The subject invention generally relates to the provision of network-based computing services and specifically to systems and methods to initiate or bootstrap network communications to access such services.
Computing devices, including personal computers, workstations, minicomputers, mainframes, and similar devices; peripherals such as printers and facsimile machines; and an increasing number of mobile computing devices such as personal data assistants and cellular telephones, among others, are typically able to communicate with other computing devices using some type of network. A network usually includes both hardware and software components.
Network-connected components typically communicate using a common protocol. One of the most prevalent protocols is version four of the Internet Protocol (IPv4 or simply IP). Each communicating component typically has an associated IP address to which communications are routed. However, the IPv4 protocol is hampered by an address space that is relatively limited compared to the number of communicating devices that need addresses. Additionally, because IP addresses are public, there are associated security concerns.
Network Address Translation (NAT) and firewalls are two systems that were created to extend available address spaces and address security concerns. Although very useful, such devices also erect certain communication barriers between network-connected components. As a result, communicating devices often cannot locate other devices on the network without employing special services or components.
The following presents a simplified summary in order to provide a basic understanding. This summary is not an extensive overview. It is not intended to identify key/critical elements of the invention or to delineate the scope of the invention. Its sole purpose is to present some concepts of the invention in a simplified form as a prelude to the more detailed description later presented. Additionally, section headings used herein are provided merely for convenience and should not be taken as limiting in any way.
One aspect of the invention disclosed herein provides systems and methods for facilitating the provision of network-based services (such as web services) by components acting as service providers to components that receive or subscribe to those services, referred to herein as events. In accordance with this aspect, a provider creates a trigger signal in the form of a data packet and sends that trigger signal to the subscriber using an unreliable communication protocol such as the User Datagram Protocol (UDP). The information in the data packet indicates to the subscriber that a desired event has occurred, that the associated data can be fetched via a reliable communication protocol, and the network location to which a request for the service can be sent.
In accordance with another aspect of the invention, trigger signals assist in the provision of a network-based service by facilitating the opening of communication channels through firewalls that additionally may act as network address translators (NATs) or port mappers or both. Such facilitation is accomplished by using a communication address, port number, and protocol that will be allowed to traverse the firewall to reach the subscriber. The subscriber can then request that the firewall open a communication channel for the subscriber to access the service.
Still another aspect of the invention involves the use of a proxy to facilitate communications between providers and subscribers. The proxy may always act as an intermediary between the provider and the subscriber or may simply act as a central registry or repository for providers so that subscribers may request that the proxy assist it in contacting a provider of the desired service. Conversely, the proxy can also assist the provider in finding subscribers to which it may provide its service. When acting as a central registry or repository, once a pairing between a provider and a subscriber is made, service communications flow between the provider and the subscriber without further involvement from the proxy.
The provision of any network service includes some security risk. That risk may be mitigated in accordance with various aspects of the invention by using techniques such as encryption or digital signatures. These techniques can help authenticate the identities of providers and subscribers, help ensure that the contents of network communications have not been altered during transmission between the communicating components, and protect the contents from being observed by third parties. The use of at least one of these techniques can significantly raise the security level of network communications.
To the accomplishment of the foregoing and related ends, the invention comprises the features hereinafter fully described and particularly pointed out in the claims. The following description and the annexed drawings set forth in detail certain illustrative aspects of the invention. These aspects are indicative, however, of but a few of the various ways in which the principles of the invention may be employed, and the subject invention is intended to include all such aspects and their equivalents. Other objects, advantages and novel features of the invention will become apparent from the following detailed description of the invention when considered in conjunction with the drawings.
The subject invention relates to systems and methods to facilitate the provision of network-based services, such as web services. As used in this application, terms “component,” “system,” and the like are intended to refer to a computer-related entity, either hardware, software (e.g., in execution), and/or firmware. For example, a component can be a process running on a processor, a processor, an object, an executable, a program, and/or a computer. For example, both an application running on a server and the server can be components. One or more components can reside within a process and a component can be localized on one computer and/or distributed between two or more computers.
The subject invention is described with reference to the drawings, wherein like reference numerals are used to refer to like elements throughout. In the following description, for purposes of explanation, numerous specific details are set forth in order to provide a thorough understanding of the subject invention. It may be evident, however, that the subject invention may be practiced without these specific details. In other instances, well-known structures and devices are shown in block diagram form in order to facilitate describing the subject invention. Additionally, although specific examples set forth may use terminology that is consistent with client/server architectures or may even be examples of client/server implementations, skilled artisans will appreciate that the roles of client and server may be reversed, that the subject invention is not limited to client/server architectures and may be readily adapted for use in other architectures, specifically including peer-to-peer (P2P) architectures, without departing from the spirit or scope of the invention.
The subscriber 110 is located on a network behind a firewall 130. The firewall 130 is interposed between the subscriber 110 and the provider 120 and serves as a protective barrier between the subscriber 110 and other computing devices outside the firewall 130. The firewall 130 commonly serves to prevent unauthorized access to the network of the subscriber 110 by components not on that network. The firewall 130 also may prevent unauthorized access by the subscriber 110 (or other components on the network of the subscriber 110) to components outside the firewall 130. This prevention is usually accomplished by blocking data communications in one or both directions through the firewall 130.
Data communications usually occur via communication channels called ports. Each communicating component, in addition to having an IP address, has a group of numbered communication ports that may or may not be open and that may or may not have associated service components active. Certain ports are designated as well-known in that those ports are conventionally used for particular network services. For example, web browsing communications using HTTP typically use port 80.
Firewalls, such as the firewall 130, pose certain problems for the provision of network-based services. Specifically, by blocking data communications, the firewall 130 makes it impossible for subscribers such as the subscriber 110 to access network-based services. Therefore, the firewall 130 can be configured to allow certain data communications to pass through based upon such indicia as the port number to which the communication is directed or the type of protocol used by the data communication. Additionally, the firewall 130 may be configured to allow certain data communications to occur in only one direction or in both directions upon request from a trusted component, such as a component behind the firewall 130.
Firewalls, such as the firewall 130, may also provide network address translation (NAT) and port mapping services. In these instances, the firewall 130 can be configured to present a single (or possibly a group of) public IP address(es) to components outside the firewall. Components outside the firewall 130 usually cannot ascertain that there may be many components behind the firewall 130, all of which are sharing the same public IP address. Components within the firewall 130 each have at least one private IP address. The firewall 130 maintains a table that maps data communications between public and private IP addresses and adjusts the source address information in data packets accordingly, replacing the private source IP address and source port used inside the firewall with the corresponding public IP address and source port that are visible outside.
Certain network-based services may operate using a “pull” paradigm. An example of this is web browsing. The web browser initiates a request for content from a web server using the GET method of the HTTP protocol. The server then sends an HTTP Response to the requestor. In this manner the browser “pulls” the content from the web server. Other services may operate on a “push” paradigm. In that system, when the service provider determines that it has to provide the service, it initiates connections with all components that are to receive the service and provides the service. In that manner, data is “pushed” to the service recipients.
Both the pure push and pull paradigms have drawbacks. Notable drawbacks of the pull paradigm include possibly excessive lag times between the time a service is available and the time it is accessed. In a push paradigm, the service provider may never know that its data communication was blocked by a firewall and therefore the subscriber never received the service. These drawbacks can result in troublesome situations if the service is something like a component notifying another component that it needs human attention, such as a laser printer running out of toner or a facsimile machine running out of paper.
One aspect of the invention uses a combination of certain features of the push and pull paradigms. Returning again to the example in
Upon receiving the trigger signal 140, the subscriber 110 will initiate a service request 150 using a reliable protocol. In this example, the service request is an HTTP GET request via TCP. The service request 150, because it originates from behind the firewall 130, will usually cause the firewall 130 to allow data communications originating outside the firewall 130 to pass through to the subscriber 110. When the provider 120 receives the service request 150, it will send a service response 160 to the subscriber 110.
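The trigger-then-pull exchange described above, written out as an added example (this is not code from the patent or from any product it describes). The provider sends a small SOAP-style datagram over UDP naming the event and the location to fetch it from; the subscriber validates the datagram and then issues an HTTP GET over TCP. The envelope layout, the element names, the 1024-byte size cap and the rule that the advertised location must point back at the datagram's source host are all assumptions made for this illustration; `main()` runs the whole exchange on the loopback interface.

```python
"""Trigger-then-pull exchange: a UDP trigger from the provider, an HTTP GET over TCP from the subscriber.

Added illustration, not code from the patent. The envelope layout, the
element names, the size cap and the source-address check are assumptions.
"""
import http.client
import socket
import threading
import xml.etree.ElementTree as ET
from typing import Optional
from urllib.parse import urlparse

MAX_TRIGGER_BYTES = 1024  # assumed cap: a trigger only says "event X happened, fetch it here"
SOAP_NS = "http://schemas.xmlsoap.org/soap/envelope/"  # SOAP 1.1 envelope namespace
TRIGGER_NS = "urn:example:trigger"  # assumed namespace for the trigger body


def build_trigger(event: str, service_url: str) -> bytes:
    """Provider side: encode which event fired and where its data can be pulled."""
    env = ET.Element("{%s}Envelope" % SOAP_NS)
    body = ET.SubElement(env, "{%s}Body" % SOAP_NS)
    trig = ET.SubElement(body, "{%s}Trigger" % TRIGGER_NS)
    ET.SubElement(trig, "{%s}Event" % TRIGGER_NS).text = event
    ET.SubElement(trig, "{%s}Location" % TRIGGER_NS).text = service_url
    return ET.tostring(env, encoding="utf-8")


def parse_trigger(datagram: bytes, source_ip: str) -> Optional[dict]:
    """Subscriber side: validate a received datagram; None means "ignore it".

    UDP has no handshake, so the source address can be forged. The defensive rule
    applied here (an assumption of this example) is that the subscriber only pulls
    from the host the datagram claims to come from, and only over plain HTTP.
    """
    if len(datagram) > MAX_TRIGGER_BYTES:
        return None
    try:
        env = ET.fromstring(datagram)
    except ET.ParseError:
        return None
    trig = env.find("{%s}Body/{%s}Trigger" % (SOAP_NS, TRIGGER_NS))
    if trig is None:
        return None
    event = trig.findtext("{%s}Event" % TRIGGER_NS)
    location = trig.findtext("{%s}Location" % TRIGGER_NS)
    if not event or not location:
        return None
    url = urlparse(location)
    if url.scheme != "http" or url.hostname != source_ip:
        return None
    return {"event": event, "location": location}


def pull_service(location: str, timeout: float = 2.0) -> bytes:
    """The pull half: fetch the event data with an HTTP GET over reliable TCP."""
    url = urlparse(location)
    conn = http.client.HTTPConnection(url.hostname, url.port or 80, timeout=timeout)
    try:
        conn.request("GET", url.path or "/")
        return conn.getresponse().read()
    finally:
        conn.close()


def _serve_once(listener: socket.socket, payload: bytes) -> None:
    """Tiny provider endpoint for the loopback demo: answers one GET with payload."""
    conn, _ = listener.accept()
    with conn:
        conn.recv(4096)
        head = b"HTTP/1.0 200 OK\r\nContent-Length: %d\r\n\r\n" % len(payload)
        conn.sendall(head + payload)
    listener.close()


def main() -> None:
    # Provider: open the TCP service endpoint, then send a UDP trigger pointing at it.
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    port = listener.getsockname()[1]
    threading.Thread(target=_serve_once, args=(listener, b"toner low"), daemon=True).start()

    subscriber = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    subscriber.bind(("127.0.0.1", 0))
    provider = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    trigger = build_trigger("printer.status", "http://127.0.0.1:%d/status" % port)
    provider.sendto(trigger, subscriber.getsockname())

    # Subscriber: validate the trigger, then pull the data over TCP.
    datagram, (src_ip, _) = subscriber.recvfrom(MAX_TRIGGER_BYTES + 1)
    parsed = parse_trigger(datagram, src_ip)
    if parsed is None:
        print("trigger rejected")
    else:
        print(parsed["event"], "->", pull_service(parsed["location"]))
    provider.close()
    subscriber.close()


if __name__ == "__main__":
    main()
```

The point of `parse_trigger` returning `None` rather than raising is that a subscriber listening on an open UDP port will receive junk and forged datagrams; the cheap checks (size, well-formedness, location tied to the source host) decide which triggers are worth a TCP connection, and anything else is dropped silently.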
Turning to
Referring to
The trigger packet 440 may be implemented as SOAP over UDP using the schema presented in
As a result of any NAT or port mapping (or simply as the product of UDP packet generation), the subscriber 430 can learn the public IP address and port of the provider 410. As in a previous example, the service request 450 may be an HTTP GET request over TCP. Also, both here and in the previous example, HTTP POST may be used if appropriate. As the connection is created from within the firewall/NAT, the service request is able to traverse the firewall.
In prior examples, an initiating communication such as a trigger packet used a first communication protocol that was unreliable, such as UDP. Service communications used a second protocol that was reliable, such as TCP. It should be appreciated that in this and other examples throughout this disclosure, the first and second protocols can be the same protocol, can be reliable or unreliable, can be a ubiquitous protocol like HTTP, FTP, SMTP, TCP, UDP, IP, or can be a private or proprietary protocol that may or may not have been designed specifically for the service provided. For example, when the provided service is the streaming of video and/or audio information, it is usually preferred that the trigger packet and the service packets both use an unreliable protocol such as UDP. In any event, communicating components should be configured to expect certain types of communications and to deal with those communications appropriately.
The proxy 625 may be a component that acts as a central registry for both providers and subscribers to match subscribers that desire to receive services with providers of those services. Additionally or alternately, the proxy 625 may be more akin to a traditional proxy server such as a web proxy server of the type commonly in use in some corporate networks to provide an insulating layer between components of the corporate network and components on other networks or the Internet.
When the provider 605 determines that it has a service to provide to a subscriber, the provider 605 creates and sends a trigger packet 630 to the subscriber via an unreliable protocol. The first firewall 610 receives the packet and performs NAT and port mapping services before forwarding the trigger packet 630 to the proxy 625. The proxy 625 then maps the originating provider to the intended subscriber and forwards the trigger packet 630 to the subscriber 615 by replacing the packet's destination IP address with the address found during the mapping. The proxy may also modify the content of the trigger packet so that it indicates the public IP address or other endpoint indicator of the provider 605 if the provider 605 did not provide that information itself. The second firewall 620 then intercepts the trigger packet 630, performs NAT and port mapping services, and forwards the trigger packet 630 to the subscriber 615.
In this example, a communication channel through the second firewall 620 was previously opened by the subscriber 615 when the subscriber 615 sent an activity or “alive” packet 640 to the second firewall 620. The alive packet 640 may be implemented as a SOAP packet over UDP or simply as a UDP packet. Upon receiving the alive packet 640, the second firewall 620 will open a communication channel for a limited time, for example, for 30 to 60 seconds. The subscriber 615 can periodically send alive packets to the firewall 620 to open new channels or to keep previously opened channels from closing.
Upon receipt of the trigger packet 630, the subscriber 615 will request and receive network-based services via service communications 650 via a reliable protocol. Service communications 650 will occur between the provider 605 and the subscriber 615 and additionally will traverse both firewalls, but will not further use the proxy 625. However, service communications 650 may be routed through the proxy 625 if desired for various reasons that may be service- or implementation-dependent.
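The NAT table and the alive-packet mechanism described above, as an added simulation (not code from the patent): a stateful firewall/NAT maps each private endpoint that sends outbound traffic to a public port with an expiry time, forwards inbound datagrams only through a live mapping, and rewrites them to the private endpoint. The 30-second timeout is the low end of the range the text gives; the address values, the one-public-port-per-private-endpoint rule and the keepalive margin are assumptions. Two scenarios show what happens when the subscriber lets the mapping lapse and when it keeps sending alive packets.

```python
"""Simulation of the stateful firewall/NAT in front of a subscriber and of "alive" packets.

Added illustration, not code from the patent. The 30 s timeout follows the
text's 30-60 s range; the address values, the one-public-port-per-private-
endpoint mapping rule and the keepalive margin are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip, port)


@dataclass
class NatFirewall:
    public_ip: str
    timeout: float = 30.0
    next_public_port: int = 40000
    outbound: Dict[Endpoint, Tuple[int, float]] = field(default_factory=dict)  # private -> (public port, expiry)
    inbound: Dict[int, Endpoint] = field(default_factory=dict)                   # public port -> private

    def send_outbound(self, private_src: Endpoint, now: float) -> Endpoint:
        """An outbound datagram (an alive packet, say) opens or refreshes a mapping and
        returns the public (ip, port) that appears as the source outside the firewall."""
        entry = self.outbound.get(private_src)
        if entry is None:
            port = self.next_public_port
            self.next_public_port += 1
            self.inbound[port] = private_src
        else:
            port = entry[0]
        self.outbound[private_src] = (port, now + self.timeout)
        return (self.public_ip, port)

    def deliver_inbound(self, public_dst_port: int, now: float) -> Optional[Endpoint]:
        """An inbound datagram (a trigger packet) is forwarded only through a live mapping;
        returns the private endpoint it is rewritten to, or None if it is dropped."""
        private = self.inbound.get(public_dst_port)
        if private is None:
            return None
        port, expires = self.outbound[private]
        if now >= expires:
            del self.outbound[private]      # mapping aged out: forget it, drop the packet
            del self.inbound[port]
            return None
        return private


def alive_interval(timeout: float, margin: float = 0.5) -> float:
    """Keepalive period: send the next alive packet well before the mapping expires."""
    return timeout * margin


def lapse_scenario() -> dict:
    """Alive at t=0; trigger at t=20 passes; no keepalive, trigger at t=45 is dropped;
    a new alive at t=50 gets a different public port; trigger to the new port at t=55 passes."""
    fw = NatFirewall(public_ip="203.0.113.10")   # documentation-range address, constructed
    subscriber = ("10.0.0.7", 5000)
    first = fw.send_outbound(subscriber, now=0.0)
    out = {"first": first,
           "t20": fw.deliver_inbound(first[1], now=20.0),
           "t45": fw.deliver_inbound(first[1], now=45.0)}
    second = fw.send_outbound(subscriber, now=50.0)
    out["second"] = second
    out["t55"] = fw.deliver_inbound(second[1], now=55.0)
    return out


def keepalive_scenario() -> dict:
    """Alive packets every alive_interval() seconds keep the same public port open,
    so a trigger sent at t=40 still reaches the subscriber."""
    fw = NatFirewall(public_ip="203.0.113.10")
    subscriber = ("10.0.0.7", 5000)
    period = alive_interval(fw.timeout)
    ports = {fw.send_outbound(subscriber, now=t)[1] for t in (0.0, period, 2 * period)}
    return {"ports": ports, "t40": fw.deliver_inbound(next(iter(ports)), now=40.0)}


if __name__ == "__main__":
    print("lapse    :", lapse_scenario())
    print("keepalive:", keepalive_scenario())
```

The lapse scenario is the case a provider (or proxy) has to plan for: once the mapping has expired, the next alive packet is assigned a fresh public port, so any endpoint information the provider cached from an earlier exchange is stale and the trigger must be sent to the newly learned address.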
It will be appreciated by those of ordinary skill in the art that there is some amount of risk to the security of a computer system in any network communication activity. To attempt to mitigate this security risk, various measures may be employed with the systems and methods described above. Prevalent among available mitigation measures are those involving authentication schemes, data encryption (potentially using public, private, symmetric, or asymmetric keys, or other approaches such as quantum cryptography), or digital signatures. One possible approach is to use digital certificates from a trusted authority to sign trigger packets. That approach may be used as an alternative or addition to encrypting the portion of the trigger packet that identifies the location of the available service so that only the intended recipient of the trigger packet may readily access the contents of the trigger packet. The use of any one or combination of more than one of these techniques in this context is generally referred to as signing.
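Signing trigger packets so that a subscriber can tell a genuine trigger from a forged or altered one, as an added example that is not the patent's own code. The text lists symmetric keys among the options, so this block uses HMAC-SHA256 with a key pre-shared between provider and subscriber; a certificate-based signature from a trusted authority, the approach the text names first, would need a public-key library that the Python standard library does not provide. The wire layout (`nonce || tag || payload`) and the replay cache are assumptions added here: because the trigger travels over UDP, a captured packet could be resent later, so the verifier also refuses a nonce it has already accepted.

```python
"""Signing trigger packets with a pre-shared key (HMAC-SHA256) and rejecting replays.

Added illustration, not code from the patent. The wire layout
nonce || tag || payload, the nonce length and the replay cache are assumptions.
"""
import hashlib
import hmac
import os
from typing import Optional, Set

NONCE_LEN = 16
TAG_LEN = hashlib.sha256().digest_size  # 32 bytes


def sign_trigger(key: bytes, payload: bytes, nonce: Optional[bytes] = None) -> bytes:
    """Provider side: prefix a random nonce and an HMAC computed over nonce + payload."""
    if nonce is None:
        nonce = os.urandom(NONCE_LEN)
    if len(nonce) != NONCE_LEN:
        raise ValueError("nonce must be %d bytes" % NONCE_LEN)
    tag = hmac.new(key, nonce + payload, hashlib.sha256).digest()
    return nonce + tag + payload


class TriggerVerifier:
    """Subscriber side: checks the tag in constant time and rejects nonces already accepted."""

    def __init__(self, key: bytes, max_seen: int = 10_000) -> None:
        self.key = key
        self.max_seen = max_seen
        self.seen: Set[bytes] = set()

    def verify(self, packet: bytes) -> Optional[bytes]:
        """Return the payload if the packet is authentic and fresh, otherwise None."""
        if len(packet) < NONCE_LEN + TAG_LEN:
            return None
        nonce = packet[:NONCE_LEN]
        tag = packet[NONCE_LEN:NONCE_LEN + TAG_LEN]
        payload = packet[NONCE_LEN + TAG_LEN:]
        expected = hmac.new(self.key, nonce + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None          # forged, or altered in transit
        if nonce in self.seen:
            return None          # replay of a trigger already acted on
        if len(self.seen) >= self.max_seen:
            self.seen.clear()    # crude memory bound; a deployment would use a time window
        self.seen.add(nonce)
        return payload


def main() -> None:
    key = os.urandom(32)          # pre-shared key, constructed for the demo
    verifier = TriggerVerifier(key)
    packet = sign_trigger(key, b"<Trigger><Event>toner.low</Event></Trigger>")
    print("genuine :", verifier.verify(packet))
    print("replayed:", verifier.verify(packet))
    forged = packet[:-1] + bytes([packet[-1] ^ 1])
    print("altered :", TriggerVerifier(key).verify(forged))


if __name__ == "__main__":
    main()
```

The verifier checks the tag before consulting the replay cache so that an unauthenticated packet can never add entries to it; `hmac.compare_digest` is used instead of `==` so that the comparison time does not leak how many leading bytes of a guessed tag were correct.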
In order to provide additional context for implementing various aspects of the subject invention,
Moreover, those skilled in the art will appreciate that the inventive methods may be practiced with other computer system configurations, including single-processor or multi-processor computer systems, minicomputers, mainframe computers, as well as personal computers, hand-held computing devices, microprocessor-based and/or programmable consumer electronics, and the like, each of which may operatively communicate with one or more associated devices. The illustrated aspects of the invention may also be practiced in distributed computing environments where certain tasks are performed by remote processing devices that are linked through a communications network. However, some, if not all, aspects of the invention may be practiced on stand-alone computers. In a distributed computing environment, program modules may be located in local and/or remote memory storage devices.
One possible means of communication between a client 710 and a server 720 can be in the form of a data packet adapted to be transmitted between two or more computer processes. The system 700 includes a communication framework 740 that can be employed to facilitate communications between the client(s) 710 and the server(s) 720. The client(s) 710 are operably connected to one or more client data store(s) 750 that can be employed to store information local to the client(s) 710. Similarly, the server(s) 720 are operably connected to one or more server data store(s) 730 that can be employed to store information local to the server(s) 720.
With reference to
The system bus 818 can be any of several types of bus structure(s) including the memory bus or memory controller, a peripheral bus or external bus, and/or a local bus using any variety of available bus architectures including, but not limited to, Industrial Standard Architecture (ISA), Micro-Channel Architecture (MSA), Extended ISA (EISA), Intelligent Drive Electronics (IDE), VESA Local Bus (VLB), Peripheral Component Interconnect (PCI), Card Bus, Universal Serial Bus (USB), Advanced Graphics Port (AGP), Personal Computer Memory Card International Association bus (PCMCIA), Firewire (IEEE 1394), and Small Computer Systems Interface (SCSI).
The system memory 816 includes volatile memory 820 and nonvolatile memory 822. The basic input/output system (BIOS), containing the basic routines to transfer information between elements within the computer 812, such as during start-up, is stored in nonvolatile memory 822. By way of illustration, and not limitation, nonvolatile memory 822 can include read only memory (ROM), programmable ROM (PROM), electrically programmable ROM (EPROM), electrically erasable ROM (EEPROM), or flash memory. Volatile memory 820 includes random access memory (RAM), which acts as external cache memory. By way of illustration and not limitation, RAM is available in many forms such as synchronous RAM (SRAM), dynamic RAM (DRAM), synchronous DRAM (SDRAM), double data rate SDRAM (DDR SDRAM), enhanced SDRAM (ESDRAM), Synchlink DRAM (SLDRAM), and direct Rambus RAM (DRRAM).
Computer 812 also includes removable/non-removable, volatile/non-volatile computer storage media. For example,
It is to be appreciated that
A user enters commands or information into the computer 812 through input device(s) 836. The input devices 836 include, but are not limited to, a pointing device such as a mouse, trackball, stylus, touch pad, keyboard, microphone, joystick, game pad, satellite dish, scanner, TV tuner card, digital camera, digital video camera, web camera, and the like. These and other input devices connect to the processing unit 814 through the system bus 818 via interface port(s) 838. Interface port(s) 838 include, for example, a serial port, a parallel port, a game port, and a universal serial bus (USB). Output device(s) 840 use some of the same type of ports as input device(s) 836. Thus, for example, a USB port may be used to provide input to computer 812, and to output information from computer 812 to an output device 840. Output adapter 842 is provided to illustrate that there are some output devices 840 like monitors, speakers, and printers, among other output devices 840, which require special adapters. The output adapters 842 include, by way of illustration and not limitation, video and sound cards that provide a means of connection between the output device 840 and the system bus 818. It should be noted that other devices and/or systems of devices provide both input and output capabilities such as remote computer(s) 844.
Computer 812 can operate in a networked environment using logical connections to one or more remote computers, such as remote computer(s) 844. The remote computer(s) 844 can be a personal computer, a server, a router, a network PC, a workstation, a microprocessor based appliance, a peer device or other common network node and the like, and typically includes many or all of the elements described relative to computer 812. For purposes of brevity, only a memory storage device 846 is illustrated with remote computer(s) 844. Remote computer(s) 844 is logically connected to computer 812 through a network interface 848 and then physically connected via communication connection 850. Network interface 848 encompasses wire and/or wireless communication networks such as local-area networks (LAN) and wide-area networks (WAN). LAN technologies include Fiber Distributed Data Interface (FDDI), Copper Distributed Data Interface (CDDI), Ethernet, Token Ring and the like. WAN technologies include, but are not limited to, point-to-point links, circuit switching networks like Integrated Services Digital Networks (ISDN) and variations thereon, packet switching networks, and Digital Subscriber Lines (DSL).
Communication connection(s) 850 refers to the hardware/software employed to connect the network interface 848 to the bus 818. While communication connection 850 is shown for illustrative clarity inside computer 812, it can also be external to computer 812. The hardware/software necessary for connection to the network interface 848 includes, for exemplary purposes only, internal and external technologies such as, modems including regular telephone grade modems, cable modems and DSL modems, ISDN adapters, and Ethernet cards.
What has been described above includes examples of the subject invention. It is, of course, not possible to describe every conceivable combination of components or methodologies for purposes of describing the subject invention, but one of ordinary skill in the art may recognize that many further combinations and permutations of the subject invention are possible. Accordingly, the subject invention is intended to embrace all such alterations, modifications, and variations that fall within the spirit and scope of the appended claims.
In particular and in regard to the various functions performed by the above described components, devices, circuits, systems and the like, the terms (including a reference to a “means”) used to describe such components are intended to correspond, unless otherwise indicated, to any component which performs the specified function of the described component (e.g., a functional equivalent), even though not structurally equivalent to the disclosed structure, which performs the function in the herein illustrated exemplary aspects of the invention. In this regard, it will also be recognized that the invention includes a system as well as a computer-readable medium having computer-executable instructions for performing the acts and/or events of the various methods of the invention.
In addition, while a particular feature of the invention may have been disclosed with respect to only one of several implementations, such feature may be combined with one or more other features of the other implementations as may be desired and advantageous for any given or particular application. Furthermore, to the extent that the terms “includes,” and “including” and variants thereof are used in either the detailed description or the claims, these terms are intended to be inclusive in a manner similar to the term “comprising.”