to as the Internet 16. The
private network 10 represents a conventional data communications
network, such as a local area network (LAN), having a plurality of
nodes 18 each being identified by a unique IP address within the
domain of the private network 10. The public network 14 and Internet
16 are representative of public domain data communications networks
also having a plurality of nodes 20 with corresponding IP addresses.
`
`
`
`6,128,298
`
`(iIP, iPort-frIP, frPort)
`
`10 which will be received by the IP filter 12 and translated
`thereby to
`
`(iIP, iport-pIP, pPort)
`
`6
`where frIP is the IP address of the IP filter 12 on the public
`network 14, and frPort is the index into the translation table
`plus an offset value, for example, of 1024 to skip using well
`known ports. The frPort represents an arbitrary port.
`The internet node 20 will reply with a packet
`
`5
`The IP filter 12 acts as a gateway through which data
`packets are exchanged between the private network 10 and
`the public network 14, thereby providing Internet access to
`the nodes 18 of the private network 10. The IP filter 12
`constitutes one of the private network nodes 18 and is the 5
`only such node to have a public IP address that is Internet(cid:173)
`registered, whereby the IP filter 12 essentially also consti(cid:173)
`tutes one of the public nodes 20 and itsIP address is known
`in the public domain. The IP addresses of the other private
`network nodes 18 are reserved for the private network 10,
`and not known or registered in the public Internet address
`domain. As is conventional, associated with the IP address
`of the IP filter 12 are a plurality of IP ports, specifically
`65,536 in total of which 64,512 are not reserved for pre(cid:173)
`defined protocols and can be used for address translations. 15
`In general, to translate from the private side, the values
`(protocol type, pIP, pPort, iIP, iport)must be located in the
`Communications between nodes 18 on the private net-
`work 10 are unaffected by the presence of the IP filter 12, but
`translation table. This should be done with a hash table
`lookup.
`to access the public network 14 and particularly the nodes 20
`therein, the private nodes 18 route all communications
`Translating from the public side can be a direct table
`requests through the IP filter 12. The IP filter 12 manages the 20 lookup since frPort minus 1024 is the index into the table.
`communications between private nodes 18 and the Internet
`If (iIP, iport) in the packet does not match the corresponding
`nodes 20 by modifying header information of data packets
`entries in the table, then an unauthorized access is logged
`received from the private network 10 before transmitting
`and the packet dropped.
`each to the public network 14. The modifications cause the
`In translating packets, when a port is substituted in the
`communications between the private nodes 18 and the 25 TCP or UDP header, the checksum in both the TCP/UCP and
`public Internet nodes 20 to actually be between the IP filter
`IP header must be recalculated. When an IP address is
`12 'and the Internet nodes 20, which route all return com-
`substituted in the IP header, the IP header checksum must be
`munications to the IP filter 12 which subsequently routes the
`recalculated.
`return data packets to the private nodes 18.
`Following are special considerations for different proto-
`The IP filter 12 accepts no connection requests from the 30 cols supported by the IP filter 12.
`In respect of TCP, when a SYN packet is received from
`public network 14. All communications between private
`nodes 18 and public nodes 20 are initiated by the private
`the private network 10, the IP filter 12 locates an unused
`nodes 18. The IP filter 12 is designed to support three data
`entry in the table and fills it in, setting the type to TCP and
`transport protocols over the internet protocol: TCP, UDP and
`state to SYN. Then the packet is forwarded by the general
`ICMP messages; packets of other protocols are rejected or 35 scheme above. If no free entries exist in the table, then the
`ignored.
`packet is dropped and the event is logged.
`A translation table is maintained by the IP filter 12 to map
`If a SYN packet is received from the public network 14
`address and ports for packets received from the private
`interface, it is treated as unauthorized and logged (except for
`network 10 destined to the public network 14 and vise versa.
`FTP special case described below). However, a SYN+ACK
`The translation table contains the following for each entry: 40 packet is forwarded if the state of the translation table entry
`is SYN. After forwarding such a packet the state set to
`OPEN.
`If a FIN packet is received by the IP filter 12 and if the
`state in the translation table is not FIN, the state is set to FIN
`45 and the packet forwarded. If the state is FIN, then the packet
`is forwarded and the translation table entry is deleted by
`setting it to O. AFIN must be sent by each side to close a TCP
`connection.
`If a RST packet is received, then the translation table entry
`50 is deleted.
`Having regard now to the UDP protocol, when any UDP
`packet is received from the private network 10 side, the IP
`filter 12 first tries its standard lookup. If a translation table
`entry is not found, an unused entry is set up and the state set
`55 to OPEN. If a free entry is not found in the table, then rather
`than dropping the packet, a random UDP in the table is
`overwritten. Since UDP is connectionless and consequently
`an unreliable transport, if a packet is received from the
`public network 14 that would have needed the entry that was
`60 overwritten, that packet will be dropped and the node 18 on
`the private side will need to retry.
`With regard to FTP, an FTP client establishes a TCP
`"control" connection with an FTPserver on a particular port,
`for example, port 21. However, when data is to be
`65 transmitted, the FTP server will open a TCP connection from
`its "data" port, for example, which is default 20, to a
`destination port specified by the client.
`
`private IP address
`private port
`internet (public) IP address
`internet (public) Port
`timer
`session type/state
`Ethernet address
`
`(PIP)
`(pPort)
`(iIP)
`(iPort)
`
`The basic translation substitutes IP addresses and ports from
`the private network side to the IP filter's IP address and
`ports, thereby hiding all nodes 18 on the private network 10
`from the public network 14.
`A packet originating on the private network side specifies
`a source--destination of
`
`(pIP, pPort-iIP, iPort)
`
`This defines a "socket" in which the endpoints of the
`connection (source and destination) are defined by the IP
`addresses in the IP header and the ports in the TCP or UDP
`header.
`The IP filter 12 will translate the above to
`
`(frIP, frPort-iIP, iport)
`
`Google Ex. 1402, pg. 9
`
`
`
`6,128,298
`
`7
`To support this, packets sent by the private network 10 to
`port 21 need to be analyzed for an FTP "port" command at
`the IP filter 12. If detected, then a new entry in the table must
`be set up with pPort set to the value in the FTP port
`command. The IP address and port number in the FTP 5
`command must be changed to the IP filter's address and port
`before forwarding the packet. The state is set to FTPDATA.
`When a SYN packet is received from the public network
`14, if a table entry exists and is in FTPDATAstate, then the
`packet is forwarded and the state set to OPEN.
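The translation table and its TCP, UDP and FTP rules just described (and the TCP and UDP lookup tables sketched in the summary above) fit in a short model. The following is an added example written for this page, not code from the patent or from Nortel: the private side is resolved by a hash lookup on (protocol, pIP, pPort, iIP, iPort), the public side by the direct index frPort minus 1024 followed by the (iIP, iPort) check, entries move SYN to OPEN to FIN to deleted, RST deletes at once, an inbound SYN is refused unless an FTPDATA entry is waiting for it, and a full table drops a TCP SYN but overwrites a random UDP entry. The class and method names, the choice to leave iPort unknown on an FTPDATA entry and learn it from the server's first packet (following the summary's remark that the table is updated with the port assigned by the Internet node), and the drop of a TCP packet that has neither an entry nor a SYN flag are assumptions of the example; the addresses are constructed test values.

```python
import random
import re
from dataclasses import dataclass
from typing import Optional

PORT_OFFSET = 1024  # filter ports start above the well-known ports, as in the patent


@dataclass
class Entry:
    proto: str            # "tcp" or "udp"
    pIP: str              # private node address and port
    pPort: int
    iIP: str              # Internet node address and port; iPort stays None for an
    iPort: Optional[int]  # FTPDATA entry until the server's data port is seen (assumption)
    state: str            # SYN, OPEN, FIN or FTPDATA


def _key(e):
    return (e.proto, e.pIP, e.pPort, e.iIP, e.iPort)


class IPFilter:
    def __init__(self, fr_ip: str, size: int = 64512):
        self.fr_ip = fr_ip
        self.table = [None] * size  # public side: direct index frPort - PORT_OFFSET
        self.by_tuple = {}          # private side: hash lookup on the 5-tuple
        self.log = []

    def _put(self, idx, e):
        self.table[idx] = e
        self.by_tuple[_key(e)] = idx

    def _delete(self, idx):
        self.by_tuple.pop(_key(self.table[idx]), None)
        self.table[idx] = None

    def _alloc(self, e):
        idx = next((i for i, s in enumerate(self.table) if s is None), None)
        if idx is not None:
            self._put(idx, e)
        return idx

    def _tcp_state(self, idx, flags):
        e = self.table[idx]
        if "RST" in flags:
            self._delete(idx)
        elif "FIN" in flags:  # a FIN from each side closes the connection
            if e.state == "FIN":
                self._delete(idx)
            else:
                e.state = "FIN"
        elif {"SYN", "ACK"} <= flags and e.state == "SYN":
            e.state = "OPEN"

    def outbound(self, proto, pIP, pPort, iIP, iPort, flags=frozenset()):
        """Private -> public: returns the substituted (frIP, frPort), or None if dropped."""
        idx = self.by_tuple.get((proto, pIP, pPort, iIP, iPort))
        if idx is None:
            if proto == "tcp" and "SYN" not in flags:  # no entry and not a connection request
                self.log.append(f"drop: tcp {pIP}:{pPort} has no entry and no SYN")
                return None
            new = Entry(proto, pIP, pPort, iIP, iPort, "SYN" if proto == "tcp" else "OPEN")
            idx = self._alloc(new)
            if idx is None:  # table full: TCP SYN is dropped, UDP overwrites a random UDP entry
                udp = [i for i, e in enumerate(self.table) if e is not None and e.proto == "udp"]
                if proto != "udp" or not udp:
                    self.log.append(f"drop: table full, {proto} {pIP}:{pPort}")
                    return None
                idx = random.choice(udp)
                self._delete(idx)
                self._put(idx, new)
        elif proto == "tcp":
            self._tcp_state(idx, flags)
        return self.fr_ip, PORT_OFFSET + idx

    def inbound(self, proto, src_ip, src_port, fr_port, flags=frozenset()):
        """Public -> private: direct index by frPort, then the (iIP, iPort) check."""
        idx = fr_port - PORT_OFFSET
        e = self.table[idx] if 0 <= idx < len(self.table) else None
        if e is None or e.proto != proto:
            self.log.append(f"drop: no {proto} entry for filter port {fr_port}")
            return None
        if e.iIP != src_ip or (e.iPort is not None and e.iPort != src_port):
            self.log.append(f"unauthorized: {src_ip}:{src_port} -> filter port {fr_port}")
            return None
        if proto == "tcp":
            if "SYN" in flags and "ACK" not in flags:  # only an expected FTP data connection may open
                if e.state != "FTPDATA":
                    self.log.append(f"unauthorized: SYN from {src_ip}:{src_port} -> port {fr_port}")
                    return None
                e.state = "OPEN"
            if e.iPort is None:  # learn the server's data port from its first packet
                self.by_tuple.pop(_key(e), None)
                e.iPort = src_port
                self.by_tuple[_key(e)] = idx
            self._tcp_state(idx, flags)
        return e.pIP, e.pPort

    def ftp_port_command(self, iIP, line):
        """Rewrite the client's 'PORT h1,h2,h3,h4,p1,p2' to the filter's address and a
        fresh filter port, reserving an FTPDATA entry for the server's inbound SYN."""
        m = re.fullmatch(r"PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\r\n", line)
        if m is None:
            return None
        pIP, pPort = ".".join(m.group(1, 2, 3, 4)), int(m.group(5)) * 256 + int(m.group(6))
        idx = self._alloc(Entry("tcp", pIP, pPort, iIP, None, "FTPDATA"))
        if idx is None:
            self.log.append("drop: table full, FTP PORT command")
            return None
        fr_port = PORT_OFFSET + idx
        return "PORT %s,%d,%d\r\n" % (self.fr_ip.replace(".", ","), fr_port // 256, fr_port % 256)
```

Rewriting the PORT argument generally changes the payload length (here "PORT 10,0,0,5,4,210" becomes "PORT 192,0,2,1,4,0"), so a real filter also has to adjust the TCP sequence and acknowledgement numbers on the control connection from that point on; the patent does not discuss that step. The random-overwrite policy for a full UDP table also means that an entry still in use can be evicted by new private-side traffic, which is the retry case the text describes.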
For the ICMP protocol, if an ICMP packet is received from the private
network 10 and if that packet is an echo request (ping), then the IP
filter 12 locates a new entry in the translation table. The sequence
field of the packet is stored in pPort in the table and the table
index is put in the sequence field of the packet. The ICMP checksum
is recalculated and the standard IP header substitution is done. The
type is set to ICMP and state to PING and the timer set to 1 minute.

If an echo reply (ping) is received from the public network 14
interface, then the sequence field is used as the index into the
table. If the state is PING, then pPort in the table is substituted
into the sequence field of the packet, the ICMP checksum recalculated
and the standard IP header substitution is done. The table entry is
then deleted.
If an echo request (ping) is received from the public network 14,
then the IP filter 12 will reply. This allows internet access to
confirm that the IP filter 12 is reachable and running.

If a Destination Unreachable packet is received from the public
network 14, then the header information contained is extracted. If
the protocol was TCP or UDP, the (frIP, frPort - iIP, iPort) of the
originating packet can be determined and the translation table entry
located.

If the IP address extracted from