METHOD AND SYSTEM FOR FORWARDING INTERNET PROTOCOL (IP) DATA PACKETS AT A MULTIPLE WAN NETWORK GATEWAY

The present invention discloses methods and systems for forwarding Internet Protocol (IP) data packets at a first network gateway. The first network gateway comprises a plurality of wide area network (WAN) network interfaces and at least one local area network (LAN) network interface. A first WAN network interface of the plurality of WAN network interfaces is not assigned with an IP address. When first IP data packets are received through the first WAN network interface, the first network gateway inspects the first IP data packets. The first IP data packets are forwarded through one of the at least one LAN network interfaces when it is determined not to intercept the first IP data packets. When the first network gateway receives second IP data packets through one of the at least one LAN network interface, the first network gateway inspects the second IP packets. The first network gateway then forwards the second IP data packets through one of the plurality of WAN network interfaces when it is determined not to intercept the second IP data packets.

Skip to: Description  ·  Claims  · Patent History  ·  Patent History
Description
RELATED APPLICATIONS

The present application is a non-provisional continuation application which claims the benefits of and is based on application Ser. No. 14/125,952 titled “METHODS AND SYSTEMS FOR RECEIVING AND TRANSMITTING INTERNET PROTOCOL (IP) DATA PACKETS” filed on 13 Dec. 2013. The contents of the above-referenced application are herein incorporated by reference.

TECHNICAL FIELD

The present invention relates in general to the field of computer networks. More particularly, the present invention discloses methods and systems for forwarding Internet Protocol (IP) data packets at a multiple wan network gateway.

SUMMARY OF THE INVENTION

The present invention is directed to methods and systems for forwarding Internet Protocol (P) data packets at a first network gateway. The first network gateway comprises a plurality of wide area network (WAN) network interfaces and at least one local area network (LAN) network interface. A first WAN network interface of the plurality of WAN network interfaces is not assigned with an IP address. When first IP data packets are received by the first network gateway through the first WAN network interface, the first network gateway inspects the first IP data packets and determines whether or not to intercept the first IP data packets. The first IP data packets are forwarded through one of the at least one LAN network interfaces when it is determined not to intercept the first IP data packets. When the first network gateway receives second IP data packets through one of the at least one LAN network interface and the second IP data packets are reachable through the first network interface, the first network gateway inspects the second IP packets and determines whether to intercept the second IP data packets. The first network gateway then forwards the second IP data packets through one of the plurality of WAN network interfaces when it is determined not to intercept the second IP data packets.

According to one of the embodiments of the present invention, the first IP data packets and the second IP data packets are inspected by inspecting payloads of the first IP data packets and second IP data packets respectively. Alternatively, the first IP data packets and the second IP data packets are inspected by inspecting destination port of the first IP data packets and second IP data packets respectively.

According to one of the embodiments of the present invention, the first network gateway creates third data packets and transmits the third data packets through the first WAN network interface. The source address of the third data packets is an IP address reachable through one of the at least one LAN network interface. The third data packets may be responses to the first data packets, when the first data packets comprises management instructions.

According to one of the embodiments of the present invention, the first network gateway creates fourth data packets and transmits the fourth data packets through one of the at least one LAN network interface. The source address of the fourth data packets is an IP address reachable through the first WAN network interface. The third data packets may be responses to the second data packets, when the second data packets comprises management instructions. According to one of the embodiments of the present invention, the at least one LAN network interface is not assigned with an IP address.

BRIEF DESCRIPTION OF DRAWINGS

FIG. 1 is a network diagram illustrating the use of network devices via a plurality of logical network connections according to one of the embodiments of the present invention in a typical network environment.

FIG. 2 is a network diagram illustrating the use of network devices via a plurality of logical network connections according to one of the embodiments of the present invention in typical network environment.

FIG. 3 shows one of the embodiments of the present invention in a flow diagram providing details with respect to receiving a first IP data packet from a first network interface at a network gateway.

FIG. 4 shows a network gateway implementing one of the embodiments of the present invention.

FIG. 5 is a network diagram illustrating a network gateway implementing one of the embodiments of the present invention.

FIG. 6 shows one of the embodiments of the present invention of a flow diagram providing details with respect to receiving a data packet from a WAN interface.

FIG. 7 shows one of the embodiments of the present invention in a flow diagram providing details with respect to receiving a data packet from a LAN interface.

FIG. 8 illustrates one of the embodiments of present invention of a network node receiving and transmitting IP data packets in accordance with the present invention.

 BACKGROUND ART

When managing a network gateway through an IP network, the network gateway needs an IP address for communication. The IP address of the network gateway allows IP data packets be routed to the network gateway and allows the network gateway to transmit IP data packets.

However, in certain network environment, there are not enough IP addresses. As a result, there may not be any additional IP addresses available for the use of the network gateway. In such case, the network gateway may still be able to route and/or switch IP data packets, but it cannot transmit its own IP data packets or receive IP data packets destined to the network gateway.

FIG. 1 is a typical network environment where router 111 connects to firewall 150 via network interface 113 to connect to inter-connected networks 101 via network interface 112. Inter-connected networks 101 may be the Internet or another network. Firewall 150 connects to router 111 via network interface 151, connects to host 161 via network interface 152 and connects to network node 164 via network interface 153. IP enabled devices are connected to firewall 150, such as host 161 via network interface 162 and network node 164 via network interface 163. Each of network interfaces 112, 113, 151, 152, 153, 162 and 163 is assigned with one IP address. Therefore there are seven IP addresses needed. The internet service provider (ISP) may then assign seven IP addresses for router 111 to use. Host 161 and network node 164 are nodes which are capable of sending, receiving, or forwarding Internet Protocol (IP) data packets.

In FIG. 2, when network gateway 170 is added between router 111 and firewall 150, the problem is that there is no further IP address available to assign to network interfaces 171 and 172 of network gateway 170.

From discussion above, it should be apparent that there is a need for a network gateway to communicate with other nodes in an IP network in which the network gateway is not assigned with an IP address.

DISCLOSURE OF INVENTION

The ensuing description provides preferred exemplary embodiment(s) only, and is not intended to limit the scope, applicability or configuration of the invention. Rather, the ensuing description of the preferred exemplary embodiment(s) will provide those skilled in the art with an enabling description for implementing a preferred exemplary embodiment of the invention. It is understood that various changes may be made in the function and arrangement of elements without departing from the spirit and scope of the invention as set forth in the appended claims.

Also, it is noted that the embodiments may be described as a process which is depicted as a flowchart, a flow diagram, a data flow diagram, a structure diagram, or a block diagram. Although a flowchart may describe the operations as a sequential process, many of the operations can be performed in parallel or concurrently. In addition, the order of the operations may be re-arranged. A process is terminated when its operations are completed, but could have additional steps not included in the figure. A process may correspond to a method, a function, a procedure, a subroutine, a subprogram, etc. When a process corresponds to a function, its termination corresponds to a return of the function to the calling function or the main function.

Furthermore, embodiments may be implemented by hardware, software, firmware, middleware, microcode, hardware description languages, or any combination thereof. When implemented in software, firmware, middleware or microcode, the program code or code segments to perform the necessary tasks may be stored in a non-transitory machine readable medium such as non-transitory storage medium. A processing unit(s) may perform the necessary tasks. A code segment may represent a procedure, a function, a subprogram, a program, a routine, a subroutine, a module, a software package, a class, or any combination of instructions, data structures, or program statements. A code segment may be coupled to another code segment or a hardware circuit by passing and/or receiving information, data, arguments, parameters, or memory contents. Information, arguments, parameters, data, etc. may be passed, forwarded, or transmitted via any suitable means including memory sharing, message passing, token passing, network transmission, etc.

For readability, a network node describe herein is capable of sending, receiving, or forwarding Internet Protocol (IP) data packets, such as a host computer, a router, a switch, a virtual machine, an access point, a gateway, a communication device or a mobile phone.

FIG. 2 is a network environment where router 111 connects to network gateway 170 via network interface 113 to connect to inter-connected networks 101 via network interface 112. Inter-connected networks 101 may be the Internet or another network. Network gateway 170 connects to router 111 via network interface 171 and connects to firewall 150 via network interface 172. Firewall 150 connects to network gateway 170 via network interface 151, connects to host 161 via network interface 152 and connects to network node 164 via network interface 153. IP enabled devices are connected to firewall 150, such as host 161 via network interface 162 and network node 163 via network interface 164. Each of network interfaces 112, 113, 151, 152, 153, 162 and 163 is assigned with one IP address. However, network interfaces 171 and 172 are not assigned with any IP address.

Methods

Receiving an IP Data Packet

According to one of the embodiments of the present invention, in order to process IP data packets via a first network interface of a network gateway without an IP address, the network gateway inspects IP data packets passing through its network interfaces. If an IP data packet satisfies an interception policy, the network gateway determines that the IP data packet is intended for it and does not forward the IP data packet to nodes connecting to its network interfaces. Otherwise, when the IP data packet does not satisfy the interception policy, the network gateway determines that the IP data packet is not intended for it and forwards the IP data packet to the destination indicated in the destination address of the IP data packet via the corresponding network interfaces.

FIG. 3 shows one of the embodiments of the present invention in a flow diagram providing details with respect to receiving a first IP data packet from a first network interface at a network gateway. FIG. 3 should be viewed in conjunction with FIG. 2.

When network gateway 170 receives an IP data packet from router 111 via network interface 171 with a destination address reachable via network interface 172 at step 301, network gateway 170 inspects the IP data packet to check whether the IP data packet satisfies an interception policy at step 302. If the IP data packet satisfies the interception policy, network gateway 170 does not forward the IP data packet via network interface 172. If the IP data packet does not satisfy the interception policy, network gateway 170 forwards the IP data packet via network interface 172 according to the destination address of the IP data packet.

Similarly, when network gateway 170 receives an IP data packet from firewall 150 via network interface 172 with a destination address reachable via network interface 171 at step 301, network gateway 170 inspects the IP data packet to check whether the IP data packet satisfies the interception policy at step 302. If the IP data packet satisfies the interception policy, network gateway 170 does not forward the IP data packet via network interface 171. If the IP data packet does not satisfy the interception policy, network gateway 170 forwards the IP data packet via network interface 171.

For example, the IP addresses at network interfaces 112, 113, 151, 152, 153, 162 and 163 are 2.2.2.1, 2.2.2.2, 2.2.2.3, 2.2.2.4, 2.2.2.5, 2.2.2.6, and 2.2.1.7 respectively. Reachable addresses of network interface 172 are 2.2.2.3, 2.2.2.4, 2.2.2.5, 2.2.2.6, and 2.2.2.7. Reachable addresses of network interface 171 are 2.2.2.1, 2.2.2.2, and FP addresses belonging to inter-connected networks 101.

According to one of the embodiments of the present invention, when host 161 transmits an IP data packet with destination address 2.2.2.2, i.e. network interface 113 of router 111, and the IP data packet satisfies an interception policy, network gateway 170 therefore intercepts the IP data packet and does not forward the IP data packet to router 111. Network gateway 170 will process the intercepted IP data packet.

According to one of the embodiments of the present invention, after network gateway 170 receives the IP data packet, network gateway 170 responds to the IP data packet by transmitting a responding message through another one or more IP data packet via network interface 172 to host 161. The destination and source addresses of the one or more responding IP data packets are the source address of the IP data packet received, and an IP address reachable via one or more of the network interfaces, other than the network interface transmitting the one or more responding IP data packets, respectively.

According to one of the embodiments of the present invention the payload of IP data packets originating from a node and received by network gateway 170 contains a request to network gateway 170 for status reporting and/or management instructions to network gateway 170. After inspecting the payload of the IP data packets, network gateway 170 determines that the IP data packets are intended for itself and intercepts the IP data packets. To respond to the intercepted IP data packets, network gateway 170 creates responding IP data packets with payload to respond to the request for status reporting and/or management instructions. The destination address of the intercepted IP data packets belong to one of the IP address of nodes that are reachable through network interface 172. The source address of the responding IP data packets is the same as the destination address of the received IP data packets.

According to one of the embodiments of the present invention, the network gateway inspects the port number or the options field of the received IP data packet to determine whether an interception policy is satisfied. According to one of the embodiments of the present invention, the network gateway inspects the payload of the received IP data packet to determine whether an interception policy is satisfied.

According to one of the embodiments of the present invention, the payload of the received IP data packet is encrypted and is decryptable by the network gateway. According to one of the embodiments of the present invention, after the network gateway has determined that the received IP data packet satisfies an interception policy, the payload of the received IP data packet is decrypted. According to one of the embodiments of the present invention, the network gateway decrypts the payload of the received IP data packets satisfies a policy to determine whether the received IP data packet satisfies the interception policy. If the network gateway cannot decrypt the payload of the received IP data packets and if the interception decision is based on the contents of the payload, the network gateway will then conclude that the received IP data packets do not satisfy the interception policy.

Interception Policy

Network gateway, such as network gateway 170, determines to intercept an IP data packet if the IP data packet satisfies an interception policy. The interception policy is a set of conditions, constraints, and settings to determine whether an IP data packet should be intercepted.

According to one of the embodiments of the present invention, the interception policy is based on the port number of the received IP data packets. For example, if the interception policy is to intercept IP data packet with source port number 8000, then all received IP data packets with source port number 8000 are intercepted. In another example, if the interception policy is to intercept IP data packet with destination port number 8888, then all received IP data packets with destination port number 8888 are intercepted.

According to one of the embodiments of the present invention, the interception policy is to intercept received IP data packets if the content of the option field of the received IP data packets matches with a predefined value. For example, the predefined value can be one at the twentieth bit of the option field.

According to one of the embodiments of the present invention, the interception policy is based on the destination address of the received IP data packet. For example, the interception policy is to intercept IP data packets if the destination address of the IP data packets matches a pre-defined IP address.

According to one of the embodiments of the present invention, the interception policy is based on a plurality of contents in the header of the received IP data packet. For example, the interception policy is to intercept IP data packets if the destination address of the IP data packets belongs to a particular subnet and the destination port number is 65332.

According to one of the embodiments of the present invention, the interception policy is based on the contents of the payload in the received IP data packet. For example, the interception policy is to intercept IP data packets if the IP data packets contain a predefined word.

A Plurality of Network Interfaces

FIG. 4 shows a network gateway implementing one of the embodiments of the present invention. Network gateway 400 like network gateway 170, is placed between a router and a firewall. Network gateway 400 has four network interfaces 401, 402, 403 and 404. None of the four network interfaces 401, 402, 403 and 404 is assigned with an IP address. When network interface 401 receives an IP data packet with destination address reachable via one or more of network interfaces 402, 403 and 404, network gateway 400 does not forward the IP data packet via any of network interfaces 402, 403, and 404 if the IP data packet satisfies an interception policy. On the other hand, if the IP data packet does not satisfy the interception policy, network gateway 400 forwards the IP data packet via one or more of network interfaces 402, 403 and 404 according to the destination address of the IP data packet.

Similarly, when network interfaces 402, 403 and 404 receive IP data packets from computing device(s) or network node(s) with destination addresses reachable via network interface 401 at step 301, network gateway 400 inspects the IP data packets to check whether the IP data packets satisfy the interception policy at step 302. If the IP data packets satisfy the interception policy, network gateway 400 does not forward the IP data packets via network interface 401. If the IP data packets do not satisfy the interception policy, network gateway 400 forwards the IP data packet via network interface 401.

According to one of the embodiments of the present invention, an interception policy is satisfied if the destination address of the received IP data packet matches with a predefined IP address. According to one of the embodiments of the present invention, the predefined IP address is a fink-focal IP address. For example, in IPv4, the predefined IP address is in the block 169.254.0.0/16; in IPv6, the predefined IP address is in IP address in the block fe80::/10.

Transmitting an IP Data Packet

According to one of the embodiments of the present invention, when sending an IP data packet, it is possible to have the source address of the IP data packet to be any IP address. However, in order to allow the receiver of the IP data packet to respond, the source address of the IP data packet is not arbitrary. According to one of the embodiments of the present invention, as the network interface used to transmit the IP data packet is not assigned with an IP address, the source address of the IP data packet is set to an IP address which is reachable via one of network interfaces of the network gateway, excluding the network interface that is used to transmit the IP data packet, as the source address of the IP data packet. Therefore, the receiver of IP data packet may respond with one or more IP data packets that will arrive at the network gateway.

Again, for example, the IP addresses at network interfaces 112, 113, 151, 152, 153, 162 and 163 are 2.2.2.1, 2.2.2.2, 2.2.2.3, 2.2.2.4, 2.2.2.5, 2.2.2.6, and 2.2.2.7 respectively. When network gateway 170 transmits an IP data packet via network interface 171 and the IP data packet is originated from network gateway 170, the source address of the IP data packet is configured with an address reachable via network interface 172. Therefore, the source address of the IP data packet is configured with one of 2.2.2.3, 2.2.2.4, 2.2.2.5, 2.2.2.6, and 2.2.2.7. Similarly when network gateway 170 transmit an IP data packet via network interface 172 and the IP data packet is originated from network gateway 170, the source address of the IP data packet is configured with an address reachable via network interface 171. Therefore, the source address of the IP data packet is configured with one of 2.2.2.1, 2.2.2.2, and IP addresses belonging to inter-connected networks 101.

A Plurality of Network Interfaces

According to one of the embodiments of the present invention, if a network gateway has more than two network interfaces, the source address of the IP data packet originated from the network gateway is configured with an IP address reachable via one or more of the plurality of network interfaces, other than the network interface transmitting the IP data packet.

According to one of the embodiments of the present invention, when network gateway 400 transmits an IP data packet originated from itself via network interface 401, the source address of the IP data packet is an IP address reachable via one of network interfaces 402, 403 and 404. Similarly when network gateway 400 transmits an IP data packet originated from itself via one of network interfaces 402, 403 and 404, the source address of the IP data packet is an IP address reachable via network interface 401.

WAN and LAN Interfaces

According to one of the embodiments of the present invention, a network gateway has one wide area network (WAN) interface and one or more local area network (LAN) interfaces.

When the network gateway receives an IP data packet from the WAN interface, the network gateway inspects the IP data packet to check whether the IP data packet satisfies any of at least one interception policy. If the IP data packet satisfies at least one interception policy, the network gateway does not forward the IP data packet to any of the LAN interfaces. If the IP data packet does not satisfy any of the at least one policy, the network gateway forwards the IP data packet via one or more of the LAN interface according to the destination address of the IP data packet.

Similarly, when the network gateway receives an IP data packet from one of the LAN interfaces with a destination address reachable via the WAN interface, the network gateway inspects the IP data packet to check whether the IP data packet satisfies any of at least one policy. If the IP data packet satisfies at least one policy, the network gateway does not forward the IP data packet to the WAN interface. If the IP data packet does not satisfy any of the at least one policy, the network gateway forwards the IP data packet via the WAN interface according to the destination address of the IP data packet.

When the network gateway transmits an IP data packet that is originated by itself via the WAN interface, the source address of the IP data packet is configured with one of source addresses that is reachable via one or more of the LAN interfaces.

When the network gateway transmits an IP data packet that is originated by itself via one of the LAN interfaces, the source address of the IP data packet is configured with one of source addresses that is reachable via the WAN interface.

Multiple WAN Interfaces

FIG. 6 shows one of the embodiments of the present invention of a flow diagram providing details with respect to receiving a data packet from a WAN interface. FIG. 6 should be viewed in conjunction with FIG. 5.

FIG. 5, based on FIG. 2, shows a network gateway implementing one of the embodiments of the present invention. Network gateway 504 has two WAN interfaces 510 and 511 and two LAN interfaces 512 and 513. WAN interface 511 is assigned with an IP address. WAN interface 510 and LAN interfaces 512 and 513 are not assigned with IP address. Host 161 and network node 164 are connected directly with network gateway 504 via network interfaces 162 and 163 respectively. WAN interface 511 is connected to network interface 503 of router 501. Router 501 connects to interconnected networks 101 via network interface 502.

When network gateway 504 receives an IP data packet at step 601 from one of the WAN interfaces, network gateway 504 determines whether the IP data packet is received via WAN interface 510 or WAN interface 511 at step 602. If the IP data packet is received via WAN interface 511, at step 603 the destination address of the IP data packet is examined to determine whether the IP data packet is designated for network gateway 504. An IP data packet which is designated for network gateway 504 should have the IP address of WAN interface 511 as the destination address. If the IP data packet is not designated for network gateway 504, network gateway 504 forwards the IP data packet either to host 161 or network node 164 via LAN interface 512 or 513, respectively, according to the destination address of the IP data packet at step 605. If the IP data packet is designated for network gateway 504, network gateway 504 does not forward the IP data packet and network gateway 504 may process the IP data packet at step 606.

If the IP data packet is received via WAN interface 510, network gateway 504 inspects the IP data packet to check whether the IP data packet satisfies an interception policy at step 604. If the IP data packet satisfies the interception policy, network gateway 504 does not forward the IP data packet at step 606. If the IP data packet does not satisfy the interception policy, network gateway 504 forwards the IP data packet either to host 161 or network node 164 via LAN interface 512 or 513, respectively, according to the destination address of the IP data packet at step 605.

FIG. 7 shows one of the embodiments of the present invention in a flow diagram providing details with respect to receiving a data packet from a LAN interface. FIG. 7 should be viewed in conjunction with FIG. 5.

At step 701, network gateway 504 receives an IP data packet from host 161 or network node 164 via LAN interface 512 or 513, respectively. At step 702, network gateway 504 determines whether the destination address of the IP data packet is the IP address of WAN interface 511. If the destination address of the IP data packet is the IP address of WAN interface 511, network gateway 504 does not forward the IP data packet via WAN interface 510 or 511 at step 704 because the IP data packet is intended for network gateway 504.

If the destination address of the IP data packet is not the IP address of WAN interface 511, if the destination address is a reachable IP address via WAN interface 510 or 511 and if the IP data packet satisfies the interception policy at step 703, network gateway 504 also does not forward the IP data packet via WAN interface 510 or 511 at step 704.

If the destination address of the IP data packet is not the IP address of WAN interface 511, if the destination address is a reachable IP address via WAN interface 510 or 511 and if the IP data packet does not satisfy the interception at step 703, the IP data packet is forwarded via one of WAN interfaces 510 or 511 at step 705. If the IP address of IP data packet is only reachable via one of the WAN interfaces, the IP data packet is forwarded via the one of the WAN interface at step 705. If the IP address of IP data packet is reachable via more than one WAN interface, network gateway 504 determines which WAN interface is used to forward the IP data packet at step 705. It would be appreciated by those skilled in the arts that there are many known techniques to determine which WAN interface should be used to forward the IP data packet at step 705, including using route table and network performance data.

Systems

FIG. 8 illustrates one of the embodiments of present invention of a network node receiving and transmitting IP data packets in accordance with the present invention. Network gateway 801 can operate as one of the network gateways 170, 400 and 504. Network gateway 801 comprises a digital processor(s) 804, a primary storage 806, a secondary storage 805, and network interfaces 811, 812, 813 and 814. Network interfaces 811, 812, 813 and 814 are for use with other network apparatus such as Ethernet switches, IP routers and other packet network nodes, network management and provisioning systems, local PCs, etc. Network interfaces 811, 812, 813 and 814 are capable of operating as LAN interface(s) and/or WAN interface(s). Other components which may be utilized within network gateway 801 include amplifiers, board level electronic components, as well as media processors and other specialized SoC or ASIC devices. Support for various processing layers and protocols (e.g., 802.3, DOCSIS MAC, DHCP, SNMP, H.323/RTP/RTCP, VoIP, SIP, etc) may also be provided as required.

Network gateway 801 may take any number of physical forms, comprising for example one of a plurality of discrete modules or cards within a larger network edge or hub device of the type well known in the art and may also comprise firmware, either alone or in combination with other hardware/software components. Alternatively, network gateway 801 may be a stand-alone device or module disposed at other computing device or network node, and may even include its own radio frequency (RF) front end (e.g., modulators, encryptors, etc.) or optical interface so as to interface directly with other computing devices and network nodes. Numerous other configurations may be used. Network gateway 801 may also be integrated with other types of components (such as mobile base stations, satellite transceivers, video set-top box, encoders/decoders, etc.) and form factors if desired.

Digital processor(s) 804 and may be implemented by using one or more central processing units, network processors, microprocessors, micro-controllers. FPGAs, ASICs or any device capable of performing instructions to perform the basic arithmetical, logical, and input/output operations of the system.

Primary storage 806 and secondary storage 805 may be implemented by using at least one DRAM, SDRAM, SRAM, Flash RAM, optical memory, magnetic memory, hard disk, and, or any computer readable media that are able to provide storage capability. Preferably, primary storage 806 is implemented with DRAM, SDRAM and/or SRAM and is used as temporary storage or cache. Secondary storage 805 may be used to provide instructions to digital processor(s) 804, to provide storage to store identifiers, conditions, network performance statistics and other data to facilitate the operation of the network node. Secondary storage 805 is also used to store an interception policy(s) which is used by digital processor(s) 804.

Network interfaces 811, 812, 813 and 814 may be implemented using serial bus, universal serial bus (USB) parallel bus, a universal asynchronous receiver/transmitter (UART), Peripheral Component Interconnect (PCI), local bus, or other electronic components connecting technology to connect digital processor(s) 804 and an agent, which is used to be connected with optical fiber, cable, or antenna. In one variant, at least one network interface is in the digital processor(s) 804 and therefore the agent for connecting with optical fiber, cables or antenna may directly connect with the digital processor(s) 804. In one variant, at least one network interface may connect to an Ethernet port for Ethernet network connection. In one variant, at least one network interface may connect to a WiFi adapter for WiFi network connection. In one variant, at least one network interface may connect to a USB port and the USB port may connect to an external modem for wireless WAN connection, such as a USB 3G modern, USB LTE modem, USB WiMax Modern, USB WiFi Modem, or other modem for wireless communications. In one variant, all network interfaces connect a plurality of USB ports for external modern connections. In one variant, all network interfaces connect to circuitry inside network gateway 801. Myriad other combinations and permutations of the foregoing will be appreciated by those of ordinary skill given the present disclosure.

According to one of the embodiments of the present invention, network interface 811 and 812 are not assigned with an IP address. When network gateway 801 receives a data packet via network interface 811 with a destination address reachable via network interface 812, the IP data packet is sent to digital processor(s) 804 for examination through system bus 802. Digital processor(s) 804 examines the IP data packet to determine whether the IP data packet satisfies an interception policy stored at secondary storage 805. If the IP data packet satisfies the interception policy, digital processor(s) 804 does not forward the IP data packet. If the IP data packet does not satisfy the interception policy, digital processor(s) 804 forwards the IP data packet via network interface 812 according to the destination address of the IP data packet.

Similarly, when network gateway 801 receives an IP data packet via network interface 812 with a destination address reachable via network interface 811, the IP data packet is sent to digital processor(s) 804 for examination through system bus 802. Digital processor(s) 804 inspects the IP data packet to determine whether the IP data packet satisfies the interception policy. If the IP data packet satisfies the interception policy, digital processor(s) 804 does not forward the IP data packet. If the EP data packet does not satisfy the interception policy, digital processor(s) 804 forwards the IP data packet via network interface 811.

According to one of the embodiments of the present invention, after network gateway 801 receives an IP data packet via a receiving network interface, i.e. one of network interfaces 811, 812, 813 or 814, digital processor(s) 804 responds to the IP data packet by transmitting a responding message encapsulated in one or more IP data packets via the receiving network interface. The destination address of the one or more responding IP data packets is the source address of the received IP data packet. The source address of the one or more responding IP data packets is one of the IP addresses reachable via one of the plurality of network interfaces, other than the receiving network interface.

According to one of the embodiments of the present invention, the payload of the received IP data packets contains request of status from network gateway 801 and the payload of the responding IP data packets contains status information of the network gateway 801 generated by digital processor(s) 804.

According to one of the embodiments of the present invention, the payload of the received IP data packets contain instructions for digital processor(s) 804 to configure network gateway 801 and the payload of the responding IP data packets transmitted contain operation results of network gateway 801 generated by digital processor(s) 804.

According to one of the embodiments of the present invention, digital processor(s) 804 inspects the port number or the options field of the received IP data packet to determine whether a policy is satisfied. According to one of the embodiments of the present invention, digital processor(s) 804 inspects the payload of the received IP data packet to determine whether a policy is satisfied.

According to one of the embodiments of the present invention, digital processor(s) 804 is capable of encrypting payload encapsulated in IP data packets transmitted by network gateway 801 and is capable of decrypting payload encapsulated in IP data packets received by network gateway 801. According to one of the embodiments of the present invention, after digital processor(s) 804 has determined that the received IP data packet satisfies an interception policy, the payload of the received IP data packet is decrypted by digital processor(s) 804.

It is to be understood that the above described embodiments are merely illustrative of numerous and varied other embodiments which may constitute applications of the principles of the invention. Such other embodiments may be readily devised by those skilled in the art without departing from the spirit or scope of this invention and it is our intent they be deemed within the scope of our invention.

Claims

1. A method for forwarding Internet Protocol (IP) data packets at a first network gateway, wherein the first network gateway comprises a plurality of wide area network (WAN) network interfaces and at least one local area network (LAN) network interface, wherein a first WAN network interface of the plurality of WAN network interfaces is not assigned with an IP address; comprises:

(a) when received first IP data packets through the first WAN network interface: (i) inspecting the first IP data packets, (ii) determining whether to intercept the first IP data packets; (iii) forwarding the first IP data packets through one of the at least one LAN network interfaces when determined not to intercept the first IP data packets:
(b) when received second IP data packets through one of the at/east one LAN network interface and the second IP data packets are reachable through the first WAN network interface: (i) inspecting the second IP data packets; (ii) determining whether to intercept the second IP data packets; and (iii) forwarding the second IP data packets through one of the plurality of WAN network interfaces when determined not to intercept the second IP data packets.

2. The method of claim 1, wherein step (a)(i) is performed by inspecting payloads of the first IP data packets.

3. The method of claim 1, wherein step (b)(i) is performed by inspecting payloads of the second IP data packets.

4. The method of claim 1, wherein step (a)(i) is performed by inspecting destination port of the first IP data packets.

5. The method of claim 1, wherein step (b)(i) is performed by inspecting destination port of the second IP data packets.

6. The method of claim 1, further comprising:

(c) creating third data packets:
(d) transmitting third data packets through the first WAN network interface; and
wherein source address of the third data packets is an IP address reachable through one of the at least one LAN network interface.

7. The method of claim 6, wherein the third data packets are responses to the first data packets and wherein the first data packets comprises management instructions.

8. The method of claim 1, further comprising:

(c) creating fourth data packets;
(d) transmitting fourth data packets through one of the at least one LAN network interface; and
wherein source address of the fourth data packets is an IP address reachable through the first WAN network interface.

9. The method of claim 8, wherein the fourth data packets are responses to the second data packets and wherein the second data packets comprises management instructions.

10. The method of claim 8, wherein the at least one LAN network interface is not assigned with an IP address.

11. A first network gateway for forwarding Internet Protocol (IP) data packets, wherein the first network gateway comprises:

a plurality of wide area network (WAN) network interfaces; wherein a first WAN network interface of the plurality of WAN network interfaces is not assigned with an IP address;
at least one local area network (LAN) network interface;
at least one processing unit;
at least one non-Transitory storage medium storing program instructions executable by the at least one processing unit for:
(a) when received first IP data packets through the first WAN network interface: (i) inspecting the first IP data packets, (ii) determining whether to intercept the first IP data packets; (iii) forwarding the first IP data packets through one of the at least one LAN network interfaces when determined not to intercept the first IP data packets;
(b) when received second IP data packets through one of the at least one LAN network interface and the second IP data packets are reachable through the first WAN network interface: (i) inspecting the second IP data packets; (ii) determining whether to intercept the second IP data packets; and (iii) forwarding the second IP data packets through one of the plurality of WAN network interfaces when determined not to intercept the second IP data packets;

12. The first network gateway of claim 11, wherein step (a)(i) is performed by inspecting payloads of the first IP data packets.

13. The first network gateway of claim 11, wherein step (b)(i) is performed by inspecting payloads of the second IP data packets.

14. The first network gateway of claim 11, wherein step (a)(i) is performed by inspecting destination port of the first IP data packets.

15. The first network gateway of claim 11, wherein step (b)(i) is performed by inspecting destination port of the second IP data packets.

16. The first network gateway of claim 11, wherein the non-transitory storage medium further storing program instructions for:

(c) creating third data packets;
(d) transmitting third data packets through the first WAN network interface; and
wherein source address of the third data packets is an IP address reachable through one of the at least one LAN network interface.

17. The first network gateway of claim 16, wherein the third data packets are responses to the first data packets and wherein the first data packets comprises management instructions.

18. The first network gateway of claim 11, wherein the non-transitory storage medium further storing program instructions for:

(c) creating fourth data packets,
(d) transmitting fourth data packets through one of the at least one LAN network interface; and
wherein source address of the fourth data packets is an IP address reachable through the first WAN network interface.

19. The first network gateway of claim 18, wherein the fourth data packets are responses to the second data packets and wherein the second data packets comprises management instructions.

20. The first network gateway of claim 18, wherein the at least one LAN network interface is not assigned with an IP address.

Patent History
Publication number: 20170041226
Type: Application
Filed: Oct 17, 2016
Publication Date: Feb 9, 2017
Applicant: Pismo Labs Technology Limited (Hong Kong)
Inventors: Ho Ming CHAN (Hong Kong), Sze Hon CHAN (Hong Kong)
Application Number: 15/295,802
Classifications
International Classification: H04L 12/741 (20060101); H04L 29/08 (20060101); H04L 29/06 (20060101); H04L 12/947 (20060101);