Claims
- 1. A method for communicating, comprising the steps of:
communicating with a first client; and acting as an intermediary between said first client and members in a first virtual address realm so that said first client can communicate in said first virtual address realm, said first client is not configured to communicate in said first virtual address realm.
- 2. A method according to claim 1, wherein:
said steps of communicating and acting are performed by an agent.
- 3. A method according to claim 2, further comprising the steps of:
communicating with a second client, said step of communicating with a second client is performed by said agent; acting as an intermediary so that said second client can communicate in said first virtual address realm, said second client is not configured to communicate in said first virtual address realm; said agent, said first client and said second client reside in a first physical address realm; and at least one of said members in said first virtual address realm resides in a second physical address realm.
- 4. A method according to claim 2, wherein:
said agent and said first client reside in a first physical address realm; at least one of said members in said first virtual address realm resides in a second physical address realm; said first physical address realm includes a private route director; and said private route director is implemented with said agent.
- 5. A method according to claim 2, wherein said step of acting as an intermediary includes the steps of:
receiving data from a network route director, said network route director having a public address, said data originating from one of said members in said first virtual address realm; and forwarding said data to said first client.
- 6. A method according to claim 2, wherein:
said step of acting as an intermediary includes creating a security tunnel between said agent and one of said members on behalf of said first client.
- 7. A method according to claim 2, wherein:
said security tunnel is an IPsec tunnel.
- 8. A method according to claim 2, further comprising the steps of:
communicating with a second client; and acting as an intermediary between said second client and members in a second virtual address realm so that said second client can communicate in said second virtual address realm, said second client is not configured to communicate in said second virtual address realm, said step of acting as an intermediary between said first client and said step of acting as an intermediary between said second client are performed at least partially concurrently by said agent.
- 9. A method according to claim 1, wherein said step of acting includes the steps of:
receiving a data unit originally from a first member of said members, said data unit includes a virtual source address representing one of said members in said first virtual address realm and a virtual destination address representing said first client in said first virtual address realm; replacing said virtual destination address in said data unit with a first private address routable in a first physical address realm to said first client; replacing said virtual source address in said data unit with a second private address routable in said first physical address realm, said second private address represents said first member in said first physical address realm, said first member resides in a second physical address realm; and sending said data unit to said first client based on said first private address.
- 10. A method according to claim 9, further comprising the step of:
removing a security measure prior to said step of replacing said virtual destination address.
- 11. A method according to claim 1, wherein said step of acting includes the steps of:
receiving a data unit from said first client, said first client residing in a first physical address realm, said data unit destined for a first member of said members in said first virtual address realm, said data unit includes a source address and a destination address, said source address is an address for said first client in said first physical address realm, said destination address is an address representing said first member in said first physical address realm, said first member resides in a second physical address realm; replacing said address representing said first member in said first physical address realm with a virtual address representing said first member in said first virtual address realm; replacing said address for said first client in said first physical address realm with a virtual address representing said first client in said first virtual address realm; and sending said data unit to said first member.
- 12. A method according to claim 11, further comprising the step of:
subjecting said data unit to a security measure prior to sending said data unit.
- 13. A method according to claim 1, wherein said step of acting includes the steps of:
receiving a first DNS request from said first client, said first DNS request is for a first domain name pertaining to a first member in said first virtual address realm; sending a new DNS request for said first domain name and receiving a response to said new request, said response includes a first virtual address representing said first member in said first virtual address realm; mapping said first virtual address to a first private address routable in a first physical address realm, said first private address represents said first member in said first physical address realm, said first client resides in said first physical address realm, said first member resides in a second physical address realm; and returning said first private address to said first client.
- 14. A method according to claim 13, wherein said step of acting includes the steps of:
receiving a data unit from said first client, said data unit is destined for said first member, said data unit includes a source address and a destination address, said source address is a second private address routable in said first physical address realm, said second private address represents first client in said first physical address realm, said destination address is said first private address; replacing said first private address with a virtual address representing said first member in said first virtual address realm; replacing said second private address with a virtual address representing said first client in said first virtual address realm; and sending said data unit to said first member.
- 15. A method according to claim 1, further comprising the steps of:
identifying a set of entities that are to be able to communicate with each other in said first virtual address realm using domain names, said set includes said members.
- 16. A method according to claim 1 wherein:
said step of acting includes acting as an intermediary between said first client and a first member of said members so that said first client and said first member can communicate in said first virtual address realm; said first client is in a first physical address realm; and said first member is in a second physical address realm, said first physical address realm overlaps said second physical address realm.
- 17. A method according to claim 1 wherein:
said first client is in a first physical address realm; a first member of said members in said first virtual address realm is initially in a second physical address realm; said first member switches from said second physical address realm to a third physical address realm; and said step of acting includes acting as an intermediary between said first client and said first member while said first member is in said second physical address realm and while said first member is in said third physical address realm.
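The address handling recited in claims 9 through 17 (inbound and outbound rewriting of a data unit, removal and application of a security measure, DNS-driven mapping of a virtual address to a private address, overlapping physical realms, and a member that changes physical realm) is easier to follow as a single agent state machine. The following Python is an added illustration written for this page, not code from the patent or its assignee. It assumes: an in-memory dictionary standing in for the virtual-realm DNS resolver; an HMAC tag as a stand-in for the claims' unspecified "security measure"; a representative-address pool that is a sub-range of the client's physical realm routed to the agent; and the constructed addresses 10.0.0.0/24, 10.0.0.128/25 and 100.64.0.0/24.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class DataUnit:
    """A data unit as the claims describe it: source, destination, payload, plus an
    optional authentication tag that stands in for the claims' 'security measure'."""
    src: str
    dst: str
    payload: bytes
    tag: Optional[bytes] = None


class Agent:
    def __init__(self, client_realm, pool, key, resolver):
        # Physical address realm the agent shares with its clients (claims 3, 9).
        self.client_realm = ipaddress.ip_network(client_realm)
        # Representative addresses handed out for remote members; assumed to be a
        # range inside the client realm that is routed to the agent.
        pool_net = ipaddress.ip_network(pool)
        if not pool_net.subnet_of(self.client_realm):
            raise ValueError("representative pool must be routable in the client realm")
        self._pool = (str(h) for h in pool_net.hosts())
        self._key = key            # shared key for the HMAC used as the security measure
        self._resolver = resolver  # hypothetical virtual-realm DNS: domain name -> virtual address
        self.v2p = {}              # virtual address -> private address in the client realm
        self.p2v = {}              # private address in the client realm -> virtual address
        self.location = {}         # member virtual address -> physical realm it currently sits in

    def join(self, client_private, client_virtual):
        """Claim 20: join the realm on behalf of a client. The client keeps using its
        own private address; only the agent ever handles the virtual one."""
        self.v2p[client_virtual] = client_private
        self.p2v[client_private] = client_virtual

    def handle_dns(self, name):
        """Claim 13: resolve the name in the virtual realm, map the virtual answer to a
        private address routable in the client realm, and return that private address.
        The member's real physical address never appears in the client realm, so it may
        overlap the client's own realm (claim 16) without conflict."""
        virtual = self._resolver[name]
        if virtual not in self.v2p:
            private = next(self._pool)
            self.v2p[virtual] = private
            self.p2v[private] = virtual
        return self.v2p[virtual]

    def _tag(self, unit):
        """Authentication tag over the virtual-realm form of a data unit."""
        msg = f"{unit.src}>{unit.dst}".encode() + unit.payload
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def from_member(self, unit):
        """Claims 9-10: remove (verify) the security measure first, then rewrite the
        virtual addresses into client-realm private addresses. None means drop."""
        if unit.tag is None or not hmac.compare_digest(unit.tag, self._tag(unit)):
            return None  # missing or failed integrity check: never translate it
        if unit.src not in self.v2p or unit.dst not in self.v2p:
            return None  # neither side is an entity this agent represents
        return DataUnit(self.v2p[unit.src], self.v2p[unit.dst], unit.payload)

    def to_member(self, unit):
        """Claims 11-12: rewrite client-realm private addresses into virtual addresses,
        then apply the security measure before sending toward the member."""
        if unit.src not in self.p2v or unit.dst not in self.p2v:
            return None
        virtual = DataUnit(self.p2v[unit.src], self.p2v[unit.dst], unit.payload)
        return replace(virtual, tag=self._tag(virtual))

    def relocate_member(self, virtual, new_realm):
        """Claim 17: a member moves to another physical realm. Only the agent's record of
        where to reach it changes; the client's private address for it stays the same."""
        self.location[virtual] = ipaddress.ip_network(new_realm)


def demo():
    """Constructed scenario: client 10.0.0.5 and the remote member both sit in a
    10.0.0.0/24 realm (overlapping physical realms); virtual realm 100.64.0.0/24."""
    resolver = {"db.example.": "100.64.0.20"}  # constructed virtual-realm DNS data
    agent = Agent("10.0.0.0/24", "10.0.0.128/25", b"constructed-shared-key", resolver)
    agent.join("10.0.0.5", "100.64.0.10")
    rep = agent.handle_dns("db.example.")  # private address the client is told to use
    out = agent.to_member(DataUnit("10.0.0.5", rep, b"hello"))
    reply = DataUnit("100.64.0.20", "100.64.0.10", b"reply")
    reply = replace(reply, tag=agent._tag(reply))  # the member would compute this itself
    back = agent.from_member(reply)
    forged = agent.from_member(replace(reply, payload=b"tampered"))
    agent.relocate_member("100.64.0.20", "192.168.7.0/24")
    return {"rep": rep, "out": (out.src, out.dst), "back": (back.src, back.dst),
            "forged": forged, "rep_after_move": agent.handle_dns("db.example.")}
```

Two points the claims leave implicit show up in the code: the integrity check runs before any address is rewritten, so a unit that fails it is dropped without ever touching the mapping tables, and the client-facing private address for a member is allocated by the agent rather than derived from the member's physical address, which is what lets both overlapping realms (claim 16) and member relocation (claim 17) work without the client noticing.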
- 18. A method according to claim 1 wherein:
said step of acting includes transmitting data from one of said members to said intermediary via two NAT devices.
- 19. A method according to claim 1 wherein:
said members and said first client each have a virtual address in said first virtual address realm; and virtual packets are sent to said members, said virtual packets use said virtual addresses.
- 20. A method according to claim 1 wherein:
said step of acting as an intermediary includes joining said first virtual address realm on behalf of said first client.
- 21. A method according to claim 20, wherein:
said step of acting as an intermediary further includes joining said first virtual address realm on behalf of a pseudo client prior to joining said first virtual address realm on behalf of said first client.
- 22. A method according to claim 20, wherein:
said step of acting is performed by an agent; said agent performs said step of joining by contacting a manager; and said manager manages multiple virtual address realms.
- 23. A method according to claim 22, wherein:
said manager identifies which entities can be members of said first virtual address realm by domain names.
- 24. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to perform a method for communicating in a virtual address realm, said method comprising the steps of:
communicating messages with a first client, said messages do not include addresses in said virtual address realm while communicating with said first client; communicating said messages with members in said virtual address realm on behalf of said first client; and transforming said messages so that said messages include virtual addresses when communicating with members in said virtual address realm and said messages do not include virtual addresses when communicating with said first client.
- 25. One or more processor readable storage devices according to claim 24, wherein:
said step of communicating messages with members includes creating a security tunnel with at least one of said members on behalf of said first client.
- 26. One or more processor readable storage devices according to claim 24, wherein:
said step of communicating messages with members includes receiving a data unit originally from a first member, said data unit includes a virtual source address representing said first member in said first virtual address realm and a virtual destination address representing said first client in said first virtual address realm; said step of transforming includes the steps of: replacing said virtual destination address in said data unit with a first private address routable in a first physical address realm to said first client, said client resides in said first physical address realm, and replacing said virtual source address in said data unit with a second private address routable in said first physical address realm, said second private address represents said first member in said first physical address realm, said first member resides in a second physical address realm; and said step of communicating messages with a client includes sending said data unit to said first client based on said first private address.
- 27. One or more processor readable storage devices according to claim 26, wherein:
said step of transforming further includes removing a security measure prior to said step of replacing said virtual destination address.
- 28. One or more processor readable storage devices according to claim 24, wherein:
said step of communicating messages with a first client includes receiving a data unit from said first client, said first client residing in a first physical address realm, said data unit destined for a first member in said virtual address realm, said data unit includes a source address and a destination address, said source address is an address for said first client in said first physical address realm, said destination address is an address representing said first member in said first physical address realm, said first member resides in a second physical address realm; said step of transforming includes the steps of: replacing said address representing said first member in said first physical address realm with a virtual address representing said first member in said virtual address realm, and replacing said address for said first client in said first physical address realm with a virtual address representing said first client in said virtual address realm; and said step of communicating messages with members includes sending said data unit to said first member.
- 29. One or more processor readable storage devices according to claim 28, wherein:
said step of transforming further includes subjecting said data unit to a security measure prior to sending said data unit.
- 30. One or more processor readable storage devices according to claim 24, wherein said method further includes the steps of:
receiving a first DNS request from said first client, said first DNS request is for a first domain name pertaining to a first member in said virtual address realm; sending a new DNS request for said first domain name and receiving a response to said new request, said response includes a first virtual address representing said first member in said virtual address realm; mapping said first virtual address to a first private address routable in a first physical address realm, said first private address represents said first member in said first physical address realm, said first client resides in said first physical address realm, said first member resides in a second physical address realm; returning said first private address to said first client.
- 31. One or more processor readable storage devices according to claim 30, wherein:
said step of communicating messages with a first client includes receiving a data unit from said first client, said data unit is destined for said first member, said data unit includes a source address and a destination address, said source address is a second private address routable in said first physical address realm, said second private address represents said second client in said first physical address realm, said destination address is said first private address; said step of transforming includes the steps of: replacing said first private address with a virtual address representing said first member in said virtual address realm, and replacing said second private address with a virtual address representing said first client in said virtual address realm; and said step of communicating messages with members includes sending said data unit to said first member.
- 32. One or more processor readable storage devices according to claim 24, wherein:
said steps of communicating messages with a client and communicating messages with members includes acting as an intermediary between said first client and a first member so that said first client and said first member can communicate in said first virtual address realm; said first client is in a first physical address realm; and said first member is in a second physical address realm, said first physical address realm overlaps said second physical address realm.
- 33. One or more processor readable storage devices according to claim 24, wherein:
said first client is in a first physical address realm; a first member in said first virtual address realm is initially in a second physical address realm; said first member switches from said second physical address realm to a third physical address realm; and said steps of communicating messages with a first client and communicating messages with members includes acting as an intermediary between said first client and said first member while said first member is in said second physical address realm and while said first member is in said third physical address realm.
- 34. One or more processor readable storage devices according to claim 24, wherein:
said step of communicating messages with members includes receiving data from one of said members via two NAT devices.
- 35. One or more processor readable storage devices according to claim 24, further comprising the step of:
joining said first virtual address realm on behalf of said first client.
- 36. One or more processor readable storage devices according to claim 24, wherein:
said step of communicating messages with a client includes transmitting a first set of said messages to said client and receiving a second set of messages from said client.
- 37. An apparatus for allowing communication in a virtual address realm, comprising:
one or more communication interfaces; one or more storage devices; and one or more processing devices in communication with said one or more communication interfaces and said one or more storage devices, said one or more processing devices communicate messages with a client and with a member of said virtual address realm, messages received from said member are transformed by removing one or more virtual addresses of said virtual address realm and are sent to said client via one or more communication interfaces, messages received from said client are transformed by adding one or more virtual addresses of said virtual address realm and are sent to said member via said one or more communication interfaces.
- 38. An apparatus according to claim 37, wherein said one or more processing devices perform a method comprising the steps of:
receiving a first DNS request from said client, said first DNS request is for a first domain name pertaining to said member; sending a new DNS request for said first domain name and receiving a response to said new request, said response includes a first virtual address representing said member in said virtual address realm; mapping said first virtual address to a first private address routable in a first physical address realm, said first private address represents said member in said first physical address realm, said client resides in said first physical address realm, said member resides in a second physical address realm; and returning said first private address to said client.
- 39. An apparatus according to claim 37 wherein:
said client is in a first physical address realm; and said member is in a second physical address realm, said first physical address realm overlaps said second physical address realm.
- 40. A system for allowing communication, comprising:
a virtual network manager maintaining administrative information about a first virtual address realm including a set of members, said set of members includes a first member; and an agent capable of communicating with said first member and acting as a proxy for said first member for communicating in said first virtual address realm.
- 41. A system according to claim 40, further comprising:
a private route director in communication with said agent and implemented in a common device with said agent.
- 42. A system according to claim 40, wherein:
said virtual network manager maintains administrative information about a second virtual address realm; and said agent is capable of communicating with a second member and acting as a proxy for said second member to allow said second member to communicate in said second virtual address realm.
- 43. A system according to claim 40, wherein:
said agent is capable of acting as a proxy for said first member for communicating in said first virtual address realm with a different member of said first virtual address realm; said first member residing in a first physical address realm; and said different member residing in a second physical address realm that overlaps said first physical address realm.
- 44. A system according to claim 40, wherein:
said first member residing in a first physical address realm; a different member of said first virtual address realm capable of residing in a second physical address realm and a third physical address realm; and said agent capable of acting as a proxy for said first member for communicating in said first virtual address realm with said different member regardless of whether said different member is residing in a second physical address realm or said third physical address realm.
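Claims 20 through 23 and the system claims 40 through 44 describe the other half of the arrangement: a virtual network manager that holds the administrative record for several realms and decides membership by domain name, and an agent that joins a realm on behalf of a pseudo client and then on behalf of real clients, possibly in several realms at once (claims 8 and 42). The following Python is an added illustration written for this page, not code from the patent or its assignee. The membership check, the "<agent>.pseudo" naming of the pseudo client, the per-realm virtual address allocation and the constructed names and prefixes are all assumptions made here; the patent does not specify them.

```python
import ipaddress
from dataclasses import dataclass, field


@dataclass
class Realm:
    """Administrative record the manager keeps per virtual address realm (claim 40)."""
    prefix: ipaddress.IPv4Network
    members: frozenset                              # domain names admitted (claims 23, 47)
    assigned: dict = field(default_factory=dict)    # domain name -> virtual address
    proxied_by: dict = field(default_factory=dict)  # domain name -> agent representing it


class VirtualNetworkManager:
    """Keeps administrative information for several virtual realms (claims 22, 42);
    admission is decided by domain name, not by physical address."""

    def __init__(self):
        self.realms = {}

    def define_realm(self, name, prefix, member_names):
        self.realms[name] = Realm(ipaddress.ip_network(prefix), frozenset(member_names))

    def join(self, realm_name, domain_name, agent_id):
        """An agent joins a realm on behalf of an entity (claims 20, 22). A name outside
        the membership list is refused; a returning name keeps its virtual address so
        that other members' mappings to it stay valid."""
        realm = self.realms[realm_name]
        if domain_name not in realm.members:
            raise PermissionError(f"{domain_name} is not a member of {realm_name}")
        if domain_name not in realm.assigned:
            used = set(realm.assigned.values())
            realm.assigned[domain_name] = next(
                str(h) for h in realm.prefix.hosts() if str(h) not in used)
        realm.proxied_by[domain_name] = agent_id
        return realm.assigned[domain_name]

    def resolve(self, realm_name, domain_name):
        """Name lookup inside one realm, as an agent's DNS handling would use (claim 13)."""
        return self.realms[realm_name].assigned.get(domain_name)


class Agent:
    """Agent representing clients in more than one realm at once (claims 8, 42).
    Tables are keyed by (realm, address) because two realms may reuse one prefix."""

    def __init__(self, agent_id, manager):
        self.agent_id = agent_id
        self.manager = manager
        self.pseudo = {}       # realm -> virtual address of the agent's pseudo client
        self.virtual_of = {}   # (realm, client private address) -> virtual address
        self.client_of = {}    # (realm, virtual address) -> client private address

    def join_on_behalf(self, realm, client_private, client_name):
        """Claim 21: join once for a pseudo client that stands for the agent itself, then
        for the real client. The '<agent>.pseudo' naming is an assumed convention."""
        if realm not in self.pseudo:
            self.pseudo[realm] = self.manager.join(realm, f"{self.agent_id}.pseudo", self.agent_id)
        virtual = self.manager.join(realm, client_name, self.agent_id)
        self.virtual_of[(realm, client_private)] = virtual
        self.client_of[(realm, virtual)] = client_private
        return virtual


def demo():
    """Constructed scenario: one agent serves two realms that share a prefix."""
    mgr = VirtualNetworkManager()
    mgr.define_realm("sales", "100.64.0.0/24",
                     ["agent-a.pseudo", "pc1.sales.example.", "crm.sales.example."])
    mgr.define_realm("eng", "100.64.0.0/24",
                     ["agent-a.pseudo", "pc2.eng.example.", "git.eng.example."])
    agent = Agent("agent-a", mgr)
    v_sales = agent.join_on_behalf("sales", "10.0.0.5", "pc1.sales.example.")
    v_eng = agent.join_on_behalf("eng", "10.0.0.6", "pc2.eng.example.")
    try:
        mgr.join("sales", "unlisted.example.", "agent-a")
        refused = False
    except PermissionError:
        refused = True
    return {
        "pseudo": dict(agent.pseudo),
        "same_virtual": v_sales == v_eng,          # identical address, different realms
        "sales_client": agent.client_of[("sales", v_sales)],
        "eng_client": agent.client_of[("eng", v_eng)],
        "rejoin_stable": mgr.join("sales", "pc1.sales.example.", "agent-b") == v_sales,
        "refused": refused,
    }
```

The scenario deliberately gives both realms the same prefix: the two clients end up with the same virtual address in different realms, which is why an agent serving several realms concurrently must key every table by realm as well as by address, and why the manager, not the agent, is the place where membership by domain name is enforced.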
- 45. A method for communicating, comprising the steps of:
communicating with a first entity in a first physical address realm from within said first physical address realm; and communicating with a second entity in a second physical address realm including acting as a proxy for said first entity to communicate with said second entity, said first physical address realm overlaps with said second physical address realm.
- 46. A method according to claim 45, wherein:
said acting as a proxy includes utilizing a security tunnel to said second entity.
- 47. A method according to claim 45, further comprising the step of:
identifying a set of entities that are to be able to communicate with each other by indicating a set of domain names, said set of domain names includes a first domain name for said first entity and a second domain name for said second entity.
- 48. A method according to claim 45, wherein:
said step of communicating with a second entity includes communicating via two NAT devices.
- 49. A method according to claim 45, further comprising the step of:
communicating with said second entity while said second entity is in a third physical address realm, after said second entity moves to said third address realm, including acting as a proxy for said first entity to communicate with said second entity while said second entity is in said third physical address realm.
- 50. A method according to claim 45, wherein said step of communicating with a second entity includes the steps of:
receiving a data unit originally from said second entity, said data unit includes a source address that is not routable in said first physical address realm and a destination address that is not routable in said first physical address realm; replacing said destination address in said data unit with a first private address routable in said first physical address realm to said first entity; and replacing said source address in said data unit with a second private address routable in said first physical address realm, said second private address represents said second entity in said first physical address realm, said second entity does not reside in said first physical address realm.
- 51. A method according to claim 45, wherein said step of communicating with a second entity includes the steps of:
accessing a data unit received from said first entity, said data unit destined for said second entity, said data unit includes a source address and a destination address, said source address is an address for said first entity in said first physical address realm, said destination address is an address representing said second entity in said first physical address realm, said second entity does not reside in said first physical address realm; replacing said address for said first entity in said first physical address realm with a source address that is not routable in said first physical address realm; replacing said address representing said second entity in said first physical address realm with a destination address that is not routable in said first physical address realm; and sending said data unit to said second entity.
- 52. A method according to claim 45, wherein said step of communicating with a first entity includes the steps of:
receiving a first DNS request from said first entity, said first DNS request is for a first domain name pertaining to said second entity; sending a new DNS request for said first domain name and receiving a response to said new request, said response includes a first address representing said second entity, said first address is not routable in said first physical address realm; mapping said first address to a private address routable in said first physical address realm, said private address represents said second entity in said first physical address realm, said second entity does not reside in said first physical address realm; and returning said private address to said first entity.
- 53. One or more processor readable storage devices having processor readable code embodied on said processor readable storage devices, said processor readable code for programming one or more processors to implement a system for communicating, said system comprising:
a first entity in a first physical address realm; and an agent in said first physical address realm, said agent is in communication with said first entity, said agent is capable of communicating with a second entity in a second physical address realm, said first physical address realm overlaps with said second physical address realm, said agent capable of acting as a proxy for said first entity to communicate with said second entity.
- 54. One or more processor readable storage devices according to claim 53, wherein said system further comprises:
a manager, said manager identifies a set of entities that are to be able to communicate with each other by indicating a set of domain names, said set of domain names includes a first domain name for said first entity and a second domain name for said second entity.
- 55. One or more processor readable storage devices according to claim 53, wherein:
said agent is capable of communicating with said second entity via two NAT devices.
- 56. One or more processor readable storage devices according to claim 53, wherein:
said agent is capable of communicating with said second entity while said second entity is in a third physical address realm, after said second entity moves to said third address realm, including acting as a proxy for said first entity to communicate with said second entity while said second entity is in said third physical address realm.
- 57. One or more processor readable storage devices according to claim 53, wherein said agent performs a method comprising the steps of:
receiving a data unit originally from said second entity, said data unit includes a source address that is not routable in said first physical address realm and a destination address that is not routable in said first physical address realm; replacing said destination address in said data unit with a first private address routable in a first physical address realm to said first entity; and replacing said source address in said data unit with a second private address routable in said first physical address realm, said second private address represents said second entity in said first physical address realm, said second entity does not reside in said first physical address realm.
- 58. One or more processor readable storage devices according to claim 53, wherein said agent performs a method comprising the steps of:
accessing a data unit received from said first entity, said data unit destined for said second entity, said data unit includes a source address and a destination address, said source address is an address for said first entity in said first physical address realm, said destination address is an address representing said second entity in said first physical address realm, said second entity does not reside in said first physical address realm; replacing said address for said first entity in said first physical address realm with a source address that is not routable in said first physical address realm; replacing said address representing said second entity in said first physical address realm with a destination address that is not routable in said first physical address realm; and sending said data unit to said second entity.
- 59. One or more processor readable storage devices according to claim 53, wherein said agent performs a method comprising the steps of:
receiving a first DNS request from said first entity, said first DNS request is for a first domain name pertaining to said second entity; sending a new DNS request for said first domain name and receiving a response to said new request, said response includes a first address representing said second entity, said first address is not routable in said first physical address realm; mapping said first address to a private address routable in said first physical address realm, said private address represents said second entity in said first physical address realm, said second entity does not reside in said first physical address realm; and returning said private address to said first entity.
- 60. A method for communicating, comprising the steps of:
identifying a set of entities that are to be able to communicate with each other by indicating a set of domain names, said set of domain names includes a first domain name for a first entity in a first physical address realm and a second domain name for a second entity in a second physical address realm; communicating with said first entity from within said first physical address realm; and communicating with a second entity including acting as a proxy for said first entity to communicate with said second entity.
- 61. A method according to claim 60, wherein:
said acting as a proxy includes utilizing a security tunnel to said second entity.
- 62. A method according to claim 60, wherein:
said step of communicating with said second entity includes communicating via two NAT devices.
- 63. A method according to claim 60, further comprising the step of:
communicating with said second entity while said second entity is in a third physical address realm, after said second entity moves to said third address realm, including acting as a proxy for said first entity to communicate with said second entity while said second entity is in said third physical address realm.
- 64. A method according to claim 60, wherein said step of communicating with a second entity includes the steps of:
receiving a data unit originally from said second entity, said data unit includes a source address that is not routable in said first physical address realm and a destination address that is not routable in said first physical address realm; replacing said destination address in said data unit with a first private address routable in said first physical address realm to said first entity; and replacing said source address in said data unit with a second private address routable in said first physical address realm, said second private address represents said second entity in said first physical address realm, said second entity does not reside in said first physical address realm.
- 65. A method according to claim 60, wherein said step of communicating with a second entity includes the steps of:
accessing a data unit received from said first entity, said data unit is destined for said second entity, said data unit includes a source address and a destination address, said source address is an address for said first entity in said first physical address realm, said destination address is an address representing said second entity in said first physical address realm, said second entity does not reside in said first physical address realm; replacing said address for said first entity in said first physical address realm with a source address that is not routable in said first physical address realm; replacing said address representing said second entity in said first physical address realm with a destination address that is not routable in said first physical address realm; and sending said data unit to said second entity.
- 66. A method according to claim 60, wherein said step of communicating with a first entity includes the steps of:
receiving a first DNS request from said first entity, said first DNS request is for a first domain name associated with said second entity; sending a new DNS request for said first domain name and receiving a response to said new request, said response includes a first address representing said second entity, said first address is not routable in said first physical address realm; mapping said first address to a private address routable in said first physical address realm, said private address represents said second entity in said first physical address realm, said second entity does not reside in said first physical address realm; and returning said private address to said first entity.
CROSS-REFERENCE TO RELATED APPLICATIONS
[0001] This Application is related to the following Applications: U.S. patent application Ser. No. 10/233,289, “Accessing An Entity Inside a Private Network,” filed on Aug. 30, 2002; U.S. patent application Ser. No. 10/161,573, “Creating A Public Identity For An Entity On A Network,” filed on Jun. 3, 2002; U.S. patent application Ser. No. 10/233,288, “Communicating With An Entity Inside A Private Network Using An Existing Connection To Initiate Communication,” filed on Aug. 30, 2002; U.S. Patent Application “Secure Virtual Address Realm,” filed on Mar. 31, 2003, Atty. Docket TTCC-01020US0; and U.S. Patent Application “Secure Virtual Community Network System,” filed on Mar. 31, 2003, Atty. Docket TTCC-01021US0. All of these related applications are incorporated herein by reference in their entirety.