EP1129560A1 - Servernetzwerkszugangsweiterleitungsvorrichtung - Google Patents

Servernetzwerkszugangsweiterleitungsvorrichtung (relay device for access to a server network)

Info

Publication number
EP1129560A1
Authority
EP
European Patent Office
Prior art keywords
machine
network
application
server
address
Prior art date
Legal status
Withdrawn
Application number
EP00960821A
Other languages
English (en)
French (fr)
Inventor
Jean-Yves Dujonc
René Martin
Current Assignee
Bull SA
Original Assignee
Bull SA
Priority date
1999-09-16
Filing date
2000-09-07
Publication date
2001-09-05
2000-09-07 Application filed by Bull SA
2001-09-05 Publication of EP1129560A1
2006-12-16 Application withdrawn (current legal status)

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming

Definitions

  • Computer networks allow the execution of applications distributed over remote machines connected to the same network, or to different networks interconnected by means of interconnection machines.
  • A transaction between remote machines is initiated by a client application, which sends a request message to a server application that is waiting for requests.
  • The client application then waits for a response message to its request.
  • The server application prepares a response message, which it sends to the client application.
  • A network layer conveys each message, in the form of a datagram, from the machine hosting the sending application to the machine hosting the receiving application.
  • A transport layer conveys the message between the sending application and the network layer, and then between the network layer and the receiving application, for example from a client application to a server application.
  • An application layer concerns the execution of the application in its own environment.
  • Routing protocols of the network layer route the datagrams from the sending machine to an interconnection machine, and from the interconnection machine to the receiving machine, using inter-network protocol addresses such as IP addresses.
  • In an interconnection machine that only routes, the datagrams remain at the network layer.
  • The network between the client machine and the interconnection machine is called the client network.
  • The network between the server machine and the interconnection machine is called the server network.
  • The technical field of the invention is more particularly an interconnection machine hosting a relay application (a proxy).
  • A relay application is useful for processing the messages exchanged between the client network and the server network.
  • Datagrams addressed to the final receiving machine are not naturally passed up to the application layer of the interconnection machine.
  • In the usual arrangement, the sending application therefore sends its messages to the relay application of the interconnection machine instead of sending them directly to the final receiving application, and indicates in its messages to the relay application which final application they are intended for, so that the relay application can redirect them after applying its processing.
  • The object of the invention is to let a client application establish a connection to a server application exactly as it would without a relay application, so that the use of the relay application's services is transparent to the client application.
  • A first object of the invention is an interconnection machine connected to a client network by a first physical interface and to a server network by a second physical interface, characterised in that at least one inter-network protocol address of a server machine connected to the server network is associated with the first physical interface, and in that it comprises a first relay application for receiving, from the client network, datagrams intended for the server machine and for transmitting, on the server network, datagrams destined for the server machine.
  • The interconnection machine is then recognised by its own network layer as the destination machine of such a datagram.
  • The network layer of the interconnection machine passes the datagram up to its application layer simply by following the established protocol. On receiving the datagram, the relay application can process it and then retransmit it, or not, to the server machine. This is completely transparent to the client application.
  • A variant of the invention is an interconnection machine connected to a client network by a first physical interface and to a server network by a second physical interface, characterised in that at least one inter-network protocol address of a server machine connected to the server network is associated with a third physical interface, distinct from the first and second physical interfaces, and in that it comprises a first relay application for receiving, from the client network, datagrams intended for the server machine and for transmitting datagrams to the server machine on the server network.
  • For a datagram to be passed up to the application layer of the interconnection machine, the network-layer protocol does not require the destination address to be assigned to the first physical interface that receives the datagram; it only requires that the address be assigned to some physical interface of the interconnection machine.
  • Said server machine address is associated with the first physical interface as an alias of the base address of the interconnection machine on the client network.
  • A second object of the invention is a method for processing, by means of a relay application executed in an interconnection machine between a client network and a server network, datagrams transmitted on the client network by a client application and addressed to a server machine having an address on the server network, characterised in that it comprises a first step that associates said server-network address with a physical interface of the interconnection machine that is not connected to the server network, so that the relay application picks up said datagrams.
  • This has the advantage that said client application needs neither configuration nor any indication that a relay application processes its datagrams: the client application continues to send its datagrams using the address of the server machine.
  • The network protocol causes the datagram to go up naturally towards the application layer of the interconnection machine, allowing the relay application to pick it up.
  • The method may further be characterised in that the first step is preceded by a second step that routes the datagrams transmitted over the client network to the server machine via the interconnection machine. This is the case, for example, when the interconnection machine between the client network and the server network is not the only one.
  • FIG. 1 shows an example of an interconnection machine with two physical interfaces.
  • FIG. 2 shows an example of a datagram.
  • FIG. 3 shows an example of an interconnection machine with three physical interfaces.
  • In FIG. 1 are represented server machines 1, 2 and client machines 11, 12.
  • The machines 1, 2, 11 are connected to a server network 3 by means of respective physical interfaces 7, 8, 17.
  • A client machine 12 is connected to a client network 13 by means of a physical interface 18.
  • Networks 3 and 13 are physically distinct.
  • An interconnection machine 4 is connected to the server network 3 by means of a physical interface 14 and to the network 13 by means of a physical interface 19.
  • The machine 12 is identified by an address @C2 whose network field identifies the network 13 and whose machine field identifies the machine 12 on the network 13.
  • The machine 4 is identified by an address @P1, whose network field identifies the network 13 and whose machine field identifies the machine 4 on the network 13, and by an address @P2, whose network field identifies the network 3 and whose machine field identifies the machine 4 on the network 3.
  • FIG. 2 shows an example of a datagram.
  • This datagram, a frame of successive bits, is structured essentially in three successive fields.
  • A first field, marked DR, is intended for the protocol of the network layer.
  • A second field, marked DT, is intended for the protocol of the transport layer, which sits above the network layer.
  • A third field, marked DA, is intended for the application layer, which sits above the transport layer.
  • In the IP example, the DR field contains the source and destination IP addresses.
  • The DT field contains the source and destination TCP port numbers.
  • The DA field contains the HTTP data.
  • In what follows, CR, CT and CA denote the network, transport and application layers of a machine, matching the DR, DT and DA fields of the datagram.
  • When a client application 15 executed in the client machine 11 requests access to a file handled by a server application 5 located in the server machine 1, the application 15 transmits its request to the CT layer of the machine 11, which writes the request in the DA field and writes in the DT field a service port number for the application 15 and a service port number for the application 5.
  • The CT layer of the machine 11 transmits the fields DT and DA to the CR layer of the machine 11, which writes in the field DR the address @C1 of the machine 11 and the address @S1 of the machine 1.
  • The CR layer then transmits the datagram thus constituted to the interface 17, and the datagram arrives on the interface 7 of the machine 1.
  • The CR layer of the machine 1 recognises by the address @S1 that the datagram is intended for the upper layers of the machine 1 and passes the fields DT and DA to the CT layer of machine 1. Using the service port number of application 5, the CT layer forwards the DA field to application 5, which processes the request.
  • When an application 16 executed in the client machine 12 requests access to a file handled by the application 5 located in the server machine 1, the application 16 transmits its request to the CT layer of the machine 12, which writes the request in the DA field and writes in the DT field a service port number for the application 16 and a service port number for the application 5.
  • The CT layer of the machine 12 transmits the fields DT and DA to the CR layer of the machine 12, which writes in the field DR the address @C2 of the machine 12 and the address @S1 of the machine 1.
  • The CR layer then transmits the datagram thus formed to the interface 18, and the datagram arrives on the interface 19 of the machine 4, which is declared as a router between the networks 13 and 3.
  • The CR layer of the machine 4 recognises that the datagram is not intended for the upper layers of the machine 4.
  • The CR layer of the machine 4 searches its routing tables for an entry whose value matches the network field of the address @S1. The entry found designates the interface 14 as the one giving access to the network 3.
  • The CR layer of the machine 4 then retransmits the datagram on the network 3 through the interface 14, so that the datagram arrives on the interface 7 of machine 1.
  • The CR layer of machine 1 recognises by the address @S1 that the datagram is intended for the upper layers of machine 1 and passes the fields DT and DA to the CT layer of machine 1.
  • The CT layer passes the DA field to application 5, which processes the request.
  • The machine 4 comprises an application 22 that acts as a relay (proxy server) for requests coming from the network 13.
  • The application 22 has several advantages: for example, it can perform access control to the machines 1, 2, 11 connected to the server network 3, and it can keep responses to previous requests in a cache memory, so as to return these responses to new identical requests without routing them to the server machines 1, 2.
  • The application 22 has an input port 9 whose number is identical to that of the input port of the application 5, and an output port 10 to which it can assign a number of its choosing in order to manage the request messages it sends on to application 5.
  • The machine 12 does not need to know that it actually establishes a connection with the machine 4. If an application 16 executed in the client machine 12 makes a request intended for the application 5 located in the server machine 1, the address @S1 is now recognised on the network 13 as being that of the machine 4.
  • The application 16 sends a datagram Q on the network 13 that contains, in the field DR, the addresses @S1 and @C2; in the field DT, the port numbers of the applications 5 and 16; and, in the field DA, the final information intended for application 5.
  • The network layer CR of the machine 4 recognises the destination address @S1 in the field DR as one of its own addresses and therefore passes the datagram up to the transport layer CT of the machine 4.
  • The transport layer CT recognises the destination port number in the field DT as the number of port 9 of the application 22, to which it then delivers the content of the datagram Q.
  • The application 22 then processes the content of the field DA of the datagram Q.
  • The processing of the datagram Q by the application 22 consists, for example, of verifying access rights and of checking whether the machine 4 already holds a response to the request in its cache memory, in order to decide whether or not to pass the request of datagram Q on to the server application 5.
  • When, to handle the request message from the client application 16, the application 22 needs to send a request message to the application 5, the application 22 hands the following data to the transport layer CT of the machine 4: the content of the request, to be placed in the field DA; the input port number of the application 5; an output port number of the application 22, used to manage the response to the request; and the inter-network protocol address @S1 of the machine 1.
  • These data are transmitted to the network layer CR of the machine 4.
  • The network layer CR of the machine 4 searches its routing tables for the network on which to send the datagram, according to the network field of the address @S1.
  • The network field of the address @S1 corresponding to the network 3, to which the machine 1 is connected, the layer CR hands to the physical interface 14 a datagram containing, in the field DR, the destination address @S1 and the source address @P2 associated with the physical interface 14.
  • The datagram conventionally reaches the machine 1 and the server application 5 in the machine 1.
  • The response from the application 5, received on the interface 14, is passed back up to the application 22: by the network layer, because the address @P2 is an address of the machine 4, and by the transport layer CT, because the destination port number of the response is the one that the application 22 assigned to its output port 10.
  • The application 22 matches the response with the output port number it received from the application 16.
  • The application 22 hands the following data to the transport layer CT of the machine 4: the content of the response, to be placed in the field DA; the output port number of the application 16; the input port number of the application 22, which is identical to the input port number of the application 5, as source port of the response; the destination inter-network protocol address @C2 of the machine 12; and the source inter-network protocol address @S1 of the machine 1.
  • These data are transmitted by the transport layer to the network layer CR of the machine 4.
  • The network layer CR of the machine 4 searches its routing tables for the network on which to send the datagram, according to the network field of the address @C2.
  • The network field of the address @C2 corresponding to the network 13, to which the machine 12 is connected, the layer CR hands to the physical interface 19 a datagram containing, in the field DR, the destination address @C2 and the source address @S1, which is associated with the physical interface 19.
  • The datagram conventionally reaches the machine 12 and the client application 16 in the machine 12.
  • The application 16 in the machine 12 thus sees a response coming from the application 5 in the machine 1 without seeing its transit through the application 22; the relay is transparent to the client application 16.
  • In the variant of FIG. 3, the address @S1 is associated with a physical interface 20 that is distinct both from the interface 14 and from the interface 19.
  • The network layer CR of the machine 4 receives the datagram on the interface 19, with which the address @P1 is associated.
  • Since the address @S1 associated with the physical interface 20 is an address of the machine 4, the datagram is passed up to the application layer CA of the machine 4.
  • A relay application 21 processes the request message of the received datagram in the same way as the relay application 22 described above.
  • The relay application 22 has a specific driver for a virtual network to which the physical interface 20 is connected.
  • Associating the IP address @S1 directly with the interface 19, as in FIG. 1, is particularly advantageous for ease of implementation of the invention.
  • In a worked example, application 16 performs a Telnet function as the client application.
  • Application 22 performs a telnetd function as the server of application 16, and a Telnet function as a client of application 5.
  • Application 5 performs a telnetd function as the server of application 22. Telnet and telnetd are well-known functions that use TCP/IP to connect a terminal on a client machine, where the Telnet function runs, to a server machine, where the telnetd function runs.
  • The command route add -host 192.90.249.124 129.182.51.21 specifies that, to reach the server machine 1 of address @S1, the transmitted datagrams go through the relay machine at address @P1 (the gateway @P1 lies on network 13, so this route is installed on the client network side, for example on machine 12).
  • The command route add -net 129.182.50 192.90.249.22 -netmask 255.255.254.0 specifies that, to reach any machine of the network 13 (network address @R1), the transmitted datagrams go through the relay machine at address @P2 (the gateway @P2 lies on network 3, so this route is installed on the server network side, for example on machine 1).
  • Before @S1 is aliased on machine 4, the command Telnet 192.90.249.124 activates the Telnet application to reach the server machine 1 with address @S1.
  • At this stage the only machine identified by the IP address @S1 is the server machine 1.
  • The IP layer of machine 4 routes the datagrams transmitted by the IP layer of machine 12 to the IP layer of server machine 1.
  • The IP layer of machine 1, recognising the address @S1, passes the application field of the datagram up to the telnetd application of machine 1.
  • The telnetd application of machine 1 sends back to machine 12 the message:
  • The display of this message on the terminal of machine 12 shows that the terminal is in the environment of the DNS system, that is to say that machine 1 has been reached directly.
  • The relay machine 4 has been traversed only to perform IP routing.
  • The command Telnet 129.182.51.21 activates the Telnet application to reach the relay machine 4 with address @P1.
  • The IP layer of machine 4, recognising the address @P1, passes the application field of the datagram up to the telnetd application of machine 4.
  • The telnetd application of machine 4 sends back to machine 12 the message:
  • Interface 19 being named en1,
  • the command ifconfig en1 192.90.249.124 alias defines the address @S1 as an additional address associated with interface 19.
  • Machine 4 cannot be confused with machine 1 on network 13 at the IP layer, because network 13 is physically distinct from network 3, on which machine 1 holds @S1.
  • Likewise, the command ifconfig en1 192.90.249.125 alias would define the address @S2 as an additional address associated with interface 19.
  • The command Telnet 192.90.249.124 now activates the Telnet application with an effect different from that described above.
  • The message displayed on the terminal of machine 12 is: Trying ... Connected to 129.182.51.21.
  • The display of this message on the terminal of machine 12 shows that the terminal is in the environment of the AIX system of machine 4.
  • The command has made a connection to the telnetd application of machine 4.
  • The IP layer of machine 4 recognises the address @S1 as a destination address belonging to machine 4 itself, regardless of the route to network 3.
  • The IP layer of machine 4 passes the application field of the datagrams received on interface 19 up to the telnetd application of machine 4.
  • From machine 4, the command Telnet 192.90.249.124 activates the Telnet application to reach the server machine 1 with address @S1.
  • Seen from the interface 14, the only machine identified by the IP address @S1 is the server machine 1.
  • The IP layer of machine 1, recognising the address @S1, passes the application field of the datagrams up to the telnetd application of machine 1.
  • The telnetd application of machine 1 sends back to the Telnet application of machine 4 the message: Trying ...
  • This message is retransmitted by the telnetd application of machine 4 to the Telnet application of machine 12.
  • The display of this message on the terminal of machine 12 shows that the terminal is in the environment of the DNS system, that is to say that machine 1 has been reached.
  • The application field of the datagrams has been passed up to the application layer of the relay machine 4 in a manner transparent to machine 12.
  • The datagrams destined for machine 1, passing through the IP layer of machine 4, are reassembled in the application layer of machine 4 because the address @S1 is associated with a physical interface of machine 4.
  • A particular processing by the application 22 has a specific advantage.
  • When encryption keys are associated with the address @S1 to encrypt the requests from, and the responses to, the machine 12, the decryption of the requests and the encryption of the responses can be performed by the machine 4.
  • The data can then flow in clear on the server network 3 without risk, on the assumption that the server network is a trusted segment; the encryption and decryption resources are thus centralised in machine 4, leaving machine 1 the maximum of its resources for its server functions.
  • The application 22 is also responsible for re-encrypting the responses before sending them on the network 13.
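The decision the network layer of machine 4 makes, before and after the alias, is the whole mechanism of the invention. The following is an added example, not code from the patent, that models that decision in plain Python: a host owns a set of addresses per interface and a routing table, and a datagram is either delivered locally (when some interface of the host holds the destination address) or forwarded. The addresses follow the page's Telnet walkthrough (@S1 = 192.90.249.124, @P1 = 129.182.51.21 on interface en1, @P2 = 192.90.249.22, client network 129.182.50.0/23 from the route command); the interface name en0 for interface 14, the /24 mask of network 3 and the client address 129.182.50.10 are assumptions. The model follows the page in deciding on the destination address alone and does not cover what the same stack does when machine 4 itself sends to @S1; the page states that the outbound Telnet from machine 4 reaches machine 1 through interface 14, and its FIG. 3 variant with a separate interface 20 is one way to keep the two cases apart.

```python
# Added example (not the patent's code): model of the network-layer
# decision of interconnection machine 4 before and after the server
# address @S1 is aliased onto the client-side interface en1 (interface 19).
# en0 for interface 14, the /24 mask of network 3 and the client address
# C2 are assumptions; the other values come from the page's walkthrough.
import ipaddress
from dataclasses import dataclass, field

S1 = "192.90.249.124"   # server machine 1
P1 = "129.182.51.21"    # machine 4 on client network 13 (en1)
P2 = "192.90.249.22"    # machine 4 on server network 3 (en0, name assumed)
C2 = "129.182.50.10"    # constructed address for client machine 12


@dataclass
class Host:
    name: str
    interfaces: dict = field(default_factory=dict)  # iface -> [addresses]
    routes: list = field(default_factory=list)      # (network, gateway, iface)

    def add_alias(self, iface: str, addr: str) -> None:
        """What `ifconfig en1 192.90.249.124 alias` does on machine 4."""
        self.interfaces.setdefault(iface, []).append(addr)

    def add_route(self, network: str, gateway, iface: str) -> None:
        """What `route add -net ...` does; kept sorted for longest-prefix match."""
        self.routes.append((ipaddress.ip_network(network), gateway, iface))
        self.routes.sort(key=lambda r: r[0].prefixlen, reverse=True)

    def owns(self, addr: str) -> bool:
        """True if any physical interface of this host holds addr."""
        return any(addr in addrs for addrs in self.interfaces.values())

    def classify(self, dst: str):
        """Network-layer decision for a datagram addressed to dst.

        ('local',) means the datagram is passed up to the transport and
        application layers of this host; ('forward', iface, gateway) means
        it is routed out of iface (gateway None = directly attached network).
        """
        if self.owns(dst):
            return ("local",)
        ip = ipaddress.ip_address(dst)
        for net, gw, iface in self.routes:
            if ip in net:
                return ("forward", iface, gw)
        raise LookupError(f"{self.name}: no route to {dst}")


def build_machine4() -> Host:
    """Machine 4 as a plain router: one base address per interface."""
    m = Host("machine4", interfaces={"en0": [P2], "en1": [P1]})
    m.add_route("192.90.249.0/24", None, "en0")  # server network 3 (mask assumed)
    m.add_route("129.182.50.0/23", None, "en1")  # client network 13
    return m


def walkthrough():
    """Returns the three decisions the page describes, in order."""
    m = build_machine4()
    before = m.classify(S1)      # plain router: forwarded on en0 (interface 14)
    m.add_alias("en1", S1)       # the invention: @S1 also held by interface 19
    after = m.classify(S1)       # now delivered to machine 4's own application layer
    unchanged = m.classify(C2)   # responses towards the client network still routed
    return before, after, unchanged


if __name__ == "__main__":
    for label, decision in zip(("before alias", "after alias", "to client"), walkthrough()):
        print(f"{label}: {decision}")
```

The first call shows the routing-only behaviour of the page's first Telnet (machine 4 is traversed, machine 1 answers); after `add_alias`, the same destination is delivered locally, which is what makes the second Telnet land on machine 4's telnetd. Datagrams for the client network are unaffected by the alias.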
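The relay application 22 described above (access control on the client, a response cache consulted before the server is contacted, a separate output port towards application 5, and a response returned to the client's own port) can be written with ordinary sockets. The block below is an added example, not the patent's code: it runs entirely on the loopback interface so that it works offline. On the real machine 4 the listening socket would be bound to (@S1, port of application 5) once @S1 is aliased onto interface 19, and the upstream socket would be bound to @P2 before connecting to machine 1; here both sides are 127.0.0.1. The wire protocol is a constructed one (one newline-terminated request line answered by one response line), not Telnet or HTTP, and the `Server` class stands in for application 5.

```python
# Added example (not the patent's code): a relay of the kind application 22
# performs, on loopback.  Constructed line protocol; Server stands in for
# server application 5 and counts how many requests actually reached it.
import socket
import threading


def recv_line(sock: socket.socket) -> bytes:
    """Read one newline-terminated message (or whatever arrives before EOF)."""
    buf = b""
    while not buf.endswith(b"\n"):
        chunk = sock.recv(4096)
        if not chunk:
            break
        buf += chunk
    return buf


class Server:
    """Stand-in for server application 5: answers 'OK <request>' and counts hits."""

    def __init__(self):
        self.hits = 0
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.address = self.sock.getsockname()

    def serve_forever(self):
        while True:
            conn, _ = self.sock.accept()
            with conn:
                request = recv_line(conn)
                self.hits += 1
                conn.sendall(b"OK " + request)


class Relay:
    """Transparent relay: access control, then cache, then forward to the server."""

    def __init__(self, upstream, allowed_clients, upstream_source=None):
        self.upstream = upstream                # (address, port) of application 5
        self.allowed = set(allowed_clients)     # client addresses admitted to network 3
        self.upstream_source = upstream_source  # e.g. (P2, 0) on the real machine 4
        self.cache = {}                         # request line -> response line
        self.lock = threading.Lock()
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))        # on machine 4: (S1, port of application 5)
        self.sock.listen(5)
        self.address = self.sock.getsockname()

    def serve_forever(self):
        while True:
            conn, peer = self.sock.accept()
            threading.Thread(target=self.handle, args=(conn, peer), daemon=True).start()

    def handle(self, conn, peer):
        with conn:
            if peer[0] not in self.allowed:      # access control: server never sees this
                conn.sendall(b"403 forbidden\n")
                return
            request = recv_line(conn)
            with self.lock:
                cached = self.cache.get(request)
            if cached is not None:               # cache hit: machine 1 is not contacted
                conn.sendall(cached)
                return
            with socket.socket() as up:          # output port 10 towards application 5
                if self.upstream_source:
                    up.bind(self.upstream_source)
                up.connect(self.upstream)
                up.sendall(request)
                response = recv_line(up)
            with self.lock:
                self.cache[request] = response
            conn.sendall(response)               # back on the client's own connection


def client_request(address, line: bytes) -> bytes:
    """Client application 16: connects to what it believes is the server."""
    with socket.create_connection(address) as s:
        s.sendall(line)
        return recv_line(s)


def demo():
    """Runs the server, an admitting relay and a denying relay; returns what the client saw."""
    server = Server()
    threading.Thread(target=server.serve_forever, daemon=True).start()
    relay = Relay(server.address, allowed_clients={"127.0.0.1"})
    threading.Thread(target=relay.serve_forever, daemon=True).start()
    denying = Relay(server.address, allowed_clients=set())
    threading.Thread(target=denying.serve_forever, daemon=True).start()
    first = client_request(relay.address, b"GET /index\n")      # forwarded to the server
    second = client_request(relay.address, b"GET /index\n")     # answered from the cache
    refused = client_request(denying.address, b"GET /index\n")  # stopped at the relay
    return first, second, refused, server.hits


if __name__ == "__main__":
    print(demo())
```

The client never learns that a relay is involved: it connects to the address it was given and reads a response from that connection. The server's hit count stays at one across the two identical requests, and the refused request produces no upstream connection at all, which is the access-control property the page attributes to application 22.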

Applications Claiming Priority (3)

Application Number Priority Date Filing Date Title
FR9911594 1999-09-16
FR9911594A FR2798795B1 (fr) 1999-09-16 1999-09-16 Relais d'acces a un reseau serveur, transparent sur un reseau client [Access relay to a server network, transparent on a client network]
PCT/FR2000/002469 WO2001020870A1 (fr) 1999-09-16 2000-09-07 Relais d'acces transparent a un reseau serveur [Transparent access relay to a server network]

Publications (1)

Publication Number Publication Date
EP1129560A1 true EP1129560A1 (de) 2001-09-05

Family

ID=9549920

Family Applications (1)

Application Number Title Priority Date Filing Date
EP00960821A Withdrawn EP1129560A1 (de) 1999-09-16 2000-09-07 Servernetzwerkszugangsweiterleitungsvorrichtung [Relay device for access to a server network]

Country Status (4)

Country Link
EP (1) EP1129560A1 (de)
JP (1) JP2003509969A (de)
FR (1) FR2798795B1 (de)
WO (1) WO2001020870A1 (de)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US7552239B2 (en) 2001-05-14 2009-06-23 Canon Information Systems, Inc. Network device mimic support

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US5623601A (en) * 1994-11-18 1997-04-22 Milkway Networks Corporation Apparatus and method for providing a secure gateway for communication and data exchanges between networks
US5898830A (en) * 1996-10-17 1999-04-27 Network Engineering Software Firewall providing enhanced network security and user transparency
JPH1051481A (ja) * 1996-08-05 1998-02-20 Mitsubishi Electric Corp 情報伝送装置 [Information transmission device]
JPH118648A (ja) * 1997-06-17 1999-01-12 Ricoh Co Ltd ネットワーク接続装置 [Network connection device]
JPH11122301A (ja) * 1997-10-20 1999-04-30 Fujitsu Ltd アドレス変換接続装置 [Address translation connection device]
JPH11177629A (ja) * 1997-12-11 1999-07-02 Nippon Telegr & Teleph Corp <Ntt> セキュリティゲートウェイサーバおよび該サーバを用いたwwwサーバurl隠蔽方法とwwwサーバurl隠蔽プログラムを記録した記録媒体 [Security gateway server, WWW server URL hiding method using the server, and recording medium holding a WWW server URL hiding program]

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
None *
See also references of WO0120870A1 *

Also Published As

Publication number Publication date
FR2798795B1 (fr) 2002-05-10
FR2798795A1 (fr) 2001-03-23
JP2003509969A (ja) 2003-03-11
WO2001020870A1 (fr) 2001-03-22

Similar Documents

Publication Publication Date Title
EP1507384B1 (de) Verfahren zum Ausblenden einer Weiterverarbeitung von einer Zugriffsanforderung zu einem Server und entsprechende Vorrichtung [Method for hiding the further processing of an access request to a server, and corresponding device]
EP1166527B1 (de) Mehranwendung-sicherheitsrelais [Multi-application security relay]
US7102996B1 (en) Method and system for scaling network traffic managers
EP1142256B1 (de) Gesichertes endgerät mit chipkartenleser zur kommunikation mit einem server über internet [Secured terminal with smart-card reader for communication with a server over the Internet]
EP1875675B1 (de) Verfahren zur Aufbau mehrerer Verbindungen zwischen einem lokalen Netzwerk und einem entfernten Netzwerk und entsprechender Mehrverbindungsmodem [Method for establishing multiple connections between a local network and a remote network, and corresponding multi-connection modem]
JP2021506144A (ja) アプリケーションに関連付けられたリモートフォワードプロキシへのトラフィックのローカルな傍受 [Local interception of traffic to a remote forward proxy associated with an application]
FR2923969A1 (fr) Procede de gestion de trames dans un reseau global de communication, produit programme d'ordinateur, moyen de stockage et tete de tunnel correspondants [Method for managing frames in a global communication network, and corresponding computer program product, storage medium and tunnel endpoint]
JP2000049867A (ja) インターネットなどの公衆ネットワークに接続された装置とネットワークに接続された装置の間の通信を容易にするシステムおよび方法 [System and method for facilitating communication between a device connected to a public network such as the Internet and a device connected to a network]
FR2906909A1 (fr) Procede, appareil et systeme pour supporter la connexite de reseau ip entre des partitions dans un environnement virtualise [Method, apparatus and system for supporting IP network connectivity between partitions in a virtualised environment]
CN104160680A (zh) 用于透明代理缓存的欺骗技术 [Spoofing technique for transparent proxy caching]
FR2869180A1 (fr) Systeme de communication et dispositif de passerelle [Communication system and gateway device]
FR2984554A1 (fr) Bus logiciel [Software bus]
EP2294798B1 (de) Verfahren und entsprechende vorrichtung zum routen eines datenpackets in einem netzwerk [Method and corresponding device for routing a data packet in a network]
EP1357724A1 (de) Datenfilterungsverwaltungsvorrichtung [Data filtering management device]
EP2807815B1 (de) System und verfahren zur steuerung einer dns-anfrage [System and method for controlling a DNS request]
FR2895621A1 (fr) Procede et passerelle de raccordement d'entites de communication ip par l'intermediaire d'une passerelle residentielle [Method and gateway for connecting IP communication entities through a residential gateway]
EP1129560A1 (de) Servernetzwerkszugangsweiterleitungsvorrichtung [Relay device for access to a server network]
WO2007031654A1 (fr) Procede, passerelle, systeme d'exploitation et systeme de gestion d'entree [Method, gateway, operating system and entry management system]
EP3818442B1 (de) Verwaltung der anwendung einer richtlinie in einer sdn-umgebung eines kommunikationsnetzes [Management of the application of a policy in an SDN environment of a communication network]
FR2787956A1 (fr) Procede d'adressage dans un reseau numerique de telecommunications et serveur de noms et d'adresses mettant en oeuvre un tel procede [Addressing method in a digital telecommunications network, and name and address server implementing such a method]
FR2800224A1 (fr) Procede et systeme de mise en antememoire de donnees http transportees avec des donnees de socks dans des datagrammes ip [Method and system for caching HTTP data transported with SOCKS data in IP datagrams]
EP1432213B1 (de) Vermittlungsplattform und Nachrichtenübermittlungsnetzwerk [Mediation platform and messaging network]
EP1279298B1 (de) System zur überwachung von terminals [System for monitoring terminals]
EP1471713B1 (de) Verfahren und System zur Steuerung des Zugriffs auf Internet-Sites mittels eines Cache-Servers [Method and system for controlling access to Internet sites by means of a cache server]
CN113824808B (zh) 用于使用中间相遇代理的网络地址转换穿透的方法和系统 [Method and system for network address translation traversal using a rendezvous proxy]

Legal Events

Date Code Title Description
PUAI Public reference made under article 153(3) epc to a published international application that has entered the european phase

Free format text: ORIGINAL CODE: 0009012

AK Designated contracting states

Kind code of ref document: A1

Designated state(s): AT BE CH CY DE DK ES FI FR GB GR IE IT LI LU MC NL PT SE

17P Request for examination filed

Effective date: 20010924

RBV Designated contracting states (corrected)

Designated state(s): DE FR GB IT

STAA Information on the status of an ep patent application or granted ep patent

Free format text: STATUS: THE APPLICATION HAS BEEN WITHDRAWN

17Q First examination report despatched

Effective date: 20061129

18W Application withdrawn

Effective date: 20061216