EP1129560A1

EP1129560A1 - Transparent access relay to a server network

Info

Publication number: EP1129560A1
Application number: EP00960821A
Authority: EP
Inventors: Jean-Yves Dujonc; René Martin
Original assignee: Bull SA
Current assignee: Bull SA
Priority date: 1999-09-16
Filing date: 2000-09-07
Publication date: 2001-09-05
Also published as: FR2798795B1; WO2001020870A1; FR2798795A1; JP2003509969A

Abstract

The invention concerns an interconnection machine (4) connected to a client network (13) by a first physical interface (19) and connected to a server network (3) by a second physical interface (14). The interconnection machine (4) comprises a first relay application (22) for receiving datagrams addressed to the server machine (1, 2) from the network (13) and for transmitting on the network (3) datagrams addressed to the server machine (1, 2). An inter-network protocol address (@S1, @S2) of a server machine (1, 2) connected to the server network (3), is associated with the first physical interface (19) so that the datagrams routed to the applicative level in the interconnection machine are transparently available to the proxy on the client network (13).

Description

TRANSPARENT ACCESS RELAYS TO A SERVER NETWORK

The technical field to which the invention relates is that of computer networks. Computer networks allow the execution of applications distributed on remote machines connected to the same network or connected to different networks interconnected by means of interconnection machines.

A transaction between remote machines is initiated by a client application which sends a request message to a server application in standby state. The client application goes into a waiting state for a response message to its request message. On receipt of the request message, the server application prepares a response message which it sends to the client application. A network layer makes it possible to convey each message in the form of a datagram, from the machine that hosts the sending application to the machine that hosts the receiving application. A transport layer makes it possible to convey the message between the sending application and the network layer and then between the network layer and the receiving application, that is to say for example from a client application to a server application. An application layer concerns the execution of the application in its own environment.

When the machines are not physically linked to the same network, network layer routing protocols route the datagrams from the sending machine to an interconnection machine and from the interconnection machine to the receiving machine using protocol addresses. inter-networks such as for example IP addresses. When passing through the interconnection machine, the datagrams remain at the network layer. The network between the client machine and the interconnection machine is called the client network. The network between the server machine and the interconnection machine is called the server network.

The technical field to which the invention relates more particularly relates to an interconnection machine for hosting a relay application (proxy in English). A relay application is useful for processing messages exchanged between the client network and the server network. However, datagrams intended for the final receiving machine are not naturally traced back to the application layer of the interconnection machine. According to the known prior art, the sending application sends its messages to the relay application of the interconnection machine instead of sending them directly to the final receiving application and indicates in its messages to the relay application to which final application its messages are intended so that the relay application can redirect them there according to the processing it applies to them. This is what we find for example in an internet browser (browser in English) where it is possible to declare for a given client application, the address of the interconnection machine for the network layer and the port number of the relay application for the transport layer, so that the browser encapsulates the address of the server machine and the port number of the final destination application in a datagram addressed to the relay application. However, this requires knowing which relay application must pass messages in order to configure the client machine accordingly. The resulting lack of flexibility, while suitable for a limited number of applications, is not satisfactory for a large number of separate applications.

The document RFC1928 available on the internet at http://www.pmg.lcs.mit.edu/cgi- bin / rfc / view? 1928 describes the "SOCKS v5" protocol whose port number used by convention is 1080 In the same way as for the solution known as "TCP protocol Tunneling in Web Proxy Servers", it is necessary to establish a first connection to the relay application, followed by a second connection from the relay machine to the final machine.

To overcome the aforementioned drawbacks, the object of the invention is to allow a client application to simply establish a connection to a server application as it would do without using the services of a relay application, so that the use of relay application services is transparent to the client application.

A first object of the invention is an interconnection machine connected to a client network by means of a first physical interface and connected to a server network by means of a second physical interface, characterized in that at least one address inter-network protocol of a server machine connected to the server network, is associated with the first physical interface, and in that it comprises a first relay application for receiving datagrams intended for the server machine from the client network and for transmitting on the server network of datagrams destined for the server machine. Thus, when a datagram is presented on the first physical interface with the inter-network protocol address of the server machine as the destination address, the interconnection machine is recognized by its network layer as being the destination machine of the datagram. The network layer of the interconnection machine then goes up the datagram to the application layer of the interconnection machine by simply respecting the established protocol. Receiving this datagram, the relay application can process it and then retransmit it or not retransmit it to the server machine. This is completely transparent to the client application.

A variant of the invention relates to an interconnection machine connected to a client network by means of a first physical interface and connected to a server network by means of a second physical interface, characterized in that at least one inter-network protocol address of a server machine connected to the server network, is associated with a third physical interface, distinct from the first physical interface and from the second physical interface and in that it comprises a first relay application for receiving datagrams intended for the server machine from the client network and for transmitting datagrams to the server machine on the server network.

Here, the protocol of the network layer does not require that the destination address be assigned to the first physical interface which receives the datagram but to any physical interface of the interconnection machine, in order to be escalated to the application layer of the interconnection machine.

When the interconnection machine already has a base address on the client network, useful for example for routing protocols, said server machine address is associated with the first physical interface as an address synonymous with the base address of the interconnection machine on the client network.

A second object of the invention is a method for processing, by means of a relay application executed in an interconnection machine between a client network and a server network, datagrams transmitted on the client network by a client application at destination. of a server machine having an address on the server network, characterized in that it comprises a first step which associates said address on the server network with a physical interface of the interconnection machine which is not connected to the server network , so that the relay application picks up said datagrams. This has the advantage of not having to configure or inform said client application so that the relay application can process datagrams. Indeed, the client application continues to send its datagrams using the address of the server machine. When the datagram arrives on the first physical interface of the interconnection machine, the network protocol causes the datagram to go up naturally towards the application layer of the interconnection machine, thus allowing the relay application to pick it up.

In the case where it is necessary to route by the interconnection machine, the 10 datagrams transmitted from the client network to the server network, the method is characterized in that the first step is preceded by a second step to route the datagrams transmitted over the client network to the server machine, to the interconnection machine. This is for example the case when the interconnection machine between the client network and the server network is not unique.

15

Other advantages and details of implementation of the invention appear from the description which follows with reference to the figures in which:

- Figure 1 shows an example of an interconnection machine with two physical interfaces; 0 - Figure 2 shows an example of a datagram;

- Figure 3 shows an example of an interconnection machine with three physical interfaces.

In FIG. 1 are represented server machines 1, 2 and client machines 11, 12. 5 The machines 1, 2, 11, are connected to a server network 3 by means of respective physical interfaces 7, 8, 17. A client machine 12 is connected to a client network 13 by means of a physical interface 18. Networks 3 and 13 are physically distinct. An interconnection machine 4 is connected to the server network 3 by means of a physical interface 14 and to the network 13 by means of a physical interface 19. 0

Applications 5, 6, 15, 16, executed in machines 1, 2, 11, 12, communicate with each other by means of a CT transport layer according to a protocol in unconnected mode such as UDP or in connected mode such as TCP . The transport layer CT supervises a network layer CR according to a protocol such as IP. D In the network layer CR, the machine 1 is recognized by means of an address @ S1, the machine 2 is recognized by means of an address @ S2, the machine 11 is recognized by means of an address @ C1. In known manner, each of the addresses @ S1, @ S2 and @ C1 has a network field with a common value which identifies the network 3 and a machine field with a distinct value which identifies each machine linked to the network 3. The machine 12 is recognized by means of an address @ C2 with a network field value which identifies the network 13 and a machine field value which identifies the machine 12 on the network 13. The machine 4 is recognized by means of an address @ P1 with a network field value which identifies the network 13 and a machine field value which identifies the machine 4 on the network 13 and by means of an address @ P2 with a network field value which identifies the network 3 and a machine field value which identifies machine 4 on network 3.

The machines communicate with each other by means of messages which circulate on the networks in the form of datagrams. Figure 2 shows an example of a datagram. This datagram, consisting of a frame of successive bits, is structured essentially in three successive fields. A first field marked DR is intended for the protocol of the network layer. A second field marked DT is intended for the protocol of the transport layer which supervises the network layer. A third field marked DA is intended for an application layer which supervises the transport layer. In the case of a web request, for example, the DR field contains the source and destination IP addresses, the DT field contains the source and destination TCP port numbers, the DA field contains HTTP data.

For example, if a client application 15 executed in the client machine 11, requests access to a file processed by a server application 5 located in the server machine 1, the application 5 transmits its request to the CT layer of the machine 11 which writes the request in the DA field and which writes in the DT field, a service port number for the application 15 and a service port number for the application 5. The CT layer of the machine 11 transmits the fields DT and DA to the layer CR of the machine 11 which writes in the field DR, the address @ C1 of the machine 11 and the address @ S1 of the machine 1. The layer CR then transmits the datagram thus constituted to the interface 17 which arrives on the interface 7 of the machine 1. The CR layer of the machine 1 recognizes by the address @ S1 that the datagram is intended for the upper layers of the machine 1 and retransmits the fields DT and DA to the CT layer of machine 1. Using the service port number for application 5, the CT layer forwards the DA field to application 5 which processes the request.

If an application 16 executed in the client machine 12, requests access to a file processed by the application 5 located in the server machine 1, the application 16 transmits its request to the CT layer of the machine 12 which 'written in the DA field and which writes in the DT field, a service port number for the application 16 and a service port number for the application 5. The CT layer of the machine 12 transmits the DT fields and DA to the CR layer of the machine 12 which writes in the field DR, the address @ C2 of the machine 12 and the address @ S1 of the machine 1. The CR layer then transmits the datagram thus formed to the interface 18 which arrives on the interface 19 of the machine 4, declared as a router between the networks 13 and 3.

In the absence of a device according to the invention, the address @ S1 not being a destination address of the machine 4, the layer CR of the machine 4 recognizes that the datagram is not intended for the upper layers of the machine 4 The CR layer of the machine 4 then searches in routing tables for a line containing a value identical to the network field of the address @ S1. The line thus found then indicates the interface 14 as being that of access to the network 3. The CR layer of the machine 4 then retransmits the datagram on the network 3 by the interface 14 so that the datagram arrives on the interface 7 of machine 1. The layer CR of machine 1 recognizes by the address @ S1 that the datagram is intended for the upper layers of machine 1 and retransmits the fields DT and DA to the layer CT of machine 1. By means of the service port number for application 5, the CT layer retransmits the DA field to application 5 which processes the request.

With the device according to the invention, the machine 4 comprises an application 22 which acts as a relay (proxy server in English) for requests from the network 13. The application 22 has several advantages, for example it can perform a access control to machines 1, 2, 11 connected to the server network 3, it can save responses to previous requests in a cache memory (cache in English) to restore these responses to new requests without the need to route these new requests to the server machine 1, 2.

Several addresses of the CR layer are associated with the physical interface 19, on the one hand the usual address @ P1 and on the other hand the address @ S1 of the server machine 1 connected to the network 3. It is also possible to associate the address @ S2 of the server machine 2 with the physical interface 19. As appears from the following description, unlike the state of the art where it is the client network which determines the use of the services of the relay application 22, it is here the server network which determines this use for example access to the server 1 by associating the address @ S1 with the physical interface 19 .

The application 22 includes an input port 9 with a number identical to the input port of the application 5 and an output port 10 to which it has the possibility of assigning a number to manage any request messages intended for application 5.

Thanks to this particular device, the machine 12 does not need to know that it establishes an intermediate connection with the machine 4. If an application 16 executed in the client machine 12, makes a request intended for the application 5 located in the server machine 1, the address @ S1 is now recognized on the network 13 as being that of the machine 4.

To make a request intended for the application 5, the application 16 sends a datagram Q on the network 13 which contains in the field CR, the addresses @ S1 and @ C2, in the field transport, the port numbers of the applications 5 and 16, in the CA field, the final information intended for application 5.

When the datagram Q is received on the physical interface 19 of the machine 4, the network layer CR of the machine 4 recognizes the destination address @ S1 in the field DR as being its own address and therefore sends back the datagram towards the transport layer CT of the machine 4. The transport layer CT recognizes the destination number in the field DT as being the port number 9 of the application 22 to which it then transmits the content of the datagram Q.

The application 22 then processes the content of the field DA of the datagram Q. The processing of the datagram Q by the application 22 consists for example of verifying access rights, of verifying whether the machine 4 already contains a response to the request in its cache memory to decide whether to communicate or not to communicate the Q datagram to the server application 5.

When to process the request message from the client application 16, the application 22 needs to send a request message to the application 5, the application 22 communicates the following data to the transport layer CT of the machine 4, the content of the request to be put in the field DA, the input port number of the application 5, an output port number of the application 22 to manage the response to the request, the inter-network protocol address @ S1 of the machine 1. This data is transmitted to the network layer CR of the machine 4. On receipt of this data, the network layer CR of the machine 4 searches in its routing tables on which network to send a datagram, according to the network field of the address @ S1. In the example described here, the network field of the address @ S1 corresponding to the network 3 to which the machine 1 is connected, the layer CR transmits to the physical interface 14, a datagram containing in the field DR, the address of destination @ S1 and the source address @ P2 associated with the physical interface 14. On the server network 3, the datagram conventionally reaches the machine 1 and the server application 5 in the machine 1.

The response received from the application 5 on the interface 14 is sent back to the application 22 by the network layer because the address @ P2 is an address of the machine 4, and by the transport layer CT because the port number for the response is that assigned on port 10 by the application 22. By means of an internal mechanism for managing requests and responses, the application 22 associates the response with the output port number received from the application 16. To reissue the response to the application 16, the application 22 communicates the following data to the transport layer CT of the machine 4, the content of the response to be put in the field DA, the output port number of the application 16, the input port number of the application 22 which is identical to the input port number of the application 5 for managing the response to the request, the destination inter-network protocol address @ C2 of the machine 12 and the source internetwork protocol address @ S1 of the machine 1. These data are transmitted to the network layer CR of the machine 4 by the transport layer. On receipt of this data, the network layer CR of the machine 4 searches in its routing tables on which network to send a datagram, as a function of the network field of the address @ C2. In the example described here, the network field of the address @ C2 corresponding to the network 13 to which the machine 12 is connected, the layer CR transmits to the physical interface 19, a datagram containing in the field DR, the address of destination @ P2 and the source address @ S1 associated with the physical interface 19. On the client network 13, the datagram conventionally reaches the machine 12 and the client application 16 in the machine 1. Thus, the application 16 in the machine 12 sees a response coming from the application 5 in the machine 1 without seeing its transit through the application 22 which was done transparently for the client application 16.

With reference to FIG. 3, the address @ S1 is associated with a physical interface 20 different both from the interface 14 as before and from the interface 19 as here in particular.

When a datagram is sent on the network 13 with the address @ S1, the routing protocol of the network layer CR of the machine 4 picks it up on the interface 19 with which the address @ P1 is associated. As the address @ S1 associated with the physical interface 20, is an address of the machine 4, the datagram is raised to the application layer CA of the machine 4.

A relay application 21 processes the request message from the received datagram, in the same way as the previous relay application 22. To send the response message to the application 12, the relay application 22 has a specific pilot to a virtual network to which the physical interface 20 is connected.

The case where the IP address @ S1 is associated with the interface 19 is particularly advantageous for the ease of implementation of the invention. In the following simple example, application 16 performs a Telnet function as a client application, application 22 performs a telnetd function as a server application of application 16, and a Telnet function as a client of application 5. Application 5 performs a telnetd function as a server of application 22. Telnet and telnetd are known functions, using TCP / IP to connect to a client machine terminal where the Telnet function is executed , to a server machine where the telnetd function is executed.

In order to follow on which machine the commands are executed, each one runs on a different operating system. Client machine 12 runs on an AIX (registered trademark) version 4.1 system and has the IP address: @ C1 = 129,182.51.58. Relay machine 4 runs on an AIX version 4.2 system and has the following IP addresses: @ P1 = 129.182.51.21 and @ P2 = 192.90.249.22. The server machine 12 runs on a DNS-E system (proprietary) and has the IP address: @ S1 = 192.90.249.124. Network 13 is accessible in a known manner by an IP address: @ R1 = 129.182.50 with a mask @ M1 = 255.255.254.0. On the client machine 12, the command: route add -host 192.90.249.124 129.182.51.21 defines that to reach the server machine 1 of address @ S1, the datagrams transmitted pass through the relay machine of address @ P1.

On server machine 1, the command: route add -net 129.182.50 192.90.249.22 -netmask 255.255.254.0 defines that to reach any machine on network 13 with address @ R1, the datagrams transmitted pass through the address relay machine @ P2.

On client machine 12, the command:

Telnet 192.90.249.124 activates the Telnet application to reach server machine 1 with address @ S1. At this stage, the only machine recognized by the IP address @ S1 is the server machine 1. The IP layer of machine 4 routes the datagrams transmitted by the IP layer of machine 12, to the IP layer of server machine 1 The IP layer of machine 1 recognizing the address @ S1, goes up the datagram application field to the telnetd application of machine 1. The telnetd application of machine 1 sends back to machine 12, the message:

Trying ...

Connected to 192.90.249.124. Escape character is' ^Λ ] \

$$ 0000 * DNS-E V3U1.000 P1.001 P2.019 P3.010 * IMA: BX77SIM 1998/10/21 17: 23 *

The display of this message on the terminal of machine 12, shows that it is in the environment of the DNS system, that is to say that machine 1 is reached directly. Relay machine 4 has not been crossing only to perform IP routing.

On client machine 12, the command:

Telnet 129.182.51.21 activates the Telnet application to reach relay machine 4 with address @ P1. The IP layer of machine 4 recognizing the address @ P1, goes up the datagram application field to the telnetd application of machine 4. The telnetd application of machine 4 sends back to machine 12, the message:

Trying ... Connected to 129.182.51.21.

Escape character is ^{, Λ} ] '.

Telnet (thirteen)

Login: The display of this message on the terminal of machine 12, shows that it is in the environment of the AIX system, that is to say that machine 4 is reached. This allows commands to be generated from the terminal of the machine 12 which are executed in the machine 4.

On machine 4, interface 19 being named en1, the command: ifconfig enl 192.90.249.124 alias defines address @ S1 as an additional address associated with interface 19. Machine 4 is not likely to be confused with machine 1 on network 13 via the IP layer, because the latter is physically distinct from network 3. Similarly, the command: ifconfig enl 192.90.249.125 alias would define the address @ S2 as an additional address associated with the interface 19.

Returning to machine 12, the command:

Telnet 192.90.249.124 then activates the Telnet application with an effect different from that described above. The message displayed on the terminal of machine 12 is: Trying ... Connected to 129.182.51.21.

Escape character is' ^Λ ] \ Telnet (thirteen) AIX Version 4

The display of this message on the terminal of machine 12, shows that it is in the environment of the AIX system of machine 4. Although having requested a connection to the telnetd application of the server machine 1 at using the address @ S1, the command has made a connection to the telnetd application on machine 4. This is explained by the fact that the IP layer of machine 4 recognizes the address @ S1 as a destination address specific to machine 4, regardless of routing to network 3. Thus, the IP layer of machine 4 goes up the applicative field of datagrams received on interface 19, towards the telnetd application of machine 4.

Now on machine 4, the command: Telnet 192.90.249.124 activates the Telnet application to reach server machine 1 with address @ S1. At this stage, the only machine recognized by the IP address @ S1 from the interface 14, is the server machine 1. The IP layer of the machine 1 recognizing the address @ S1, goes up the applicative field of the datagrams to the telnetd application of machine 1. The telnetd application of machine 1 sends back to the Telnet application of machine 4, the message: Trying ...

Connected to 192.90.249.124. Escape character is' ^Λ ] \

$$ 0000 * DNS-E V3U1.000 P1.001 P2.019 P3.010 ^* IMA: BX77SIM 1998/10/21 17:23 ^*

This message is retransmitted by the telnetd application of machine 4 to the Telnet application of machine 12. The display of this message on the terminal of machine 12, shows that it is in the environment of the DNS system. , that is to say that machine 1 is reached. However, the application field of datagrams is raised to the application layer of the relay machine 4, in a manner transparent to machine 12.

The process which has just been explained by means of manual manipulation, can be carried out by means of a program executed by the application layer of the machine 4.

The datagrams destined for machine 1, passing through the IP layer of machine 4, are reassembled in the application layer of machine 4 because the address @ S1 is associated with a physical interface of machine 4. To avoid conflicts on network 3 with machine 1, it is preferable not to associate the address @ S1 with the interface 14. With reference to FIG. 3, it is possible to associate the address @ S1 with another physical interface than interface 19, for example to a physical interface 20.

An example of particular processing by the application 22 described here has a particular advantage. In the case where encryption keys are associated with the address @ S1 to encrypt the requests from and the responses to the machine 12, the decryption of the requests and the encryption of the responses can be ensured by the machine 4. The data can flow decrypted on the server network 3 without risk. So the encryption and decryption resources can be centralized in machine 4, leaving a maximum of resources available to machine 1 for its server functions. The application 22 is also responsible for re-encrypting the responses before sending them on the network 13.

Claims

CLAIMS:

1. Interconnection machine (4) connected to a client network (13) by means of a first physical interface (19) and connected to a server network (3) by means of a second physical interface (14), characterized in that at least one inter-network protocol address (@ S1, @ S2) of a server machine (1, 2) connected to the server network (3), distinct from the interconnection machine (4), is associated to the first physical interface (19), and in that it comprises a first relay application (22) for receiving datagrams intended for the server machine (1, 2) from the client network (13) and for transmitting on the network server (3) datagrams to the server machine (1,2).

2. Interconnection machine (4) connected to a client network (13) by means of a first physical interface (19) and connected to a server network (3) by means of a second physical interface (14), characterized in that at least one inter-network protocol address (@ S1, @ S2) of a server machine (1, 2) connected to the server network (3), distinct from the interconnection machine (4), is associated to a third physical interface (20), distinct from the first physical interface (1) and the second physical interface (14) and in that it comprises a first relay application (22) for receiving datagrams intended for the server machine (1, 2) from the client network (13) and for transmitting datagrams to the server machine (1, 2) on the server network (3).

3. Interconnection machine (4) according to claim 1, characterized in that said address (@ S1, @ S2) is associated with the first physical interface (19) as an address synonymous with a base address ( @ P1) of the machine (4) on the network (13).

4. Method for processing by means of a relay application (22) executed in an interconnection machine (4) between a client network (13) and a server network (3), datagrams transmitted on the client network ( 13) by a client application (16) intended for a server machine (1) of address (@ S1) on the server network (3), distinct from the interconnection machine (4), characterized in that it comprises a first step which associates said address (@ S1) with a physical interface (19, 20) of the interconnection machine (4) which is not connected to the server network (3), so that the application relay (22) captures the said datagrams without the need to configure or inform said client application (16) for this purpose.

5. Method according to claim 4, characterized in that the first step is preceded by a second step for routing the datagrams transmitted on the client network (13) to the server machine (1), to the interconnection machine (4).

6. Interconnection machine (4) according to claim 1 or 2, characterized in that the application (22) has encryption keys so as to transmit decrypted on the network 3, encrypted messages from the network 13.

7. Interconnection machine (4) according to claim 1 or 2, characterized in that the application (22) has encryption keys so as to transmit encrypted messages on the network 13, unencrypted messages from the network 3 .