(12) United States Patent
Beser et al.

(10) Patent No.: US 6,496,867 B1
(45) Date of Patent: Dec. 17, 2002

(54) SYSTEM AND METHOD TO NEGOTIATE PRIVATE NETWORK ADDRESSES FOR INITIATING TUNNELING ASSOCIATIONS THROUGH PRIVATE AND/OR PUBLIC NETWORKS

(75) Inventors: Nurettin B. Beser, Evanston, IL (US); Michael Borella, Naperville, IL (US)

(73) Assignee: 3Com Corporation, Santa Clara, CA (US)

(*) Notice: Subject to any disclaimer, the term of this patent is extended or adjusted under 35 U.S.C. 154(b) by 0 days.

(21) Appl. No.: 09/384,120

(22) Filed: Aug. 27, 1999

(51) Int. Cl.7: G06F 15/16; G06F 15/173
(52) U.S. Cl.: 709/245; 709/227; 709/225
(58) Field of Search: 709/220, 222, 225, 226, 227, 228, 229, 245, 218, 217; 370/401, 349; 713/201

(56) References Cited

U.S. PATENT DOCUMENTS

5,159,592 A     10/1992  Perkins
5,227,778 A     7/1993   Vacon et al.
5,550,984 A     8/1996   Gelb
5,636,216 A     6/1997   Fox et al.
5,708,655 A     1/1998   Toth et al.
5,793,763 A     8/1998   Mayes et al.
5,812,819 A     9/1998   Rodwin et al.
5,867,660 A     2/1999   Schmidt et al.
5,872,847 A     2/1999   Boyle et al.
6,018,767 A *   1/2000   Fijolek et al. ............ 709/218
6,236,652 B1 *  5/2001   Preston et al. ............ 370/349
6,253,327 B1 *  6/2001   Zhang et al. .............. 713/201
6,377,982 B1 *  4/2002   Rai et al. ................ 709/217
6,381,646 B2 *  4/2002   Zhang et al. .............. 709/227
6,400,722 B1 *  6/2002   Chuah et al. .............. 370/401

OTHER PUBLICATIONS

Lee et al., "The Next Generation of the Internet: Aspects of the Internet Protocol Version 6", IEEE Network, Jan./Feb. 1988, pp. 28-33. *
"Internet Engineering Task Force", Request for Comments 791, Internet Protocol, Sep. 1981, pp. 1 to 45.
"Internet Engineering Task Force", Request for Comments 1853, IP in IP Tunneling, Oct. 1995, pp. 1 to 8.
"Internet Engineering Task Force", Request for Comments 1701, Generic Routing Encapsulation (GRE), Oct. 1994, pp. 1 to 8.
"Internet Engineering Task Force", Request for Comments 1241, A Scheme for an Internet Encapsulation Protocol, Jul. 1991, pp. 1 to 17.
"ITU-T Recommendation H.323", Series H: Audiovisual and Multimedia Systems (Systems and Terminal Equipment for Audiovisual Services), Telecommunication Standardization Sector of ITU, International Telecommunication Union, Feb. 1998, 125 pages.
"ITU-T Recommendation H.255.0", Series H: Audiovisual and Multimedia Systems (Transmission Multiplexing and Synchronization), Telecommunication Standardization Sector of ITU, International Telecommunication Union, Feb. 1998, 157 pages.
"Internet Engineering Task Force", Request for Comments 2663, IP Network Address Translator (NAT) Terminology and Considerations, Aug. 1999, pp. 1 to 30.
"Internet Engineering Task Force", Request for Comments 1631, The IP Network Address Translator (NAT), May 1994, pp. 1 to 10.
"Internet Engineering Task Force", Internet-Draft, Negotiated Address Reuse (NAR), May 1998, pp. 1 to 22.
"Internet Engineering Task Force", Internet-Draft, NAT Bypass for End 2 End 'Sensitive' Applications, Jan. 1998, pp. 1 to 5.
"Internet Engineering Task Force", Internet-Draft, Network Address Translation-Protocol Translation (NAT-PT), Jan. 1999, pp. 1 to 15.
"Internet Engineering Task Force", Internet-Draft, IP Host Network Address (and Port) Translation, Nov. 1998, pp. 1 to 14.
"Internet Engineering Task Force", Internet-Draft, Distributed Network Address Translation, Oct. 1998, pp. 1 to 24.
"Internet Engineering Task Force", Internet-Draft, DNS Extensions to Network Address Translators (DNS_ALG), Oct. 1998, pp. 1 to 27.
"Internet Engineering Task Force", Internet-Draft, Security for IP Network Address Translator (NAT) Domains, Nov. 1998, pp. 1 to 11.
"Internet Engineering Task Force", Internet-Draft, The IP Network Address Translator (NAT), Feb. 1998, pp. 1 to 24.
"Internet Engineering Task Force", Internet-Draft, Traditional IP Network Address Translator (Traditional NAT), Oct. 1998, pp. 1 to 17.
"Internet Engineering Task Force", Internet-Draft, IP Network Address Translator (NAT) Terminology and Considerations, Oct. 1998, pp. 1 to 28.
"Internet Engineering Task Force", Internet-Draft, A Multihoming Solution Using NATs, Nov. 1998, pp. 1 to 32.
"Internet Engineering Task Force", Internet-Draft, Network Address Translation Issues with IPsec, Feb. 1998, pp. 1 to 12.
"Internet Engineering Task Force", Internet-Draft, IP Security, Nov. 1997, pp. 1 to 12.
"Internet Engineering Task Force", Internet-Draft, Architectural Implications of NAT, Oct. 1998, pp. 1 to 14.
"Internet Engineering Task Force", Internet-Draft, IP Relocation Through Twice Network Address Translators (RAT), Feb. 1999, pp. 1 to 20.
"Internet Engineering Task Force", Internet-Draft, Reverse Twice Network Address Translators (RAT), Dec. 1998, pp. 1 to 24.
"Internet Engineering Task Force", Internet-Draft, Implications of NATs on the TCP/IP Architecture, Feb. 1999, pp. 1 to 7.
"Internet Engineering Task Force", Internet-Draft, Mobile IP Extension for Private Internets Support, Feb. 1999, pp. 1 to 24.
* cited by examiner

Primary Examiner: Le Hien Luu
(74) Attorney, Agent, or Firm: McDonnell, Boehnen, Hulbert & Berghoff

(57) ABSTRACT

A method for initiating a tunneling association in a data network. The method includes negotiating private addresses, such as private Internet Protocol addresses, for the ends of the tunneling association. The negotiation is performed on a public network, such as the Internet, through a trusted-third-party without revealing the private addresses. The method provides for hiding the identity of the originating and terminating ends of the tunneling association from the other users of the public network. Hiding the identities may prevent interception of media flow between the ends of the tunneling association or eavesdropping on Voice-over-Internet-Protocol calls. The method increases the security of communication on the data network without imposing a computational burden on the devices in the data network.

41 Claims, 17 Drawing Sheets

Representative drawing: flow diagram 100 (steps 102, 104, 106, 108), of which step 108 reads: NEGOTIATE A FIRST PRIVATE NETWORK ADDRESS ON THE FIRST NETWORK DEVICE AND A SECOND PRIVATE NETWORK ADDRESS ON THE SECOND NETWORK DEVICE THROUGH THE PUBLIC NETWORK.

Petitioner Apple Inc. - Exhibit 1007, p. 1

FIG. 1 (Sheet 1 of 17). Block diagram of the network system: data network 10 with public network 12, first network device 14, second network device 16, private network 20, originating end 24, terminating end 26 and trusted-third-party network device 30. [Drawing not reproduced.]

FIG. 2 (Sheet 2 of 17). Block diagram of protocol stack 50 for a network device: physical layer with physical media interface 52; data link layer with MAC 54; network layer with IP and ICMP (reference numerals 56, 58); transport layer with UDP 60; application layer with SNMP 62, TFTP 64, DHCP 66 and UDP management 68. [Drawing not reproduced.]

FIG. 3 (Sheet 3 of 17). Structure of an Internet Protocol packet: header 82 (header beginning 86, source address 88, destination address, header end 92) followed by payload 84. [Drawing not reproduced.]

FIG. 4 (Sheet 4 of 17). Flow diagram of method 100 for initiating a tunneling association:
102 Receive a request to initiate a tunneling association on a first network device.
104 Inform a trusted-third-party network device of the request on a public network.
106 Associate a public network address for a second network device on the trusted-third-party network device.
108 Negotiate a first private network address on the first network device and a second private network address on the second network device through the public network.

FIG. 5 (Sheet 5 of 17). Flow diagram of method 110 for initiating a VoIP association:
112 Receive a request to initiate a VoIP association on a first network device.
114 Inform a trusted-third-party network device of the request on a public network.
116 Associate a public IP address for a second network device on the trusted-third-party network device.
118 Negotiate a first private IP address on the first network device and a second private IP address on the second network device through the public network.

FIG. 6 (Sheet 6 of 17). Message flow 130 for the method of FIG. 5 between originating telephony device 24, first network device 14, trusted-third-party network device 30, second network device 16 and terminating telephony device 26: request 112 (originating telephony device to first network device), inform 114 (first network device to trusted-third-party network device), associate 116 (on the trusted-third-party network device), negotiate 118 (between first and second network devices). [Drawing not reproduced.]

FIG. 7 (Sheet 7 of 17). Flow diagram of method 140 for negotiating private network addresses:
142 Select the first private network address from a first pool of private addresses on the first network device.
144 Communicate the first private network address from the first network device to the second network device through the public network.
146 Select the second private network address from a second pool of private addresses on the second network device.
148 Communicate the second private network address from the second network device to the first network device through the public network.

FIG. 8 (Sheet 8 of 17). Flow diagram of method 150 for negotiating private IP addresses:
152 Select the first private IP address from a first pool of private IP addresses on the first network device.
154 Communicate the first private IP address from the first network device to the second network device through the trusted-third-party network device on the public network.
156 Select the second private IP address from a second pool of private IP addresses on the second network device.
158 Communicate the second private IP address from the second network device to the first network device through the trusted-third-party network device on the public network.

FIG. 9 (Sheet 9 of 17). Message flow 160 for the method of FIG. 8 between first network device 14, trusted-third-party network device 30 and second network device 16: select first private IP address (152); first packet 162 and second packet 164 relayed through the trusted-third-party network device (154); select second private IP address (156); third packet 166 and fourth packet 168 relayed through the trusted-third-party network device (158). [Drawing not reproduced.]

FIG. 10 (Sheet 10 of 17). Flow diagram of method 170 for negotiating private network addresses:
172 Select multiple private network addresses from a pool of private addresses on the first network device.
174 Communicate the multiple private network addresses from the first network device to the second network device through the public network.
176 Select the first private network address and the second private network address from the multiple private addresses on the second network device.
178 Communicate the first private network address and the second private network address from the second network device to the first network device through the public network.

FIG. 11 (Sheet 11 of 17). Flow diagram of method 180 for negotiating private IP addresses:
182 Select multiple private IP addresses from a pool of private IP addresses on the first network device.
184 Communicate the multiple private IP addresses from the first network device to the second network device through the trusted-third-party network device on the public network.
186 Select the first private IP address and the second private IP address from the multiple private IP addresses on the second network device.
188 Communicate the first private IP address and the second private IP address from the second network device to the first network device through the trusted-third-party network device on the public network.

FIG. 12 (Sheet 12 of 17). Message flow 190 for the method of FIG. 11 between first network device 14, trusted-third-party network device 30 and second network device 16: select multiple private IP addresses (182); first packet 192 and second packet 194 relayed through the trusted-third-party network device (184); select first and second private IP addresses (186); third packet 196 and fourth packet 198 relayed through the trusted-third-party network device (188). [Drawing not reproduced.]

FIG. 13 (Sheet 13 of 17). Flow diagram of method 210 for negotiating private IP addresses:
212 Communicate the public IP address of the second network device to the first network device.
214 Select the first private IP address from a first pool of private IP addresses on the first network device.
216 Communicate the first private IP address from the first network device to the second network device through the public network.
218 Select the second private IP address from a second pool of private IP addresses on the second network device.
220 Communicate the second private IP address from the second network device to the first network device through the public network.

FIG. 14 (Sheet 14 of 17). Message flow 230 for the method of FIG. 13 between trusted-third-party network device 30, first network device 14 and second network device 16: first packet 232 from the trusted-third-party network device to the first network device (212); select first private IP address (214); second packet 234 from the first to the second network device (216); select second private IP address (218); third packet 236 from the second to the first network device (220). [Drawing not reproduced.]

FIG. 15 (Sheet 15 of 17). Flow diagram of method 250 for negotiating private IP addresses:
252 Communicate the public IP address of the second network device to the first network device.
254 Select multiple private IP addresses from a pool of private IP addresses on the first network device.
256 Communicate the multiple private IP addresses from the first network device to the second network device through the public network.
258 Select the first private IP address and the second private IP address from the multiple private IP addresses on the second network device.
260 Communicate the first private IP address and the second private IP address from the second network device to the first network device through the public network.

FIG. 16 (Sheet 16 of 17). Message flow 270 for the method of FIG. 15 between trusted-third-party network device 30, first network device 14 and second network device 16: first packet 272 from the trusted-third-party network device to the first network device (252); select multiple private IP addresses (254); second packet 274 from the first to the second network device (256); select first and second private IP addresses (258); third packet 276 from the second to the first network device (260). [Drawing not reproduced.]

FIG. 17 (Sheet 17 of 17). Block diagram of a configuration 310 of network devices: ends END1, END2, END3 and END4 and device DEV1, with reference numerals 316, 320, 322, 324 and 326. [Drawing not reproduced.]

SYSTEM AND METHOD TO NEGOTIATE PRIVATE NETWORK ADDRESSES FOR INITIATING TUNNELING ASSOCIATIONS THROUGH PRIVATE AND/OR PUBLIC NETWORKS

FIELD OF INVENTION

The present invention relates to communications in data networks. More specifically, it relates to a method for initiating a tunneling association in a data network.

BACKGROUND OF THE INVENTION

Computer users are becoming increasingly concerned about the privacy of their communications over the Internet. Privacy concerns are an important factor in the continued growth and acceptance of the Internet by society. As the use of the Internet increases, more and more sensitive information is being transmitted over this global network. Companies who cannot afford a private network often transfer sensitive corporate information over the Internet. Also, private citizens are increasingly relying on the Internet for banking and commercial transactions and frequently have to transfer private or personal information over the Internet, such as credit card numbers, social security numbers, or medical information.

Unfortunately, the Internet is not a very secure network. Information is transmitted over the Internet inside Internet Protocol ("IP") packets. These packets typically pass through several routers between transmission by a source computer and reception by a destination computer. At each leg of their journey the packets can be intercepted and inspected. Moreover, the Internet Protocol that is used on global computer networks (such as the Internet) and on many private networks (such as intranets) is not a highly secure protocol. For example, because IP packets include a source address in a header, a hacker or cracker may intercept all IP packets from a particular source IP address. Consequently, the hacker may be able to accumulate all transmissions from the source.

Typically, it is easy to map users to source IP addresses. A determined hacker may extract the source IP address from an IP packet and deduce that the packets are coming from a computer whose IP address is already known. Knowing the location of the source, the hacker may then be able to deduce the identity of the user who sent the IP packet. Even if the hacker cannot exactly identify the user or computer, he may glean sufficient information as to its approximate physical or virtual location. In globally addressed IP subnets it is easy to determine the location or organization of the source computer. For example, an appropriate Domain Name Server ("DNS") inquiry may correlate the IP address with a domain name, and domain names are typically descriptive of the user, location, or the user's organization.

Of course, the sender may encrypt the information inside the IP packets before transmission, e.g. with IP Security ("IPSec"). However, accumulating all the packets from one source address may provide the hacker with sufficient information to decrypt the message. Moreover, encryption at the source and decryption at the destination may be infeasible for certain data formats. For example, streaming data flows, such as multimedia or Voice-over-Internet-Protocol ("VoIP"), may require a great deal of computing power to encrypt or decrypt the IP packets on the fly. The increased strain on computer power may result in jitter, delay, or the loss of some packets. The expense of added computer power might also dampen the customer's desire to invest in VoIP equipment.

Nonetheless, even if the information inside the IP packets could be concealed, the hacker is still capable of reading the source address of the packets. Armed with the source IP address, the hacker may have the capability of tracing any VoIP call and eavesdropping on all calls from that source. One method of thwarting the hacker is to establish a Virtual Private Network ("VPN") by initiating a tunneling connection between edge routers on the public network. For example, tunneling packets between two end-points over a public network is accomplished by encapsulating the IP packet to be tunneled within the payload field of another packet that is transmitted on the public network. The tunneled IP packets, however, may need to be encrypted before the encapsulation in order to hide the source IP address. Once again, due to computer power limitations, this form of tunneling may be inappropriate for the transmission of multimedia or VoIP packets.

Another method for tunneling is network address translation (see e.g., "The IP Network Address Translator", by P. Srisuresh and K. Egevang, Internet Engineering Task Force ("IETF"), Internet Draft <draft-rfced-info-srisuresh-05.txt>, February 1998). However, this type of address translation is also computationally expensive, causes security problems by preventing certain types of encryption from being used, or breaks a number of existing applications in a network that cannot provide network address translation (e.g., File Transfer Protocol ("FTP")). What is more, network address translation interferes with the end-to-end routing principle of the Internet, which recommends that packets flow end-to-end between network devices without changing the contents of any packet along a transmission route (see e.g., "Routing in the Internet," by C. Huitema, Prentice Hall, 1995, ISBN 0-131-321-927). Once again, due to computer power limitations, this form of tunneling may be inappropriate for the transmission of multimedia or VoIP packets.

It is therefore desirable to establish a tunneling association that hides the identity of the originating and terminating ends of the tunneling association from the other users of a public network. Hiding the identities may prevent a hacker from intercepting all media flow between the ends.

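The background above describes tunneling as placing one IP packet in the payload of another and observes that the outer header still carries a readable source address. The following Python is an added illustration for this page, not code from the patent or from 3Com: it builds and parses minimal IPv4 headers (the fields FIG. 3 labels, source address, destination address and payload), wraps one packet inside another the way IP-in-IP tunneling (RFC 1853, cited on the front page) does, and separates what an on-path observer learns from the outer header from what a decapsulating party learns. The address values are constructed samples, and the function names `build_ipv4`, `parse_ipv4`, `encapsulate`, `observer_view`, `decapsulate` and `demo` are choices made for this example.

```python
"""Added example (not part of the patent): minimal IPv4 header build/parse
and IP-in-IP encapsulation, to show what an on-path observer can read.
Addresses below are constructed sample values."""
import ipaddress
import struct

IPPROTO_IPIP = 4   # IP-in-IP encapsulation (RFC 1853 / RFC 2003)
IPPROTO_UDP = 17
HDR_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options


def _checksum(data: bytes) -> int:
    """RFC 791 one's-complement sum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Return a header (version 4, IHL 5) followed by the payload."""
    hdr = struct.pack(HDR_FMT, 0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    csum = _checksum(hdr)
    return hdr[:10] + struct.pack("!H", csum) + hdr[12:] + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse the fields FIG. 3 names: source address, destination address,
    and the payload that follows the header end. Rejects bad checksums."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (pkt[0] & 0x0F) * 4
    if _checksum(pkt[:ihl]) != 0:          # a header with a valid checksum sums to zero
        raise ValueError("bad header checksum")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(HDR_FMT, pkt[:20])
    return {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


def encapsulate(inner_pkt: bytes, outer_src: str, outer_dst: str) -> bytes:
    """Tunnel a whole IP packet as the payload of an outer packet."""
    return build_ipv4(outer_src, outer_dst, IPPROTO_IPIP, inner_pkt)


def observer_view(pkt: bytes) -> dict:
    """What a passive observer on the public network reads without
    decapsulating: only the outer header's addresses and protocol."""
    outer = parse_ipv4(pkt)
    return {"src": outer["src"], "dst": outer["dst"], "proto": outer["proto"]}


def decapsulate(pkt: bytes) -> dict:
    """What the tunnel endpoint (or anyone able to read the payload) sees."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != IPPROTO_IPIP:
        raise ValueError("not an IP-in-IP packet")
    return parse_ipv4(outer["payload"])


# Constructed sample: RFC 1918 addresses for the ends, other addresses for the gateways.
INNER_SRC, INNER_DST = "10.0.0.5", "10.0.1.9"
OUTER_SRC, OUTER_DST = "198.51.100.1", "203.0.113.7"


def demo() -> tuple:
    inner = build_ipv4(INNER_SRC, INNER_DST, IPPROTO_UDP, b"rtp-sample")
    tunneled = encapsulate(inner, OUTER_SRC, OUTER_DST)
    return observer_view(tunneled), decapsulate(tunneled)


if __name__ == "__main__":
    seen, inner = demo()
    print("observer sees:", seen)
    print("tunnel endpoint sees:", inner["src"], "->", inner["dst"])
```

An observer who cannot decapsulate sees only the two gateway addresses, which is the hiding effect the background is after; anyone able to read the payload still sees the ends' addresses in the inner header, which is why the background notes the tunneled packet may need to be encrypted before encapsulation.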
SUMMARY OF THE INVENTION

In accordance with preferred embodiments of the present invention, some of the problems associated with initiating a tunneling association are overcome. A method and system for initiating a tunneling association is provided. One aspect of the invention includes a method for initiating a tunneling association between an originating end of the tunneling association and a terminating end of the tunneling association. The method includes receiving a request to initiate the tunneling association on a first network device. The first network device is associated with the originating end of the tunneling association, and the request includes a unique identifier for the terminating end of the tunneling association. A trusted-third-party network device is informed of the request on a public network. A public network address for a second network device is associated with the unique identifier for the terminating end of the tunneling association on the trusted-third-party network device. The second network device is associated with the terminating end of the tunneling association. A first private network address on the first network device and a second private network address on the second network device are negotiated through the public network. The first private network address is assigned to the originating end of the tunneling association and the second private network address is assigned to the terminating end of the tunneling association.

For example, the method and system of the present invention may provide for the initiation of a Voice-over-Internet-Protocol association between an originating telephony device and a terminating telephony device. The method and system described herein may help ensure that the addresses of the ends of the tunneling association are hidden on the public network and may increase the security of communication without an increased computational burden.

The foregoing and other features and advantages of preferred embodiments of the present invention will be more readily apparent from the following detailed description, which proceeds with references to the accompanying drawings.

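To make the sequence in the summary concrete, here is a small simulation, added for this page and not taken from the patent or from 3Com, of the request, inform, associate and negotiate steps (FIG. 4) with a trusted third party that maps a terminating end's unique identifier to the second device's public address, followed by either negotiation style the drawings describe: each device selecting from its own pool (FIG. 7), or the first device offering several candidates from which the second picks both addresses (FIG. 10). The message format, the use of a phone number as the unique identifier, the address values and every class and function name (`PublicMessage`, `TrustedThirdParty`, `NetworkDevice`, `initiate`, `headers_are_public`) are assumptions of the example. The closing checks, that both addresses are RFC 1918 private and distinct and that no public-network message header carries a private address, are the validation a practitioner would want around such a negotiation.

```python
"""Added example, not the patent's own code: simulate the initiation steps of
FIG. 4 and the negotiation styles of FIGS. 7 and 10.  Every name, address and
message field below is an assumption made for this illustration."""
import ipaddress
from dataclasses import dataclass, field

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    """True for addresses in the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass
class PublicMessage:
    """A message carried across the public network; its header is two public addresses."""
    src_public: str
    dst_public: str
    kind: str
    body: dict


@dataclass
class TrustedThirdParty:
    """Directory mapping a terminating end's unique identifier (assumed here to be
    an E.164 number) to the second network device's public address."""
    public_addr: str
    directory: dict = field(default_factory=dict)

    def associate(self, inform: PublicMessage) -> PublicMessage:
        ident = inform.body["identifier"]
        if ident not in self.directory:          # unknown terminating end: fail closed
            raise LookupError(f"no public address associated with {ident!r}")
        return PublicMessage(self.public_addr, inform.src_public, "associate",
                             {"identifier": ident, "public_addr": self.directory[ident]})


@dataclass
class NetworkDevice:
    """An edge device with a pool of private addresses it may assign."""
    public_addr: str
    pool: list                                   # free private addresses, in order
    in_use: set = field(default_factory=set)

    def select(self, count: int = 1) -> list:
        if len(self.pool) < count:
            raise RuntimeError(f"{self.public_addr}: private address pool exhausted")
        chosen = [self.pool.pop(0) for _ in range(count)]
        self.in_use.update(chosen)
        return chosen

    def release(self, addrs: list) -> None:
        """Return candidates the peer did not pick to the free pool."""
        for a in addrs:
            self.in_use.discard(a)
            self.pool.append(a)

    def choose_pair(self, candidates: list) -> tuple:
        """FIG. 10 step 176: pick both ends' addresses from the offered set."""
        if len(candidates) < 2:
            raise ValueError("need at least two candidate addresses")
        first_end, second_end = candidates[0], candidates[1]
        self.in_use.add(second_end)              # this device's own tunnel end
        return first_end, second_end


def negotiate_separate_pools(first, second, log):
    """FIG. 7: each device selects from its own pool and tells the other."""
    (a1,) = first.select(1)
    log.append(PublicMessage(first.public_addr, second.public_addr, "offer", {"first_private": a1}))
    (a2,) = second.select(1)
    log.append(PublicMessage(second.public_addr, first.public_addr, "answer", {"second_private": a2}))
    return a1, a2


def negotiate_shared_pool(first, second, log, offer=3):
    """FIG. 10: the first device offers several candidates; the second picks both."""
    offered = first.select(offer)
    log.append(PublicMessage(first.public_addr, second.public_addr, "offer", {"candidates": list(offered)}))
    a1, a2 = second.choose_pair(offered)
    log.append(PublicMessage(second.public_addr, first.public_addr, "answer",
                             {"first_private": a1, "second_private": a2}))
    first.release([a for a in offered if a not in (a1, a2)])
    return a1, a2


def initiate(first, ttp, devices_by_public, identifier, mode="separate"):
    """FIG. 4 steps 102-108: request received, inform the TTP, associate, negotiate."""
    log = []
    inform = PublicMessage(first.public_addr, ttp.public_addr, "inform", {"identifier": identifier})
    log.append(inform)
    assoc = ttp.associate(inform)
    log.append(assoc)
    second = devices_by_public[assoc.body["public_addr"]]   # simulation stand-in for routing
    negotiate = negotiate_separate_pools if mode == "separate" else negotiate_shared_pool
    a1, a2 = negotiate(first, second, log)
    for a in (a1, a2):                           # checks a real implementation should keep
        if not is_rfc1918(a):
            raise ValueError(f"{a} is not a private address")
    if a1 == a2:
        raise ValueError("both ends negotiated the same private address")
    return a1, a2, log


def headers_are_public(log) -> bool:
    """True when no public-network message header carries a private address."""
    return all(not is_rfc1918(m.src_public) and not is_rfc1918(m.dst_public) for m in log)


if __name__ == "__main__":
    # Constructed sample: documentation-range public addresses, RFC 1918 private pools.
    ttp = TrustedThirdParty("192.0.2.10", {"+15551230000": "203.0.113.7"})
    first = NetworkDevice("198.51.100.1", ["10.0.0.1", "10.0.0.2", "10.0.0.3", "10.0.0.4"])
    second = NetworkDevice("203.0.113.7", ["10.0.1.1"])
    a1, a2, log = initiate(first, ttp, {second.public_addr: second}, "+15551230000")
    print("negotiated", a1, "<->", a2, "| public headers only:", headers_are_public(log))
```

The private addresses travel only in message bodies, never in the headers that every router on the public network reads; whether those bodies are also protected from inspection is exactly what the patent's claims to hide the ends' identities depend on, and the simulation makes it easy to see which messages would need that protection.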
BRIEF DESCRIPTION OF THE DRAWINGS

Preferred embodiments of the present invention are described with reference to the following drawings, wherein:
FIG. 1 is a block diagram illustrating a network system;
FIG. 2 is a block diagram illustrating a protocol stack for a network device;
FIG. 3 is a block diagram illustrating the structure of an Internet Protocol packet;
FIG. 4 is a flow diagram illustrating a method for initiating a tunneling association;
FIG. 5 is a flow diagram illustrating a method for initiating a Voice-over-Internet-Protocol association;
FIG. 6 is a block diagram illustrating the message flow of the method illustrated in FIG. 5;
FIG. 7 is a flow diagram illustrating a method for negotiating private network addresses;
FIG. 8 is a flow diagram illustrating a method for negotiating private Internet Protocol addresses;
FIG. 9 is a block diagram illustrating the message flow of the method illustrated in FIG. 8;
FIG. 10 is a flow diagram illustrating a method for negotiating private network addresses;
FIG. 11 is a flow diagram illustrating a method for negotiating private Internet Protocol addresses;
FIG. 12 is a block diagram illustrating the message flow of the method illustrated in FIG. 11;
FIG. 13 is a flow diagram illustrating a method for negotiating private Internet Protocol addresses;
FIG. 14 is a block diagram illustrating the message flow of the method illustrated in FIG. 13;
FIG. 15 is a flow diagram illustrating a method for negotiating private Internet Protocol addresses;
FIG. 16 is a block diagram illustrating the message flow of the method illustrated in FIG. 15; and
FIG. 17 is a block diagram illustrating a configuration of network devices.

DETAILED DESCRIPTION OF PREFERRED EMBODIMENTS

FIG. 1 is a block diagram illustrating an exemplary data network 10 for an illustrative embodiment of the present invention. The data network 10 includes a public network 12 (e.g. the Internet or a campus network), a first network device 14, and a second network device 16. The public network 12 is public in the sense that it may be accessible by many users who may monitor communications on it. Additionally, there may be present multiple private networks 20. Also, a trusted-third-party network device 30 is connected to the public network 12. Data packets may be transferred to/from the first network device 14, the second network device 16, and the trusted-third-party network device 30 over the public network 12. For example, the three devices may be assigned public network addresses on the Internet. The first network device 14 and the second network device 16 may be modified routers or modified gateways. The trusted-third-party 30 may be a back-end service, a domain name server, or the owner/manager of database or directory services. Moreover, the trusted-third-party network device 30 may not be located in one physical location but may be distributed over several locations, and the information may be replicated over the several locations. However, other data network types and network devices can also be used, and the present invention is not limited to the data network and network devices described for an illustrative embodiment.

In one exemplary preferred embodiment of the present invention, the first network device 14 and/or the second network device 16 is an edge router. An edge router routes data packets between one or more networks such as a backbone network (e.g. public network 12) and Local Area Networks (e.g. private network 20). Edge routers include those provided by 3Com Corporation of Santa Clara, Calif., Lucent Technologies of Murray Hill, N.J., Livingston Enterprises, Inc. of Pleasanton, Calif., Ascend Communications of Alameda, Calif., Cisco Systems of San Jose, Calif., and others.

In another exemplary preferred embodiment of the present invention, the first or second network device (14 or 16) is a cable modem ("CM") or cable modem termination system ("CMTS"). Cable modems and cable modem termination systems offer customers higher-speed connectivity to the Internet, an intranet, Local Area Networks ("LANs") and other computer networks via cable television networks. CMs and CMTSs include those provided by 3Com Corporation of Santa Clara, Calif., Motorola Corporation of Arlington Heights, Ill., Hewlett-Packard Co. of Palo Alto, Calif., Bay Networks of Santa Clara, Calif., Scientific-Atlanta of Norcross, Ga., General Instruments of Horsham, Pa., and others.

The data network also includes network devices (24, 26) that are originating and terminating ends of data flow. In another exemplary preferred embodiment of the present invention, these network devices (24, 26) are telephony devices or multimedia devices. Multimedia devices include Web-TV sets and decoders, interactive video-game players, or personal computers running multimedia applications. Telephony devices include VoIP devices (portable or stationary) or personal computers running facsimile or audio applications. However, the ends of the data flow may be other types of network devices, and the present invention is not restricted to telephony or multimedia devices.

Network devices and routers for preferred embodiments of the present invention include network devices that can interact with network system 10 based on standards proposed by the Institute of Electrical and Electronic Engineers ("IEEE"), International Telecommunications Union-Telecommunication Standardization Sector ("ITU"), Internet Engineering Task Force ("IETF"), or Wireless Application Protocol ("WAP") Forum. However, network devices based on other standards could also be used. IEEE standards can be found on the World Wide Web at the Universal Resource Locator ("URL") "www.ieee.org." The ITU (formerly known as the CCITT) standards can be found at the URL "www.itu.ch." IETF standards can be found at the URL "www.ietf.org." The WAP standards can be found at the URL "www.wapforum.org."

It will be appreciated that the configuration and devices of FIG. 1 are for illustrative purposes only and the present invention is not restricted to network devices such as edge routers, cable modems, cable modem termination systems, domain name servers, and telephony or multimedia devices. Many other network devices are possible. Moreover, the configuration of data network 10 is not restricted to one public network 12 and one private network 20 as shown in FIG. 1. Many different configurations of the data network 10 with multiple public networks and/or multiple private networks at various positions in the data network 10 are possible.

An operating environment for network devices and modified routers of the present invention includes a processing system with at least one high speed Central Processing Unit ("CPU") and a memory. In accordance with the practices of persons skilled in the art of computer programming, the present invention is described below with reference to acts and symbolic representations of operations or instructions that are performed by the processing system, unless indi-
