CN1754161A - Apparatus, method, and computer program product for building virtual networks - Google Patents

Info

Publication number
CN1754161A
Authority
CN
China
Prior art keywords
network
virtual
computing system
virtual network
server
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Pending
Application number
CN 200380103257
Other languages
Chinese (zh)
Inventor
G·杨
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Collatus Corp
Original Assignee
Collatus Corp

Abstract

Disclosed are a system, method and computer program product for building virtual networks for TCP/IP networking. The system includes a global area network coupled to one or more virtual network hosting servers, and a first computing system coupled to the one or more servers through a first firewall, wherein a virtual network including the first computing system is formed with a second computing system coupled to the one or more servers through a second firewall, such that the computing systems communicate with each other through a direct logical connection. The method for forming a virtual network includes a) establishing a physical connection from a first computing system, through a first firewall, to a virtual network hosting server coupled to a global area network; b) communicating with a second computing system that is physically connected to the virtual network hosting server through a second firewall; and c) carrying out that communication over a direct logical connection between the two computing systems.

Description

Apparatus, method and computer program product for building virtual networks
Technical field
The present invention relates generally to communication on computer networks, and in particular to systems and methods for building virtual networks on global computer networks such as the Internet.
Background
As interdependence among businesses in the Internet economy grows, enterprises rely heavily on communication with their partners, suppliers and customers in order to run their operations successfully and quickly.
Most enterprise networks today, however, are protected by one or more security features, including firewalls. Firewalls help enterprises tighten control over their data, which in turn helps protect their trade secrets. Using firewalls to separate private networks from the public network also helps work around the shortage of IPv4 addresses. A side effect of firewalls, though, is that they divide the Internet into many "network islands" that are not fully bidirectionally connected. Connectivity between enterprises on these islands becomes a serious problem.
Fig. 1 is a schematic block diagram of a network system 100 divided into a plurality of "network islands" 105i. Each island 105i includes a firewall 110i and a number of computing systems (for example a server 115i, a desktop computer 120i and a notebook computer 125i). Although the configuration of each firewall 110i usually differs from that of the others, all of them restrict fully bidirectional traffic. As shown in Fig. 1, a computing system behind firewall 1102 cannot freely reach a computing system behind firewall 1101, even though both are connected to the public Internet 130.
Besides the filtering and blocking behaviour of the firewalls 110i, the main cause of the reachability problem between computing systems behind different firewalls 110i is that they use different private address spaces. Firewalls 1101 and 1102 define different address spaces for islands 1051 and 1052 respectively, which in effect isolates separate reserved regions within the public Internet. Through network address translation (NAT), every computing system on an island 105i can reach the Internet 130, but it loses any IP connectivity to computing systems on other islands unless special administrative arrangements are made in cooperation with the firewalls 110i.
A way to solve this reachability problem is needed. In particular, there is a need for systems and methods that build virtual networks for TCP/IP networking and allow computing systems on different network islands to interconnect and cooperate. There is also a need for systems and methods that let existing TCP/IP-based applications extend seamlessly across different network islands, with that extension established dynamically across island boundaries.
Summary of the invention
The present disclosure is a system, method and computer program product for building virtual networks for TCP/IP networking. The system includes a global area network coupled to one or more virtual network hosting servers, and a first computing system coupled to the one or more servers via a first firewall, wherein a virtual network including the first computing system is formed with a second computing system coupled to the one or more servers via a second firewall, such that the computing systems communicate with each other via a direct logical connection. The method for forming a virtual network includes a) establishing, via a first firewall, a physical connection between a first computing system and a virtual network hosting server coupled to a global area network; and b) communicating with a second computing system that is physically connected, via a second firewall, to the virtual network hosting server, wherein the communicating step includes communicating via a direct logical connection between the computing systems. The computer program product has a computer-readable medium carrying program instructions for forming a virtual network from two or more computing systems each connected to a global area network via a firewall; when executed, the program instructions perform a method that includes a) establishing, via a first firewall, a physical connection between a first computing system and a virtual network hosting server coupled to the global area network; b) establishing, via a second firewall, a physical connection between a second computing system and the virtual network hosting server; and c) establishing a logical connection between the computing systems to form the virtual network.
The invention provides a way to address and improve upon the reachability problem of the prior art. The preferred embodiment provides a system, method and computer program product for building virtual networks for TCP/IP networking, so that computing systems on different network islands can interconnect and cooperate. The preferred embodiment also allows existing TCP/IP-based applications to be extended seamlessly across different network islands, with the extension established dynamically across island boundaries for islands of widely differing configurations.
Description of drawings
Fig. 1 is a schematic block diagram of a network system divided into a plurality of "network islands";
Fig. 2 is a schematic block diagram of a preferred embodiment of a virtual networking system;
Fig. 3 is a schematic diagram of a preferred embodiment of the server communication application;
Fig. 4 is a block diagram illustrating the connection sequence between a client and the hosting server when the firewall between them allows the TCP connection request through;
Fig. 5 is a block diagram illustrating the connection sequence between a client and the hosting server when the firewall between them does not allow the TCP connection request through;
Fig. 6 is a flow diagram of the process for detecting the network environment applicable to a client computing system;
Fig. 7 is a schematic diagram of the communication software architecture on a client computer system (for example a desktop computer);
Fig. 8 is a flow diagram of the modified ARP process used to distinguish virtual adapters at the physical-address level;
Fig. 9 is a flow diagram of the network ID selection process that the communication software on a client computer system uses to determine the network ID of the virtual network;
Fig. 10 is a flow diagram of the connection-based address translation process for inbound TCP packets delivered through the virtual adapter;
Fig. 11 is a flow diagram of the outbound TCP packet process applied to packets sent through the virtual adapter; and
Fig. 12 is a flow diagram of the process for handling DNS name requests initiated on a client computer system.
Detailed description
The present invention provides systems and methods for building virtual networks for TCP/IP networking, so that computing systems on different network islands can interconnect and cooperate. It also provides systems and methods for extending existing TCP/IP-based applications seamlessly across different network islands, with the extension established dynamically across island boundaries. The following description is presented to enable one of ordinary skill in the art to make and use the invention, and is provided in the context of this patent application and its requirements. Various modifications to the preferred embodiment and to the general principles and features described here will be readily apparent to those skilled in the art. The invention is therefore not intended to be limited to the embodiments shown, but is to be accorded the widest scope consistent with the principles and features described here.
The preferred embodiments of the invention and their advantages are best understood by referring to Figs. 2-12.
Fig. 2 is a schematic block diagram of a preferred embodiment of a virtual networking system 200. System 200 includes a virtual network hosting server 205, which provides the server environment for the invention. Similarly, a computing system on each network island 105i (for example computer system 120i) provides a client environment for the invention. Each computing system 120i connects to server 205 over computer network 130 (for example the Internet). Because of firewall 110i, the connection from 120i to network 130 is an outbound connection only, like any HTTP connection made from an HTTP client to an HTTP server. In addition, the invention provides a method for creating a tunnel through the firewall using the standard SSL tunneling protocol, that is, the well-known HTTP CONNECT method used for such connections.
Server 205 may be any kind of electronic device capable of accepting and creating connections with other server computer systems and with client computer systems, and of exchanging data over the connections so created. In the embodiment shown in Fig. 2, virtual network hosting server 205 includes one or more processors, memory, storage disks, operating system software, application software and communication software. The processor may be any suitable processor, such as a member of the Intel Pentium processor family. The memory may be any kind of memory, such as DRAM or SRAM. The storage disk may be any kind of device designed to store digital data, such as a hard disk or floppy disk. The operating system software may be any suitable operating system that runs on the underlying hardware, such as Microsoft Windows (for example Windows NT, Windows 2000 or Windows XP) or a version of Unix (for example Sun Solaris or Red Hat Linux). The application software may be any software, such as Microsoft SQL Server, Apache Web Server, a computer-aided design (CAD) application or any other kind of application program. The communication software may be any software capable of carrying out data communication between the server computer system and client computer systems, and it includes instructions for performing the server-side functions that create the virtual networks described in the invention.
A client computer system may be any kind of electronic device capable of creating connections with a server computer system and of exchanging data over the connections so created. In the embodiment shown in Fig. 2, the client computer system (for example desktop computer 120i) includes one or more processors, memory, storage disks, operating system software, application software and communication software. The processor(s) may be any suitable processor, such as a member of the Intel Pentium processor family. The memory may be any kind of memory, such as DRAM or SRAM. The storage disk may be any kind of device designed to store digital data, such as a hard disk or floppy disk. The operating system software may be any suitable operating system that runs on the underlying hardware, such as Microsoft Windows (for example Windows NT, Windows 2000 or Windows XP) or a version of Unix (for example Sun Solaris or Red Hat Linux). The application software may be any software, such as Microsoft Word, Netscape Navigator, a spreadsheet application or any other kind of application program. The communication software may be any software capable of carrying out data communication between the client computer system and the server computer system, and it includes instructions for performing the client-side functions that create the virtual networks described in the invention.
Global computer network 130 may be any kind of computer network comprising a large number of computers that can communicate with one another. In some embodiments of the invention the global computer network is the Internet.
A firewall such as firewall 110i may be any hardware device or software system that performs access control between two networks; in some embodiments of the invention the two networks are an enterprise private network and a global computer network such as Internet 130.
System 200 also includes virtual network 210, a network object implemented in software that has the same characteristics as a physical network such as Ethernet. On each client computer system it appears as an additional physical network interface; on the server computer system it appears as a software object managed by the server communication software.
As described in detail below, the invention provides systems and methods for building virtual network 210 on a global computer network such as Internet 130.
To form virtual network 210, each participating client computer system (for example desktop computer 120i) first establishes a connection to the server computer system that will host virtual network 210 (for example virtual network hosting server 205). Depending on which virtual network 210 a particular client computer system wants to join, the server communication software establishes a connection from that client computer system to the corresponding virtual network object. The server communication software also manages the data exchange activity on the virtual network, both between individual client computer systems and broadcast across the whole virtual network.
Fig. 3 is a schematic diagram of a preferred embodiment of the server communication application 300. Application 300 includes a number of virtual network objects (for example 305, 310 and 315). In Fig. 3, a client computer system (for example desktop computer 1201) and another client computer system (for example desktop computer 1202) join virtual network 210 by communicating with virtual network object 305, which communication software 300 created on server computer system 205. Server 205 manages virtual network 210 through object 305.
Fig. 4 is a block diagram illustrating the connection sequence between a client and the hosting server when the firewall between them allows the TCP connection request through. When the firewall (for example firewall 110i) allows a direct outbound connection to be created between the client computer system (for example desktop computer 120i) and the server computer system (for example virtual network hosting server 205), the connection is established according to the sequence shown in Fig. 4.
In Fig. 4, firewall 1101 passes outbound TCP connection requests, so desktop computer 1201 creates a direct connection to virtual network hosting server 205 in the sequence shown in the figure. For this kind of direct TCP connection, the client computer system sends the TCP connection request directly to the server computer system; the firewall between the client computer system and the server computer system performs network address translation (NAT) on the request and lets the TCP connection through, and it likewise allows the response and the further data exchange.
Fig. 5 is a block diagram illustrating the connection sequence between a client and the hosting server when the firewall between them does not allow the TCP connection request through. When the firewall (for example firewall 1102) does not allow the client computer system (for example desktop computer 1202) to connect to the server computer system (for example virtual network hosting server 205) at will, system 200 uses the SSL tunneling protocol to pass through firewall 1102. In most cases, although firewall 1102 does not allow arbitrary outbound connections, it does often allow outbound connections through certain intermediary servers such as a SOCKS server or an HTTP proxy server. Fig. 5 shows the connection sequence using the SSL tunneling protocol. In this case the client computer system (desktop computer 1202) does not create a direct TCP connection to the server computer system (virtual network hosting server 205); instead it forwards its request through HTTP proxy server 5002 using the SSL tunneling protocol, as shown in Fig. 5. Unlike the direct case, the client computer system (desktop computer 1202) first establishes a direct TCP connection to HTTP proxy server 5002. Once the TCP connection to HTTP proxy server 5002 has been created, desktop computer 1202 initiates the SSL tunneling request using the HTTP CONNECT method. The general syntax of the tunneling request is as follows:
CONNECT <host address>:<port> HTTP/1.0
... HTTP request headers, followed by an empty line
Once HTTP proxy server 5002 receives the tunneling request, it eventually establishes a connection to the destination server and then forwards data in both directions between the requesting client and the server until either party closes the underlying TCP connection.
Fig. 6 is a flow diagram of the process for detecting the network environment applicable to a client computing system. Because the connection procedure differs according to the particular network environment of the client computer system, the communication software on the client computer system detects the network environment before attempting a connection to the server computer system. Fig. 6 shows the flow of the preferred detection/selection process 600.
In step 605, process 600 begins with the client communication software (for example on desktop computer 120i) testing the applicable network environment. In the preferred embodiment this test determines whether an HTTP proxy server 500i is available. When no proxy server is available, process 600 proceeds to step 610 and performs the connection sequence shown in Fig. 4. If the test in step 605 determines that a proxy server is available, process 600 instead proceeds to step 615 and performs the connection sequence shown in Fig. 5. Process 600 ends after step 610 or step 615 has been performed.
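The tunneling exchange of Fig. 5 and the direct-versus-proxy choice of Fig. 6, as an added example that is not code from the patent: the client builds the CONNECT request exactly as the syntax above describes, waits for the proxy's status line and header block, and only then starts the end-to-end session. The host name, port, proxy address and the proxy replies are constructed for illustration, and running TLS on both paths (direct and tunneled) is an assumption; the patent leaves the security protocol to the negotiation that follows the physical connection.

```python
"""Added example: HTTP CONNECT tunnel (Fig. 5) and proxy/direct selection (Fig. 6).
Host names, ports and proxy replies are constructed; they are not from the patent."""
import socket
import ssl
from typing import Optional

MAX_PROXY_REPLY = 64 * 1024  # bound the buffer while waiting for the header terminator


def build_connect_request(host: str, port: int) -> bytes:
    """CONNECT <host>:<port> HTTP/1.0, request headers, then an empty line."""
    lines = [f"CONNECT {host}:{port} HTTP/1.0", f"Host: {host}:{port}"]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("ascii")


def parse_connect_response(data: bytes) -> tuple:
    """Return (status code, bytes that followed the proxy's header block).
    Raises ValueError when the header block is incomplete or malformed."""
    head, sep, rest = data.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete proxy response")
    status_line = head.split(b"\r\n", 1)[0]
    parts = status_line.split(b" ", 2)
    if len(parts) < 2 or not parts[0].startswith(b"HTTP/") or not parts[1].isdigit():
        raise ValueError(f"malformed status line: {status_line!r}")
    return int(parts[1]), rest


def open_tunnel(proxy: tuple, host: str, port: int, timeout: float = 10.0) -> ssl.SSLSocket:
    """Fig. 5: TCP to the proxy, CONNECT, then TLS end to end with the hosting server."""
    sock = socket.create_connection(proxy, timeout=timeout)
    try:
        sock.sendall(build_connect_request(host, port))
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                raise ConnectionError("proxy closed the connection during CONNECT")
            buf += chunk
            if len(buf) > MAX_PROXY_REPLY:
                raise ConnectionError("proxy reply too large")
        status, leftover = parse_connect_response(buf)
        if status != 200:
            raise ConnectionError(f"proxy refused CONNECT with status {status}")
        if leftover:
            # The TLS client speaks first, so nothing legitimate can precede the handshake.
            raise ConnectionError("unexpected data from proxy after CONNECT")
        # TLS is negotiated with the hosting server itself, so certificate and host name
        # verification still protect the session from a hostile or compromised proxy.
        return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    except Exception:
        sock.close()
        raise


def connect_to_hosting_server(host: str, port: int, proxy: Optional[tuple]) -> ssl.SSLSocket:
    """Fig. 6: no proxy available -> direct sequence (Fig. 4); proxy available -> Fig. 5."""
    if proxy is None:
        sock = socket.create_connection((host, port), timeout=10.0)
        return ssl.create_default_context().wrap_socket(sock, server_hostname=host)
    return open_tunnel(proxy, host, port)
```

The two checks after the status line are the ones that matter in practice: a non-200 reply (407 from an authenticating proxy, for instance) must abort rather than be treated as tunnel data, and the certificate check on the tunneled TLS session is what stops the proxy from silently becoming a man in the middle.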
As shown in Figs. 4 and 5, after the physical connection has been established, whether as a direct TCP connection or as an indirect TCP connection through an HTTP proxy server, the client computer system and the server computer system can carry out any negotiation that is needed or desired. This negotiation may include version checking, security protocol negotiation and connectivity verification, and may involve several round trips of data exchange for the handshake between the two sides.
Fig. 7 is a schematic diagram of the architecture 700 of the communication software on a client computer system (for example desktop computer 120i). Architecture 700 consists of two main software parts: the virtual network client runtime part 705 and the virtual network adapter part 710.
The virtual network client runtime 705 uses the network services provided by the host operating system running on the client computer system to establish the connection to the server computer system (for example virtual network hosting server 205), and it takes part in the data exchange sessions that belong to virtual network 210 and are handled by the communication software on the client and server computer systems.
Virtual network adapter 710 is loaded by virtual network client runtime 705 on behalf of the virtual network 210 that is to be present on the client computer system. Any network application 715 running on the client computer can discover adapter 710 and use it just as it would use any other physical network the client computer system may be attached to.
Before virtual network 210 can be used, virtual network adapter 710 must be configured correctly. Adapter 710 has dynamic properties for both its physical address and its logical address, which complicates configuration. The invention provides methods that address the problems associated with both kinds of address.
Virtual network adapter 710 can emulate any physical media type; the preferred embodiment uses IEEE 802.3 Ethernet. An IEEE 802.3 Ethernet address is a 48-bit address consisting of a 24-bit vendor ID and a 24-bit interface serial number (assigned by the vendor), so that every Ethernet address is unique worldwide. Because the invention creates virtual networks dynamically, each instantiated virtual network adapter 710 is dynamically assigned its own physical adapter address. Some systems, however, do not allow the adapter's physical address to be changed dynamically. To work around this, the invention uses a pseudo physical address: every virtual adapter 710 is statically configured with a pseudo physical address, and in the preferred embodiment every adapter 710 uses the same pseudo physical address. To distinguish virtual adapters 710 at the physical-address level, a modified Address Resolution Protocol (ARP) process is used.
Fig. 8 is a flow diagram of the modified ARP process 800 used to distinguish virtual adapters 710 at the physical-address level. Every virtual adapter 710 is configured with the same pseudo physical address, but this pseudo physical address is visible only to the adapter's own host; other adapters see the adapter's dynamically assigned physical address.
In step 805, process 800 begins with the communication software on the client computer system examining the packet details of each Address Resolution Protocol (ARP) request. The communication software collects all the information needed for the further steps.
Next, in step 810, process 800 checks whether the ARP request is for the dynamically assigned physical address of the adapter instance on the client computer system. If so, process 800 proceeds to step 815; otherwise process 800 ignores the ARP request.
In step 815, process 800 checks whether the ARP request was sent from the local computer system. When the ARP request came from the local computer system, process 800 responds with the fixed pseudo physical address; otherwise process 800 responds with the dynamically assigned physical address.
The dynamic physical addresses are assigned by the communication software running on server computer system 205, and are generated by combining the vendor ID with a dynamically assigned sequence number that is unique within the virtual network.
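The address generation described in the previous paragraph and the ARP answer of steps 810 and 815, as an added example that is not code from the patent. The vendor ID, the shared pseudo physical address and the IP addresses are constructed for illustration; the patent fixes none of them. Reading "a request for the adapter's dynamically assigned address" as an ARP who-has for the adapter's own IP address is my interpretation of step 810.

```python
"""Added example: server-side physical-address generation and the modified ARP
answer of Fig. 8.  All constants below are constructed, not taken from the patent."""
from dataclasses import dataclass

# Assumed: every virtual adapter is statically configured with this same pseudo address.
# The 0x02 bit in the first octet marks it locally administered, so it cannot collide
# with a real vendor-assigned MAC.
PSEUDO_PHYSICAL_ADDRESS = 0x020000000001


def format_mac(addr: int) -> str:
    return ":".join(f"{(addr >> shift) & 0xFF:02x}" for shift in range(40, -1, -8))


class AddressAllocator:
    """Runs in the hosting server's communication software: 24-bit vendor ID followed
    by a 24-bit sequence number, the sequence being unique within each virtual network."""

    def __init__(self, vendor_id: int):
        if not 0 <= vendor_id < (1 << 24):
            raise ValueError("vendor ID must fit in 24 bits")
        self.vendor_id = vendor_id
        self._next = {}  # virtual network name -> next free sequence number

    def allocate(self, network_name: str) -> int:
        seq = self._next.get(network_name, 1)
        if seq >= (1 << 24):
            raise RuntimeError(f"serial-number space exhausted for {network_name}")
        self._next[network_name] = seq + 1
        return (self.vendor_id << 24) | seq


@dataclass
class VirtualAdapter:
    ip: str            # logical address on the virtual network
    dynamic_mac: int   # assigned by the server through AddressAllocator


def answer_arp(adapter: VirtualAdapter, target_ip: str, from_local_host: bool):
    """Steps 810-815.  Returns the physical address to place in the ARP reply, or None
    when the request is not for this adapter and is to be ignored.  The local host
    is told the fixed pseudo address; every other party sees the dynamic address."""
    if target_ip != adapter.ip:          # step 810
        return None
    return PSEUDO_PHYSICAL_ADDRESS if from_local_host else adapter.dynamic_mac  # step 815
```

Because the sequence number is only unique within one virtual network, two adapters on different virtual networks hosted by the same server may legitimately receive the same dynamic address; the allocator above reproduces that scope deliberately.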
As with the physical address assignment, TCP/IP settings for TCP/IP networking are also configured for each virtual network adapter 710. The communication software on the client computer system and on the server computer system cooperate to prevent address conflicts between computer systems on the virtual network and on the networks those systems belong to.
The client computer systems of a virtual network may span several enterprise networks. The address administration in place on each separate private network is managed independently and may not be suitable for the virtual network. Consequently, the IP address assignment of the virtual network may collide with that of some private networks. The invention provides a subnet localization method to handle this possibility.
An IP address consists of two parts, the network ID part and the host ID part; the subnet localization method operates on the network ID part. A preferred network ID is chosen as soon as the virtual network is created. Whenever the client communication software configures the TCP/IP settings of the virtual adapter, it uses this preferred network ID wherever possible. Fig. 9 is a flow diagram of the network ID selection process 900, which the communication software on a client computer system uses to determine the network ID of the virtual network. Process 900 includes a test step 905 that determines whether the selected preferred network ID conflicts with the local system. When there is no conflict, the preferred network ID can be used. When there is a conflict, the local system selects another candidate network ID and returns to step 905 to test the candidate.
When the preferred network ID cannot be selected for a client computer system, that client computer system has a localized view of the virtual network. A localized view means that while the other client computer systems see the virtual network with the preferred network ID, this client computer system treats the virtual network as having the locally selected network ID. To allow this client computer system to communicate with the other systems, a special process runs in the client communication software: for every IP packet passing through the client, the client communication software performs a connection-based address translation process.
Fig. 10 is a flow diagram of the connection-based address translation for inbound TCP packets delivered through the virtual adapter. Process 1000 begins at step 1005 by testing whether the inbound packet is a TCP SYN packet. If it is a TCP SYN packet, process 1000 performs the steps beginning at 1010; otherwise process 1000 performs the actions beginning at 1045.
In step 1010, process 1000 tests whether the network ID in the source IP address matches the network ID of the virtual adapter. When they do not match, the address translation shown in step 1015 (change the source network ID) and step 1020 (update the checksums) is performed, and in step 1025 process 1000 also creates a mapping entry, based on the source IP address and source port, for later address translation. After step 1025 has been completed when the test in step 1010 is negative, or directly after step 1010 when the test is positive, process 1000 performs another test in step 1030. This test determines whether the destination network ID matches the network ID of the virtual adapter. If they match, process 1000 ends. If they do not match, process 1000 performs step 1035 (change the destination network ID to match the network ID of the virtual adapter) and step 1040 (update the checksums) before ending.
For TCP packets that are not SYN packets, process 1000 goes from step 1005 to the test in step 1045. When a mapping entry for the source IP address/source port exists, process 1000 performs the test in step 1050; otherwise process 1000 ends.
In step 1050, process 1000 tests whether the network ID in the source IP address matches the network ID of the virtual adapter. When they do not match, the address translation shown in step 1055 (change the source network ID) and step 1060 (update the checksums) is performed. After step 1060 has been completed when the test in step 1050 is negative, or directly after step 1050 when the test is positive, process 1000 performs the steps beginning at test step 1030, as described above.
Fig. 11 is a flow diagram of the outbound TCP packet process applied to packets sent through the virtual adapter. For each outbound TCP packet, process 1100 tests in step 1105 whether a mapping entry exists for the destination address and destination port in the packet. When no mapping entry is found, process 1100 ends. When a mapping entry is found, process 1100 performs the actions beginning at step 1110.
Step 1110 is a test that determines whether the network ID of the source IP address matches the original network ID recorded in the mapping entry. When the network ID of the source IP address does not match the original network ID recorded in the mapping entry, process 1100 performs the address translation specified in step 1115 (change the source network ID to match the original ID recorded in the entry) and step 1120 (update the checksums).
After steps 1115 and 1120, or after the test in step 1110 finds a match, process 1100 performs another test in step 1125 to determine whether the network ID of the destination IP address matches the original network ID recorded in the mapping entry. When the network ID of the destination IP address matches the original network ID recorded in the mapping entry, process 1100 ends.
When the network ID of the destination IP address does not match the original network ID recorded in the mapping entry, process 1100 performs the address translation specified in step 1130 (change the destination IP address in the packet so that it matches the original source network ID recorded in the entry) and step 1135 (update the checksums). As the corresponding steps 1120 and 1135 indicate, for every change made to a packet both the IP checksum and the TCP checksum are recomputed and updated.
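The subnet localization machinery of Figs. 9, 10 and 11 in one piece, as an added example that is not code from the patent: select_network_id() is the conflict test loop of process 900, and Translator.inbound()/outbound() carry out processes 1000 and 1100 on real IPv4/TCP headers, recomputing both checksums on serialisation. Keying the mapping table on the host part of the address plus the port is an assumption (the patent says only that the entry is built from the source IP address and port; keying on the host part is what lets the outbound lookup on the translated destination find the entry the inbound SYN created). All addresses are constructed for illustration.

```python
"""Added example: network ID selection (Fig. 9) and connection-based address
translation (Figs. 10 and 11).  Addresses are constructed, not from the patent."""
import ipaddress
import struct
from dataclasses import dataclass, replace

IPv4Address = ipaddress.IPv4Address
IPv4Network = ipaddress.IPv4Network
IP_HDR = struct.Struct("!BBHHHBBH4s4s")   # 20-byte IPv4 header, no options
TCP_HDR = struct.Struct("!HHIIBBHHH")     # 20-byte TCP header, no options
TCP_SYN = 0x02


def select_network_id(preferred, candidates, local_networks):
    """Fig. 9: keep the preferred ID unless it overlaps a network the local system
    already uses; otherwise try the next candidate (step 905 repeated)."""
    for cand in (preferred, *candidates):
        if not any(cand.overlaps(local) for local in local_networks):
            return cand
    raise RuntimeError("no candidate network ID is free of conflicts")


def checksum(data: bytes) -> int:
    """Ones'-complement checksum; evaluates to 0 over a correctly checksummed header."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


@dataclass
class Packet:
    src: IPv4Address
    dst: IPv4Address
    sport: int
    dport: int
    flags: int
    payload: bytes = b""

    def to_bytes(self) -> bytes:
        """Serialise; both checksums are recomputed here (steps 1020/1040/1120/1135)."""
        tcp = TCP_HDR.pack(self.sport, self.dport, 1, 0, 5 << 4, self.flags, 65535, 0, 0) + self.payload
        pseudo = self.src.packed + self.dst.packed + struct.pack("!BBH", 0, 6, len(tcp))
        tcp = tcp[:16] + struct.pack("!H", checksum(pseudo + tcp)) + tcp[18:]
        ip = IP_HDR.pack(0x45, 0, IP_HDR.size + len(tcp), 0, 0, 64, 6, 0, self.src.packed, self.dst.packed)
        ip = ip[:10] + struct.pack("!H", checksum(ip)) + ip[12:]
        return ip + tcp


def checksums_valid(raw: bytes) -> bool:
    ip, tcp = raw[:IP_HDR.size], raw[IP_HDR.size:]
    pseudo = ip[12:20] + struct.pack("!BBH", 0, 6, len(tcp))
    return checksum(ip) == 0 and checksum(pseudo + tcp) == 0


class Translator:
    def __init__(self, local_net: IPv4Network):
        self.local = local_net   # network ID this client selected for its localized view
        self.mappings = {}       # (host part, port) -> original network ID (assumed key)

    def _net(self, addr: IPv4Address) -> IPv4Network:
        return ipaddress.ip_network((int(addr), self.local.prefixlen), strict=False)

    def _host(self, addr: IPv4Address) -> int:
        return int(addr) & int(self.local.hostmask)

    def _rehome(self, addr: IPv4Address, net: IPv4Network) -> IPv4Address:
        """Replace the network ID part of the address, keep the host ID part."""
        return IPv4Address(self._host(addr) | int(net.network_address))

    def inbound(self, pkt: Packet) -> Packet:
        """Fig. 10: packets arriving through the virtual adapter."""
        pkt = replace(pkt)
        key = (self._host(pkt.src), pkt.sport)
        if pkt.flags & TCP_SYN:                                # step 1005 -> 1010
            if self._net(pkt.src) != self.local:
                self.mappings[key] = self._net(pkt.src)        # step 1025
                pkt.src = self._rehome(pkt.src, self.local)    # step 1015
        else:                                                  # step 1045
            if key not in self.mappings:
                return pkt                                     # untracked: left alone
            if self._net(pkt.src) != self.local:               # steps 1050/1055
                pkt.src = self._rehome(pkt.src, self.local)
        if self._net(pkt.dst) != self.local:                   # steps 1030/1035
            pkt.dst = self._rehome(pkt.dst, self.local)
        return pkt

    def outbound(self, pkt: Packet) -> Packet:
        """Fig. 11: packets leaving through the virtual adapter."""
        original = self.mappings.get((self._host(pkt.dst), pkt.dport))  # step 1105
        if original is None:
            return pkt
        pkt = replace(pkt)
        if self._net(pkt.src) != original:                     # steps 1110/1115
            pkt.src = self._rehome(pkt.src, original)
        if self._net(pkt.dst) != original:                     # steps 1125/1130
            pkt.dst = self._rehome(pkt.dst, original)
        return pkt
```

Two properties worth checking when implementing this for real: a non-SYN packet with no mapping entry passes through untranslated (process 1000 ends at step 1045), so a peer that never sent a SYN through the adapter cannot have its addresses rewritten; and because the TCP checksum covers the pseudo-header, changing either IP address invalidates both checksums, which is why steps 1020 and 1135 recompute both.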
In addition to IP address allocation, the present invention also provides a method for performing client-based domain name service (DNS), so that each connected client computer system can have a domain name associated with its dynamically assigned IP address. The mapping between an IP address and its associated domain name is performed by the communication software running on the client computer system.
To resolve domain names in a "non-virtual" domain, a DNS system generally comprises two major parts: a DNS server and a domain name resolver (DNR). The preferred embodiment works in cooperation with the DNR part. For operating system software such as the Windows operating system, the DNR part is designed as an open architecture that allows domain name service providers to be plugged in. By providing such a domain name service provider, the client communication software hosts its own domain name service on the virtual network.
Figure 12 is a flow chart of a process for handling a DNS domain name request initiated on the client computer system. Process 1200, executed by the communication software on the client computer system, provides domain name service for the virtual network. Process 1200 begins with test step 1205, which determines whether the name space of the requested domain name is defined for the virtual network.
When the domain name request matches the name space pattern defined for the virtual network, step 1210 is performed and the dynamically assigned IP address is returned directly to the client computer system, without contacting any DNS server. In other words, domain name resolution is completed entirely on the client device.
When the domain name request does not match the name space pattern defined for the virtual network, step 1215 is performed and the request is forwarded to the default DNR. In this way, an additional name space is established to supplement the conventional DNS name space.
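Process 1200 as a pluggable client-side name service, an added example that is not code from the patent. The name space pattern (a glob such as "*.vnet.example"), the local table of assigned addresses and the forwarding callback standing in for the default DNR are all assumptions of this example.

```python
import fnmatch
from typing import Callable, Optional, Tuple

class VirtualNameService:
    """Constructed client-side name service for the virtual network. Names in
    the virtual name space are answered from the local table of dynamically
    assigned addresses; every other name goes to the default resolver."""

    def __init__(self, pattern: str, forward: Callable[[str], Optional[str]]):
        self.pattern = pattern.lower()  # assumed glob for the virtual name space
        self.forward = forward          # stands in for the default DNR (step 1215)
        self.table = {}                 # normalised name -> dynamically assigned IP

    @staticmethod
    def _norm(name: str) -> str:
        # DNS names are case-insensitive; drop a trailing root dot
        return name.rstrip(".").lower()

    def register(self, name: str, ip: str) -> None:
        """Record the address assigned to a connected client under its name."""
        self.table[self._norm(name)] = ip

    def resolve(self, name: str) -> Tuple[str, Optional[str]]:
        """Return (path, ip); path is 'local' for step 1210, 'forwarded' for 1215."""
        n = self._norm(name)
        if fnmatch.fnmatchcase(n, self.pattern):  # step 1205: virtual name space?
            return "local", self.table.get(n)       # step 1210: no DNS server contacted
        return "forwarded", self.forward(name)      # step 1215: default DNR
```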
One preferred implementation of the present invention is a routine in the operating system, consisting of program steps or instructions that reside in the RAM of the computer system during computer operation. The program instructions may be stored on another computer-readable storage medium until the computer system needs them, for example on a disk drive or in removable storage, such as a CD for input to a CD-ROM computer or a floppy disk for input to a floppy-disk computer. In addition, the program instructions may be stored in the memory of another computer before the system of the present invention uses them, and may be distributed over a LAN or a WAN such as the Internet when required by a user of the present invention. One of ordinary skill in the art will appreciate that the control process of the present invention can be distributed in computer-readable media of various forms.
The present invention has been described with reference to its specific embodiments. However, these embodiments of the invention are illustrative rather than restrictive, and its scope is determined only by the appended claims.

Claims (26)

1. A network system comprising:
a global area network connected to one or more virtual network hosting servers;
a first computing system connected to said one or more servers through a first firewall; and
a second computing system connected to said one or more servers through a second firewall,
wherein a virtual network comprising said computing systems is formed such that said computing systems communicate with each other through a direct logical connection.
2. The network system of claim 1, wherein said virtual network uses a physical layer connection between said one or more servers and each computing system.
3. The network system of claim 2, wherein said physical layer connection is established with an HTTP connect command.
4. The network system of claim 1, wherein said physical layer connection comprises a connection to a virtual network object formed in said server.
5. A communication system using a global area network having a virtual network hosting server, comprising:
a plurality of computing systems connected to the virtual network hosting server through the global area network; and
a plurality of firewalls, one for each computing system, for filtering network communication between the computing system and the global area network,
wherein a virtual network comprising said computing systems is formed such that said computing systems communicate with each other through a direct logical connection.
6. A method of forming a virtual network, the method comprising:
a) establishing a physical connection, through a first firewall, between a first computing system and a virtual network hosting server connected to a global area network;
b) establishing a physical connection, through a second firewall, between a second computing system and said virtual network hosting server; and
c) establishing a logical connection between said computing systems to form the virtual network.
7. The method of claim 6, wherein one of said establishing steps a) and b) comprises:
d) sending a TCP connection request from said computing system to said server;
e) responding to said TCP connection request from said server to said computing system;
f) exchanging connection handshake data from said computing system with said server;
g) exchanging connection handshake data from said server with said computing system; and
h) exchanging data between said computing system and said server.
8. The method of claim 6, further comprising an HTTP proxy server connected in front of said first firewall of said first computing system, wherein said establishing step a) comprises:
d) sending a proxy connection request from said first computing system to said proxy server;
e) sending a TCP connection request from said proxy server to said server;
f) responding to said TCP connection request from said server to said proxy server;
g) responding to said TCP connection request from said proxy server to said first computing system;
h) exchanging connection handshake data from said computing system with said server via said proxy server;
i) exchanging connection handshake data from said server with said computing system via said proxy server; and
j) exchanging data between said computing system and said server via said proxy server.
9. A computer program product comprising a computer-readable medium carrying program instructions which, when executed, operate a method of forming a virtual network using two or more computing systems connected to a global area network through firewalls, the method comprising:
a) establishing a physical connection, through a first firewall, between a first computing system and a virtual network hosting server connected to the global area network;
b) establishing a physical connection, through a second firewall, between a second computing system and said virtual network hosting server; and
c) establishing a logical connection between said computing systems to form the virtual network.
10. A virtual network communication system for a first computer system connected to a global area network, comprising:
a network application operating with a processor of the first computer system, said network application being connected to a network API;
a network interface card operating with said processor, for exchanging communication protocol signals between the global area network and a network subsystem, said network subsystem being connected to said network API;
a virtual network client runtime operating with the processor of said first computer system, said network client runtime being connected to said network API; and
a virtual network adapter operating with said processor, connected to said runtime and said network subsystem.
11. The virtual network communication system of claim 10, wherein said virtual network adapter is created dynamically during operation of the first computer system.
12. The virtual network communication system of claim 11, wherein said virtual network adapter is assigned its own physical adapter address.
13. The virtual network communication system of claim 11, wherein said virtual network adapter is statically configured with a pseudo physical address.
14. The virtual network communication system of claim 13, wherein said virtual network adapter has an address matching the address of a second virtual network adapter of a second computer system, the second computer system being logically connected to the virtual network adapter of said first computer system through a virtual network hosting server.
15. The virtual network communication system of claim 14, wherein the first computer system comprises a modified address resolution protocol (ARP) process.
16. The virtual network communication system of claim 15, wherein said modified address resolution protocol process returns one of said pseudo physical address and a dynamically assigned physical address, depending on the source of the ARP request for the physical address of the first computer system.
17. An ARP request-reply process for a virtual network adapter provided in a first computer system, the method comprising:
a) when the ARP request is sent from the first computer system, responding to the ARP request with the pseudo physical address of the virtual network adapter; and
b) when the ARP request is not sent from the first computer system, responding to the ARP request with the dynamically assigned physical address of the virtual network adapter.
18. A network system comprising:
a global area network connected to one or more virtual network hosting servers; and
a first computing system connected to said one or more servers through a first firewall,
wherein a virtual network comprising said first computing system is formed with a second computing system connected to said one or more servers through a second firewall, such that said computing systems communicate with each other through a direct logical connection.
19. A method of forming a virtual network, the method comprising:
a) establishing a physical connection, through a first firewall, between a first computing system and a virtual network hosting server connected to a global area network; and
b) communicating with a second computing system physically connected to said virtual network hosting server through a second firewall,
wherein said communicating step comprises communicating through a direct logical connection between said computing systems.
20. A method of forming a virtual network, the method comprising:
a) establishing a physical connection between a virtual network hosting server connected to a global area network and each of a plurality of computing systems separated from said global area network by a plurality of firewalls, each of said plurality of firewalls being associated with a corresponding one of said plurality of computing systems; and
b) communicating between each computing system of said plurality of computing systems using a direct logical connection between them, thereby forming a virtual network of said plurality of computing systems.
21. A subnet localization method for each computing system of a plurality of computing systems, each computing system being physically connected through a firewall to a virtual network hosting server and having a virtual network adapter, the plurality of computing systems and the virtual network hosting server having direct logical connections between the computing systems, the method comprising:
a) configuring TCP/IP settings for each virtual adapter other than one or more virtual adapters having a conflict, each virtual adapter comprising a combination of a common network ID and a host ID part;
b) for each of said one or more virtual adapters having a conflict, configuring TCP/IP settings comprising a combination of a replacement network ID and a host ID part; and
c) performing address translation on IP packets transmitted through said connected virtual adapters,
wherein all of the computing systems are logically connected together in the virtual network.
22. The subnet localization method of claim 21, wherein said address translation step c) for an IP packet entering one of the virtual adapters comprises:
c1) testing whether the network ID in the source address portion of the IP packet matches the network ID of said virtual adapter;
c2) when said test step c1) is false, changing said network ID in said source address portion to match said network ID of said virtual adapter;
c3) when said test step c1) is false, updating the packet checksum of said IP packet; and
c4) when said test step c1) is false, creating a mapping entry based on the source IP and the source port.
23. The subnet localization method of claim 21, wherein said address translation step c) for an IP packet entering one of said virtual adapters comprises:
c1) testing whether the network ID in the destination address portion of the IP packet matches the network ID of the virtual adapter;
c2) when said test step c1) is false, changing said network ID in said destination address portion to match said network ID of said virtual adapter; and
c3) when said test step c1) is false, updating the packet checksum of the IP packet.
24. The subnet localization method of claim 21, wherein said address translation step c) for an IP packet sent from one of the virtual adapters comprises:
c1) testing whether a mapping entry exists for the destination address and destination port;
c2) when test step c1) is true, testing whether the network ID in the source address portion of the IP packet matches the network ID of said virtual adapter;
c3) when said test step c1) is true and said test step c2) is false, changing said network ID in said source address portion to match the network ID of said mapping entry; and
c4) when said test step c1) is true and said test step c2) is false, updating the packet checksum of the IP packet.
25. The subnet localization method of claim 21, wherein said address translation step c) for an IP packet sent from one of the virtual adapters comprises:
c1) testing whether a mapping entry exists for the destination address and destination port;
c2) when test step c1) is true, testing whether the network ID in the destination address portion of the IP packet matches the network ID of the virtual adapter;
c3) when said test step c1) is true and said test step c2) is false, changing said network ID in said destination address portion to match the network ID of said mapping entry; and
c4) when said test step c1) is true and said test step c2) is false, updating the packet checksum of the IP packet.
26. A domain name service handling method for a computer system in a virtual network, the computer system having a virtual adapter, the method comprising:
a) testing whether the name space of a domain name request of the computer system is defined on the computer system for said virtual network;
b) when test step a) is true, returning a dynamically assigned IP address of said virtual adapter in response to said domain name request; and
c) when test step a) is false, forwarding said domain name request to a default domain name resolver of the computer system.

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
US41939402P 2002-10-18 2002-10-18
US60/419,394 2002-10-18
US10/653,638 2003-09-02

Publications (1)

Publication Number Publication Date
CN1754161A true CN1754161A (en) 2006-03-29

Family

ID=36680292

Family Applications (1)

Application Number Title Priority Date Filing Date
CN 200380103257 Pending CN1754161A (en) 2002-10-18 2003-10-17 Apparatus, method, and computer program product for building virtual networks

Country Status (1)

Country Link
CN (1) CN1754161A (en)

Cited By (26)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
CN103563333A (en) * 2011-06-01 2014-02-05 英特尔公司 Circuitry to maintain correlation between sets of addresses
CN102857475A (en) * 2011-06-29 2013-01-02 上海地面通信息网络有限公司 Firewall virtualization processing system
US11503105B2 (en) 2014-12-08 2022-11-15 Umbra Technologies Ltd. System and method for content retrieval from remote network regions
US11711346B2 (en) 2015-01-06 2023-07-25 Umbra Technologies Ltd. System and method for neutral application programming interface
US11881964B2 (en) 2015-01-28 2024-01-23 Umbra Technologies Ltd. System and method for a global virtual network
US11240064B2 (en) 2015-01-28 2022-02-01 Umbra Technologies Ltd. System and method for a global virtual network
CN107873128A (en) * 2015-04-07 2018-04-03 安博科技有限公司 Multiple barrier fire wall beyond the clouds
US11750419B2 (en) 2015-04-07 2023-09-05 Umbra Technologies Ltd. Systems and methods for providing a global virtual network (GVN)
CN107873128B (en) * 2015-04-07 2021-06-25 安博科技有限公司 Multi-boundary firewall at cloud
CN113381994A (en) * 2015-04-07 2021-09-10 安博科技有限公司 Multi-boundary firewall at cloud
US11799687B2 (en) 2015-04-07 2023-10-24 Umbra Technologies Ltd. System and method for virtual interfaces and advanced smart routing in a global virtual network
US11271778B2 (en) 2015-04-07 2022-03-08 Umbra Technologies Ltd. Multi-perimeter firewall in the cloud
CN113381994B (en) * 2015-04-07 2023-05-02 安博科技有限公司 Multi-boundary firewall in cloud
US11418366B2 (en) 2015-04-07 2022-08-16 Umbra Technologies Ltd. Systems and methods for providing a global virtual network (GVN)
CN112583744A (en) * 2015-06-11 2021-03-30 安博科技有限公司 System and method for network tapestry multiprotocol integration
US11558347B2 (en) 2015-06-11 2023-01-17 Umbra Technologies Ltd. System and method for network tapestry multiprotocol integration
US10574570B2 (en) 2015-08-20 2020-02-25 Beijing Baidu Netcom Science And Technology Co., Ltd. Communication processing method and apparatus
WO2017028398A1 (en) * 2015-08-20 2017-02-23 北京百度网讯科技有限公司 Communication processing method and device
US11681665B2 (en) 2015-12-11 2023-06-20 Umbra Technologies Ltd. System and method for information slingshot over a network tapestry and granularity of a tick
CN109074288B (en) * 2016-03-15 2022-04-26 诺基亚通信公司 Conflict resolution in network virtualization scenarios
CN109074288A (en) * 2016-03-15 2018-12-21 诺基亚通信公司 Conflict solving in network virtualization scene
US11630811B2 (en) 2016-04-26 2023-04-18 Umbra Technologies Ltd. Network Slinghop via tapestry slingshot
US11743332B2 (en) 2016-04-26 2023-08-29 Umbra Technologies Ltd. Systems and methods for routing data to a parallel file system
US11789910B2 (en) 2016-04-26 2023-10-17 Umbra Technologies Ltd. Data beacon pulser(s) powered by information slingshot
CN112866074B (en) * 2019-11-28 2022-04-29 烽火通信科技股份有限公司 Virtual network connection method and virtual network system
CN112866074A (en) * 2019-11-28 2021-05-28 烽火通信科技股份有限公司 Virtual network connection method and virtual network system

Legal Events

Date Code Title Description
C06 Publication
PB01 Publication
C10 Entry into substantive examination
SE01 Entry into force of request for substantive examination
C02 Deemed withdrawal of patent application after publication (patent law 2001)
WD01 Invention patent application deemed withdrawn after publication