The present invention relates to communication over networks, and more particularly, to communication between two networks using gateways.
A gateway for a small network typically includes a firewall and a router. The firewall prevents unauthorized access to the small network (called a “local network” herein), thereby protecting the local network from outside intruders. The router translates incoming and outgoing traffic. For example, a network appliance in the local network will generally create outgoing packets that use a local address and local port for the network appliance. The local address and local port are not valid outside the local network, so the router will translate these to a global address and global port, which are valid in the external network. The gateway generally replaces the local address with its own global address and the local port with one of its own ports. The revised packet is then sent to its destination on the external network. Packets received by the router from the destination will have the global address and a global port of the router in the received packets. The router then replaces the global address and global port of the router with the local address and local port of the network appliance and forwards the packets to the local network.
Currently, the configuration of a gateway installed between local networks, such as home networks, and an external network, such as the Internet, is performed by the user. A problem with this is that the configuration of a gateway can at times be complex and cumbersome. For example, there are applications, especially applications handling multimedia, that use a number of real-time content streams. A typical multimedia application generally starts with a single, non-streaming connection for accessing a remote server on the external network. However, the multimedia application generally creates a number of connections with streams of multimedia data coming into the local network and/or a number of connections with streams of control information or multimedia data going out of the local network. The number of incoming connections (with associated local addresses and local ports) being used can create problems for a gateway, as both the firewall and the router have to handle all of these multimedia content streams while still blocking unwanted access to the local network and correctly routing the multimedia content streams to the proper network appliance(s) on the local network.
A need therefore exists for improved methods and apparatus for gateway management.
Generally, a system and method are disclosed that provide remotely located gateway management with security, which provides, for example, automatic configuration of gateways.
In an exemplary aspect of the invention, a system and method are disclosed for remotely controlled gateway management. The method and apparatus receive a request for content, the request comprising global addressing information of a gateway and corresponding to a network appliance on a local network accessible via the gateway. The method and apparatus determine gateway configuration information suitable for configuring the gateway to pass one or more content streams, each comprising portions of the content, to the network appliance. The method and apparatus communicate the gateway configuration information to the gateway.
In another exemplary aspect of the invention, a second method and apparatus are disclosed. The second method and apparatus send a request for content, where the request comprises global addressing information of a gateway and corresponds to a network appliance on a local network accessible via the gateway. The second method and apparatus receive gateway configuration information suitable for configuring the gateway to pass one or more content streams, each comprising portions of the content, to the network appliance. The second method and apparatus configure the gateway in accordance with the gateway configuration information.
A more complete understanding of the present invention, as well as further features and advantages of the present invention, will be obtained by reference to the following detailed description and drawings.
As described above, there are problems with certain applications, particularly multimedia applications, which use a number of incoming and outgoing content streams. These content streams in a local network typically pass through a gateway. A gateway is a device separating two or more networks. As previously described, a gateway generally provides address and port translation, and typically protects resources of the local network from users of an external network. The gateway has to route all of the incoming and outgoing content streams. Outgoing content streams typically are not problematic, as the application creating the outgoing content streams already includes external destination addresses. Incoming content streams, however, can be problematic.
For certain incoming content streams, a user has to access the gateway and configure it to allow the incoming content streams and corresponding local address/port information. For instance, NetMeeting, a communication application from Microsoft, requires certain ports for Transmission Control Protocol (TCP) and Real-Time Transfer Protocol (RTP) over User Datagram Protocol (UDP) connections. The user has to configure the gateway to allow NetMeeting to work correctly. This is even more difficult since the port numbers used may vary between invocations of the application. Similarly, a network appliance, such as a Philips Internet radio, can request audio streams from a radio server. This radio server will then stream the audio to the gateway. Typically some type of user intervention is required in order to configure the gateway to accept the content stream and route it to the correct network appliance on the local network.
One possible solution for these problems is an Application Level Gateway (ALG). An ALG can be provided in a gateway to examine outgoing and incoming packets and to correct any addresses or ports in the packets, and to update the configuration of the router and/or firewall as needed. This way, incoming multimedia content streams meant for a particular application running on a network appliance in a local network would be correctly sent to the network appliance. However, each application then requires an ALG specific to this application to support its particular protocol. So, an application designer must create a specific ALG for each relevant application and install the ALG on the gateway.
The present invention fixes these problems by providing remotely controlled gateway management with security. In an exemplary embodiment, a network appliance connects to a server to retrieve content, which is typically multimedia content requiring perhaps several incoming multimedia content streams. The network appliance could include its local address and/or port number(s) in a request to the server for the multimedia content. The server determines how to configure a gateway corresponding to the network appliance so that the gateway will pass the incoming multimedia content streams and direct these incoming content streams to the correct network appliance on the local network. Thus, this exemplary embodiment allows automatic configuration of gateways, which lessens work to be done by the user and reduces the number of ALGs that have to be provided.
Turning now to
Network appliance 105-1 comprises a processor 106 coupled to a memory 107. Memory 107 comprises an application 108, an operating system 109, a communication stack 110, a temporary storage 111, and a port 113. The temporary storage 111 comprises a reference 112 to multimedia content 164. Network appliance 105-2 is expected to be similar to network appliance 105-1, but details of network appliance 105-2 are omitted for space reasons. Gateway 135 comprises a processor 136 coupled to a memory 137. Memory 137 comprises a router 138, a firewall 140, a number of global ports 146, and a remote programming interface 147. Router 138 comprises gateway configuration information 139, which in this example is one or more tuples (server address, server port, global port, server global address, local address, and local port). Note that some of the elements of the above tuple may be absent or not used. Firewall 140 also comprises gateway configuration information 145, which in this example is a server address, server port, gateway global address, and a global port. Although not shown in
Remote server 155 comprises a processor 156 coupled to a memory 157. Memory 157 comprises a web page 158. Web page 158 comprises a link 159 to the multimedia content 164. Multimedia server 181 comprises a content server 162, multimedia content 164, and a number of ports 193 (called “multimedia” ports 193 for ease of reference). Configuration server 185 comprises a gateway configuration module 163 and a network appliance registration database 161.
Network appliances 105 are any electronic system suitable for connecting to a network. For example, network appliances 105 could be cellular phones, home computer systems, set-top boxes, or Personal Digital Assistants (PDAs).
As used herein, local addresses are addresses and local ports are ports valid in “local” network 165. Global addresses are addresses and global ports are ports valid in “external” network 160. It should be noted that the terms “local” and “external” are for expository purposes only. Generally, a local network 165 will be a home network or other small network, and external network 160 will be a large network such as the Internet. However, there is no requirement for this configuration and a network appliance 105 can connect to both small and large networks.
Typically, gateway 135 and remote server 155 will comprise operating systems (not shown). Remote server 155 will also generally comprise a communication stack (not shown). Gateway 135 might also comprise a communication stack (not shown).
A user generally interacts with remote server 155 and typically does not know of the existence of multimedia server 181 and configuration server 185. The user, using an application 108 such as a web browser, activates the reference 112 to multimedia content 164, where the reference 112 could be a hyperlink using HyperText Transfer Protocol (HTTP). The hyperlink is from web page 158 and is a version of link 159 to the multimedia content 164. Typically, there will be more than one reference 112 to more than one link 159 and, consequently, to more than one multimedia content 164. For simplicity, only one reference 112 and one link 159 are shown. A user selects multimedia content 164 by activating the reference 112, such as “clicking” on a hyperlink. The initial request may also be, for example, a connection request performed by a communication application. The application 108 then creates information suitable for creating a payload 122-1 of packet 120-1.
Packet 120-1 comprises headers 121-1 and payload 122-1. The headers 121-1 comprise header address information 123-1, which comprises network appliance address 125-1, network appliance port 126-1, server address 127-1, and server port 128-1. The payload 122-1 comprises optional payload address information (e.g., comprising local address 129-1 and local port 130-1) and data 131-1 (e.g., comprising a unique network appliance identification). A packet 120-2 is shown after passing through gateway 135 for communication with remote server 155. A packet 120-3 is also shown that originates from configuration server 185 for communication with gateway 135.
The types of headers 121 used are determined by the protocols being used. For example, when using Transmission Control Protocol (TCP), a packet 120 will include, in headers 121, an IP header and a TCP header. As another example, when using the User Datagram Protocol (UDP), a packet 120 will include, in headers 121, an IP header and a UDP header. The IP header generally contains the source IP address and destination IP address. The TCP and UDP header contain the source port and destination port. As another example, in the case of IP security extensions (IPsec) encapsulating security protocol (ESP), the IP header is followed by an IPsec header. Thus, the exact configuration of the headers 121 can change depending on the protocol being used. For simplicity, it will be assumed herein that the header address information 123 is as shown in
The communication stack 110, which is typically a TCP-Internet Protocol (TCP-IP) stack, creates packet 120-1 including information supplied by, in this example, application 108. In this example, the local address 129-1, the local port 130-1 (generally optional), and network appliance identification (ID), also optional, are supplied by the application 108. The communication stack 110 adds this information to the payload 122-1. The communication stack 110 also adds network appliance address 125-1 (e.g., as a source address), network appliance port 126-1 (e.g., as a source port), server address 127-1 (e.g., as a destination address), and server port 128-1 (e.g., as a destination port). The network appliance address 125-1 is typically the local address 170-1 and the network appliance port 126-1 is typically a port 113. In this example, packet 120-1 is a packet generated as a request to the remote server 155 for multimedia content 164, and the packet could be included as part of one or more packets sent to the remote server 155 to indicate, for example, a selection of a hyperlink corresponding to the multimedia content 164 or as a separate packet.
The request, in this example packet 120-1, can be generated by application 108, which could be, for instance, a plugin for a web browser, a web browser, a communication application, or a multimedia application. Alternatively, generation of the request could be performed by a component of the operating system 109, such as communication stack 110. It should be understood that the request, embodied in this example as packet 120-1, is only exemplary. The request need not contain all of the information shown. For example, the local address 129-1 may in some cases not be necessary. Similarly, the local port 130-1 and network appliance ID 132-1 might not be needed in certain applications. Additionally a request might be embodied in multiple packets 120. Furthermore, there could be multiple local addresses 129-1 and local ports 130-1 included in a request.
The local address 129-1 is typically the local address 170-1 of the network appliance 105-1. This information is useful so that the remote server 155, when supplying gateway configuration information suitable for configuring gateway 135 for use with a content stream 190 created from multimedia content 164, can inform the gateway 135 as to which network appliance 105 the content stream 190 is to be passed. The local port 130-1 is typically a port 113 on the network appliance 105-1. Although only one port 113 is shown, multiple ports 113 can exist and the local port 130-1 is then one selected port 113 from the network appliance 105-1. The local port 130-1 may be the same port 113 as network appliance port 126-1 or, more likely, a different port 113.
The server address 127-1 is generally the global address 180-2 of the remote server 155, while the server port 128-1 is a port (not shown) on the remote server 155. The global address 180-2 is typically an IP address.
Packet 120-1 passes through gateway 135, which separates local network 165 and external network 160. Router 138 replaces the network appliance address 125-1 with a gateway address 125-2 and replaces the network appliance port 126-1 with a gateway port 126-2. The gateway address 125-2 is typically the global address 180-1, which is generally an IP address. The gateway port 126-2 is one of the global ports 146. Generally, the router 138 leaves the other information in packet 120-1 the same when modifying the packet 120-1 to create packet 120-2: the server address 127-2 is the server address 127-1; the server port 128-2 is the server port 128-1; the local address 129-2 is the local address 129-1; the local port 130-2 is the local port 130-1; the network appliance ID 132-2 is the network appliance ID 132-1; and the rest of the headers 121-2 and payload 122-2 is the same as the rest of the headers 121-1 and payload 122-1, respectively.
Gateway 135 places packet 120-2 on external network 160. After routing through external network 160, the remote server 155 will receive the packet. The remote server 155 will then determine that the network appliance 105 needs the multimedia content 164 and will also forward packet 120-2, or some of the information in that packet, to the configuration server 185.
The gateway configuration module 163 of configuration server 185 will use the local address 129-2 and/or local port 130-2 and/or other relevant information, when creating a packet 120-3, which contains a configuration command 133 suitable for configuring the gateway 135 to pass the content stream 190 (e.g., to be created from multimedia content 164 by multimedia server 181) over a suitable global port 146, and possibly through a local port (not shown) for the gateway, and to the network appliance 105-1. It should also be noted that the packet 120-3 could be considered to be a command suitable for configuring the gateway 135 to pass the content stream 190 to the network appliance 105-1. The configuration commands 133 can include multiple port opening requests, port mapping requests, other gateway configuration requests, or some combination thereof, depending on the type of multimedia content 164. For instance, the gateway configuration module 163 for movies might request that several global ports 146 be open for audio, video, and other data.
Illustratively, there will be a period of communication between the gateway 135 and the configuration server 185 where the configuration server 185 uses the remote programming interface 147 to determine, for example, what global ports 146 are available on the gateway 135. The configuration server 185 can then create gateway configuration information 134, which is used by the gateway 135 when configuring the gateway 135.
In the example of
In an exemplary embodiment, the local address 129-2 is all that is needed to create a suitable command to configure gateway 135 for content stream 190. In another exemplary embodiment, configuration of the gateway 135 could also depend on the content type (e.g., the number of streams, sometimes the port numbers can be standardized) and not only on the local address 129-2 and/or network appliance ID 114 or 132-1. In yet another exemplary embodiment, the configuration server 185 uses a network appliance ID 114, 132-2 or 173, which is typically a unique ID for each network appliance 105, to determine what gateway (by gateway type 171, for example) is being used. For instance, during registration of the network appliance 105-1 on configuration server 185, the configuration server 185 can ask for the type 171 of gateway 135 being used. The type 171 of the gateway, along with communication information 172 (e.g., communication protocols or other information needed to interface with the remote programming interface 147 of the gateway) can be stored in network appliance registration database 161. The configuration commands 133 are then particular to the gateway 135 being used. It is expected that gateways 135 made from different manufacturers might have different remote programming interfaces 147, and the network appliance registration information 175 in network appliance registration database 161 is used to tailor the configuration commands 133 and gateway configuration information 134 for a particular gateway 135. Typically, multiple network appliance IDs 173 would be correlated with a single gateway type 171.
It should be noted that configuration commands 133 and gateway configuration information 134 can be combined. Additionally, multiple port openings can be requested by a gateway configuration module 163. Thus, configuration commands 133 and gateway configuration information 134 can include multiple global ports 180-1 along with multiple local addresses 196 and local ports 197.
Once the configuration server 185 has configured the gateway 135, the configuration server 185 contacts the remote server 155 to inform the remote server 155 that the gateway 135 is configured. The remote server 155 then will contact the multimedia server 181 so that the multimedia server 181 can begin sending the multimedia content 164 to the network appliance 105-1.
To send the multimedia content 164 to the network appliance 105-1, the content server 162 on the multimedia server 181 creates one or more content streams 190 from the multimedia content 164. Headers (not shown) for packets (not shown) for the content streams 190 could have appropriate global ports 146 and other information (e.g., destination addresses) so that the gateway 135 can determine where to route the content streams 190 and whether to accept the content streams 190.
The gateway configuration information 139, which in this example is one or more tuples (server address, server port, gateway global address, global port, local address, and local port), is used by the gateway 135 to direct the multimedia content stream 190 to the network appliance 105-1. Note that some elements of the above tuple may be absent or not used. The router 138 uses the gateway configuration information 139 during address and port translation for incoming packets. Firewall 140 also comprises gateway configuration information 145, which in this example is a server address, server port, gateway global address, and a global port. The gateway configuration information 145 may be used by the firewall 140 to accept packets having a source address of the server address (e.g., global address 180-3 of the multimedia server 181) and a destination port of the “global port,” which has been determined to be available by the configuration server 185 and is one of the global ports 146. Additionally, the server port (e.g., one of the multimedia ports 193 of the multimedia server 181) and a gateway global address (e.g., global address 180-1) can also be used when the firewall 140 accepts or rejects a content stream 190.
It should be noted that security also will typically be used in
Furthermore, while it is common to combine the firewall 140 and router 138 into gateway 135, firewall 140 and router 138 could be separate. In the latter case, the firewall 140 and router 138 would be configured either separately (e.g., gateway configuration module 163 configures two devices) or jointly (e.g., the two devices have a joint remote configuration interface, one of them gets configuration from gateway configuration module 163, uses it for its own operations and to instruct the other device). Likewise, although multimedia server 181, configuration server 185 and remote server 155 are shown as being separate, they may be combined also.
Additionally, for peer-to-peer multimedia applications like video conferencing, the multimedia content 164 can come from another home, which then houses the multimedia server 181 for sending content stream(s) 190. The network appliance 105 can send some gathered information from a call setup phase (e.g., global port number to be used) to the gateway configuration module 163 (which is typically not in the other home, but which is connected to the external network 160), which will then configure a gateway 135 between the network appliance 105 and the multimedia server 181.
The processors 106, 136, and 156 may be distributed or singular, and the memories 107, 137 or 157 may be distributed or singular. The present invention described herein may be implemented as an article of manufacture comprising a machine-readable medium, as part of memories 107, 137 or 157 for example, containing one or more programs that when executed implement embodiments of the present invention. For instance, the machine-readable medium may contain a program configured to perform steps of the methods shown in
Referring now to
Turning now to
In step 320, the gateway 135 receives one or more configuration commands. If the gateway 135 does support a configuration communication, then the configuration server 185 will have determined available global ports 146 suitable for use with the gateway 135. Alternatively, the configuration server 185 will simply send a command containing a global port 146 and the gateway 135 can send a rejection to the configuration server 185. Another option is for a command from the configuration server 185 to be a command that tells the gateway 135 to determine a global port 146 suitable for use with the multimedia content stream 190 and to report the global port 146 to the configuration server 185. The configuration commands 133 typically contain or are accompanied by gateway configuration information 134, including such items as a server address (e.g., a global address 180-3 of multimedia server 181), a server port (e.g., a multimedia port 193 for multimedia server 181), a gateway global address (e.g., global address 180-1 of gateway 135), a global port (e.g., one of the global ports 146 of the gateway 135), a local port (e.g., local port 130-2, which is a port 113 of network appliance 105-1), a local address (e.g., local address 129-2 of the network appliance 105-1, which is typically local address 170-1), and a stream type.
A stream type is an optional qualifier used to identify particular multimedia content streams, e.g., TCP, UDP, or RTP over UDP. The stream type can be used to further define the data types that will be communicated through to the gateway 135. Different data types could be rejected, for instance.
In step 330, the gateway 135 determines, from the command received in step 320 for instance, the global port 146 used for the multimedia content stream. In step 340, the gateway 135 configures the firewall 140 with gateway configuration information 145 such as a gateway global address (e.g., global address 180-1), global port (e.g., one of the global ports 146), a server address (e.g., global address 180-3 of the multimedia server 181), a server port (e.g., a multimedia port 193), and an optional stream type. It should be noted that if the content server 162 is joined with the configuration server 185, the server address will generally be a global address 180 used for the combination. In step 350, the gateway 135 configures the router with gateway configuration information 139, which in this example is a gateway global address (e.g., global address 180-1), global port (e.g., one of the global ports 146), a server address (e.g., global address 180-3 of multimedia server 181), a server port (e.g., a multimedia port 193 of multimedia server 181), an optional stream type, a local address (e.g., local address 129-2, which is typically local address 170-1 of the network appliance 105-1), and a local port (e.g., local port 130-2, which is typically one of the local ports 113 of the network appliance 105-1).
In step 360, an acknowledgement is sent to the configuration server 185. This step is optional but beneficial, as the configuration server 185 can then inform the remote server 155 (or the multimedia server 181 or both) to begin transmission of the multimedia content 164 via the multimedia content stream 190. In step 370, the gateway 135 waits for the multimedia content stream 190.
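The following is an added example, not code from the patent, that models in Python the outbound translation of packet 120-1 into packet 120-2, the application of one configuration command in steps 320 to 360 (firewall information 145 and router tuple 139), and the treatment of an incoming content stream 190 against that state. Every address, port, field name and the `Gateway`, `Packet`, `configure` and `handle_inbound` names are constructed for the example; the patent does not specify a message format.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    """Header address information 123 plus an optional payload (constructed layout)."""
    src_addr: str
    src_port: int
    dst_addr: str
    dst_port: int
    payload: dict = field(default_factory=dict)


class Gateway:
    """Router 138 and firewall 140 combined in one device, as in gateway 135."""

    def __init__(self, global_addr: str, global_ports: range) -> None:
        self.global_addr = global_addr                        # global address 180-1
        self.free_ports: List[int] = list(global_ports)       # global ports 146
        self.nat: Dict[int, Tuple[str, int]] = {}             # global port -> (local addr, local port)
        self.firewall_rules: List[tuple] = []                 # gateway configuration information 145
        self.router_rules: Dict[int, Tuple[str, int]] = {}    # gateway configuration information 139

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Packet 120-1 -> 120-2: the local source address/port become the gateway's
        global address and one of its global ports; the payload is left as is."""
        gport = self.free_ports.pop(0)
        self.nat[gport] = (pkt.src_addr, pkt.src_port)
        return Packet(self.global_addr, gport, pkt.dst_addr, pkt.dst_port, pkt.payload)

    def configure(self, cmd: dict) -> dict:
        """Steps 320-360: apply one configuration command and return the acknowledgement."""
        if cmd["gateway_global_address"] != self.global_addr:
            return {"status": "rejected", "reason": "command addressed to another gateway"}
        gport = cmd.get("global_port")
        if gport is None:                  # server asks the gateway to pick a free port
            gport = self.free_ports.pop(0)
        elif gport in self.free_ports:     # server proposed a port; honour it if free
            self.free_ports.remove(gport)
        else:                              # otherwise send a rejection back
            return {"status": "rejected", "reason": f"global port {gport} unavailable"}
        # firewall 140: (server address, server port, gateway global address, global port, stream type)
        self.firewall_rules.append((cmd["server_address"], cmd["server_port"],
                                    self.global_addr, gport, cmd.get("stream_type")))
        # router 138: the same tuple extended with (local address, local port)
        self.router_rules[gport] = (cmd["local_address"], cmd["local_port"])
        return {"status": "ok", "global_port": gport}

    def handle_inbound(self, pkt: Packet, stream_type: str = "UDP") -> Optional[Packet]:
        """Accept a content stream packet only if it matches a firewall rule, then
        rewrite its destination to the configured local address/port; else drop it."""
        for srv_addr, srv_port, gw_addr, gport, stype in self.firewall_rules:
            if (pkt.src_addr, pkt.src_port, pkt.dst_addr, pkt.dst_port) != (srv_addr, srv_port, gw_addr, gport):
                continue
            if stype is not None and stype != stream_type:
                continue
            local_addr, local_port = self.router_rules[gport]
            return Packet(pkt.src_addr, pkt.src_port, local_addr, local_port, pkt.payload)
        return None  # no matching rule: the firewall drops the packet


def run_exchange() -> dict:
    """Run the whole exchange on constructed addresses and ports."""
    gw = Gateway("203.0.113.10", range(40000, 40004))
    # packet 120-1: appliance 105-1 asks remote server 155 for content; the payload
    # carries local address 129-1 / local port 130-1 for the stream it expects
    request = Packet("192.168.1.20", 5000, "198.51.100.5", 80,
                     {"local_address": "192.168.1.20", "local_port": 6000})
    outbound = gw.translate_outbound(request)                 # packet 120-2
    # packet 120-3: command the configuration server derives from that payload
    cmd = {"server_address": "198.51.100.7", "server_port": 9000,
           "gateway_global_address": "203.0.113.10", "global_port": None,
           "local_address": outbound.payload["local_address"],
           "local_port": outbound.payload["local_port"], "stream_type": "UDP"}
    ack = gw.configure(cmd)
    # content stream 190 from multimedia server 181 to the negotiated global port,
    # and a packet from an unconfigured source aimed at the same port
    stream = Packet("198.51.100.7", 9000, "203.0.113.10", ack["global_port"], {"media": "frame"})
    stray = Packet("198.51.100.99", 9000, "203.0.113.10", ack["global_port"], {"media": "junk"})
    return {"outbound": outbound, "ack": ack,
            "delivered": gw.handle_inbound(stream),
            "dropped": gw.handle_inbound(stray),
            "reused_port": gw.configure(dict(cmd, global_port=40000))}


if __name__ == "__main__":
    for name, value in run_exchange().items():
        print(name, value)
```

The last call in `run_exchange` shows the rejection path of step 320: port 40000 was already consumed by the outbound translation, so a command naming it is refused and the configuration server must choose another port or let the gateway pick one.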
Referring now to
Method 400 begins in step 410 when the remote server 155 presents a list of multimedia contents 164 to the network appliance 105. Generally, this is performed through a web page but can be performed through any technique allowing selection of multimedia content 164. In step 420, a content selection is received. This content selection may also be a request for content 164, along with the local address 129-2, the local port 130-2, and the network appliance ID 132-2. In step 425, the remote server 155 communicates the request to the configuration server 185.
Steps 430-475 are typically performed by a gateway configuration module 163 of a configuration server 185. In step 430, the configuration server 185 determines gateway communication information. This step could involve determining the specific type of gateway, such as by using network appliance registration information 175 (e.g., from network appliance registration database 161) of a gateway type 171, communication information 172 for the specific gateway, a network appliance ID 173, or some combination thereof. Network appliance registration information 175 is typically gathered during a registration process, which occurs during initial, periodic, or every contact between the network appliance 105 and the remote server 155. The network appliance registration information 175 allows the configuration server 185 to determine specific protocols or instructions used to communicate with the remote programming interface 147 of the gateway 135. As another example, step 430 could entail using a number of known commands for a number of remote programming interfaces 147 until the gateway 135 begins communicating with the remote server 155.
In step 440, a configuration communication is typically entered by the configuration server 185 and the gateway 135. Although not required, step 440 allows a configuration server 185 to query the remote programming interface 147 as to which global ports 146 are available and suitable for use with a content stream 190 created from multimedia content 164.
In step 450, appropriate commands are created for the gateway 135 to configure the gateway 135 to pass one or more content streams 190 created from multimedia content 164. One or more commands, in step 460, are communicated to the gateway 135. These commands cause the gateway 135 to configure itself so that the gateway 135 will pass the one or more content streams 190 created from multimedia content 164 and sent from multimedia server 181 to the appropriate network appliance 105.
The configuration server 185 waits for an acknowledgement in step 470. In step 475, the configuration server 185 informs the remote server 155 that the gateway 135 has been configured for multimedia content 164.
In step 480, the remote server 155 informs the multimedia server 181 that there has been a request from a network appliance 105 for the multimedia content 164.
In step 485, the content server 162 of the multimedia server 181 sends the content stream 190 to the gateway 135 using the appropriate global port 146 and global address 180-1 for the gateway (and typically the global address 180-3 of the multimedia content server 181 and one of the multimedia ports 193 of the multimedia server 181). The content stream 190 can be any type of data, such as text, video, sound, and other information, and is typically carried through the use of one or more protocols, such as TCP or UDP. Generally, one multimedia content 164 will be split into multiple content streams 190, but this is not always the case.
In order to prevent outside users from being able to control the gateway 135, the gateway 135 will generally employ some type of security measures, particularly when the remote programming interface 147 is attempting to be accessed. There are a variety of security measures that can be employed. For example, each communication with remote programming interface 147 might have to be encrypted and authenticated. Public and private keys might be used. Further, passwords or other devices may be used in addition to or in place of the encryption. Thus, the remote server 155 might need to know a unique ID assigned to the gateway 135 or the network appliance ID assigned to the network appliance 105. Consequently, in step 430, the step of determining the gateway communication information can also determine appropriate security measures to be used with the gateway 135.
It should be noted that method 400 assumes that the remote server 155 is informed by the configuration server 185 that the gateway 135 has been configured. However, other options are possible, such as having the configuration server 185 inform the multimedia server 181 to begin sending the content stream 190 or for the gateway 135 to inform the multimedia server 181 to begin sending the content stream 190.
In steps 440 and 460 (and other steps, if desired), the security measures can be implemented in order to provide secure communication between the remote server 155 and the gateway 135.
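As an added example that is not part of the patent, the following Python models one way the remote programming interface 147 could authenticate configuration commands before acting on them: the configuration server attaches an HMAC-SHA256 tag computed with a secret shared with that gateway, and the gateway checks the tag, the gateway identifier and a sequence number before touching router or firewall state. The shared secret, the envelope layout, the sequence-number replay check and the names `sign_command` and `RemoteProgrammingInterface` are all assumptions; the patent only states that encryption, authentication, keys or passwords may be used.

```python
import hashlib
import hmac
import json


def _canonical(body: dict) -> bytes:
    """Deterministic serialisation so sender and gateway MAC the same bytes."""
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def sign_command(secret: bytes, gateway_id: str, seq: int, cmd: dict) -> dict:
    """Configuration server side: bind the command to one gateway and one sequence
    number, then attach an HMAC-SHA256 tag over the whole body."""
    body = {"gateway_id": gateway_id, "seq": seq, "cmd": cmd}
    return {"body": body, "tag": hmac.new(secret, _canonical(body), hashlib.sha256).hexdigest()}


class RemoteProgrammingInterface:
    """Gateway side: verify before anything reaches router 138 or firewall 140."""

    def __init__(self, gateway_id: str, secret: bytes) -> None:
        self.gateway_id = gateway_id   # unique ID assigned to the gateway
        self.secret = secret
        self.last_seq = 0
        self.applied: list = []

    def receive(self, envelope: dict) -> str:
        body = envelope.get("body", {})
        expected = hmac.new(self.secret, _canonical(body), hashlib.sha256).hexdigest()
        # constant-time comparison, and the tag is checked first so that
        # unauthenticated content never influences a later decision
        if not hmac.compare_digest(expected, str(envelope.get("tag", ""))):
            return "rejected: bad authentication tag"
        if body.get("gateway_id") != self.gateway_id:
            return "rejected: addressed to another gateway"
        if not isinstance(body.get("seq"), int) or body["seq"] <= self.last_seq:
            return "rejected: replayed or stale command"
        self.last_seq = body["seq"]
        self.applied.append(body["cmd"])   # a real gateway would now run steps 330-350
        return "ok"


def run_checks() -> dict:
    """Exercise the accept and reject paths on constructed values."""
    secret = b"constructed-per-gateway-secret"   # assumed to be provisioned at registration
    rpi = RemoteProgrammingInterface("gw-0001", secret)
    cmd = {"server_address": "198.51.100.7", "server_port": 9000, "global_port": 40001,
           "local_address": "192.168.1.20", "local_port": 6000}
    genuine = sign_command(secret, "gw-0001", 1, cmd)
    results = {"genuine": rpi.receive(genuine), "replay": rpi.receive(genuine)}
    tampered = json.loads(json.dumps(genuine))        # deep copy, then alter a field
    tampered["body"]["cmd"]["local_address"] = "192.168.1.99"
    results["tampered"] = rpi.receive(tampered)
    results["wrong_gateway"] = rpi.receive(sign_command(secret, "gw-0002", 2, cmd))
    results["unsigned"] = rpi.receive({"body": {"gateway_id": "gw-0001", "seq": 2, "cmd": cmd}})
    results["applied"] = len(rpi.applied)
    return results


if __name__ == "__main__":
    for name, value in run_checks().items():
        print(name, value)
```

Only the first, genuine command is applied; the replay, the modified copy, the command signed for a different gateway identifier and the unsigned command are all refused before any port is opened.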
There is also the possibility that the gateway configuration module 163 can determine gateway configuration information to configure gateway 135 and send the gateway configuration information (e.g., gateway commands 133, gateway configuration information 134) to the network appliance 105. The network appliance 105 then performs the configuration of the gateway through, for instance, use of the remote programming interface 147.
It is to be understood that the embodiments and variations shown and described herein are merely illustrative of the principles of this invention and that various modifications may be implemented by those skilled in the art without departing from the scope and spirit of the invention. For example, although multimedia content has been described herein, any content that is typically broken into smaller portions and sent to a network appliance may be used.
| Filing Document | Filing Date | Country | Kind | 371c Date |
|---|---|---|---|---|
| PCT/IB05/50190 | 1/17/2005 | WO | 00 | 7/20/2006 |

| Number | Date | Country |
|---|---|---|
| 60537809 | Jan 2004 | US |