TWI291295B - Bilateral IP sharing method and device - Google Patents
- Publication number
- TWI291295B (application TW92125442A)
- Authority
- TW
- Taiwan
- Prior art keywords
- address
- network
- domain name
- internal
- external
Landscapes
- Data Exchanges In Wide-Area Networks (AREA)
- Small-Scale Networks (AREA)
Description
1291295

IX. Description of the invention

[Technical field of the invention]

The present invention relates to a network device and the service that works with it. To address the shortage of IPv4 address space, it replaces calling a legal IP address on the Internet with calling a domain name, so that substantially more hosts can be addressed behind each legal IP address while the scheme operates normally in both directions. It also addresses the problem that conventional network address translation (NAT) cannot operate correctly for some applications, because a reverse link cannot be established from the external network to an internal host that uses a private (non-routable) IP address; the invention turns the IP sharing device from a one-way sharing device into a bidirectional one.

[Prior art]

The Internet joins all the computers in the world, linking regional networks everywhere through the standardized protocol suite known as Transmission Control Protocol/Internet Protocol (TCP/IP), so that users in different countries or on different networks can exchange information, share resources and communicate with each other. Simply put, it is a super-network connecting all the computers in the world; it is therefore the largest computer system in the world and provides a new, open mode of information exchange. TCP/IP-based networking equipment is also the mainstream for building internal corporate networks. TCP/IP is made up of a family of protocols, the most fundamental of which is the Internet Protocol (IP), which provides addressing for the whole network. The current fourth version, IPv4, uses a 32-bit length to address every network device in the world, whether computer, printer, router, switch, gateway or other device; a device holding an IP address issued by a legitimate authority can be referenced directly as a source or destination on the Internet. The 32 bits are usually divided into four 8-bit parts (octets) separated by ".", for example "10100010.00010010.01010010.00011101"; this is dotted binary notation. Because binary is too long to remember, decimal is normally used instead, and the above address is written "162.18.82.29", the dotted decimal notation. Since each part consists of 8 bits, each decimal value lies between 0 and 255.

When the specification was drawn up, however, nobody foresaw how fast the Internet would grow. Allocating the 2^32 address space to the world's network devices so that every device has its own unique legal address has long since raised warnings of exhaustion and is not realistic. In the early days an enterprise could easily obtain several class C blocks (256 IP addresses each, 254 of them usable), so that every device on its intranet could directly reach, and use the services of, every other device on the Internet, and every device on the Internet could likewise reach any device holding a legal IP address. Once IP addresses became scarce, the registries that issue legal IP addresses (in Taiwan the Taiwan Network Information Center, TWNIC; in the Asia-Pacific region the Asia Pacific Network Information Centre, APNIC) became more cautious, and in general an enterprise can no longer obtain legal IP addresses equal in number to its internal devices for internal allocation. On the other hand, for security reasons, a legal IP address means being reachable from any source on the Internet; to avoid intrusion by network attackers that could leak business secrets or paralyse operations, the simplest and most economical approach is to isolate the intranet from the Internet with an IP address sharing gateway (commonly called an IP sharer or broadband sharer), which translates internal private IP addresses to the legal IP address used on the external Internet. The device's operation rests on two foundations: the concept of private IP addresses (also called virtual IP addresses) and Network Address Translation (NAT).

Private IP addresses are simply a set of address ranges reserved and never issued on the Internet, guaranteeing that no device on the Internet ever uses them. These ranges are set aside for use inside enterprise networks, so that internal and external Internet addresses never overlap and cause addressing confusion. Because enterprise intranets are independent of each other, each can use the reserved ranges without conflict. For an intranet to communicate with the external Internet, a network address translation (NAT) device must provide a recognisable IP address for communicating with the outside world. Because every intranet reuses the same private ranges for all its hosts without mutual conflict, the shortage of legal IP addresses is alleviated.

IETF RFC 1918, Address Allocation for Private Internets (formerly RFC 1597), defines three ranges for private use:

Address class    Host IP range
Class A          10.0.0.1 ~ 10.255.255.254
Class B          172.16.0.1 ~ 172.31.255.254
Class C          192.168.0.1 ~ 192.168.255.254

The following restrictions apply when these addresses are used:
1. Routing information for private IP addresses must not be propagated externally.
2. Packets with a private IP address as source or destination cannot be transmitted directly over the Internet.
3. Packets with a private source address can be sent over the Internet after network address translation, but a session can only be established from the intranet towards the Internet, that is, only internal hosts can reach the external network; the reverse direction is restricted.
4. Reference records for private IP addresses (such as DNS) are limited to internal network use.

Conventional network address translation, as specified by IETF RFC 2993 and related documents, performs IP translation on the packets being sent out. The TCP or UDP header contains the source and destination IP addresses and the port numbers that represent the service type. The IP sharing achieved by NAT uses the 16-bit source port as an extension of the 32-bit IP address, so that multiple private IP addresses, usable only internally and not legal on the Internet, are translated to the same single legal IP address for transmission across the Internet; the source port distinguishes the flows, so that outgoing packets are not confused and incoming replies can be mapped back. During translation the IP sharing device dynamically builds a lookup table, the NAT table, which keeps subsequent packets of a flow translated consistently and provides the basis for the reverse translation of returned IP packets. Figure 2 shows the network architecture of a conventional one-way IP sharing device: a user on the internal network connects, through the NAT procedure of the IP sharing device, to a server on the external network (which may be the Internet).

Reference numerals (Figure 2):
110 server computer (public IP address)
120 conventional IP sharing device
130 client computer (private IP address)
140 client computer (private IP address)
150 server computer (private IP address)
160 client computer (public IP address)
170 external (Internet) network
180 internal (local area) network

Detailed description: When client computer 130 or 140 on internal network 180 sends packets to server computer 110 on external network 170, the NAT function of IP sharing device 120 translates them and the connection is established. Clients 130 and 140 use their own private IP addresses on internal network 180, but share the legal IP address of IP sharing device 120 when accessing external network 170. Server computer 150 on internal network 180 can accept connections only from clients 130 or 140 on the same internal network; it cannot accept connections from the external network, because it uses a private IP address that is valid only internally, and client computer 160 cannot reach it through IP sharing device 120. A conventional IP sharing device therefore offers sharing only when the internal network accesses the external network; when the external network wants to access the internal network there is no sharing capability, and unless specifically configured there is no access at all.

The principle of network address translation is as follows.

Packet field codes:
α: source IP address before translation, the IP used by the client, usually a private IP, before NAT
A: source IP address after translation, the legal IP used by the IP sharing device, after NAT
β: destination IP address, the IP used by the server
λ: source port number before translation, the source port used by the client, before NAT
η: source port number after translation, the source port after NAT
μ: destination port number

With this notation, a packet sent from a client computer to a server computer carries four items (source IP, destination IP, source port, destination port) and is written as "from source IP[source port] to destination IP[destination port]":

α[λ] -> β[μ]

For example, 192.168.1.1[1024] -> 61.87.143.5[80] means that device 192.168.1.1 wants to reach the World Wide Web service on device 61.87.143.5; destination port 80 represents the WWW service by well-known international convention, while source port 1024 is generated randomly and has no special meaning other than identifying the connection when the peer sends packets back. Because numbers below 1000 are by convention reserved for common services (80 for WWW, 21 for FTP, 23 for Telnet and so on), source ports are generally taken from 1000 upward. After translation by the network address translation device the packet becomes

A[η] -> β[μ]

for example 211.15.188.69[3001] -> 61.87.143.5[80], meaning that device 211.15.188.69 accesses the WWW service on device 61.87.143.5. The destination IP and port are unchanged, while the source IP is replaced from 192.168.1.1 to 211.15.188.69, because 192.168.1.1 is a private IP that cannot be carried across the Internet; only after replacement by the legal 211.15.188.69 can the packet be delivered and the reply returned over the Internet. The source port is replaced from 1024 to 3001, 3001 also being randomly generated. This port replacement may be omitted, but if it is omitted entirely two different source IPs using the same source port would collide after translation, so an implementation may either always replace the port or replace it only when a collision occurs.

During the translation the network address translation device creates a record in its NAT table; through that record the peer's reply packet can be translated back to the correct internal header information, completing the full send and receive cycle. Each record holds six fields, the pre-translation source IP, post-translation source IP, destination IP, pre-translation source port, post-translation source port and destination port, plus a validity-time counter; when a record has not been referenced for a certain time it is deleted from the NAT table to save memory and search time. When the network address translation device receives the reply packet from the destination, its matching and reverse-translation logic is as follows:
If ((packet.destination IP = table.A) && (packet.source IP = table.β) && (packet.source port = table.μ) && (packet.destination port = table.η))
Then { packet.destination IP = table.α ; packet.destination port = table.λ ; }

Here "packet" denotes the fields of the reply packet and "table" the contents of the NAT table record. When the packet's destination IP equals the post-translation source IP in the NAT table, its source IP equals the table's destination IP, its source port equals the table's destination port and its destination port equals the table's post-translation source port, the packet's destination IP is replaced by the pre-translation source IP, its destination port by the pre-translation source port, the checksum (CRC) is recomputed and the packet is forwarded to the internal network.

For example, 61.87.143.5[80] -> 211.15.188.69[3001] is the reply of the WWW (port 80) server to the original requester 211.15.188.69[3001], but the real recipient should be 192.168.1.1[1024]. The network address translation device searches its internal NAT table for a matching record: the packet's destination IP equals the record's post-translation source IP, the packet's source IP equals the record's destination IP, the packet's source port equals the record's destination port, and the packet's destination port equals the record's post-translation source port. When all four conditions hold, the record is a hit and the packet must be translated and forwarded; the translation replaces the packet's destination IP and destination port (the fields holding A and η) with the record's pre-translation source IP and pre-translation source port, completing the reverse translation.

[Summary of the invention]

A conventional IP sharing device is based on the network address translation technique described above and is used for active access from the internal network (client side) to the external network (server side). As the detailed operation above shows, the NAT device creates a NAT table record when the connection is established, and reply packets are restored by means of that record; this gives the device its IP-replacement sharing function. If, however, a server is placed on the internal network segment, client computers on the external network cannot reach it through the device. A known IP sharing device that uses static mapping (static map) must map each internal private IP address, or each specific service (port number), one-to-one to the single legal IP address or service (port number) on the external side; when several internal servers offer the same service type, only one of them can provide that service through the preset mapping, and the others cannot serve the outside. In other words, when the session is initiated from the outside the device has no sharing capability. Unfortunately this also leaves a side effect: network users can use known IP sharing devices to economise on legal IP addresses for one-way access to the network, but a service provider must obtain a legal IP address of its own before it can serve the outside.

Technical means:

The IP address space has a fixed length and limited capacity, and IP addresses are issued by the Internet service provider (ISP); the user has no ownership of them. To spare users the impact of an address change when they switch ISP, the Domain Name Service is commonly used as a memorable substitute for IP addresses: the user owns the domain name, and when the IP address changes only the domain-name-to-IP mapping needs to be modified. This is calling by name (Call by Name) instead of calling by address (Call by Address). IP addresses are limited, but the number of domain names is theoretically almost unlimited, so this invention uses the lookup that resolves a domain name to an IP address and changes the conventional mapping of one domain name to one IP address into a mapping of one domain name to two IP addresses: a legal IP address, and behind it a private IP address. When a user queries the domain name, the domain name server responds to the querier with the legal IP address, exactly as a standard domain name server does; in addition, however, the domain name server sends a notification containing the querier's IP address and the private IP address to that legal IP address, which belongs to a bidirectional IP sharing device. On receiving the trigger notification, the bidirectional IP sharing device opens, within a preset very short time, a reverse channel that directs the connection request expected shortly from that querier to the private IP address behind it, achieving the bidirectional, penetrating addressing of this invention.

Effects:

Hosts behind the sharing device can be reached from the outside through the bidirectional IP sharing device. The invention also raises the present limits of IPv4 addressing: although bounded in practice by the number of TCP/UDP port numbers, it immediately multiplies the hosts reachable through the limited IPv4 address space and relieves, by a considerable factor, the pressure on increasingly scarce IPv4 addresses.

[Embodiments]

Figure 1 shows the network connection architecture of the improved domain name server and bidirectional IP sharing device of the invention: a user on the external network connects, through the reverse NAT procedure, to a server on the internal network that uses a private IP address.

Reference numerals (Figure 1):
110 client computer (public IP address)
120 domain name server
130 bidirectional IP sharing device
140 server computer (private IP address)
150 server computer (private IP address)
160 client computer (private IP address)
165 client computer (private IP address)
170 server computer (public IP address)
180 external (Internet) network
190 internal (local area) network

Detailed description: When client computer 160 or 165 on internal network 190 sends packets to a host on external network 180, the sharing device translates them as described above; this is the device's one-way NAT sharing function for access from the internal network to the external network.
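As an added example (not code from the patent), the following Python model of the NAT table described above applies the six-field record, the four-condition reverse match, both port-rewrite policies and record expiry to the page's own addresses. The deterministic port counter starting at 3001 and the tick-based validity window are assumptions standing in for the device's random port choice and timer.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Packet:
    """Header fields in the page's notation: src[sport] -> dst[dport]."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

    def __str__(self) -> str:
        return f"{self.src_ip}[{self.src_port}] -> {self.dst_ip}[{self.dst_port}]"


@dataclass
class Record:
    """One NAT table row: the six fields named on the page plus its validity counter."""
    alpha: str   # source IP before translation (the client's private IP)
    A: str       # source IP after translation (the sharer's legal IP)
    beta: str    # destination IP
    lam: int     # source port before translation
    eta: int     # source port after translation
    mu: int      # destination port
    ttl: int     # ticks left before an unreferenced record is purged


class NatTable:
    """Conventional one-way NAT as described in the prior art section."""

    TTL = 3  # assumed validity window, counted in calls to tick()

    def __init__(self, legal_ip: str, always_rewrite_port: bool) -> None:
        self.A = legal_ip
        self.always_rewrite_port = always_rewrite_port  # the two policies the page names
        self.records: List[Record] = []
        self.next_port = 3001  # deterministic stand-in for the page's "randomly generated" port

    def _port_taken(self, eta: int, beta: str, mu: int) -> bool:
        return any(r.eta == eta and r.beta == beta and r.mu == mu for r in self.records)

    def _fresh_port(self, beta: str, mu: int) -> int:
        while self._port_taken(self.next_port, beta, mu):
            self.next_port += 1
        eta, self.next_port = self.next_port, self.next_port + 1
        return eta

    def outbound(self, pkt: Packet) -> Packet:
        """alpha[lam] -> beta[mu] becomes A[eta] -> beta[mu]; a record is created or refreshed."""
        for r in self.records:
            if (r.alpha, r.lam, r.beta, r.mu) == (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port):
                r.ttl = self.TTL
                return Packet(self.A, r.eta, pkt.dst_ip, pkt.dst_port)
        eta = pkt.src_port
        if self.always_rewrite_port or self._port_taken(eta, pkt.dst_ip, pkt.dst_port):
            # two private hosts using the same source port would collide after translation
            eta = self._fresh_port(pkt.dst_ip, pkt.dst_port)
        self.records.append(Record(pkt.src_ip, self.A, pkt.dst_ip, pkt.src_port, eta, pkt.dst_port, self.TTL))
        return Packet(self.A, eta, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """The page's four-condition match on a reply; None means no record, so the packet is dropped."""
        for r in self.records:
            if (pkt.dst_ip == r.A and pkt.src_ip == r.beta
                    and pkt.src_port == r.mu and pkt.dst_port == r.eta):
                r.ttl = self.TTL
                # reverse translation: destination IP/port restored to alpha/lam
                # (a real device also recomputes the checksums here)
                return Packet(pkt.src_ip, pkt.src_port, r.alpha, r.lam)
        return None  # unsolicited inbound traffic: this is why the sharing is one-way

    def tick(self) -> None:
        """Age the records and purge those not referenced within the validity window."""
        for r in self.records:
            r.ttl -= 1
        self.records = [r for r in self.records if r.ttl > 0]
```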
In the reverse direction, when the external network accesses the internal network, client computer 110 on external network 180 that wishes to connect to server computer 140 first queries domain name server 120 for the IP address representing server computer 140. When domain name server 120 finds the record, it sends a trigger message to IP sharing device 130, notifying it that client computer 110 wants to connect to server computer 140 on its internal network; IP sharing device 130 then creates a reverse mapping and forwards the packets of client computer 110 to server computer 140 so that the reverse connection is established. The detailed connection steps and procedure are shown in Figure 3.

Figure 3 is a schematic of the connection steps: a user on the external network (which may be the Internet) triggers the bidirectional IP sharing device through a domain name query, and the device connects the user through the reverse NAT procedure to a server on the internal local area network that uses a private IP address. Figure 4 is an example packet exchange and processing table that applies concrete values to explain Figure 3; it shows how the packet headers are processed among the client, the domain name server of the invention, the bidirectional IP sharing device of the invention and the server, for connection establishment and data exchange from the external network to a target on the internal network. Figure 3 is derived from Figure 1 by removing the components that are not needed and keeping only those required to complete one full procedure, adding step numbers with direction arrows, and labelling the components with actual IP addresses; Figures 3 and 4 must be read together.

Detailed implementation flow:

Step 1: 61.87.143.5 (client computer 110) sends a DNS query packet to 168.95.1.1 (domain name server 120) asking for the IP address of the target server computer 140 (domain name xyzidv.tw).
Step 2: Domain name server 120 looks up its internal database. If there is no record for the name, it is a conventional single-layer domain name; the query is forwarded to the root domain name server and not processed further. If the record is found, two items are obtained: the external IP address 211.15.188.69 and the internal private IP address 192.168.1.1, representing bidirectional IP sharing device 130 and server computer 140 respectively.
Step 3: 168.95.1.1 (domain name server 120) sends a connection trigger message to the external IP address obtained, 211.15.188.69 (IP sharing device 130).
Step 4: 211.15.188.69 (IP sharing device 130) receives the notification and, from the three parameters in the message (external IP address, private IP address, source IP address of the querier), creates a first-stage reverse network address translation (RNAT) mapping entry.
Step 5: 211.15.188.69 (IP sharing device 130) sends a success acknowledgement to 168.95.1.1 (domain name server 120).
Step 6: 168.95.1.1 (domain name server 120), having received the acknowledgement, answers 61.87.143.5 (client computer 110) with a DNS reply packet stating that the IP address of the requested domain name is 211.15.188.69 (IP sharing device 130).
Step 7: 61.87.143.5 (client computer 110) sends a TCP connection request to 211.15.188.69 (IP sharing device 130).
Step 8: 211.15.188.69 (IP sharing device 130) compares the packet's source IP address 61.87.143.5 with the first-stage RNAT mapping entries; on a match, the packet's source port and destination port are bound to the first-stage entry to form the second-stage RNAT mapping entry. When both stages are complete, the RNAT entry is copied into the forward network address translation table and deleted from the RNAT table.
Step 9: The original destination IP address 211.15.188.69 in the packet from 61.87.143.5 (client computer 110) is replaced by 192.168.1.1 (server computer 140) and the packet is forwarded to 192.168.1.1 (server computer 140).
Step 10: 192.168.1.1 (server computer 140) receives it and replies with the connection-accept handshake message to 61.87.143.5 (client computer 110).
Step 11: Through the address translation of 211.15.188.69 (IP sharing device 130), the original source IP address 192.168.1.1 (server computer 140) is replaced by 211.15.188.69 (IP sharing device 130) and the packet is sent to 61.87.143.5 (client computer 110).
Step 12: 61.87.143.5 (client computer 110), having received the connection-accept handshake, sends the connection-complete message to 211.15.188.69 (IP sharing device 130).
Step 13: 211.15.188.69 (IP sharing device 130) receives the connection-complete message, replaces the original destination IP address 211.15.188.69 by 192.168.1.1 (server computer 140) through address translation and forwards it to 192.168.1.1 (server computer 140), completing the reverse connection procedure.

From the above steps the detailed procedures implemented in the client computer, the improved domain name server (DNS), the bidirectional IP sharing device and the server computer can be seen. In the improved domain name server of the invention, the front-end processing must be modified. Figure 5 is a flowchart of the decision process of the improved domain name server of the invention for handling query packets sent by a querying client and notifying the bidirectional IP sharing device. The flow is as follows: the server receives a DNS query packet (step S100) and compares it against its internal database (step S110). If the comparison succeeds and the record exists, it takes the first-layer and second-layer IP addresses, packs them into a reverse trigger message packet (step S120) and sends the trigger message to the first-layer IP address (step S130), which is the bidirectional IP sharing device; it then starts a timer (step S140) and waits for the response of the bidirectional IP sharing device (step S150). On timeout it proceeds to step S230 and sends a query failure result to the querier; on success (step S160) it sends the query result to the querier (step S170). If no matching record is found, the DNS query may be for a conventional single-layer domain name, and the query is forwarded to the root DNS server.
Of the four parties in the example (the client computer, the improved domain name server (DNS), the two-way IP sharing device and the server computer), the improved domain name server of the invention must have its front-end processing program modified. Figure 5 describes the usage decision flow chart of the improved domain name server of the invention, which handles the DNS query packets sent from the querying client and received by this server, and notifies the two-way IP sharing device. The detailed flow is as follows: the server receives a DNS query packet (step S100) and compares it against its internal database (step S110). If the comparison succeeds, the matching record is taken, its external IP address and internal private IP address are extracted and packed into a reverse trigger message packet (step S120), and the trigger message is sent to the external IP address of the record (step S130), which is the address of the two-way IP sharing device; the server then waits for the sharing device's response (step S140). If the response indicates failure (step S150), the flow goes to step S230, which sends the query-failure result to the querying end; if it indicates success (step S160), the query result is sent to the querying end (step S170). If no record matches, the DNS query may concern a conventional single-layer domain name, so the server forwards the query to the root DNS server (step S180), starts a timer (step S190) and waits for the root server's response (step S200). On timeout it goes to step S230 and sends the failure result to the querying end; if a response is received (step S210), the query result is sent to the querying end.

The two-way IP sharing device of the invention must work in step with the domain name server of Figure 5. Figure 6 describes the usage decision flow chart of the two-way IP sharing device, which handles the connection trigger messages sent by the aforementioned domain name server and the data packets sent by external (Internet) users to the internal network behind this device. The detailed flow is as follows: the device checks the receive buffer for external network packets (step S100). When a trigger message arrives, the device records a first-stage reverse NAT mapping record in the reverse NAT mapping table (step S110), filling in three parameters: the source IP address, the external destination IP address and the internal destination IP address (private IP) (step S120). All three come from the reverse trigger message packet sent by the improved domain name server of the invention. The device then starts a timer (step S130) to wait for the second-stage reverse NAT mapping record to be established (that record is created only when a data packet matching the first-stage record is received, and its content comes from the IP header of that packet). The first-stage RNAT record times out after a very short predetermined time, about 1,000 microseconds (step S140), and is then automatically invalidated (deleted) whether or not a second-stage record has referenced it (step S150).

While checking the receive buffer (step S100), when a TCP (step S160) or UDP (step S170) data packet is received, the device compares four fields of the packet, the destination IP, source IP, destination port address and source port address, against all records in the NAT mapping table in the manner of the standard NAT implementation described above (step S180). When all four conditions hold at once, the record is valid: the network address translation device replaces the destination IP in the packet with the pre-translation source IP and the destination port address with the pre-translation source port address (step S190 for TCP, step S210 for UDP), recalculates the checksum (CRC) and sends the packet to the internal network (step S200 for TCP, step S220 for UDP). Because the TCP and UDP packet headers differ in structure, the comparison principle is the same but the processing after a match differs, hence the separate pairs of steps S160/S170, S190/S210 and S200/S220.

If the data packet matches no record in the NAT mapping table, the conventional network address translation device described above would discard it without further processing. The present invention instead adds a check of the reverse NAT mapping table (RNAT table): first it determines whether the device is in the second-stage reverse-mapping waiting state, that is, whether any reverse NAT mapping record currently exists (step S230); if none exists, the packet is discarded (step S270). If one exists, the external IP address and source IP address in the packet are compared with the first-stage reverse network address translation (RNAT) mapping records (step S240); if none matches, the packet is discarded (step S270). If a record matches, the source port address and destination port address in the packet are bound to that record to form the second-stage reverse network address translation mapping record (step S250). With both stages complete, the reverse network address translation mapping record is converted and copied into the forward network address translation mapping table and deleted (step S260). The packet is then handled as TCP (return to step S190) or UDP (return to step S210): its destination IP is replaced with the pre-translation source IP and its destination port address with the pre-translation source port address, the checksum (CRC) is recalculated and the packet is sent to the internal network (step S200 or step S220). Because a NAT mapping record now exists, the final translation and forwarding to the internal network no longer needs the record in the second-stage reverse network address translation mapping table.

In the usage decision flow chart of the two-way IP sharing device described above, the relationship and data structures linking the conventional forward network address translation mapping table (NAT table) and the reverse network address translation mapping table (RNAT table) of the invention are described in Figure 7 (to be read with Figures 1, 3, 4 and, mainly, 6), which describes the forward and reverse network address translation mapping tables inside the two-way IP sharing device of the invention, including the filling of data and the conversion between them. The detailed implementation is as follows.

The forward network address translation mapping table is produced when a packet sent from the internal network to the external network is received and network address translation is performed: the translation device creates a network address translation record holding six items, the pre-translation source IP, post-translation source IP, destination IP, pre-translation source port address, post-translation source port address and destination port address, and stores it in the network address translation mapping table (NAT table). Through this record, the packets with which the other party responds can be translated back to the correct packet header information for the internal network, completing the full cycle of sending and receiving data packets. When the record has not been referenced for a certain time, it is deleted from the network address translation mapping table to save memory space and search time. When the network address translation device receives a returned data packet from the destination, it applies the conventional comparison and reverse-substitution logic: when the destination IP in the received packet equals the post-translation source IP of a record in the network address translation mapping table, the source IP equals the destination IP, the destination port address equals the post-translation source port address and the source port address equals the destination port address, all four conditions holding at once, the record is valid, and the device replaces the destination IP in the packet with the pre-translation source IP and the destination port address with the pre-translation source port address, recalculates the checksum (CRC) and sends the packet to the internal network.

The reverse network address translation mapping table is produced from the connection trigger message sent by the domain name server of the invention (first stage), which carries three items, the internal destination IP, external destination IP and source IP, and from the header content of the first packet sent by the connection requester (second stage), which supplies two items, the source port address and destination port address. With both stages complete, the reverse network address translation mapping record is converted and copied into the forward network address translation mapping table and deleted. The copy is carried out as follows: the internal destination IP of the reverse record is copied to the pre-translation source IP of the forward record; the external destination IP is copied to the post-translation source IP; the source IP is copied to the destination IP; the destination port address is copied to both the pre-translation source port address and the post-translation source port address; and the source port address is copied to the destination port address. Note that because the copy goes from the reverse NAT mapping table to the forward NAT mapping table, source and destination are reversed in every copy. Once the reverse record has been converted and copied into the forward network address translation mapping table, the first packet sent by the connection requester can successfully reference that record and, after network address translation, is forwarded to the destination server computer on the internal network; any response packet that the destination server computer later sends to the connection requester can likewise reference the same record of the network address translation mapping table and, after network address translation, is forwarded to the original requesting computer on the external network. This completes the full connection setup procedure and the exchange of data packets (messages) between the two parties.

Brief description of the drawings:
Figure 1 describes the network connection architecture of the invention, in which a remote user on the external (Internet) network triggers the two-way IP sharing device through the action of a domain name query and, through the reverse NAT conversion procedure, connects to a server on the internal local area network that uses a private IP address.
Figure 2 describes the network connection architecture of a conventional one-way IP sharing device, in which internal users connect, through the NAT conversion procedure of the IP sharing device, to servers on the external network (which may be the Internet).
Figure 3 describes the overall operating procedure of the invention: a remote user on the external network triggers the two-way IP sharing device through the action of a domain name query and connects, through the reverse NAT conversion procedure, to a server on the internal local area network that uses a private IP address. For the worked example, refer to Figure 4.
Figure 4 is a packet exchange and processing example table that applies an example to Figure 3; it shows, among the four parties (the client, the domain name server of the invention, the two-way IP sharing device of the invention and the server), how data packet headers are processed during connection setup and data exchange from the external network, via the invention, to the target device on the internal network.
Figure 5 is the usage decision flow chart of the improved domain name server of the invention, which handles the DNS query packets sent from the querying client and received by this server, and notifies the two-way IP sharing device.
Figure 6 is the usage decision flow chart of the two-way IP sharing device of the invention, which handles the connection trigger messages sent by the aforementioned domain name server and the data packets sent by external (Internet) users to the internal network behind this device.
Figure 7, to be read with Figures 1, 3, 4 and mainly 6, describes the forward network address translation (NAT) and reverse network address translation (RNAT) mapping tables inside the two-way IP sharing device of the invention, including the filling of data and the conversion between them. The reverse network address translation mapping record is produced from the connection trigger message sent by the domain name server of the invention (first stage) and from the header content of the first packet sent by the connection requester (second stage); once both stages are complete, it is converted and copied into the forward network address translation mapping table and deleted.
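The procedure described above, as an added example that is not the patent's own code: a Python simulation of the improved domain name server front end (Figure 5), the two-stage RNAT record with its roughly 1,000-microsecond first-stage lifetime (Figure 6) and the reversed copy of the completed record into the six-field forward NAT table (Figure 7), using the addresses from Figures 3 and 4. The packet dictionary format, the port numbers, the injected microsecond clock and the check that a trigger is accepted only from the configured domain name server's address are assumptions of this example. The second run shows the failure mode in which the client's first packet arrives after the first-stage record has expired, so it is discarded (step S270).

```python
"""Simulation of the two-way IP sharing procedure (added example, not the patent's code).

Addresses are those of the patent's Figures 3 and 4; the packet format, ports,
clock and trusted-DNS check are assumptions made for this example.
"""
from dataclasses import dataclass

CLIENT = "61.87.143.5"            # client computer 110 (public address)
DNS_SERVER = "168.95.1.1"         # improved domain name server 120
SHARING_DEVICE = "211.15.188.69"  # two-way IP sharing device 130
INTERNAL_SERVER = "192.168.1.1"   # server computer 140 (private address)
RNAT_TTL_US = 1_000               # first-stage record lifetime, about 1,000 microseconds


@dataclass
class Rnat1:
    """First-stage RNAT record, filled from the DNS trigger message (step 4)."""
    external_ip: str
    internal_ip: str
    source_ip: str
    created_us: int


@dataclass
class NatRecord:
    """Six-field forward NAT record, in the order the description lists them."""
    src_ip_before: str
    src_ip_after: str
    dst_ip: str
    src_port_before: int
    src_port_after: int
    dst_port: int


class SharingDevice:
    def __init__(self, clock):
        self.clock = clock  # callable returning microseconds (injected so expiry is testable)
        self.rnat = []      # first-stage reverse records
        self.nat = []       # forward NAT table

    def on_trigger(self, from_ip, external_ip, internal_ip, source_ip):
        """Steps 4-5: create the first-stage record and report success or failure.
        Assumption of this example: only the configured DNS server may open reverse mappings."""
        if from_ip != DNS_SERVER or external_ip != SHARING_DEVICE:
            return False
        self.rnat.append(Rnat1(external_ip, internal_ip, source_ip, self.clock()))
        return True

    def _expire(self):
        now = self.clock()  # S140/S150: stale first-stage records are deleted
        self.rnat = [r for r in self.rnat if now - r.created_us <= RNAT_TTL_US]

    def inbound(self, pkt):
        """Figure 6: translate an external packet toward the internal network, or drop it (None)."""
        for rec in self.nat:  # S180: standard four-field NAT match
            if (pkt["dst_ip"], pkt["src_ip"], pkt["dst_port"], pkt["src_port"]) == (
                    rec.src_ip_after, rec.dst_ip, rec.src_port_after, rec.dst_port):
                return {**pkt, "dst_ip": rec.src_ip_before, "dst_port": rec.src_port_before}
        self._expire()
        for r in self.rnat:  # S230-S260: reverse table check
            if pkt["dst_ip"] == r.external_ip and pkt["src_ip"] == r.source_ip:
                # Stage two: bind the ports, copy into the forward table with
                # source and destination reversed, then delete the RNAT record.
                self.nat.append(NatRecord(r.internal_ip, r.external_ip, r.source_ip,
                                          pkt["dst_port"], pkt["dst_port"], pkt["src_port"]))
                self.rnat.remove(r)
                return {**pkt, "dst_ip": r.internal_ip}
        return None  # S270: no record anywhere, discard

    def outbound(self, pkt):
        """Reply from the internal server (step 11): rewrite the private source address."""
        for rec in self.nat:
            if (pkt["src_ip"], pkt["dst_ip"], pkt["src_port"], pkt["dst_port"]) == (
                    rec.src_ip_before, rec.dst_ip, rec.src_port_before, rec.dst_port):
                return {**pkt, "src_ip": rec.src_ip_after, "src_port": rec.src_port_after}
        return None


class DnsServer:
    """Figure 5 front end: resolve, trigger the device, answer only if the device accepts."""
    def __init__(self, device, records):
        self.device, self.records = device, records  # name -> (external, internal) pair

    def query(self, client_ip, name):
        if name not in self.records:
            return None  # conventional name: would be forwarded to the root servers (S180)
        ext, internal = self.records[name]
        return ext if self.device.on_trigger(DNS_SERVER, ext, internal, client_ip) else None


def run_example(delay_us=0):
    """Steps 1-13 with a constructed TCP SYN; delay_us elapses between steps 6 and 7."""
    clock = [0]
    dev = SharingDevice(lambda: clock[0])
    dns = DnsServer(dev, {"xyzidv.tw": (SHARING_DEVICE, INTERNAL_SERVER)})
    answer = dns.query(CLIENT, "xyzidv.tw")                     # steps 1-6
    clock[0] += delay_us
    syn = {"src_ip": CLIENT, "dst_ip": answer, "src_port": 40000, "dst_port": 80}
    fwd = dev.inbound(syn)                                      # steps 7-9
    reply = None
    if fwd:
        reply = dev.outbound({"src_ip": fwd["dst_ip"], "dst_ip": CLIENT,
                              "src_port": fwd["dst_port"], "dst_port": 40000})  # steps 10-11
    ack = dev.inbound(syn)                                      # steps 12-13 hit the NAT table
    return {"answer": answer, "syn_dst": fwd and fwd["dst_ip"], "reply_src": reply and reply["src_ip"],
            "ack_dst": ack and ack["dst_ip"], "rnat_left": len(dev.rnat), "nat_records": len(dev.nat)}


if __name__ == "__main__":
    print(run_example())
    print(run_example(delay_us=5_000))  # first-stage record expired: SYN dropped, no NAT record
```

In the second run the DNS answer has already been returned to the client before the first-stage record expires, so the client is given an address at which it is then refused; the lifetime of the first-stage record is therefore the parameter a deployer has to weigh against the real delay between the DNS response and the client's first packet.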
Claims (1)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW92125442A TWI291295B (en) | 2003-09-16 | 2003-09-16 | Bilateral IP sharing method and device |
Applications Claiming Priority (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
TW92125442A TWI291295B (en) | 2003-09-16 | 2003-09-16 | Bilateral IP sharing method and device |
Publications (2)
Publication Number | Publication Date |
---|---|
TW200513077A TW200513077A (en) | 2005-04-01 |
TWI291295B true TWI291295B (en) | 2007-12-11 |
Family
ID=39460491
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
TW92125442A TWI291295B (en) | 2003-09-16 | 2003-09-16 | Bilateral IP sharing method and device |
Country Status (1)
Country | Link |
---|---|
TW (1) | TWI291295B (en) |
Cited By (2)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
TWI565258B (en) * | 2015-08-19 | 2017-01-01 | 鴻海精密工業股份有限公司 | System, method and device for filtering https network packet |
US9648021B2 (en) | 2015-08-19 | 2017-05-09 | Hon Hai Precision Industry Co., Ltd. | HTTPS content filtering method and device |
- 2003-09-16 TW TW92125442A patent/TWI291295B/en not_active IP Right Cessation
Also Published As
Publication number | Publication date |
---|---|
TW200513077A (en) | 2005-04-01 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
TWI234969B (en) | Dynamic network address translation system and method of transparent private network device | |
CN100512165C (en) | Method, device and system for facilitating peer-to-peer application communication | |
US8908685B2 (en) | Routing using global address pairs | |
US7779158B2 (en) | Network device | |
US20040044778A1 (en) | Accessing an entity inside a private network | |
WO2008122230A1 (en) | A method, device for storing domain name system records and a domain name parsing method and device | |
TW200924462A (en) | System and method for connection of hosts behind NATs | |
US8612557B2 (en) | Method for establishing connection between user-network of other technology and domain name system proxy server for controlling the same | |
JP3666654B2 (en) | Internet communication method |
JP2002141953A (en) | Communication relay device, communication relay method, and communication terminal, and program storage medium | |
AU2023203289A1 (en) | Systems and methods for providing a ReNAT communications environment | |
Grosse et al. | Network processors applied to IPv4/IPv6 transition | |
US7908481B1 (en) | Routing data to one or more entities in a network | |
TWI291295B (en) | Bilateral IP sharing method and device | |
US7788407B1 (en) | Apparatus and methods for providing an application level gateway for use in networks | |
US20060031514A1 (en) | Initiating communication sessions from a first computer network to a second computer network | |
CN104427013B (en) | Working level address-translating device and its processing method to station address mapping relations | |
JP4003634B2 (en) | Information processing device | |
JP4191180B2 (en) | Communication support device, system, communication method, and computer program | |
Kannan et al. | Supporting legacy applications over i3 | |
JP2007189752A (en) | Communication method | |
JP2004080703A (en) | Inter-network communication method, and gate apparatus and terminal to be used therefor | |
KR20030075237A (en) | Method and system for communicating with host having applications using heterogeneous internet protocols and target platform | |
CN112565305B (en) | Method, system and storage medium for accessing local area network equipment by using domain name | |
JP2008206081A (en) | Data relaying apparatus and data relaying method used for multi-homing communication system |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
MM4A | Annulment or lapse of patent due to non-payment of fees |