WO2023117046A1 - Network address translation - Google Patents

Network address translation

Info

Publication number
WO2023117046A1
Authority
WO
WIPO (PCT)
Prior art keywords
nat
endpoint
network layer
token
address
Application number
PCT/EP2021/086894
Other languages
French (fr)
Inventor
Jaime JIMÉNEZ
Patrik Salmela
Original Assignee
Telefonaktiebolaget Lm Ericsson (Publ)
Application filed by Telefonaktiebolaget Lm Ericsson (Publ)
Priority to PCT/EP2021/086894
Publication of WO2023117046A1

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 61/00 Network arrangements, protocols or services for addressing or naming
    • H04L 61/09 Mapping addresses
    • H04L 61/25 Mapping addresses of the same type
    • H04L 61/2503 Translation of Internet protocol [IP] addresses
    • H04L 61/2514 Translation of Internet protocol [IP] addresses between local and global IP addresses
    • H04L 61/2517 Translation of Internet protocol [IP] addresses using port numbers
    • H04L 61/256 NAT traversal
    • H04L 61/2567 NAT traversal for reachability, e.g. inquiring the address of a correspondent behind a NAT server
    • H04L 61/2582 NAT traversal through control of the NAT server, e.g. using universal plug and play [UPnP]
    • H04L 69/00 Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
    • H04L 69/22 Parsing or analysis of headers

Definitions

  • Network Address Translation (NAT) is a process that enables a first endpoint apparatus (or “first endpoint” for short) that does not have a public Internet Protocol (IP) address to communicate with a second endpoint connected to the Internet.
  • Basic NAT is described in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3022.
  • the NAT process typically involves a network address translator (NAT) (often a router, gateway, software defined networking (SDN) controller, firewall, etc.) allocating (a.k.a., “binding”) a public address (and possibly also a transport layer port number) to the first endpoint for a limited amount of time.
  • When the NAT receives a data packet transmitted by the first endpoint, the NAT modifies the data packet by, for example, replacing the source IP address with the public IP address allocated to the first endpoint (the NAT may also replace the source port number with a port number allocated by the NAT to the first endpoint) and then forwards the modified data packet towards the second endpoint.
  • Similarly, when the NAT receives a data packet transmitted by the second endpoint and destined for the first endpoint, the NAT modifies the data packet by, for example, replacing the destination IP address with the private IP address of the first endpoint (the NAT may also replace the destination port number with the port number selected by the first endpoint) and then forwards the modified data packet towards the first endpoint.
  • In this way, network address translation allows the NAT to act as an intermediary or agent between the private network to which the first endpoint is connected and the Internet.
  • NAT’s main purpose is to conserve the number of public IP addresses in use, for both security and economic goals. Note that the unreachability of hosts behind a NAT is a side effect of address translation rather than a security control in itself; the port-forwarding feature described below deliberately removes that side effect for the bound address and port, so the NAT must decide who is allowed to request it.
  • The Constrained Application Protocol (CoAP) is designed to be used over the User Datagram Protocol (UDP) (see RFC 768) over an Internet Protocol (IP) network, such as the Internet.
  • Lightweight Machine-to-Machine (LwM2M), like CoAP and other protocols used by constrained devices, suffers from NAT bindings expiring while the device is idle; LwM2M informally works around this by sending periodic keep-alive messages that keep the NAT binding open.
  • a Network Token is a set of information (usually a small piece of data) inserted by an endpoint into a packet (e.g., an IP packet).
  • a Network Token enables the endpoint to coordinate with a network device about how the endpoint’s traffic is treated.
  • Network Tokens are described in an Internet-Draft authored by Y. Yiakoumis (available at datatracker(dot)ietf(dot)org/doc/html/draft-yiakoumis-network-tokens-02).
  • An endpoint can add a Network Token (or “Token” for short) to an existing protocol header (e.g., a Token can be carried by an IPv6 Hop-by-hop option, or as an IPv4 option) and the Token may be signed or encrypted to meet security and privacy requirements.
  • Tokens provide a means for network operators to expose data path services (such as a zero-rating service, a user-driven Quality-of-Service (QoS) service, or a firewall whitelist), and for end users and application providers to access such services.
  • Tokens can be seen as network cookies that allow personalizing network functionality, allowing users to tailor these services by expressing their preferences.
  • In that Internet-Draft, a Network Token contains the following three fields: (1) Reflect Type (4 bits), which indicates reflection properties for the Token; (2) Token Descriptor ID (28 bits), an ID that helps the network decide whether and how to interpret the Token; and (3) a payload, which depending on the application may be a set of type-length-value (TLV) encoded values or may have its own custom format.
  • Router Alerts are defined in RFC 2113.
  • A Router Alert (RA) is an IP option type. By placing a Router Alert in an IP header, an endpoint is able to alert a router that receives the IP packet that the router should examine the packet more closely.
  • A Router Alert, as defined in RFC 2113, consists of 4 octets: the first octet encodes the option type (148, i.e., copied flag set, option class 0, option number 20), the second octet encodes the option length, which is 4, and the last two octets carry the option value. A value of 0 signals to a router that receives the packet that it should examine the packet more closely; values 1-65535 are currently reserved.
  • If the first endpoint situated behind the NAT wants to act as a server (e.g., if it wants to accept incoming connection requests), the NAT needs to allocate at least a public IP address to the first endpoint so that the first endpoint (acting as server) can be reached by the second endpoint.
  • For example, assume the first endpoint is allocated the private IP address 10.0.0.2 and wants to serve on port 5683 (i.e., the first endpoint is listening for incoming packets on port 5683, which may be a UDP port or a TCP port); in this scenario the NAT needs to perform address translation (e.g., allocate a public IP address for the first endpoint and optionally also allocate a port number (e.g., 1234) for the first endpoint) to enable the second endpoint to initiate communication with the first endpoint.
  • That is, the NAT would have to be configured with a NAT rule indicating that, when the NAT receives a data packet whose destination IP address is the public IP address allocated by the NAT to the first endpoint and whose destination port is 1234, the NAT should modify the data packet to replace the destination IP address with 10.0.0.2 (i.e., the address of the first endpoint behind the NAT) and replace the destination port with 5683 (i.e., the port number on which the first endpoint is listening for incoming data packets), and then transmit the modified data packet toward the first endpoint.
  • In one aspect there is provided a first endpoint apparatus configured to generate a network layer protocol data unit (PDU) comprising: i) a header comprising a destination address field containing a destination address for a second endpoint apparatus and a source address field containing a source address for the first endpoint apparatus; and ii) a network address translator (NAT) token indicating that the first endpoint apparatus is requesting an address translation feature (e.g., requesting allocation of a public IP address and/or a port for port forwarding).
  • The first endpoint apparatus is further configured to transmit the network layer PDU towards the second endpoint apparatus.
  • a NAT configured to: receive a network layer PDU transmitted by a first endpoint apparatus, the network layer PDU comprising a header comprising a destination address field containing a destination address for a second endpoint apparatus and a source address field containing a source address for the first endpoint apparatus.
  • the NAT is further configured to determine whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature.
  • the NAT is further configured to, after determining that the network layer PDU comprises the NAT token, allocate at least a public network layer address for the first endpoint apparatus.
  • the NAT is further configured to generate a modified version of the received network layer PDU. And the NAT is further configured to forward towards the second endpoint apparatus the modified version of the received network layer PDU.
  • a server that is configured to receive a network layer PDU transmitted by a NAT, the network layer PDU comprising: i) a header comprising a destination address field containing a destination address for the server apparatus and a source address field containing a public source address allocated to at least a first endpoint apparatus.
  • the server is further configured to determine whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature.
  • the server is further configured to store mapping information mapping an identity of the first endpoint apparatus to the public source address.
  • a computer program comprising instructions which when executed by processing circuitry of a network node causes the network node to perform any of the methods disclosed herein.
  • a carrier containing the computer program wherein the carrier is one of an electronic signal, an optical signal, a radio signal, and a computer readable storage medium.
  • An advantage of the embodiments disclosed herein is that they enable an endpoint (e.g., a constrained device or other communication device) that is located behind a NAT to easily request and be assigned a public IP address and/or a port for port forwarding. Also, embodiments enable the endpoint’s “public point-of-presence” (e.g., assigned public IP address and port) to be made available to other endpoints located on the other side of the NAT.
  • FIG. 1 illustrates a communication system according to some embodiments.
  • FIG. 2 is a message flow diagram illustrating a process according to some embodiments.
  • FIG. 3 is a flowchart illustrating a process according to some embodiments.
  • FIG. 4 is a flowchart illustrating a process according to some embodiments.
  • FIG. 5 is a flowchart illustrating a process according to some embodiments.
  • FIG. 6 is a block diagram of a network node according to some embodiments.
  • FIG. 1 illustrates a communication system 100 according to an embodiment.
  • Communication system 100 includes: a NAT apparatus 104 (or “NAT 104” for short); a first endpoint apparatus 101 (or “endpoint 101” for short) located “behind” the NAT; and a second endpoint 102.
  • NAT 104 and endpoint 102 are connected (directly or indirectly) to a network 110 (e.g., the Internet).
  • FIG. 2 is a message flow diagram illustrating a process according to an embodiment.
  • In the example of FIG. 2, endpoint 101 is an Internet-of-Things (IoT) device (e.g., a cellular IoT (CIoT) device), endpoint 102 is a LwM2M server, and the endpoints 101, 102 communicate using the CoAP protocol.
  • FIG. 2 illustrates the procedure by which endpoint 101 registers with the LwM2M server.
  • the process begins with endpoint 101 running an application that listens on a particular port number for incoming data packets.
  • In this example the port number is 5683 because the application is functioning as a CoAP server. If the application were instead to function as an HTTP server, the port number may be 80.
  • endpoint 101 creates a NAT token comprising information for informing NAT 104 that endpoint 101 is requesting an address translation feature (e.g., is requesting NAT 104 to bind (allocate) at least a public IP address to endpoint 101).
  • In some embodiments the NAT token, or information included therein, is signed by endpoint 101 (e.g., the NAT token further comprises a message integrity code (MIC) generated over the NAT information using a private key belonging to endpoint 101), thus providing integrity protection and verification of who created the token. A MIC produced with a private key is a digital signature that any holder of endpoint 101’s public key (such as NAT 104 or the LwM2M server) can verify; a symmetric MIC would instead require a key shared between endpoint 101 and each verifier.
  • In some embodiments the NAT token is contained within the payload of a Network Token.
  • Table 1 illustrates the NAT token.
  • TABLE 1 - Network Token payload carrying a NAT token
    Field   Example value   Meaning
    srv     NAT             request for an address translation feature (e.g., port forwarding)
    sip     10.0.0.2        (optional) private IP address of endpoint 101
    sport   5683            (optional) port on which the application is listening
    exp     (expiry time)   (optional) minimum time for which the public address should stay allocated
    MIC     (signature)     (optional) message integrity code over the fields above, generated with endpoint 101’s private key
  • the first field of the NAT token contains the value “NAT,” which indicates a request for an address translation feature (e.g., port forwarding).
  • the other fields are optional. These other optional fields include: i) a “sip” field that contains the private address of endpoint 101, ii) a “sport” field that contains the port number on which the application is listening (which in this example is 5683); iii) an “exp” field that identifies an expiration time (this instructs NAT 104 that it should allocate the public address to endpoint 101 for at least the amount of time indicated by the exp field); and iv) the “MIC” field contains a message integrity code (a.k.a., digital signature) generated by endpoint 101 using its private key and one or more fields of the NAT token (this enables a receiver of the NAT token to verify that the NAT token was generated by endpoint 101).
  • The sip field is mainly of interest to NAT 104, whereas the sport field is also used by the LwM2M server when it records endpoint 101’s reachability information (see below).
  • After generating the NAT token, endpoint 101 generates a data packet that includes the NAT token, where the data packet is addressed to endpoint 102 (i.e., the LwM2M server in this example).
  • For example, the data packet may be an IPv4 PDU where the NAT token is included in the options portion of the header of the IPv4 PDU.
  • Alternatively, the data packet may be an IPv6 PDU where the NAT token is inserted as a Hop-by-Hop Options extension header, as defined in Section 4 of RFC 8200.
  • the data packet may contain a payload portion containing a transport layer PDU (e.g., a TCP PDU or UDP PDU).
  • the UDP PDU may include a payload portion containing a LwM2M registration message.
  • the SYN flag in the header of the TCP PDU may be set to 1 to indicate that endpoint 101 is initiating the establishment of a TCP connection.
  • After generating the data packet, endpoint 101 transmits the data packet towards the LwM2M server.
  • In some embodiments the LwM2M server is connected to, or itself provides, a lookup service (Resource Directory (RD)).
  • The lookup service is used so that other endpoints (e.g., endpoint 201) can later discover the address mapping when they want to initiate a session with endpoint 101.
  • When the data packet reaches NAT 104, NAT 104 reads the NAT token and, because the NAT token includes the NAT information (e.g., “srv:NAT”), NAT 104 understands that an address translation feature (e.g., port forwarding) is requested. Assuming the request is allowed (e.g., based on local policy, which in practice should include verifying the MIC, since the token opens an inbound path that would otherwise not exist, and treating a sip or sport that does not match the packet’s own source address and port as a sign of an upstream NAT rather than installing the token’s values blindly; see the nested-NAT discussion below), NAT 104 allocates to endpoint 101 a “public point-of-presence”, i.e., a public IP address and optionally a port number (e.g., 1234).
  • NAT 104 would then install a NAT rule that maps the allocated public point-of-presence to endpoint 101 ’s private-point-of presence, i.e., endpoint 101 ’s private IP address and optionally a port number (e.g., 5683).
  • In some embodiments the NAT rule is a “static” rule, i.e., it does not expire unless NAT 104 receives an express request to remove it; in other embodiments the rule remains in effect for at least a predetermined period of time, or until the point in time indicated by the exp field of the token.
  • NAT 104 obtains endpoint 101’s private point-of-presence from one of:
    (i) source address information contained in the data packet, e.g., NAT 104 obtains endpoint 101’s private IP address from the source address field of the IP header of the data packet and obtains the port number from the source port field of the header of the transport layer PDU included in the payload field of the data packet;
    (ii) the NAT token, e.g., NAT 104 obtains endpoint 101’s private IP address from the sip field of the NAT token and obtains the port number from the sport field of the NAT token; or
    (iii) a combination of (i) and (ii), e.g., NAT 104 obtains endpoint 101’s private IP address from the source address field of the IP header of the data packet and obtains the port number from the sport field of the NAT token.
  • A Network Token including the NAT token is visible to all middleboxes that receive the data packet, but because the Network Token is tagged for service “NAT,” non-NAT middleboxes know to ignore it. The same visibility means that the sip and sport fields expose endpoint 101’s private address and service port to every hop on the path, including endpoint 102, unless the Token is encrypted (cf. the signing and encryption options for Network Tokens noted above).
  • NAT 104 modifies the data packet by replacing the private point-of-presence with the public point-of-presence. That is, NAT 104 modifies the source address field of the IP header so that the source address field contains the public IP address that NAT 104 allocated to endpoint 101. Additionally, NAT 104 may modify the source port field of the transport layer header so that the source port field contains the port number allocated by NAT 104 to endpoint 101. After modifying the data packet, NAT 104 transmits the modified data packet towards the LwM2M server.
  • When the LwM2M server receives the data packet, the LwM2M server checks whether the data packet includes a NAT token (e.g., whether the data packet includes a Network Token having a “srv” field that contains the value “NAT”).
  • the LwM2M server initiates a process for updating service location reachability information for the endpoint 101.
  • the process includes the LwM2M obtaining an identity of endpoint 101 (e.g., endpoint 101’s private IP address, endpoint 101’s public key, a hash of endpoint 101’s public key, etc.), and then after obtaining the identity of endpoint 101 the LwM2M server creates a data record that maps the identity of endpoint 101 to endpoint 101’s public point-of-presence (i.e., the public IP address included in the source address field of the IP header and optionally the public port number included in the source port field of the transport layer header).
  • The data record may have the following form: { (endpoint identity, [private port number]) ; (public IP address, [public port number]) }, where the bracketed elements are present only when known.
  • the LwM2M server can obtain the identity of endpoint 101 (“endpoint identity”) and private port number directly from the NAT token.
  • the LwM2M server obtains the identity of endpoint 101 only after performing an authentication procedure and successfully authenticating endpoint 101.
  • the LwM2M server may itself store the data record or provide the data record to a RD for storage.
  • endpoint 201 may submit a query 290 to the LwM2M server to discover endpoint 101’s public point-of-presence. For example, query
  • the LwM2M server uses the query parameter(s) to retrieve the data record(s) matching the query parameter(s), and then the LwM2M server obtains the public IP address (and optionally the public port number) from the matching data record(s) and transmits to endpoint 201 a response
  • If the private port number was included in the NAT token (so that the LwM2M server could learn it), the LwM2M server provides to endpoint 201 only the single public point-of-presence to which the tuple (endpoint identity; private port number) is mapped (e.g., pub_ip:1234); otherwise, the LwM2M server provides all IP/port - service pairs it knows for endpoint 101 (e.g., pub_ip:1234; pub_ip:6654, etc.).
  • An example query/response is shown in the table below:
  • the LwM2M server provides reachability info of endpoint 101 to endpoint 201.
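The LwM2M server / Resource Directory side described above (process 500 and the query at 290), as an added Python example; this is not code from the patent or from Ericsson. It assumes that the IP header and option parsing has already been done so the token’s fields arrive as a dict, derives the endpoint identity as the SHA-256 hash of the endpoint’s public key (one of the identity options the text lists), takes the public point-of-presence from the header of the packet the NAT forwarded rather than from the token, and keeps the token’s exp on each record so that expired bindings are never handed out. The field names srv, sport and exp follow Table 1; the class and method names are this example’s own.

```python
"""LwM2M server / Resource Directory (FIG. 5): reachability records and queries.
Added example, not the patent's code. Assumptions: token fields arrive as a
dict (srv/sport/exp), identity = SHA-256 of the endpoint's public key, and
records keep the token's exp so stale bindings are not returned."""
import hashlib


def endpoint_identity(public_key: bytes) -> str:
    """One of the patent's identity options: a hash of the endpoint's public key."""
    return hashlib.sha256(public_key).hexdigest()


class ReachabilityDirectory:
    """{(identity, [private port]) -> [(public IP, public port, exp), ...]}"""

    def __init__(self):
        self.records = {}

    def register(self, identity, pkt_src_ip, pkt_src_port, token, authenticated, now):
        """Record a public point-of-presence from a packet the NAT forwarded.

        The public IP/port are taken from the packet header, i.e. what NAT 104
        wrote there; the token's sport is a private-side value and is only
        used as part of the key. The identity is trusted only once the
        endpoint has authenticated."""
        if not authenticated or token.get("srv") != "NAT":
            return False
        exp = token.get("exp")
        if exp is not None and exp <= now:
            return False                            # stale request: do not publish it
        key = (identity, token.get("sport"))
        entry = (pkt_src_ip, pkt_src_port, exp)
        if key[1] is not None:
            self.records[key] = [entry]             # known service port: latest binding wins
        elif entry not in self.records.setdefault(key, []):
            self.records[key].append(entry)         # unknown port: accumulate what was seen
        return True

    def lookup(self, identity, private_port=None, now=0):
        """Single PoP when the (identity, port) tuple is known, else every live PoP."""
        def live(e):
            return e[2] is None or e[2] > now
        if private_port is not None and (identity, private_port) in self.records:
            hits = self.records[(identity, private_port)]
        else:
            hits = [e for (ident, _), entries in self.records.items()
                    if ident == identity for e in entries]
        return [(e[0], e[1]) for e in hits if live(e)]
```

A query that names a private port the directory has never seen falls back to the “all known pairs” answer, which is the behaviour the text describes when the port was not carried in the token; the caller can tell the two cases apart by the length of the result.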
  • the embodiments described herein could also be used in nested NAT scenarios.
  • The first NAT (i.e., the NAT closest to endpoint 101) operates as described above, whereas subsequent NATs learn the IP address and port to use for port forwarding from the IP packet carrying the NAT token. For example, if the NAT token carries the original port on which the client wants to provide service, and a NAT notices that the received data packet has a source port that does not match the sport field in the NAT token, this indicates that there has already been a NAT earlier on the path.
  • In that case the current NAT uses the source IP address and port of the received data packet to generate its port forwarding rule, i.e., its rule forwards packets towards endpoint 101 using the source IP address and port of the received data packet carrying the NAT token instead of the information found in the NAT token.
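The endpoint-side token construction (FIG. 3), the NAT-side verification, binding and source rewrite (FIG. 4) and the nested-NAT check just described, carried through as an added Python example; this is not code from the patent or from Ericsson. It assumes a TLV layout and type codes for the Table 1 fields, HMAC-SHA256 with a key shared between endpoint 101 and NAT 104 as a stand-in for the private-key MIC (the patent’s signature would instead be verified with endpoint 101’s public key), an exp field holding an absolute Unix time, and a plain Packet record in place of real IP and UDP bytes. One practical caveat the byte layout makes visible: a token of this shape with a 32-byte MIC is 55 bytes, which cannot fit in IPv4 options (IHL is 4 bits, so at most 40 option bytes), so the IPv6 Hop-by-Hop option is the realistic carrier unless the MIC is truncated or the token is slimmed down.

```python
"""NAT token (Table 1) end to end: endpoint builds and signs it, NAT 104
verifies, binds, rewrites the source, and detects a nested NAT.
Added example, not the patent's code. Assumptions: TLV layout/type codes,
HMAC-SHA256 with a shared key standing in for the private-key MIC, 'exp' as
an absolute Unix time, and a Packet record instead of real IP/UDP bytes."""
import hashlib
import hmac
import ipaddress
import struct
from dataclasses import dataclass, replace

T_SRV, T_SIP, T_SPORT, T_EXP, T_MIC = 1, 2, 3, 4, 5   # assumed TLV type codes


@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    token: bytes = b""   # NAT token as carried in an IP header option (empty = none)


def _tlv(t, v):
    return struct.pack("!BB", t, len(v)) + v


def parse_tlvs(data):
    """Strict TLV walk: a truncated field is an error, never a silent skip."""
    out, i = {}, 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated TLV header")
        t, n = struct.unpack_from("!BB", data, i)
        i += 2
        if i + n > len(data):
            raise ValueError("truncated TLV value")
        out[t] = data[i:i + n]
        i += n
    return out


def build_nat_token(key, sip, sport, exp):
    """Endpoint 101 (FIG. 3): srv=NAT, sip, sport, exp, then the MIC last."""
    body = (_tlv(T_SRV, b"NAT") + _tlv(T_SIP, ipaddress.IPv4Address(sip).packed)
            + _tlv(T_SPORT, struct.pack("!H", sport)) + _tlv(T_EXP, struct.pack("!I", exp)))
    return body + _tlv(T_MIC, hmac.new(key, body, hashlib.sha256).digest())


def verify_nat_token(key, token, now):
    """Return {sip, sport, exp} if the token is a genuine, unexpired NAT request."""
    try:
        f = parse_tlvs(token)
    except ValueError:
        return None
    if f.get(T_SRV) != b"NAT" or T_MIC not in f:
        return None
    body = token[:len(token) - 2 - len(f[T_MIC])]          # MIC TLV must be last
    if not hmac.compare_digest(f[T_MIC], hmac.new(key, body, hashlib.sha256).digest()):
        return None
    exp = struct.unpack("!I", f[T_EXP])[0] if T_EXP in f else None
    if exp is not None and exp <= now:
        return None
    return {"sip": str(ipaddress.IPv4Address(f[T_SIP])) if T_SIP in f else None,
            "sport": struct.unpack("!H", f[T_SPORT])[0] if T_SPORT in f else None,
            "exp": exp}


class Nat:
    """NAT 104 (FIG. 4); only token-bearing packets are modelled."""

    def __init__(self, key, public_ip, allowed_prefix):
        self.key, self.public_ip = key, public_ip
        self.allowed = ipaddress.ip_network(allowed_prefix)   # local policy
        self.next_port = 1234                                 # first public port handed out
        self.rules = {}   # (public_ip, public_port) -> (private_ip, private_port, exp, nested)

    def process_outbound(self, pkt, now):
        req = verify_nat_token(self.key, pkt.token, now) if pkt.token else None
        if req is None or ipaddress.ip_address(pkt.src) not in self.allowed:
            raise PermissionError("NAT token rejected by policy")
        # Bind to the source the packet actually arrived with. A token whose
        # sip/sport differ from the header means an upstream NAT already
        # rewrote them (nested NAT); the token's values must not be installed.
        nested = req["sip"] not in (None, pkt.src) or req["sport"] not in (None, pkt.sport)
        public_port, self.next_port = self.next_port, self.next_port + 1
        self.rules[(self.public_ip, public_port)] = (pkt.src, pkt.sport, req["exp"], nested)
        return replace(pkt, src=self.public_ip, sport=public_port)   # token stays in place

    def process_inbound(self, pkt, now):
        rule = self.rules.get((pkt.dst, pkt.dport))
        if rule is None or (rule[2] is not None and rule[2] <= now):
            return None                                       # no live rule: drop
        return replace(pkt, dst=rule[0], dport=rule[1])
```

The token is left in the forwarded packet on purpose, since the server checks for it; a NAT that stripped it would break the registration step. The binding always uses the header source, so a token that names some other host in sip cannot be used to open a pinhole to that host.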
  • a Router Alert can be used to signal intermediary middle-boxes that a data packet containing the RA contains relevant information.
  • Endpoint 101 may use a specific RA value to indicate that there is a need for port-forwarding. That is, by defining a new RA value, the new RA value can be used to indicate to the NAT 104 that port forwarding is requested.
  • the NAT token is implemented using an RA.
  • FIG. 3 is a flowchart illustrating a process 300, according to an embodiment, that is performed by endpoint 101 (a.k.a., endpoint apparatus 101).
  • Process 300 may begin in step s302.
  • Step s302 comprises generating a network layer (e.g., IP layer) PDU comprising a header comprising a destination address field containing a destination address for endpoint 102 and a source address field containing a source address for endpoint 101 (e.g. 10.0.0.2).
  • the network layer PDU comprises a NAT token indicating that endpoint 101 is requesting an address translation feature.
  • Step s304 comprises transmitting the network layer PDU towards endpoint 102.
  • FIG. 4 is a flowchart illustrating a process 400, according to an embodiment, that is performed by NAT 104 (a.k.a., NAT apparatus 104).
  • Process 400 may begin in step s402.
  • Step s402 comprises receiving a network layer PDU transmitted by endpoint 101, the network layer PDU comprising a header comprising a destination address field containing a destination address for endpoint 102 (e.g., LwM2M server) and a source address field containing a source address for endpoint 101 (e.g. 10.0.0.2).
  • Step s404 comprises determining whether the network layer PDU comprises a NAT token indicating that endpoint 101 is requesting an address translation feature.
  • Step s406 comprises, after determining that the network layer PDU comprises the NAT token, allocating at least a public network layer address for endpoint 101.
  • Step s408 comprises generating a modified version of the received network layer PDU.
  • Step s410 comprises forwarding towards endpoint 102 the modified version of the received network layer PDU.
  • the NAT token comprises the source address for endpoint 101.
  • the network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number (e.g., 5683), and the NAT token comprises the source port number.
  • the modified version of the received network layer PDU comprises a header comprising a destination address field containing the destination address for the server apparatus and a source address field containing the public network layer address allocated to the first endpoint apparatus.
  • process 400 also includes, after determining that the received network layer PDU comprises the NAT token, allocating a source port number for endpoint 101, wherein the modified version of the received network layer PDU comprises a transport layer PDU that comprises a transport layer header, and the transport layer header comprises a source port field containing the source port number allocated for the endpoint 101.
  • FIG. 5 is a flowchart illustrating a process 500, according to an embodiment, that is performed by a server apparatus (e.g., the LwM2M server). Process 500 may begin in step s502.
  • Step s502 comprises receiving a network layer PDU transmitted by NAT 104, the network layer PDU comprising a header comprising a destination address field containing a destination address for the server apparatus and a source address field containing a public source address allocated to endpoint 101.
  • Step s504 comprises determining whether the network layer PDU comprises a NAT token indicating that endpoint 101 is requesting an address translation feature.
  • Step s506 comprises storing mapping information mapping an identity of endpoint 101 to the public source address allocated to endpoint 101.
  • the identity is a public key belonging to the first endpoint or is an identity generated using the public key (e.g., a hash of the public key).
  • the NAT token comprises a non-public network layer address for the first endpoint apparatus, and the identity is the non-public network layer address.
  • In some embodiments the NAT token comprises a port number identifying a port on which the first endpoint apparatus is listening, and the mapping information maps the identity of endpoint 101 to the public source address by mapping to the public source address a tuple comprising the identity of endpoint 101 and the port number.
  • the received network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number selected by the NAT apparatus, and the mapping information maps the tuple comprising the identity of the first endpoint apparatus and the port number to both the public source address allocated to the first endpoint apparatus and the source port number selected by the NAT apparatus.
  • the network layer PDU comprises a hop-by-hop extension header and the NAT token is contained within the hop-by-hop extension header.
  • the NAT token is contained within the header of the network layer PDU.
  • the header of the network layer PDU comprises an options field and the NAT token is contained with the options field of the header.
  • the options field comprises an option type value of 148 (i.e., Router Alert).
  • In some embodiments the NAT token is a 1-bit flag.
  • the NAT token is a Network Token or contained within a payload of a Network Token.
  • the network layer PDU further comprises a payload
  • the payload comprises a Transmission Control Protocol, TCP, PDU having a SYN flag, and the SYN flag is set to 1.
  • FIG. 6 is a block diagram of network node 600, according to some embodiments, that can implement any one or more of the network nodes described herein (e.g., endpoint 101, endpoint 102, NAT 104). That is, network node 600 can perform any one or more of the above described methods. As shown in FIG. 6,
  • network node 600 may comprise: processing circuitry (PC) 602, which may include one or more processors (P) 655 (e.g., a general purpose microprocessor and/or one or more other processors, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), and the like), which processors may be co-located in a single housing or in a single data center or may be geographically distributed (i.e., network node 600 may be a distributed computing apparatus); at least one network interface 648 comprising a transmitter (Tx) 645 and a receiver (Rx) 647 for enabling network node 600 to transmit data to and receive data from other nodes connected to a network 110 (e.g., an Internet Protocol (IP) network) to which network interface 648 is connected (directly or indirectly) (e.g., network interface 648 may be wirelessly connected to the network 110, in which case network interface 648 is connected to an antenna arrangement); and a storage unit (a.k.a., “data storage system
  • a computer readable medium (CRM) 642 may be provided.
  • CRM 642 stores a computer program (CP) 643 comprising computer readable instructions (CRI) 644.
  • CRM 642 may be a non- transitory CRM, such as, magnetic media (e.g., a hard disk), optical media, memory devices (e.g., random access memory, flash memory), and the like.
  • the CRI 644 of computer program 643 is configured such that when executed by PC 602, the CRI causes network node 600 to perform steps described herein (e.g., steps described herein with reference to the flow charts).
  • network node 600 may be configured to perform steps described herein without the need for code. That is, for example, PC 602 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and/or software.

Abstract

A method (300) performed by a first endpoint apparatus (101). The method includes generating (s302) a network layer (e.g., IP layer) protocol data unit, PDU, comprising: i) a header comprising a destination address field containing a destination address for a second endpoint apparatus (102) and a source address field containing a source address for the first endpoint apparatus (e.g. 10.0.0.2). The method also includes transmitting (s304) the network layer PDU towards the second endpoint apparatus. The network layer PDU comprises a network address translator, NAT, token indicating that the first endpoint apparatus is requesting an address translation feature.

Description

NETWORK ADDRESS TRANSLATION
TECHNICAL FIELD
[001] Disclosed are embodiments related to network address translation.
BACKGROUND
[002] Network Address Translation
[003] Network Address Translation is a process that enables a first endpoint that does not have a public Internet Protocol (IP) address to communicate with a second endpoint connected to the Internet. Basic NAT is described in Internet Engineering Task Force (IETF) Request for Comments (RFC) 3022.
[004] The NAT process typically involves a network address translator (NAT) (often a router, gateway, software defined networking (SDN) controller, firewall, etc.) allocating (a.k.a., “binding”) a public address (and possibly also a transport layer port number) to the first endpoint for a limited amount of time. When the NAT receives a data packet transmitted by the first endpoint, the NAT modifies the data packet by, for example, replacing the source IP address with the public IP address allocated to the first endpoint (the NAT may also replace the source port number with a port number allocated by the NAT to the first endpoint) and then forwards the modified data packet towards the second endpoint. Similarly, when the NAT receives a data packet transmitted by the second endpoint and destined for the first endpoint, the NAT modifies the data packet by, for example, replacing the destination IP address with the private IP for the first endpoint (the NAT may also replace the destination port number with a port number selected by first endpoint) and then forwards the modified data packet towards the first endpoint. In this way, network address translation allows the NAT to act as an intermediary or agent between a private network to which the first endpoint is connected and the Internet. NAT’s main purpose is to conserve the number of public IP addresses in use, for both security and economic goals.
[005] Protocols for Constrained Devices
[006] The Constrained Application Protocol (CoAP) is a generic Representational State Transfer (REST) application protocol for constrained devices, and is described in the Internet Engineering Task Force (IETF) Request for Comments (RFC) 7252. CoAP is designed to be used over the User Datagram Protocol (UDP) (see RFC 768) over an Internet Protocol (IP) network, such as the Internet.
[007] The Lightweight Machine-to-Machine (LWM2M) protocol is a device management framework that uses CoAP (as well as other protocols) as a transfer protocol. In some deployments of LWM2M it has been found that several factors impair the traffic to/from the constrained devices. According to a publication by K. Edeline et al. (available at arxiv(dot)org/pdf/1612.07816), complete blocking of UDP happens in about 2% to 4% of terrestrial access networks, and in most of these networks the mean NAT binding for UDP sessions lasts for 2 or 3 minutes. This presents connectivity problems in real deployments.
[008] LWM2M informally palliates this issue by sending continuous keep-alive messages that keep the NAT binding open. Another alternative has been to use CoAP over the Transmission Control Protocol (TCP) because NAT gateways keep longer bindings for TCP traffic.
[009] Network Tokens
[0010] A Network Token is a set of information (usually a small piece of data) inserted by an endpoint into a packet (e.g., an IP packet). Among other things, a Network Token enables the endpoint to coordinate with a network device about how the endpoint’s traffic is treated. Network Tokens are described in an Internet-Draft authored by Y. Yiakoumis (available at datatracker(dot)ietf(dot)org/doc/html/draft-yiakoumis-network-tokens-02).
[0011] An endpoint can add a Network Token (or “Token” for short) to an existing protocol header (e.g., a Token can be carried by an IPv6 Hop-by-hop option, or as an IPv4 option) and the Token may be signed or encrypted to meet security and privacy requirements. Tokens provide a means for network operators to expose data path services (such as a zero-rating service, a user-driven Quality-of-Service (QoS) service, or a firewall whitelist), and for end users and application providers to access such services. Tokens can be seen as network cookies that allow personalizing network functionality, allowing users to tailor these services by expressing their preferences.
[0012] As defined in the Internet-Draft, a Network Token contains the following three fields: (1) Reflect Type (4 bits) (this field indicates reflection properties for the Token); (2) Token Descriptor ID (28 bits) (this is an ID that helps the network decide whether and how to interpret Tokens); and (3) a payload (depending on the application, the Token payload might be a set of type-length-value (TLV) encoded values or it might have its own custom format).
[0013] Router Alerts
[0014] Router Alerts are defined in RFC 2113. A Router Alert is an IP option type. By placing a Router Alert in an IP header, an endpoint is able to alert a router that receives the IP packet that the router should examine the IP packet. A Router Alert, as defined in RFC 2113, consists of 4 octets: the first octet encodes a type value, the second octet encodes a length value (which is set to 2), and the last two octets are the payload of the Router Alert. When the payload is set to a value of 0, this signals to a router that receives the packet containing the Router Alert that the router should examine the packet more closely. Payload values 1-65535 are currently reserved.
SUMMARY
[0015] Certain challenges presently exist. For example, many networks, including mobile networks, employ NAT on their external facing interfaces such that a first endpoint located behind the NAT does not have its own public IP address, and this has been a well-known problem because it impedes a second endpoint located on the other side of the NAT from initiating a connection with the first endpoint that is situated behind the NAT (e.g., firewall or router). In such scenarios, if the first endpoint situated behind the NAT wants to act as a server (e.g., if it wants to accept incoming connection requests), the NAT needs to allocate at least a public IP address to the first endpoint so that the first endpoint (acting as server) can be reached by the second endpoint.
[0016] For example, assume that the first endpoint is allocated the private IP address 10.0.0.2 and wants to serve on port 5683 (i.e., the first endpoint is listening for incoming packets on port 5683, which may be a UDP port or a TCP port); in this scenario the NAT needs to perform address translation (e.g., allocate a public IP address for the first endpoint and optionally also allocate a port number (e.g. 1234) for the first endpoint) to enable the second endpoint to initiate communication with the first endpoint. In this example (assuming that both a public IP address and port number are allocated to the first endpoint), the NAT would have to be configured with a NAT rule indicating that, when the NAT receives a data packet wherein the destination IP address is a public IP address allocated by the NAT to the first endpoint and the destination port is 1234, the NAT should modify the data packet to replace the destination IP address with 10.0.0.2 (i.e., the address of the first endpoint behind the NAT) and replace the destination port with 5683 (i.e., the port number on which the first endpoint is listening for incoming data packets), and then transmit the modified data packet toward the first endpoint. Hence, it would be beneficial to provide the first endpoint with a mechanism to inform the NAT that address translation is required.
[0017] Accordingly, there is provided a first endpoint that is configured to generate a network layer protocol data unit (PDU), comprising: i) a header comprising a destination address field containing a destination address for a second endpoint apparatus and a source address field containing a source address for the first endpoint apparatus. The network layer PDU comprises a network address translator, NAT, token indicating that the first endpoint apparatus is requesting an address translation feature (e.g., request allocation of a public IP address and/or a port for port forwarding). The first endpoint is further configured to transmit the network layer PDU towards the second endpoint apparatus.
[0018] There is also provided a NAT that is configured to: receive a network layer PDU transmitted by a first endpoint apparatus, the network layer PDU comprising a header comprising a destination address field containing a destination address for a second endpoint apparatus and a source address field containing a source address for the first endpoint apparatus. The NAT is further configured to determine whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature. The NAT is further configured to, after determining that the network layer PDU comprises the NAT token, allocate at least a public network layer address for the first endpoint apparatus. The NAT is further configured to generate a modified version of the received network layer PDU. And the NAT is further configured to forward towards the second endpoint apparatus the modified version of the received network layer PDU.
[0019] There is also provided a server that is configured to receive a network layer PDU transmitted by a NAT, the network layer PDU comprising: i) a header comprising a destination address field containing a destination address for the server apparatus and a source address field containing a public source address allocated to at least a first endpoint apparatus. The server is further configured to determine whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature. The server is further configured to store mapping information mapping an identity of the first endpoint apparatus to the public source address.
[0020] There is also provided a computer program comprising instructions which when executed by processing circuitry of a network node causes the network node to perform any of the methods disclosed herein. In one embodiment, there is provided a carrier containing the computer program wherein the carrier is one of an electronic signal, an optical signal, a radio signal, and a computer readable storage medium.
[0021] An advantage of the embodiments disclosed herein is that they enable an endpoint (e.g., a constrained device or other communication device) that is located behind a NAT to easily request and be assigned a public IP address and/or a port for port forwarding. Also, embodiments enable the endpoint’s “public point-of-presence” (e.g., assigned public IP address and port) to be made available to other endpoints located on the other side of the NAT.
BRIEF DESCRIPTION OF THE DRAWINGS
[0022] The accompanying drawings, which are incorporated herein and form part of the specification, illustrate various embodiments.
[0023] FIG. 1 illustrates a communication system according to some embodiments.
[0024] FIG. 2 is a message flow diagram illustrating a process according to some embodiments.
[0025] FIG. 3 is a flowchart illustrating a process according to some embodiments.
[0026] FIG. 4 is a flowchart illustrating a process according to some embodiments.
[0027] FIG. 5 is a flowchart illustrating a process according to some embodiments.
[0028] FIG. 6 is a block diagram of a network node according to some embodiments.
DETAILED DESCRIPTION
[0029] FIG. 1 illustrates a communication system 100 according to an embodiment. Communication system 100 includes: a NAT apparatus 104 (or “NAT 104” for short); a first endpoint apparatus 101 (or “endpoint 101” for short) located “behind” the NAT; and a second endpoint 102. In the embodiment of FIG. 1, both NAT 104 and endpoint 102 are connected (directly or indirectly) to a network 110 (e.g., the Internet).
[0030] FIG. 2 is a message flow diagram illustrating a process according to an embodiment. In this embodiment, endpoint 101 is an Internet-of-Things (IoT) device (e.g. a cellular IoT (CIoT) device), endpoint 102 is a LwM2M server, and the endpoints 101, 102 communicate using the CoAP protocol. This is just for illustration and does not limit the scope of this disclosure. That is, the methods described herein can work with other protocols, such as the Message Queuing Telemetry Transport (MQTT) protocol, the Hypertext Transfer Protocol (HTTP), etc. Additionally, FIG. 2 illustrates the procedure by which endpoint 101 registers with the LwM2M server.
[0031] The process begins with endpoint 101 running an application that listens on a particular port number for incoming data packets. In this example, the port number is 5683 because the application is functioning as a CoAP server. If the application were to function as an HTTP server, then the port number may be 80.
[0032] Next, endpoint 101 creates a NAT token comprising information for informing NAT 104 that endpoint 101 is requesting an address translation feature (e.g., is requesting NAT 104 to bind (allocate) at least a public IP address to endpoint 101). In one embodiment, the NAT token or information included therein is signed by endpoint 101 (e.g., the NAT token further comprises a message integrity code (MIC) generated using a private key belonging to endpoint 101 and the NAT information) thus providing integrity protection and verification about who created the token.
[0033] In this example, the NAT token is contained within the payload of a Network Token. Table 1 below illustrates the NAT token.
TABLE 1 - Network Token Payload includes a NAT token
(Table 1 is reproduced as an image in the original; the fields it lists, srv, sip, sport, exp and MIC, are described in paragraph [0034].)
[0034] The first field of the NAT token (i.e., “srv”) contains the value “NAT,” which indicates a request for an address translation feature (e.g., port forwarding). In this example, the other fields are optional. These other optional fields include: i) a “sip” field that contains the private address of endpoint 101; ii) a “sport” field that contains the port number on which the application is listening (which in this example is 5683); iii) an “exp” field that identifies an expiration time (this instructs NAT 104 that it should allocate the public address to endpoint 101 for at least the amount of time indicated by the exp field); and iv) a “MIC” field that contains a message integrity code (a.k.a., digital signature) generated by endpoint 101 using its private key and one or more fields of the NAT token (this enables a receiver of the NAT token to verify that the NAT token was generated by endpoint 101). The sip field is mainly of interest to the NAT 104, while the sport field could be relevant to the LwM2M server or to clients connecting to the IoT endpoint later.
[0035] After generating the NAT token, endpoint 101 generates a data packet that includes the NAT token, where the data packet is addressed to endpoint 102 (i.e., the LwM2M server in this example). The data packet may be an IPv4 PDU where the NAT token is included in the options portion of the header of the IPv4 PDU. As another example, the data packet may be an IPv6 PDU where the NAT token is inserted as a Hop-by-Hop Extension header, as defined in Section 4 of RFC 8200.
[0036] The data packet may contain a payload portion containing a transport layer PDU (e.g., a TCP PDU or UDP PDU). In some embodiments where the data packet contains a UDP PDU, the UDP PDU may include a payload portion containing a LwM2M registration message. In some embodiments where the data packet contains a TCP PDU, the SYN flag in the header of the TCP PDU may be set to 1 to indicate that endpoint 101 is initiating the establishment of a TCP connection.
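The encoding below is an added worked example of the token described in paragraphs [0012] and [0032] to [0034]; it is not code from the patent application or from Ericsson. The Network Token header (4-bit Reflect Type followed by a 28-bit Token Descriptor ID) and the TLV-encoded NAT token fields srv, sip, sport, exp and MIC follow the description above, but the TLV type codes, the descriptor ID value and the use of HMAC-SHA256 with a shared key in place of the page's private-key signature are assumptions made for this example. The verifier also shows the behaviour of paragraph [0043]: a token whose srv field is not “NAT” is ignored.

```python
"""Encode and verify a NAT token carried in a Network Token payload (added example)."""
import hashlib
import hmac
import ipaddress
import struct
import time

# Assumed TLV type codes for the NAT token fields named in [0034].
T_SRV, T_SIP, T_SPORT, T_EXP, T_MIC = 1, 2, 3, 4, 5
# Assumed 28-bit Token Descriptor ID telling the network this is a NAT token.
NAT_DESCRIPTOR_ID = 0x0000ABC


def _tlv(tlv_type, value):
    """One type-length-value element: 1-byte type, 1-byte length, value."""
    return struct.pack("!BB", tlv_type, len(value)) + value


def build_nat_token(private_ip, listen_port, lifetime_s, key, now=None):
    """Return a Network Token whose payload is a NAT token for `private_ip:listen_port`.

    The MIC covers the Network Token header and every field before it, so a
    receiver can detect tampering with sip/sport/exp.  `key` stands in for
    endpoint 101's private key (assumption: HMAC instead of a digital signature).
    """
    now = int(time.time()) if now is None else now
    reflect_type = 0
    header = struct.pack("!I", (reflect_type << 28) | (NAT_DESCRIPTOR_ID & 0x0FFFFFFF))
    fields = (
        _tlv(T_SRV, b"NAT")
        + _tlv(T_SIP, ipaddress.ip_address(private_ip).packed)
        + _tlv(T_SPORT, struct.pack("!H", listen_port))
        + _tlv(T_EXP, struct.pack("!I", now + lifetime_s))
    )
    mic = hmac.new(key, header + fields, hashlib.sha256).digest()
    return header + fields + _tlv(T_MIC, mic)  # MIC is always the last TLV


def parse_network_token(blob):
    """Split a Network Token into (reflect_type, descriptor_id, {tlv_type: value})."""
    if len(blob) < 4:
        raise ValueError("Network Token shorter than its 4-byte header")
    word, = struct.unpack("!I", blob[:4])
    tlvs, off = {}, 4
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated TLV header")
        tlv_type, length = struct.unpack("!BB", blob[off:off + 2])
        if off + 2 + length > len(blob):
            raise ValueError("truncated TLV value")
        tlvs[tlv_type] = blob[off + 2:off + 2 + length]
        off += 2 + length
    return word >> 28, word & 0x0FFFFFFF, tlvs


def verify_nat_token(blob, key, now=None):
    """Return the decoded NAT token as a dict, or None if it is not a valid NAT request.

    None is returned for a token tagged for another service ([0043]: non-NAT
    tokens are ignored), for a missing or wrong MIC, and for an expired exp.
    """
    now = int(time.time()) if now is None else now
    _, descriptor, tlvs = parse_network_token(blob)
    if descriptor != NAT_DESCRIPTOR_ID or tlvs.get(T_SRV) != b"NAT":
        return None
    mic = tlvs.get(T_MIC)
    if mic is None:
        return None
    signed_len = len(blob) - (2 + len(mic))  # everything before the MIC TLV
    expected = hmac.new(key, blob[:signed_len], hashlib.sha256).digest()
    if not hmac.compare_digest(mic, expected):
        return None
    exp = struct.unpack("!I", tlvs[T_EXP])[0] if T_EXP in tlvs else None
    if exp is not None and exp <= now:
        return None
    return {
        "srv": "NAT",
        "sip": str(ipaddress.ip_address(tlvs[T_SIP])) if T_SIP in tlvs else None,
        "sport": struct.unpack("!H", tlvs[T_SPORT])[0] if T_SPORT in tlvs else None,
        "exp": exp,
    }
```

A NAT that installs forwarding rules on the strength of this token should treat the MIC check as mandatory: without it any host on the private side could request a public point-of-presence for an address and port it does not own.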
[0037] After generating the data packet, endpoint 101 transmits the data packet towards the LwM2M server. The LwM2M server is connected to, or itself provides, a lookup service (Resource Directory (RD)). The lookup service is used to discover the address mapping later when other endpoints (e.g., endpoint 201) want to initiate a session with endpoint 101.
[0038] When the data packet reaches NAT 104, NAT 104 reads the NAT token, and, because the NAT token includes the NAT information (e.g., “srv:NAT”), NAT 104 understands that an address translation feature (e.g., port forwarding) is requested. Assuming the address translation is allowed (e.g., based on local policy), NAT 104 would allocate to endpoint 101 a “public point-of-presence”, i.e., NAT 104 allocates a public IP address and optionally a port number (e.g., 1234). NAT 104 would then install a NAT rule that maps the allocated public point-of-presence to endpoint 101’s private point-of-presence, i.e., endpoint 101’s private IP address and optionally a port number (e.g., 5683). In some embodiments, the NAT rule is a “static” rule, i.e., the rule does not expire unless NAT 104 receives an express request to expire the rule, or the rule remains in effect for at least a predetermined period of time, or the rule remains in effect until a point in time indicated by the exp field of the token.
[0039] NAT 104 obtains endpoint 101’s private point-of-presence from:
[0040] (i) source address information contained in the data packet (e.g., NAT 104 obtains endpoint 101’s private IP address from the source address field of the IP header of the data packet and NAT 104 obtains the port number from the source port field of the header of the transport layer PDU included in the payload field of the data packet);
[0041] (ii) the NAT token (e.g., NAT 104 obtains endpoint 101’s private IP address from the sip field of the NAT token and NAT 104 obtains the port number from the sport field of the NAT token); or
[0042] (iii) a combination of (i) and (ii) (e.g., NAT 104 obtains endpoint 101’s private IP address from the source address field of the IP header of the data packet and NAT 104 obtains the port number from the sport field of the NAT token).
[0043] It is noted that a Network Token including the NAT token is visible to all middleboxes that receive the data packet, but because the Network Token is tagged for service “NAT,” non-NAT middleboxes can know to ignore the Network Token.
[0044] After receiving the data packet, NAT 104 modifies the data packet by replacing the private point-of-presence with the public point-of-presence. That is, NAT 104 modifies the source address field of the IP header so that the source address field contains the public IP address that NAT 104 allocated to endpoint 101. Additionally, NAT 104 may modify the source port field of the transport layer header so that the source port field contains the port number allocated by NAT 104 to endpoint 101. After modifying the data packet, NAT 104 transmits the modified data packet towards the LwM2M server.
[0045] When the LwM2M server receives the data packet, the LwM2M server will check to see if the data packet includes a NAT token (e.g., the LwM2M server will check to see if the data packet includes a Network Token having a “srv” field that contains the value “NAT”).
[0046] In one embodiment, as a result of determining that the data packet includes the NAT token, the LwM2M server initiates a process for updating service location reachability information for endpoint 101. For example, the process includes the LwM2M server obtaining an identity of endpoint 101 (e.g., endpoint 101’s private IP address, endpoint 101’s public key, a hash of endpoint 101’s public key, etc.), and then, after obtaining the identity of endpoint 101, the LwM2M server creates a data record that maps the identity of endpoint 101 to endpoint 101’s public point-of-presence (i.e., the public IP address included in the source address field of the IP header and optionally the public port number included in the source port field of the transport layer header). The data record may have the following form: {(endpoint identity, [private port number]); (public IP address, [public port number])}. In some embodiments, the LwM2M server can obtain the identity of endpoint 101 (“endpoint identity”) and the private port number directly from the NAT token. In other embodiments, the LwM2M server obtains the identity of endpoint 101 only after performing an authentication procedure and successfully authenticating endpoint 101. The LwM2M server may itself store the data record or provide the data record to an RD for storage.
[0047] The above process can be repeated one or more times to enable endpoint 101 to register multiple services with the LwM2M server. Accordingly, the following N number of data records can be created:
1. {(endpoint identity, 5683); (pub_IP, 1234)}
2. {(endpoint identity, 80); (pub_IP, 6654)}
N. {(endpoint_identity, 23); (pub_IP, 8765)}.
[0048] After the data record(s) is/are created, endpoint 201 may submit a query 290 to the LwM2M server to discover endpoint 101’s public point-of-presence. For example, query 290 includes the endpoint identity for endpoint 101 as one query parameter (the query may also include the private port number as another query parameter). Upon receiving query 290, the LwM2M server uses the query parameter(s) to retrieve the data record(s) matching the query parameter(s), and then the LwM2M server obtains the public IP address (and optionally the public port number) from the matching data record(s) and transmits to endpoint 201 a response 291 that contains the obtained information.
[0049] If the query includes a specific private port number (e.g. 5683) as a query parameter, then the LwM2M server only provides to endpoint 201 the single public point-of-presence to which the tuple (endpoint identity; private port number) is mapped (e.g., pub_ip:1234); this requires that the private port number was included in the NAT token so that the LwM2M server could learn it. Otherwise, the LwM2M server provides all known IP/port service pairs (e.g. pub_ip:1234; pub_ip:6654, etc.) that it knows for endpoint 101. An example query/response is shown in the table below:
TABLE 2
(Table 2 is reproduced as an image in the original; it shows the example query and response described in paragraphs [0048] and [0049].)
[0050] In this way, the LwM2M server provides reachability info of endpoint 101 to endpoint 201.
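The record store below is an added example modelling the server-side behaviour of paragraphs [0045] to [0049]; it is not code from the patent application or from Ericsson. Packets are constructed dicts in which the NAT has already rewritten the source address and port, and the decoded NAT token (if any) is carried under a "nat_token" key; a real implementation would take these values from the IP and transport headers and from the Network Token. The choice of the token's sip field as the endpoint identity when no authenticated public key is available, and the truncated SHA-256 of the public key otherwise, are assumptions for the example.

```python
"""Reachability records kept by the LwM2M server or Resource Directory (added example)."""
import hashlib


class ReachabilityStore:
    """Maps (endpoint identity, private port) -> (public IP, public port).

    Mirrors the record form {(endpoint identity, [private port]); (public IP,
    [public port])} of [0046]; a private port of None means the NAT token did
    not carry a sport field.
    """

    def __init__(self):
        self.records = {}  # {identity: {private_port_or_None: (pub_ip, pub_port)}}

    def on_packet(self, pkt, authenticated_pubkey=None):
        """Process one received packet; return the record created, or None if none."""
        tok = pkt.get("nat_token")
        if not tok or tok.get("srv") != "NAT":
            return None  # [0045]: no NAT token, nothing to register
        # Identity: an authenticated public key (hashed) when available, else the
        # token's sip field ([0046] lists both as possible identities).
        if authenticated_pubkey is not None:
            identity = hashlib.sha256(authenticated_pubkey).hexdigest()[:16]
        elif tok.get("sip"):
            identity = tok["sip"]
        else:
            return None  # cannot name the endpoint, so no mapping is stored
        private_port = tok.get("sport")  # None when the token omitted it
        public_pop = (pkt["src_ip"], pkt["src_port"])  # as rewritten by the NAT
        self.records.setdefault(identity, {})[private_port] = public_pop
        return {"identity": identity, "private_port": private_port, "public": public_pop}

    def query(self, identity, private_port=None):
        """Answer query 290 ([0049]): one public point-of-presence or all known ones.

        A query naming a private port can only be answered if that port was in
        the NAT token when the record was created; otherwise it returns [].
        """
        known = self.records.get(identity, {})
        if private_port is not None:
            pop = known.get(private_port)
            return [pop] if pop else []
        return sorted(known.values())
```

Because anyone who can query the server learns where endpoint 101 is reachable, a deployment would normally restrict query 290 to authenticated clients and only accept the identity of the registering endpoint after the authentication step that [0046] describes.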
[0051] Nested NATs
[0052] The embodiments described herein could also be used in nested NAT scenarios. The first NAT (i.e., the NAT closest to endpoint 101) would operate just as explained above. The subsequent NATs learn the IP address and port to use for port forwarding from the IP packet carrying the NAT token. For example, if the NAT token carries the original port the client wants to provide service on, and the NAT notices that the received data packet has a source port not matching the sport number in the NAT Token, it is an indication that there has already earlier been a NAT on the path. In this case, the current NAT uses the source IP and port information of the received data packet to generate the port forwarding rule, i.e. its port forwarding rule will forward packets towards endpoint 101 using the source IP and port of the received data packet carrying the NAT token instead of the information found in the NAT token.
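The class below is an added example of the NAT-side processing of paragraphs [0038] to [0044] together with the nested-NAT rule of paragraph [0052]; it is not code from the patent application or from Ericsson. Packets are constructed dicts rather than real IP/UDP headers, the decoded NAT token travels under a "nat_token" key, and the public address pool, the policy hook, the port allocation order and the 120-second lifetime for ordinary bindings are assumptions. It goes one step beyond the text in cross-checking the token's sip field against the packet's source address before using it, so that a host cannot obtain a forwarding rule for a private address it did not send from.

```python
"""Token-aware NAT: install a forwarding rule when a NAT token asks for one (added example)."""
import time


class TokenAwareNat:
    """One public IP address; rules map (public IP, public port) -> (private IP, private port, expiry)."""

    DYNAMIC_LIFETIME = 120  # assumed lifetime of an ordinary (non-token) UDP binding, seconds

    def __init__(self, public_ip, allow_fn=None, clock=time.time):
        self.public_ip = public_ip
        self.allow = allow_fn or (lambda pkt, tok: True)  # local policy hook of [0038]
        self.clock = clock
        self.next_port = 1234  # assumed start of the allocation range
        self.rules = {}

    def _allocate_port(self):
        port = self.next_port
        while (self.public_ip, port) in self.rules:
            port += 1
        self.next_port = port + 1
        return port

    def _find_rule(self, private_pop):
        for pub, (ip, port, _) in self.rules.items():
            if (ip, port) == private_pop:
                return pub
        return None

    def _expire(self, now):
        for pub in [p for p, r in self.rules.items() if r[2] is not None and r[2] <= now]:
            del self.rules[pub]

    @staticmethod
    def _private_pop(pkt, tok):
        """Where the forwarding rule should point ([0040]-[0042], [0052])."""
        sip, sport = tok.get("sip"), tok.get("sport")
        if sport is not None and sport != pkt["src_port"]:
            # [0052]: the source port no longer matches the token, so a NAT upstream
            # already translated this packet; forward to the source this NAT sees.
            return pkt["src_ip"], pkt["src_port"]
        if sip is not None and sip != pkt["src_ip"]:
            # Added check: never forward to an address the packet did not come from.
            return pkt["src_ip"], pkt["src_port"]
        return pkt["src_ip"], (sport if sport is not None else pkt["src_port"])

    def outbound(self, pkt):
        """Translate a packet leaving the private side; returns (modified packet, public pop)."""
        now = self.clock()
        self._expire(now)
        tok = pkt.get("nat_token")
        requested = bool(tok) and tok.get("srv") == "NAT" and self.allow(pkt, tok)
        if requested:
            private_pop = self._private_pop(pkt, tok)
            expiry = tok.get("exp")  # None: static rule until expressly removed ([0038])
        else:
            private_pop = (pkt["src_ip"], pkt["src_port"])
            expiry = now + self.DYNAMIC_LIFETIME
        pub = self._find_rule(private_pop) or (self.public_ip, self._allocate_port())
        self.rules[pub] = (private_pop[0], private_pop[1], expiry)
        # [0044]: rewrite the source address and port; the token itself is left in place
        # so that the server (and any further NAT) can still see it.
        return dict(pkt, src_ip=pub[0], src_port=pub[1]), pub

    def inbound(self, pkt):
        """Translate a packet from the Internet; None means no rule matched (dropped)."""
        self._expire(self.clock())
        rule = self.rules.get((pkt["dst_ip"], pkt["dst_port"]))
        if rule is None:
            return None
        return dict(pkt, dst_ip=rule[0], dst_port=rule[1])

    def remove_rule(self, pub):
        """Express request to expire a rule ([0038])."""
        return self.rules.pop(pub, None) is not None
```

Chaining two instances reproduces the nested case: the second NAT sees the first NAT's public address and port as the source, notices that the port differs from the token's sport, and installs its rule towards that address instead of the private one named in the token.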
[0053] With respect to Router Alerts, a Router Alert (RA) can be used to signal intermediary middleboxes that a data packet containing the RA contains relevant information. Endpoint 101 may use a specific RA value to indicate that there is a need for port forwarding. That is, by defining a new RA value, the new RA value can be used to indicate to the NAT 104 that port forwarding is requested. Thus, in some embodiments, the NAT token is implemented using an RA.
[0054] FIG. 3 is a flowchart illustrating a process 300, according to an embodiment, that is performed by endpoint 101 (a.k.a., endpoint apparatus 101). Process 300 may begin in step s302. Step s302 comprises generating a network layer (e.g., IP layer) PDU comprising a header comprising a destination address field containing a destination address for endpoint 102 and a source address field containing a source address for endpoint 101 (e.g. 10.0.0.2). The network layer PDU comprises a NAT token indicating that endpoint 101 is requesting an address translation feature. Step s304 comprises transmitting the network layer PDU towards endpoint 102.
[0055] FIG. 4 is a flowchart illustrating a process 400, according to an embodiment, that is performed by NAT 104 (a.k.a., NAT apparatus 104). Process 400 may begin in step s402.
[0056] Step s402 comprises receiving a network layer PDU transmitted by endpoint 101, the network layer PDU comprising a header comprising a destination address field containing a destination address for endpoint 102 (e.g., LwM2M server) and a source address field containing a source address for endpoint 101 (e.g. 10.0.0.2).
[0057] Step s404 comprises determining whether the network layer PDU comprises a NAT token indicating that endpoint 101 is requesting an address translation feature.
[0058] Step s406 comprises, after determining that the network layer PDU comprises the NAT token, allocating at least a public network layer address for endpoint 101.
[0059] Step s408 comprises generating a modified version of the received network layer PDU.
[0060] Step s410 comprises forwarding towards endpoint 102 the modified version of the received network layer PDU.
[0061] In some embodiments, the NAT token comprises the source address for endpoint 101.
[0062] In some embodiments, the network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number (e.g., 5683), and the NAT token comprises the source port number.
[0063] In some embodiments, the modified version of the received network layer PDU comprises a header comprising a destination address field containing the destination address for the server apparatus and a source address field containing the public network layer address allocated to the first endpoint apparatus.
[0064] In some embodiments, process 400 also includes, after determining that the received network layer PDU comprises the NAT token, allocating a source port number for endpoint 101, wherein the modified version of the received network layer PDU comprises a transport layer PDU that comprises a transport layer header, and the transport layer header comprises a source port field containing the source port number allocated for the endpoint 101.
[0065] In some embodiments, the process also includes creating a port forwarding rule using the allocated source port number.
[0066] FIG. 5 is a flowchart illustrating a process 500, according to an embodiment, that is performed by a server apparatus (e.g., the LwM2M server). Process 500 may begin in step s502.
[0067] Step s502 comprises receiving a network layer PDU transmitted by NAT 104, the network layer PDU comprising a header comprising a destination address field containing a destination address for the server apparatus and a source address field containing a public source address allocated to endpoint 101.
[0068] Step s504 comprises determining whether the network layer PDU comprises a NAT token indicating that endpoint 101 is requesting an address translation feature.
[0069] Step s506 comprises storing mapping information mapping an identity of endpoint 101 to the public source address allocated to endpoint 101. In some embodiments, the identity is a public key belonging to the first endpoint or is an identity generated using the public key (e.g., a hash of the public key).
[0070] In some embodiments, the NAT token comprises a non-public network layer address for the first endpoint apparatus, and the identity is the non-public network layer address.
[0071] In some embodiments, the NAT token comprises a port number identifying a port to which the first endpoint apparatus is listening, and the mapping information maps the identity of endpoint 101 to the public source address by mapping to the public source address a tuple comprising the identity of endpoint 101 and the port number.
[0072] In some embodiments, the received network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number selected by the NAT apparatus, and the mapping information maps the tuple comprising the identity of the first endpoint apparatus and the port number to both the public source address allocated to the first endpoint apparatus and the source port number selected by the NAT apparatus.
[0073] In some embodiments, the network layer PDU comprises a hop-by-hop extension header and the NAT token is contained within the hop-by-hop extension header.
[0074] In some embodiments, the NAT token is contained within the header of the network layer PDU. In some embodiments, the header of the network layer PDU comprises an options field and the NAT token is contained within the options field of the header. In some embodiments, the options field comprises an option type value of 148 (i.e., Router Alert). In some embodiments, the NAT token is a 1-bit flag. In some embodiments, the NAT token is a Network Token or is contained within a payload of a Network Token.
[0075] In some embodiments, the network layer PDU further comprises a payload, the payload comprises a Transmission Control Protocol, TCP, PDU having a SYN flag, and the SYN flag is set to 1.
[0076] FIG. 6 is a block diagram of network node 600, according to some embodiments, that can implement any one or more of the network nodes described herein (e.g., endpoint 101, endpoint 102, NAT 104). That is, network node 600 can perform any one or more of the above described methods. As shown in FIG. 6, network node 600 may comprise: processing circuitry (PC) 602, which may include one or more processors (P) 655 (e.g., a general purpose microprocessor and/or one or more other processors, such as an application specific integrated circuit (ASIC), field-programmable gate arrays (FPGAs), and the like), which processors may be co-located in a single housing or in a single data center or may be geographically distributed (i.e., network node 600 may be a distributed computing apparatus); at least one network interface 648 comprising a transmitter (Tx) 645 and a receiver (Rx) 647 for enabling network node 600 to transmit data to and receive data from other nodes connected to a network 110 (e.g., an Internet Protocol (IP) network) to which network interface 648 is connected (directly or indirectly) (e.g., network interface 648 may be wirelessly connected to the network 110, in which case network interface 648 is connected to an antenna arrangement); and a storage unit (a.k.a., “data storage system”) 608, which may include one or more non-volatile storage devices and/or one or more volatile storage devices. In embodiments where PC 602 includes a programmable processor, a computer readable medium (CRM) 642 may be provided. CRM 642 stores a computer program (CP) 643 comprising computer readable instructions (CRI) 644. CRM 642 may be a non-transitory CRM, such as magnetic media (e.g., a hard disk), optical media, memory devices (e.g., random access memory, flash memory), and the like.
In some embodiments, the CRI 644 of computer program 643 is configured such that when executed by PC 602, the CRI causes network node 600 to perform steps described herein (e.g., steps described herein with reference to the flow charts). In other embodiments, network node 600 may be configured to perform steps described herein without the need for code. That is, for example, PC 602 may consist merely of one or more ASICs. Hence, the features of the embodiments described herein may be implemented in hardware and/or software.
[0077] While various embodiments are described herein, it should be understood that they have been presented by way of example only, and not limitation. Thus, the breadth and scope of this disclosure should not be limited by any of the above-described exemplary embodiments. Moreover, any combination of the above-described elements in all possible variations thereof is encompassed by the disclosure unless otherwise indicated herein or otherwise clearly contradicted by context.
[0078] Additionally, while the processes described above and illustrated in the drawings are shown as a sequence of steps, this was done solely for the sake of illustration. Accordingly, it is contemplated that some steps may be added, some steps may be omitted, the order of the steps may be re-arranged, and some steps may be performed in parallel.

Claims

1. A first endpoint apparatus (101), the first endpoint apparatus being configured to:
  generate a network layer protocol data unit, PDU, comprising: i) a header comprising a destination address field containing a destination address for a second endpoint apparatus (102) and a source address field containing a source address for the first endpoint apparatus; and
  transmit the network layer PDU towards the second endpoint apparatus,
  wherein the network layer PDU comprises a network address translator, NAT, token indicating that the first endpoint apparatus is requesting an address translation feature.
2. A network address translator, NAT, apparatus (104), the NAT apparatus being configured to:
  receive a network layer protocol data unit, PDU, transmitted by a first endpoint apparatus (101), the network layer PDU comprising a header comprising a destination address field containing a destination address for a second endpoint apparatus (102) and a source address field containing a source address for the first endpoint apparatus;
  determine whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature;
  after determining that the network layer PDU comprises the NAT token, allocate at least a public network layer address for the first endpoint apparatus;
  generate a modified version of the received network layer PDU; and
  forward towards the second endpoint apparatus the modified version of the received network layer PDU.
3. A server apparatus (102), the server apparatus being configured to:
  receive a network layer protocol data unit, PDU, transmitted by a network address translator, NAT, apparatus (104), the network layer PDU comprising: i) a header comprising a destination address field containing a destination address for the server apparatus and a source address field containing a public source address allocated to at least a first endpoint apparatus (101);
  determine whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature; and
  store mapping information mapping an identity of the first endpoint apparatus to the public source address.
4. The apparatus of any one of claims 1-3, wherein the network layer PDU comprises a hop-by-hop extension header and the NAT token is contained within the hop-by-hop extension header.
5. The apparatus of any one of claims 1-3, wherein the NAT token is contained within the header of the network layer PDU.
6. The apparatus of claim 5, wherein the header of the network layer PDU comprises an options field and the NAT token is contained within the options field of the header.
7. The apparatus of claim 6, wherein the options field comprises an option type value of 148 (i.e., Router Alert).
8. The apparatus of claim 6, wherein the NAT token is a Network Token or contained within a payload of a Network Token.
9. The apparatus of any one of claims 1-8, wherein the NAT token is a 1-bit flag.
10. The apparatus of claim 1 or 2, wherein the NAT token comprises the source address.
11. The apparatus of claim 1 or 2, wherein the network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number, and the NAT token comprises the source port number.
12. The apparatus of claim 11, wherein the NAT token further comprises the source address.
13. The NAT apparatus of claim 2, wherein the modified version of the received network layer PDU comprises a header comprising a destination address field containing the destination address for the server apparatus and a source address field containing the public network layer address allocated to the first endpoint apparatus.
14. The NAT apparatus of claim 13, wherein the NAT apparatus is further configured such that, after determining that the received network layer PDU comprises the NAT token, the NAT apparatus further allocates a source port number for the first endpoint apparatus, the modified version of the received network layer PDU comprises a transport layer PDU that comprises a transport layer header, and the transport layer header comprises a source port field containing the source port number allocated for the first endpoint apparatus.
15. The NAT apparatus of claim 14, wherein the NAT apparatus is further configured to create a port forwarding rule using the allocated source port number.
16. The server apparatus of claim 3, wherein the NAT token comprises a non-public network layer address for the first endpoint apparatus.
17. The server apparatus of claim 3 or 16, wherein the NAT token comprises a port number identifying a port to which the first endpoint apparatus is listening, and the mapping information maps the identity of the first endpoint apparatus to the public source address by mapping to the public source address a tuple comprising the identity of the first endpoint apparatus and the port number.
18. The server apparatus of claim 17, wherein the received network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number selected by the NAT apparatus, and the mapping information maps the tuple comprising the identity of the first endpoint apparatus and the port number to both the public source address allocated to the first endpoint apparatus and the source port number selected by the NAT apparatus.
19. The server apparatus of claim 3, wherein the identity is a public key belonging to the first endpoint or is an identity generated using the public key.
20. The apparatus of any one of claims 1-19, wherein the network layer PDU further comprises a payload, the payload comprises a Transmission Control Protocol, TCP, PDU having a SYN flag, and the SYN flag is set to 1.
21. A method (300) performed by a first endpoint apparatus (101), the method comprising:
  generating (s302) a network layer protocol data unit, PDU, comprising: i) a header comprising a destination address field containing a destination address for a second endpoint apparatus (102) and a source address field containing a source address for the first endpoint apparatus; and
  transmitting (s304) the network layer PDU towards the second endpoint apparatus,
  wherein the network layer PDU comprises a network address translator, NAT, token indicating that the first endpoint apparatus is requesting an address translation feature.
22. A method (400) performed by a network address translator, NAT, apparatus (104), the method comprising:
  receiving (s402) a network layer protocol data unit, PDU, transmitted by a first endpoint apparatus (101), the network layer PDU comprising a header comprising a destination address field containing a destination address for a second endpoint apparatus (102) and a source address field containing a source address for the first endpoint apparatus;
  determining (s404) whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature;
  after determining that the network layer PDU comprises the NAT token, allocating (s406) at least a public network layer address for the first endpoint apparatus;
  generating (s408) a modified version of the received network layer PDU; and
  forwarding (s410) towards the second endpoint apparatus the modified version of the received network layer PDU.
23. A method (500) performed by a server apparatus (102), the method comprising:
  receiving (s502) a network layer protocol data unit, PDU, transmitted by a network address translator, NAT, apparatus (104), the network layer PDU comprising: i) a header comprising a destination address field containing a destination address for the server apparatus and a source address field containing a public source address allocated to at least a first endpoint apparatus (101);
  determining (s504) whether the network layer PDU comprises a NAT token indicating that the first endpoint apparatus is requesting an address translation feature; and
  storing (s506) mapping information mapping an identity of the first endpoint apparatus to the public source address.
24. The method of any one of claims 21-23, wherein the network layer PDU comprises a hop-by-hop extension header and the NAT token is contained within the hop-by-hop extension header.
25. The method of any one of claims 21-23, wherein the NAT token is contained within the header of the network layer PDU.
26. The method of claim 25, wherein the header of the network layer PDU comprises an options field and the NAT token is contained within the options field of the header.
27. The method of claim 26, wherein the options field comprises an option type value of 148.
28. The method of claim 26, wherein the NAT token is a Network Token or contained within a payload of a Network Token.
29. The method of any one of claims 1-8, wherein the NAT token is a 1-bit flag.
30. The method of claim 21 or 22, wherein the NAT token comprises the source address.
31. The method of claim 21 or 22, wherein the network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number, and the NAT token comprises the source port number.
32. The method of claim 31, wherein the NAT token further comprises the source address.
33. The method of claim 22, wherein the modified version of the received network layer PDU comprises a header comprising a destination address field containing the destination address for the server apparatus and a source address field containing the public network layer address allocated to the first endpoint apparatus.
34. The method of claim 33, wherein the method further comprises, after determining that the received network layer PDU comprises the NAT token, allocating a source port number for the first endpoint apparatus, the modified version of the received network layer PDU comprises a transport layer PDU that comprises a transport layer header, and the transport layer header comprises a source port field containing the source port number allocated for the first endpoint apparatus.
35. The method of claim 34, further comprising creating a port forwarding rule using the allocated source port number.
36. The method of claim 23, wherein the NAT token comprises a non-public network layer address for the first endpoint apparatus.
37. The method of claim 23 or 36, wherein the NAT token comprises a port number identifying a port to which the first endpoint apparatus is listening, and the mapping information maps the identity of the first endpoint apparatus to the public source address by mapping to the public source address a tuple comprising the identity of the first endpoint apparatus and the port number.
38. The method of claim 37, wherein the received network layer PDU comprises a transport layer PDU comprising a header comprising a source port field containing a source port number selected by the NAT apparatus, and the mapping information maps the tuple comprising the identity of the first endpoint apparatus and the port number to both the public source address allocated to the first endpoint apparatus and the source port number selected by the NAT apparatus.
39. The method of claim 23, 37, or 38, wherein the identity is a public key belonging to the first endpoint or is an identity generated using the public key.
40. The method of any one of claims 21-39, wherein the network layer PDU further comprises a payload, the payload comprises a Transmission Control Protocol, TCP, PDU having a SYN flag, and the SYN flag is set to 1.
41. A computer program (643) comprising instructions (644) which when executed by processing circuitry (602) of a network node (600) causes the network node to perform the method of any one of claims 21-23.
42. A carrier containing the computer program of claim 41, wherein the carrier is one of an electronic signal, an optical signal, a radio signal, and a computer readable storage medium (642).
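The following Python sketch is an added illustration of the exchange in independent claims 1-3 (and the corresponding method claims 21-23); it is not code from the patent or from the applicant. It models the three roles on constructed addresses: the endpoint marks its outgoing PDU with a NAT token carrying its private address, the port it listens on and an identity derived from its public key (claims 10-12 and 19); the NAT, on seeing the token, allocates a public address and port, installs a port forwarding rule and forwards a rewritten PDU (claims 13-15); the server stores the (identity, port) tuple against the public address and NAT-selected port (claims 17-18). The token layout, the SHA-256 identity derivation and the check that a token may only name the PDU's own source address are assumptions made for this example, not details taken from the claims.

```python
"""Toy model of the NAT-token exchange in claims 1-3 and 21-23.

Constructed example: the token layout, the identity derivation and the
source-address check are assumptions for illustration, not the patent's design.
"""
from dataclasses import dataclass
from hashlib import sha256
from typing import Optional


@dataclass
class Pdu:
    """Network layer PDU; the NAT token stands in for a hop-by-hop option (claim 4)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool = True                  # TCP SYN set, as in claims 20 and 40
    nat_token: Optional[dict] = None  # {"addr", "port", "id"}: assumed layout for claims 10-12, 19


def identity_from_key(pubkey: bytes) -> str:
    """Identity generated from the endpoint's public key (claim 19); SHA-256 is an assumption."""
    return sha256(pubkey).hexdigest()[:16]


def build_request(private_addr: str, server_addr: str, listen_port: int, pubkey: bytes) -> Pdu:
    """Claim 1: the endpoint adds a NAT token carrying its private address, the port
    it listens on and its identity, then sends the PDU towards the server."""
    token = {"addr": private_addr, "port": listen_port, "id": identity_from_key(pubkey)}
    return Pdu(src=private_addr, dst=server_addr, sport=listen_port, dport=443, nat_token=token)


class Nat:
    def __init__(self, public_addr: str, first_port: int = 40000):
        self.public_addr = public_addr
        self.next_port = first_port
        # (public_addr, public_port) -> (private_addr, private_port): the rule of claim 15
        self.forwarding = {}

    def process(self, pdu: Pdu) -> Optional[Pdu]:
        """Claim 2: detect the token, allocate a public address and port (claims 13-14),
        create a forwarding rule (claim 15) and forward the rewritten PDU."""
        if pdu.nat_token is None:
            return pdu  # no request: the toy passes ordinary traffic through unchanged
        if pdu.nat_token["addr"] != pdu.src:
            return None  # assumed check: a host may only request a rule for its own address
        public_port = self.next_port
        self.next_port += 1
        self.forwarding[(self.public_addr, public_port)] = (pdu.src, pdu.nat_token["port"])
        # the token is left in place so the server can see the request (claim 3)
        return Pdu(src=self.public_addr, dst=pdu.dst, sport=public_port, dport=pdu.dport,
                   syn=pdu.syn, nat_token=pdu.nat_token)


class Server:
    def __init__(self):
        # (identity, listen_port) -> (public_addr, nat_port): the mapping of claims 17-18
        self.mapping = {}

    def process(self, pdu: Pdu) -> bool:
        """Claim 3: when the token is present, store how the endpoint can be reached."""
        if pdu.nat_token is None:
            return False
        key = (pdu.nat_token["id"], pdu.nat_token["port"])
        self.mapping[key] = (pdu.src, pdu.sport)
        return True


def run_exchange():
    """Drive one request through endpoint, NAT and server on constructed addresses."""
    nat, server = Nat("203.0.113.7"), Server()
    pubkey = b"constructed-endpoint-public-key"
    req = build_request("192.168.1.20", "198.51.100.9", 8080, pubkey)
    fwd = nat.process(req)
    if fwd is not None:
        server.process(fwd)
    return nat, server, fwd


if __name__ == "__main__":
    nat, server, fwd = run_exchange()
    print("forwarding rules:", nat.forwarding)
    print("server mapping:", server.mapping)
```

The server never learns the endpoint's private address from the rewritten header, only from the token, which is why the token carries it; the source-address comparison in the NAT is the one addition a deployment would want so that a host cannot ask for a forwarding rule on behalf of another host in the same private network.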

Priority Applications (1)

Application number: PCT/EP2021/086894 (WO2023117046A1, en); priority date: 2021-12-20; filing date: 2021-12-20; title: Network address translation

Publications (1)

Publication number: WO2023117046A1 (en); publication date: 2023-06-29

Family

Family ID: 80112375, containing one application: PCT/EP2021/086894 (WO2023117046A1, en), priority and filing date 2021-12-20, Network address translation

Non-Patent Citations (4)

* Cited by examiner, † Cited by third party
Boucadair, M. et al., "Port Control Protocol (PCP) Server Selection", RFC 7488, 1 March 2015, pp. 1-12, XP055937561, https://www.rfc-editor.org/rfc/pdfrfc/rfc7488.txt.pdf (retrieved 2022-07-01) *
Srirama, S. N. et al., "TCP Hole Punching Approach to Address Devices in Mobile Networks", 2014 International Conference on Future Internet of Things and Cloud, IEEE, 27 August 2014, pp. 90-97, XP032704044, DOI: 10.1109/FICLOUD.2014.24 *
Wing, D. et al., "Port Control Protocol (PCP)", RFC 6887, Internet Engineering Task Force (IETF), 30 April 2013, pp. 1-88, XP015090359 *
Yiakoumis, Y. et al., "Network Tokens", draft-yiakoumis-network-tokens-02, 22 December 2020, pp. 1-26, XP015143456, https://tools.ietf.org/html/draft-yiakoumis-network-tokens-02 (retrieved 2020-12-22) *

Legal Events

Code 121 (EP): the EPO has been informed by WIPO that EP was designated in this application. Ref document number: 21843917; country of ref document: EP; kind code of ref document: A1.