TWI291295B - Bilateral IP sharing method and device - Google Patents

Abstract

A method and network device which consists of two parts: a bilateral NAT (network address translation) IP sharing device, and an on-line service software which bases on DNS (domain name service) system for providing address trigger function. Both two components coordinate and provide bidirectional access capacity between intranet and Internet. The device is capable of multiply private IP address sharing single public IP address to access the whole internet (through internal to external) base on traditional NAT method, it is also capable of multiply public IP address passing and sharing single private IP address to access the whole intranet via domain-name addressing method (through external to internal) base on bilateral NAT technology. In other words, this device can be allowed to share with as well as to have its own unique domain-name over the Internet for those people who own the host private IP address. Additionally, the device relieves the limitation of IPv4 addressing space from 2<32> to 2<64> and above. It is very helpful to solve the problem for people who exhaust the IP address in Internet.

Description

1291295 IX. Description of the invention: [Technical field of the invention] The present invention is a service for a network device and its collocation; more than 1 problem of insufficient use of IPv4 addressing space, providing a call without a fixed Internet connection instead of a call] [p, let at least 2 illusions on the entire Internet: the domain name of the system and every legal ΠΜ record, _ 65_ ^ ^ ^ program, two-way normal operation; another read system _ network address The conversion _ &amp; part of the _ program does not work properly (can not be from the external network two &amp; 1 ^ ^ illegal IP to establish a reverse link), the present invention also provides S; Aspects of traditional one-way sharing (9)^ [Prior Art] The Internet (Internet) is the world's all computers, called the Transmission Control Protocol/Network Protocol (Transmissi〇nc〇ntr) (&gt;1 text

Protocol/IntemetProtoco, referred to as TCP/IP, is a standardized communication protocol that links networks to allow users in different countries or different networks to exchange information and share resources. Communicate with each other. Simply put, it is a large network that connects all the computers in the world. Therefore, the Internet is the largest computer system in the world. It provides a new and open mode of information communication and communication. The use of TCP/Ip-based communication network devices is also the mainstream of the current internal network systems; the TCP/IP protocol is composed of a series of protocol groups, the most basic of which is the use of the name network. The Internet Protocol (IP) is used as the addressing behavior on the entire network. In the current fourth-generation address agreement of the fourth generation (4) (10) #, referred to as jpv4), 32-bit length is used to address the global address. All network devices, which can be computers, printers, routers, switches, gateways or other network devices, have IP addresses issued by legitimate units, and the device can be directly referenced as the Internet. Source or destination; generally divides 32 bits into four parts in 8-bit units (octet), separated by "·&quot;, for example, &quot;1〇〇1〇〇〇1〇·〇 〇〇1〇〇1〇·〇1〇〇1111·〇〇〇111〇1&quot;, this is the "dottedbinary notation". Since the binary representation is too long to remember, it is usually used ten. Carry-in to indicate the above-mentioned binary The IP address can be expressed as &quot;162·18·82·29", which is called "dotted decimal notation". Since each part consists of 8 bits, each decimal value is between 0 and 255. However, when the specifications were originally formulated, the future development of the Internet was not considered so fast. Therefore, the 129's 1291295 address space should be allocated to the global network devices, so that every network device in the world has its own - No. 232 legal address, already has a warning message to distribute the singer, is unlikely to be realized; early companies can easily apply for several C-class (class c; 256 positive addresses, of which 254 are available Use the ip address to allow all network devices on the corporate intranet to directly access all other network devices on the Internet and use their services: the same, all network devices on the Internet, the same You can access the network device that has the legal jp address and use the service provided by it. However, after the IP address is not allocated enough, the network management unit that accepts the IP address of the issuer is accepted. Taiwan is a legal person in Taiwan online information

Networklnformation Center (TWNIC) is Asia Pacific Network Information Centre (APNIC) in the Asia-Pacific region. It also becomes cautious about the distribution of legal IP addresses. Generally speaking, enterprises are less likely to obtain the number of internal network devices. Equal or more legitimate IP addresses for internal distribution; on the other hand, for security reasons, having a legitimate IP address means having access to any source on the Internet. The most simple and economical way to isolate a business secret is to use an IP address to share a gateway (known as π&gt; sharer, broadband sharer, etc.) to isolate the internal network of the enterprise (intranet). And the external network (Internet), and the device handles the conversion action of the internal private π&gt; address to the legitimate Internet address of the external Internet, and the operation principle of the device is mainly based on the "private IP address". The concept of "PrivateIP" (also known as virtual address) and "Network Address Translation (NAT)"The concept of private IP address is actually just to standardize a group of π&gt; address spaces, which are not reserved on the Internet to ensure that there will never be any device using the IP address on the Internet. The IP address space is reserved for the internal network of the enterprise. The purpose is to avoid any duplication of IP addresses of the internal network and the external Internet, causing confusion on the address, due to the internal network of the enterprise. Independent of each other, these separate reserved IP address spaces do not conflict with each other. If the intranet is to be connected to the external Internet, it must provide a identifiable jp address to communicate with the outside world through the Network Address Translation (NAT) device. Since each enterprise internal network repeatedly uses the group IP address as all host addresses without conflicting each other, the problem of insufficient legal IP addresses can be improved. According to IETF RFC1918: Address Allocation for Private Internets (formerly RFC1597), three sections are defined for private ip use: Address Class Host IP Range

Class A 10·0·0·1 ~ 10.255.255.254 1291295 Class B 172.16.0.1 ~172·31·255·254 Class C 192.168.0.1 ~192·168·255·254 When using the above rp address Restricted: 1. The routing information of the private IP address cannot be distributed externally. 2. Packets that use private IP addresses as source or destination addresses cannot be transmitted directly to the Internet. 3. The packet using the private IP address as the source address can be sent through the Internet after the hacking of the network, but the direction of the session can only be established by the Intranet to the Internet. The direction, which means only by internal ^ two your external network, and vice versa. 4. The reference record (such as DNS) for private IP addresses can only be used on the internal network. The traditional network address translation technology is based on the IETF RFC_2993 and other related network bit-change technology principles, which is the packet to be transmitted! The p-transformation action, by the structure of τ (^ or UDP packet header (Head), we can find the information in the TCP or ^ packet header than the IP of the source and destination and the address of the service type (PortNumber). Save', the IP-sharing feature that network address translation technology can achieve, and the use of source/address (16-bit) as an extension of the Π&gt; (32-bit) address, so that multiple can only be internal The use and illegal private IP address can be translated into the same legal! ρ address for transmission over the Internet, where the source address is used as the segmentation, so that the data packet is not confused when transmitted. This can be used as the basis for translation. In the process of conversion, a group of pairs of NAT-NATTables will be dynamically generated inside the sharing device. The purpose is to save the subsequent data packets in accordance with the consistent translation method. The 1P packet is used as the basis for the interpretation of the reverse replacement logic. The network connection architecture is illustrated in Figure 2, which depicts the conventional one-way shared device network connection architecture. The user is connected to the internal network. NAT conversion program through IP sharing device Connected to the external network (Internet) server. Kawasaki Symbol Description: 110 Server computer (using public IP address) 120 Traditional IP sharing device 130 Client computer (using private IP address) 140 Client Computer (using private IP address) 150 Server computer (using private IP address) 160 Client computer (using public IP address) 170 External (Internet) network 1291295 180 Internal (regional) network detailed implementation Explanation·· The client computer 130 or 140 of the network 180 wants to send the data packet to the external neighboring ί Γ Γ Γ Γ ' 经由 经由 经由 经由 经由 经由 via the sharing device 12G ΝΑΤ conversion function ί with ^ user, computer 130 and 140 On the internal network 180, each uses a = IP address, but when accessing the external network 17 is shared with the jp sharing device 12, neighboring H bit = internal ugly 18G ship 11 computer l5G can only be connected Silk is also connected to the second computer 1 computer 130 or 140, but can not accept the external network ^ line, because the feeding machine computer 150 is only valid on the internal network, private IP address, client computer 160 Can't connect with JP sharing device 120, so =1?5 enjoy the device only Let the internal network access the external network to share the ability, and vice versa, the access to the external qi access to '_' is not shared, no special timed or even completely no ^ As for the principle of network address translation, the following is explained: Packet information code description: α · Source IP address before conversion (Source ip) - jp used by Ciient, usually private jp, will be translated by NAT action before ip) A: Source IP address after conversion (Source ip _ Positive sharing device used, usually IP, converted by NAT action ip β: Destination IP address (Destination IP) - Server used ip λ: Source before conversion address (Source Port Number) - The source address used by the client is the source address before the NAT action is converted. η : Source Port Number after conversion - The source address used by the client is Source address after NAT action conversion) μ ·· Destination Port Number According to the above IP data packet information code representation method, a client (client) computer sends the server to the server (Server) Data packet, as mentioned above When there are four pieces of information: the source positive, the destination positive, the source 埠 address, and the destination 埠 address, the representation type sent from the source IP [source 埠 address] to the destination IP [source 埠 address] is α [ λ]-&gt;β[μ] 1291295 Substitute vane 1 can be expressed as 192·168·1·1[1024]-&gt;61·87·143·5[80], which means 192·168· 1.1 This device needs to access the global information web service of 61.87 143 5, using the destination address 80 to represent the www service, and www is the port 80 for the international j line usage convention (Well-Known) ), and the source 埠 address of 1 〇 24 is randomly generated, no special meaning 'should be used as identification for the other party to return data packets, but because the previous number is reserved for some popular services (For example, 80 is WWW, 21 is FTP, 23 is Telnet, etc.) 'So it is generally used after 1000; and after conversion by network address translation device, the packet changes to Α[η]-&gt;β[μ] The substitution example can be expressed as 211·15·188·69[3001]-&gt;61.87·143·5[80], the meaning is 211·15·188·69, this device needs to access 61·87 ·143·5 The WWW service of this device has no change in the destination IP address and IP address, and the source !p is changed from 192 168 为 to 211 15 188 69. The reason is that 192.168.1.1 is a private IP and cannot be transmitted over the Internet. Therefore, it is necessary to use the replacement to be legal 211·15·188·69, then the normal transmission and return on the Internet, and the source address is replaced by 1024 to 3001, 3001 is also randomly generated, this replacement action can also be Omitted not to do, but completely omitted, may be caused by two different sources Π> use the same source 埠 address, causing repeated conflicts after the conversion, so the implementation can be forced to replace, or repeat It can be replaced by two methods. In the above network address translation operation, a network address translation record is generated inside the network address translation device, and there is a network address translation comparison table (NATTable), and the other party responds through the record of the comparison table. The packet can be converted and restored to the correct packet header information of the internal network. °) Complete the data packet transmission and the complete operation of the reception. The record of the address conversion comparison table includes the source IP before conversion, the source IP after conversion, and the destination IP address. , the pre-conversion source 埠 address, the converted source 埠 address, the destination 埠 address six information, and the counter time of the record validity time, when the record is not referenced for a certain period of time, the record is The network address conversion is deleted in the &amp; to save memory space and search time; when the network address translation device receives the destination ^ return data packet, its alignment and reverse replacement logic is as follows:

If ((Α =β) &amp;&amp; (β=Α) &amp;&amp; (η=μ) &amp;&amp; (μ=η))

Then { (Α=α) ; (η=λ) ; }

If ((Α =β) &amp;&amp; (β=Α) &amp;&amp; (η=μ) &amp;&amp; (μ=η)) 1291295

Then {(A=a); (η=λ) ; } The in-package valley 'non-bold words indicate the contents of the network address translation table, which means that the purpose is equal to the conversion in the network address translation table. The purpose 1p in the ϊΐ ϊΐ 料 封 置换 置换 置换 置换 置换 置换 置换 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的 目的The benefit example can be expressed as 6ΐ·87·ΐ43·5_-&gt;211·15·188 21ι This WW^〇rt 80) The ship responds to the message to the original request f _1] 'but this response message is true The receiver shall be the aforementioned printer, and the network address translation device shall use the record of searching for the internal address conversion comparison table ΐι22 to find the 1 u pen as the conversion basis, as in the foregoing comparison logic. The statement is that when the purpose of i Zhao 2!! is equal to the source in the comparison table, the source 1P in the data packet is equal to 1. The source address in the data packet is equal to the destination location in the comparison table. The purpose of the side 1 is equal to the comparison table _ conversion of the material address of the four items? When i is i, it represents a record search for a life towel. The information packet is a replacement action that must be converted and forwarded. This is the source 1P before the conversion in the hit record, and the two pieces of information are converted, and the replacement is replaced by the dragon package. In the original source 1p, source 埠 address two information, complete the reverse replacement action. [Description of the Invention] The prostitute mip sharing device is based on the above-mentioned network address conversion technology, and its user actively accesses the service from the internal network (CUent end) to the external network (Server side). In the detailed and detailed operation process, it is known that the network address translation device is correcting the network address = changing the control record, and the return data packet is used by the network inspection (four) Lin Zhao table to make the basis for conversion and recovery. It has the function of Ip replacement sharing; but if the ship is placed in the inner network segment, the client computer of the external network (cl_ will not be able to pass through the device; the known IP sharing device uses static mapping (StaticMap) In order to solve the problem, the internal private network or the specific service (P〇rtNumber) must be single-mapped to the external network j: the mother of a legitimate IP or service (p〇rtNumber), then multiple devices in the internal network provide the same service. The type of service is different from the main machine of the feeding machine. At the same time, only one station can provide a special service according to the preset mapping. Other hosts cannot provide external services. In other words, when the meeting is connected (Sessi〇n) 1291295 When it is started from the outside, it is not available at this time. The ability to share, this is its ... ;: inverse ^ ' but unfortunately, this move also saves _ after, this A, ^ n terminal a regular action ==, road users can use the known positive sharing device to save legal The amount of usage, ίί one's one-way paste road lion, if the legal IP obtained by the service provider can provide external services. Technical means: π> space is fixed length, capacity limit, and jp bit The address is issued by the Internet Service (ISP). The user does not have ownership. In order to avoid the impact on the user's use caused by the conversion of the Internet Service Company address, the domain name service is used to do the transfer. In order to facilitate the replacement of the IP address of the memory, the user owns the ownership of the domain name, such as the IP address, as long as the translation of the domain name pair π&gt; is changed; that is, the call address 7 Address) is changed to the call name. (Call by Name), but the address is limited, the domain name of the network is less than the upper limit, so the technology uses the domain name query to interpret the translation of the jp address, mapping a traditional domain name to a The action of the IP address is changed to a domain name mapping When the IP address, and another private IP address located next to a private IP address, the user of the two jp addresses performs the action of querying the domain name, the domain name server will respond to the legal ρ address of the query end. The domain name server action is the same, but the domain name server will send a notification of the information such as the IP address and private IP address of the packet to the legality! The p-address, the legal address is a two-way capability 分享 &gt; sharing device, the two-way Π &gt; sharing device receives the touch notification, and within a preset minimum time, a reverse channel is opened, which will be later It is expected that the connection request from the query end will lead to the subsequent private IP address 'to achieve the two-way transparent addressing of the present invention. 11 1291295 Efficacy: The owner of the shirt in the sharer; ^ Π> host or Two-way 1 Ρ outside 'The invention also revolutionizes the current limit of the heart 4 2: Due to the number of addresses of the TCP/UDP protocol (ye), the η address space, in actual implementation, the most Α#6, immediately improve the target There is a limit to the chest i :: two = no coincidence, the current use of the tight position of the site, there should be a certain fiber 5 solution = (with the approximate value) times the effect, on the [implementation] + A FiH Liangzhi domain name feeding device and two-way IP mourning department rain girl Qiu Bagan user by '= set, through reverse NAT conversion process = private == within the symbol Description: 110 client computer (using public IP address Address) 120 Domain Name Server 130 Bidirectional IP Sharing Device 140 150 160 165 170 180 Server Computer ( Use a private IP address) Server computer (using a private IP address) Client computer (using a private IP address) Client computer (using a private IP address) Server computer (using a public IP address) External (internet) network 190 internal (regional) network detailed implementation instructions: = client computer 16 () or l6s of the internal network 19G want to send data packets to the external site 12 1291295; = take r, 〇 The unidirectional NAT sharing function of the _share=shared device is accessed by the internal network when accessing the external network. When the internal network is accessed by the external network, the external network is not allowed to feed. When the computer 140 is connected, the server computer 14 will first query the domain name server 120 for the server power 10 and the domain name ship _ _ the _, the trigger 130 is sent to notify the IP point. The early device 13 () has a request from the client computer UG to connect with the internal computer ^ 14 on the servo computer 14 ,, at this time! ρ sharing device 1; 3 〇 will establish a reverse 3 stand computer 110 data packet Transfer to the ship computer 140 to establish its reverse connection. For more detailed connection steps and procedures, please refer to Figure 3. On the side of the company, you can find the ambiguity of the new game. When you look at it, the external network (which can be guilty of the Internet) triggers the two-way JP sharing device through the action of the domain name query, and the NAT conversion program and the private use. The program of the internal area network ship connection of the π&gt; address. Figure 4 is a sample exchange and processing program example table, which is intended to illustrate the purpose of explaining the third, for the purpose of displaying the client, the domain name server of the present invention, the two-way positive branching device of the present invention, and the servo Between the four terminals, the data packet header is processed from the external network via the target of the invention on the internal network, and the connection establishment and data exchange procedures are set. Figure 3 is the simplification of the necessary components in Section ii, the components necessary to complete a complete procedure, and the step number indicated by the clever arrow, and the relevant components are listed in the actual JP address. For the purpose of detailed process description, Figure 3 and Figure 4 must be used in conjunction with each other. Detailed implementation flow description: Step 1: Send a DNS query packet from 61·87·143·5 (client computer 110) 168.95·1.1 (domain name server 120) to inquire about the target server computer to be connected 14 〇 (representing the domain name of the network called xyzidv.tw) IP address Step 2 · Query the internal database. If the domain name information is not available, the domain name is a traditional single-layer mapping domain name, and the query request to the root (R0〇t) domain name server is not processed. If the domain name information is successfully queried, the external IP address 21U5.188.69 and the internal private IP address 192·168·1·1 will be obtained, representing the two-way jp sharing device 13〇 and the servo 13 1291295 computer. 140. =3: ά168·95·1·1 (domain name server 12〇) sends a connection trigger message to the external IP address 211·15·188·69 (ΓΡ sharing device 130) obtained by the query. =4 : 211·15·188·69 (ΙΡ分享装置_ After receiving the notification message, the reverse IP address is established according to the external IP address, private address, source! p address in the message. Conversion (RNAT) mapping table. ^Weigh 5 · 211·15.188·69 (ΙΡ sharing device 130) sends a successful permission response to 168 95] chat domain name server 120) step number 6 · 168·95·1·1 ( After receiving the successful license response, the domain name server 12〇 responds with a DNS response packet to 61·87·143·5 (client computer 110), and informs the domain name that it solves, and its IP address is 211·15.188. · 69 (ΓΡ sharing device 130) Step 7: 61·87·143·5 (client computer 110) sends a TCP connection request message to 211·15·188·69 (ΙΡ sharing device 130) Step 8: 211·15·188·69 (ΙΡ sharing device 130) compares the records of the first-stage reverse network address translation (RNAT) mapping table according to the source IP address 61·87·143·5 in the packet, If the result is consistent with the source 埠 address establishment, destination 埠 address and the first stage reverse network address translation mapping table in the packet, the second phase reverse network address is turn Mapping table, after the completion of phase two, the inverse network address conversion will be converted to replicate the mapping table to forward the network address translation bit of the mapped table, and delete it. Step 9: The original π&gt; address 211·15·188·69 in the packet from 61·87·143·5 (client computer 11〇) will be replaced with 192·168·1·1 (祠After the server computer 140) is transferred to 192·168·1·1 (the server computer 140) Step 10: 192·168·1·1 (the server computer 140) receives the handshake message of the connection permission to 61 ·87·143·5 (client computer 11〇) Step 11: After 211·15·188·69 (ΙΡ sharing device 130) address conversion, the original source IP address 192·168·1·1 (feeding clothes) The computer 140) will be replaced by 211·15·188·69 (ΙΡ sharing device 130) to 61.87.143.5 (client computer 110) Step 12: 61·87·143·5 (client computer 11〇) After responding to the handshake message of the connection license, 14 1291295 will send the connection completion message to 21i.15.188.69 (IP sharing device 130) · J11·15·188·6—share device 130) After the line completes the message, the original destination address 211·15·188·69 will be replaced with 192.168.U (feeding device 140) and then transferred to 192·168丄丨 (the feeding machine computer 14〇) , complete the reverse connection program sticky example can be found in the client Brain, improved domain name server (°NS), two potentials: the implementation of the device, the detailed implementation of the ship computer, the improved name of the present invention, must improve its front-end processing program, in Figure 5, describe this The improved network usage decision flow chart of the invention is used to process the program sent from the query client, the feed server query packet processing and the notification two-way P sharing device. Detailed implementation flow) said that the server receives the DNS query packet (step S100), and starts to compare the internal database Jit II (step S110), and if the comparison is successful, the record is taken, and the second 1/2 spoon is taken out. Installed as a reverse trigger message packet (step S120), and send a trigger message to the current layer 1 IP address (step S130), the JP address is a bidirectional positive branch ϊϊ 器 f S 140 140 140 140 140 140 140 140 ( ( ( ( ( ( ( The response of the sharing device (step _ HI] is to step S230 to send the query failure result to the query end, if successful (step S160) 'that is, send the query result to the query end (step 琢 7〇). Pen record, indicating that this DNS query may be a traditional single Cl cm d domain name, P forwards the DNS query to the Root DNS feeder (step

Waiting for the other party = mDNs ship ^ positive f processing program, start the mailing (_ si9 〇) to wait) if (root _ server) response (step S200), if the timeout, then go to step S230 to send the I end, If the side responds (step S21G), that is, the query result is sent, the two-way 〇&gt; sharing device of the present invention is also synchronized with the device in the above FIG. 5, and the two-way description of the present invention is described in FIG. ^ Enjoy the use of the device before the H ^ domain name server to send the connection trigger message, and the sunny person pulls the forest __ bribe package. Detailed implementation process Check the temporary storage of external network packet reception (step s

The NAT mapping is recorded in the reverse NAT mapping table (4) slot (4), and the three parameters (step S120) of the IP/internal destination IP (private IP) of the source U 15 1291295 are filled in (step S120). The parameters are all from the reverse trigger message packet sent by the improved domain name server of the present invention, and then the timer is started (step S130) to wait for the establishment of the second stage reverse NAT mapping record (the establishment of the record depends on = Receiving the data packet of the reverse NAT mapping record in the first stage, and the recorded content is from the IP header of the data packet), the first stage reverse network address translation (rnat) mapping record will be After a very short predetermined time (about 1, 〇〇〇 microseconds) expires (step S140), then automatically expires (deletion and deletion), regardless of whether it is referenced by the second stage reverse NAT mapping record ( Step S150). In the operation of checking the temporary storage of the external network packet (step S1), when receiving the data packet of TCP (step S160) or UDP (step S170), the purpose of the packet is compared according to the implementation method of the foregoing standard NAT. The IP, source IP, destination 槔 address, source 埠 address four conditions and all records in the NAT mapping table (step S180), when simultaneously established, the record is valid, the network address translation device will The destination IP in the data packet is replaced with the pre-conversion source jp, and the destination address is replaced with the pre-conversion source address (step S190) (step S210), and the re-calculation code (CRC) is recalculated and sent to the internal network. (Step S200) (Step S220). Because the TCP and UDP data packet headers are different in structure, the comparison principle is the same, but the processing is different, so there are steps S160 and 170, step S190 and step 210, step S200, and step S220. 0 If the data packet does not fit any record in the NAT mapping table, in the implementation of the conventional network address translation device, the data packet will be discarded and will not be processed; in the present invention, The check procedure of the reverse NAT mapping table (RNATTable) is added: firstly, it is confirmed whether it is in the foregoing second stage reverse mapping waiting state, that is, it is checked whether there is any record of the reverse 1^ octagonal mapping table present (step S230) ), if not, the data packet will be discarded (step S27〇), if there is an external 1p address in the packet, the source positive address and the first phase reverse network bit == JKRNAT) Recording the comparison (step S24〇), if not, discarding the data packet (step)', if the result meets the two parameters of the source address, the destination address, and the first network address in the packet The record of the map is tied to the second Segment reverse network address translation: Γ·25〇), after the completion of the two phases, the reverse network address translation mapping table will be converted to the network address and converted to the network address and deleted. (Step Magic (10), then the packet is TCP (return to step S190) or UDP (return to step S2I〇), the data packet r is changed to the pre-conversion source 1p, and the destination address is replaced by the pre-conversion source. Address...Step 51210), and recalculate the check code (CRC) and send it to the internal network (steps to sneak 2), and finally the network address translation and transfer to the internal network, because NAT records, Therefore, in the foregoing second stage reverse network address conversion mapping table 16 1291295 in the foregoing dual-IP IP sharing device usage decision flow chart of the present invention, the related knowledge is positive and the present invention The relationship between the reverse network address translation mapping table (RNATTable) and its data structure, described in Figure 1, Figure 3, Figure 4 and the main shirt 6; The two-way Π&gt; / the internal network address conversion and the reverse network address conversion Fill in the person and ride the face flap; the detailed implementation process is as follows: The forward-looking network address conversion mapping table is generated by the internal loop transmission to the outer packet, and the domain meaning translation is translated. Electricity = p will be generated internally - the pen includes the conversion (4), the source after conversion ^, the destination = the location of the source, the address, the source address after the conversion, the destination address, the address of the six information network address Conversion record, save the fine road Wei-Lin Lin _; Tabl Ming, through the Shansi record, the other party's response packet can be converted back to the correct network header information, complete the packet transmission and reception complete Action, when the record is not referenced for a certain period of time, the record is deleted from the network address conversion table to save memory space and search space; when the network address translation device receives the purpose of the return When data is encapsulated, and according to the conventional comparison and reverse replacement logic: when the received data packet is encapsulated, the destination JP and other fine-grained address conversion pairs, the converted source IP and source IP in the table are equal to the purpose! P. The destination address is equal to the source address after conversion, the source address is equal to the destination address, and the four conditions are valid. The network address translation device will encapsulate the data (10). The replacement is the source before the conversion, the destination address is replaced by the source address before the conversion, and the verification code is recalculated (the CRC is sent to the internal network. The generation of the reverse network address translation mapping table is received. The connection trigger message (first phase) sent by the domain name server of the present invention includes internal purpose jp, external destination ιρ, source IP information, and the first packet sent by the connection requester. The header content (the second phase), including the source 埠 address, destination 埠 address information, after the completion of the two phases, the reverse network address translation mapping table will be converted to the forward network The address conversion mapping table is deleted and the conversion copy implementation method is as follows: the internal destination JP of the reverse network address conversion mapping table is copied to the source IP of the conversion of the forward network address conversion mapping table, External purpose JP replication After the conversion, the source IP' source IP is copied to the destination IP, and the destination address is copied to the pre-conversion source 埠 address and the converted source 埠 address 'source 槔 address is copied to the destination 埠 address, note that it is reversed The NAT mapping table is copied to the forward NAT mapping table, so the source and purpose of the replication action are reversed. When the reverse network address translation mapping table converts the conversion to the forward network address translation mapping After the table 1 1291295, the first packet sent by the connection requester can successfully refer to the record, and after the network address conversion action, it is forwarded to the server computer of the internal network, and later to the destination server. Any response packet sent by the computer to the connection requester can also effectively refer to the same record of the network address conversion mapping table. After the network address conversion action, the original connection requester is transferred to the external network. The terminal computer completes the complete connection negotiation establishment procedure and exchanges the data packets (messages) of both parties. 1291295 [Simplified Schematic] FIG. 1 is a diagram showing the network connection architecture of the present invention, the remote user network) Domain name queries trigger action of two-way sharing JP Ministry of network, exchange program with the private system (iv) JP bit like a thief turn his material |. Through the anti-Xiao NAT to ^ 2 map to describe the conventional one-way sharing device network connection architecture ^ over IP sharing device calendar conversion program and external network (may be H channel ^ server connected to the third picture description In the overall operation procedure of the invention, the remote user triggers the two-way positive sharing device by the action of the query field, and the internal area network feeder connection through the i-direction =&lt; 'test private ρ address The program description: please refer to the example table, please refer to the example table of the package exchange and processing program, which is intended to apply the example to describe the purpose of FIG. 3, which is the display client, the domain name server of the present invention, and the two-way sharing of the present invention. Between the device and the server, the data packet header is processed from the external network via the connection between the present invention and the target device on the internal network. The fifth figure describes the improved network of the present invention. The flow chart of the domain name server usage decision is used to process the DNS query packet processing and the notification of the two-way jp sharing device sent from the query client. The sixth figure describes the bidirectional jp of the present invention. Minute A flow chart of device usage decisions for handling connection trigger messages sent from the aforementioned domain name server and data packets sent by external (internet) users to the internal network of the device. Figure 7 provides For reference to FIG. 1 , FIG. 3 , FIG. 4 , and mainly FIG. 6 ; the forward network address translation (NAT) and reverse network address translation in the bidirectional IP sharing device of the present invention ( The description of the RNAT) mapping table, including the filling of data and the conversion action between them; the generation of the reverse network address conversion mapping table, which is triggered by the connection received by the domain name server of the present invention. Message (Phase 1), and the header content of the first packet sent by the connection requester (Phase 2). After the two phases are completed, the reverse network address translation mapping table will be converted and copied. Convert to the forward network address in the mapping table and delete it. 19

Claims (1)

!29l295 X. Patent application scope: Two or more layers of the concept of "^" The domain name mapping implementation includes: KB·C· accepts the client's domain name query request; Query the internal database ; ' ' This domain name is the traditional single-layer mapping of the traditional domain name, the second-level request to the township domain name server, no processing; ip bit ^2 ^ domain information 'will get the external 1 &quot; address, and internal The private department ^This bit is used in this invention to establish/establish a temporary virtual network address translation mapping table, α 纠 砸 (10) fiber _ correct G 2 · bidirectional IP sharing device will respond with a success message; ίϊίΐ After the message, reply to the customer's domain name query request, indicating that the query result is the previous one of the domain name name feeders, and wherein the method is the standard domain name query recommended by IETF RFC_1035. The requirements are as follows: ^Please refer to the patent scope 帛1 - the front-end processing method of the domain name server, wherein the internal database of the B' D is a data structure, which is a plurality of internal domain names The 5-address mapping data table is stored in the improved domain name feeder. It is about the concept of two-layer or more!p address of the domain name mapping, and the name of each domain name. The structure is mapped to the external positive address of the external device of the external network and the private JP address of the network device of the local area network within the present mapping data table. The method for processing a front end of a domain name server, wherein the step C is implemented according to a standard domain name recursive query method recommended by IETF RFCM 032 to 1035. S. The domain name server front-end processing method, wherein the steps E and G are a message notification protocol and a method, and the message content includes the query end 20 1291295 6. 8· Please the second t:::: redundant: address four items Capital:., two i for the common facts. Detailed description. Xiang exists, Jixian _ the two-way Π > sharing device has = _ can _ former Le Department regional network device sees the external network Device phase _ p private $ address and committed enough A', a passer The packet is translated into the legal address of the internal network, and the network transmits the data packet to the aforementioned intranet and the device that converts the illegal address from the foregoing packet to the external network; The mechanism for the network device to deliver the data packet to the device of the aforementioned internal network is the domain name ϊΐ 藉 before the connection request is sent from the network device of the internal network network to be delivered to the aforementioned internal network. The pre-sent domain name query data packet, and the domain name key device determines whether the domain name data is a traditional single-level mapping (domain name_&gt;π&gt;) or a two-level mapping of the present invention ( Domain name -> external positive ^ internal positive type; multiple temporary internal reverse network address translation _ ΑΤ) mapping table, the private IP address of the network device of the aforementioned internal network, the aforementioned external The external device's external ΓΡ address, destination ip address, source 埠 address, random replacement source 埠 address, destination 埠 address directory combination; steps B, e respectively handle the first Stage and second stage Tying material, after the completion of phase two, the inverse conversion network address mapping table replication converted to forward to the network address conversion using the mapping table, and delete the note record. A method for processing IP data encapsulation for realizing bidirectional connection establishment of a bidirectional IP sharing device: including the concept that a private IP address has a legal domain name, accepting the concept of notification triggering, and generating a reverse address translation pair internally The concept of mapping, the comparison calculation method, the replacement method and the code, the implementation steps include: 'A·Connecting the connection trigger message sent by the improved domain name server of the present invention; B·According to the external IP in the message The first phase of the reverse network address translation (RNAT) mapping table is established by the three parameters of the address, the private IP address, and the source IP address; C. Start timer, the first stage reverse network address The conversion (rnat) mapping record will automatically fail after a very short predetermined time (approximately 1,000 microseconds); Β·C·D· 21 1291295 t ^ sent 1 packet, usually the connection requirement; The net t clock address, the source positive address two parameters and the first phase reverse ί=2ϊ division) on the silk record series, such as silk meets the job package ί ί ί ί ί ί ί ί ί ί ί - Phase reverse network address F is tied to the second phase of the reverse Network address translation mapping table; • Reverse network address conversion mapping table will be converted and copied to the forward network address translation mapping table and deleted; G. Address conversion mapping table There is an mapping record inside, and then used to execute the device for transferring the address of the data packet between the previous ίϋίί domain road and the aforementioned external network. 9. The processing method of the positive data packet method according to the eighth item, wherein the step实现 时 - 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享 享The content of the message includes the client IP address of the query side, the domain name, the external !p address, and the internal private address. The information is as described in item 8 of the patent application scope. The IP data encapsulation method, wherein the steps B and E are a data structure and a data binding method inside the bidirectional IP sharing device of the present invention, and a plurality of internal anti-road recordings and NAT mappings are displayed in the front row. Network device The combination of the target IP, external destination π&gt;, source!p, source/address, destination/address five information parameters; PB, E, and materials-stage (the first three items, from the improvement of the present invention) The domain name feed device is tied to the second phase of the data (the latter two information, the data packet from the remote linker). After the two phases are completed, the reverse network address translation mapping table will be converted. Copy to the forward network address conversion mapping table and delete the record. μ 11· The processing IP data encapsulation method described in item 8 of the patent application further includes the reverse in step F Network address translation _Τ) The information interception method when the mapping table is copied to the forward network address translation (NAT) mapping table: , The internal destination IP of the A·RNAT table is copied to &gt;^ The source of the Dp table before conversion Ip; Β · RNAT table external destination ip copy to the NAT table after the conversion source jp; C · RNAT table source IP copy to the NAT table purpose ip; D · RNAT table destination 埠 address Repeatedly copying the pre-conversion source address and the converted source address to the NAT table Bit; Source E · RNAT table of port addresses copied to the destination port address of the NAT table. 12. The method for processing an IP data packet as described in claim 8 of the patent application, further comprising the step 1 of the reverse network address translation (RNAT) mapping step described in step 22 1291295 C to the second phase Steps to start a timer when converting the _ octane to the network address: A. Reset the aforementioned timer when the first stage reverse network address translation _AT) has been established. B. A timeout signal is transmitted when the aforementioned timer is operating and the aforementioned timer has been started and the predetermined time has elapsed. 13. The method for processing the front end of the domain name server according to item 1 of the patent application scope is that the external network is the Internet, and the external IP address is the legal ip of the Internet. „ Address (LegalEP/Internet IP), or public IP (Public IP) address, wide area IP (, Mde IP) · Address. 14 · The two-way IP sharing device as described in claim 7 The external network is the Internet, and the external IP address (External IP) is the legal IP address of the Internet (Legal IP/Internet IP), or the public IP address (Public IP) address, wide area IP. (Wide IP) address. _ 15 · The IP network packet processing method described in item 8 of the patent application scope, the external network is the Internet, and the external IP address (ExtemallP) is the legality of the Internet. 〇>address (Legal IP/IntemetIP), or public IP (PublicIP) address, wide area ip (WidelP) address. 16 · The front end of a domain name server as described in claim 1 The processing method is that the internal network is the regional network, and the internal IP address (internal IP) is the illegal IP of the internal network of the enterprise. Intranet IP/Illegal IP, or private (n) (private jp) address, also known as virtual IP (VirtualIP) address, area n &gt; (L〇canp) address. In the two-way ip sharing device described in item 7 of the patent application, the internal !p address (intemal setting) is the illegal 1 address of the internal network of the enterprise (111 shirts 11 &gt;/111嚷11?), Or private (use) IP (PriVate IP) address, also known as virtual ιρ) address, area positive) IP) address. 18 · As described in the scope of application of patent scope 8 IP data packet method, The internal IP is the illegal address of the internal network of the enterprise (the IP address of the IPP) or the private IP address (Private IP). It can also be called the virtual MLocallPVf: hi* 〇7 ^ ^ 23 1291295 VII. Designated representative map: (1) The representative representative of the case is: (1). (2) The symbol of the representative figure is simple: 110 client computer (using public IP address) 120 domain name server 130 bidirectional IP sharing device 140 server computer (using private IP address) 150 server computer (using private IP address) 160 client computer (using private IP address) 165 client computer (using private IP address) 170 server computer (using public IP address) 180 external (internet) network 190 internal (area) network eight If there is a chemical formula in this case, please reveal the chemical formula that best shows the characteristics of the invention: