CN1476208A - A method of supporting address translation application gateway - Google Patents
A method of supporting address translation application gateway
- Publication number: CN1476208A
- Authority: CN (China)
- Prior art keywords: address, application, message, gateway, protocol
- Legal status: Granted
- Classification: Data Exchanges In Wide-Area Networks; Small-Scale Networks
Abstract
The invention relates to a method for supporting an address translation application gateway. It includes creating an address translation application gateway registry on the router, in which each registry entry identifies one application protocol; defining an interface for processing callback functions in the network address translation (NAT) module, so that when NAT needs to support a new application protocol, a corresponding application protocol processing function is built, according to this special processing callback function interface, for the address information in that protocol's message payload that needs to be processed, and is registered in the application gateway registry; and, during communication, when a new protocol appears, identifying that application protocol by looking it up in the application gateway registry and performing the application gateway's address translation through the registered application protocol callback function. The invention solves the problem that address translation must continually support new application protocols.
Description
Technical field
The invention relates to the field of data communication, in particular to a method for supporting an address translation application gateway by looking up an application gateway registry.
Technical background
The rapid spread of the Internet has made the shortage of IP address resources increasingly acute, and Network Address Translation (NAT) technology was proposed to resolve this conflict. Address translation allows multiple internal hosts to share one legal public address for access to the Internet, which effectively solves the IP address shortage, but it also causes many NAT-sensitive application protocols to stop working normally.
The Internet address assignment organization stipulates that the following three classes of network addresses are reserved for use as private addresses:
10.0.0.0 - 10.255.255.255
172.16.0.0 - 172.31.255.255
192.168.0.0 - 192.168.255.255
As shown in Figure 1, the internal network is an internal local area network that uses one of the "private address" ranges above. Through address translation, all (or some) of the hosts of this internal LAN can access the Internet.
There are two modes of address translation: one-to-one and PAT (port address translation). One-to-one address translation converts only the IP address information in the message; in this mode each internal host occupies one IP address from the address pool, and once the pool's addresses are exhausted no further hosts can be allowed to access the Internet. This NAT mode therefore allows only a limited number of hosts to access the Internet simultaneously, bounded by the number of legal addresses.
PAT-mode address translation uses the TCP/UDP port information and distinguishes the different outbound connections initiated by hosts of the internal LAN by "address + port"; that is, both the source address and the port information in the packet are translated, so many hosts of the internal LAN can share one IP address for Internet access, which allows more internal hosts to access the Internet simultaneously. In actual use, PAT is the predominant mode of address translation.
Address translation changes the IP address information in the IP packet header and can hide the real IP addresses of the internal LAN, so it provides a certain degree of security protection, but it also causes many application protocols that are sensitive to address translation to stop working normally.
A NAT-sensitive protocol is one in which the payload of some of its messages carries address information that requires special handling by NAT: besides changing the address information in the IP header, the address information in the data message's payload must also be changed. If these IP addresses and port numbers are not translated according to the address translation rules, the subsequent protocol interaction is seriously affected. A very typical application is the FTP protocol, which is used as the example below.
FTP involves two kinds of connection: the control connection (session) and the data connection (transfer). The control connection is the familiar TCP connection on port 21. For the data connection, the client "informs" the server, over the control connection, of the address and port it has prepared, and the FTP server then transfers data to the client from port 20 (by default). To inform the server, the client uses the "PORT command", which appears in the data of the TCP connection as "PORT 10,110,1,2,13,23\D\A" (meaning: port = 13<<8+23, address = 10.110.1.2, where the address is the IP address of the client in the internal network); the server thereby learns the address and port of the client's data connection. Clearly, during address translation, for the PORT command we must change not only the IP address and port information in the headers but also the corresponding data in the TCP payload, so that the FTP server can send data to the correct client.
As the Internet develops, address translation must support more and more application protocols, and each NAT-sensitive protocol must be handled specially; that is, an address translation application-level gateway must be implemented for each of these protocols. As applications multiply, address translation is required to support new application gateways conveniently, and its processing flow must be readily extensible.
Contents of the invention
Addressing the shortcomings of the prior art, the present invention proposes a method for supporting address translation application gateways by way of registration, so as to solve the problem of protocol support after address translation.
A method for supporting an address translation application gateway, characterized in that:
an address translation application gateway registry is created on the router, each registry entry identifying one application protocol;
an interface for processing callback functions is defined in the network address translation (NAT) module, so that if NAT needs to support a new application protocol, a corresponding application protocol processing function is built, according to this special processing callback function interface, for the address information in that protocol's message payload that needs to be processed, and is registered in the application gateway registry;
during communication, when a new protocol appears, the application protocol is identified by looking it up in the application gateway registry, and the application gateway's address translation is performed through the registered application protocol callback function.
The method for supporting an address translation application gateway further includes using the IP protocol number corresponding to the application protocol, its well-known port number, and the pointer to the application protocol's processing callback function as the registration parameters.
The application protocol processing function converts only the private addresses in the payload of that protocol's messages into legal public addresses.
The method for supporting an address translation application gateway further includes a step of setting an access control list. The list consists of rules defined on the format of the IP packet header and of the upper-layer protocol packet header it carries, and these rules decide whether a data message is to undergo address translation.
Application protocol messages forwarded to a server on the public network need different special processing from those forwarded to a server inside the private network, so the application gateway must provide separate specially processed application protocol processing functions for servers in different locations. All of these processing functions are registered in the application gateway registry entry, and the address translation flow decides which callback function to call according to the location of the server to which the message is forwarded.
Application protocol messages forwarded from the private network to the public network need different special processing from those forwarded from the public network to the private network, so the application gateway must provide separate specially processed application protocol processing functions for the translation direction and the restoration direction. All of these processing functions are registered in the application gateway registry entry, and the address translation flow decides which callback function to call according to the forwarding direction of the message.
In the method for supporting an address translation application gateway, the flow for forwarding a data message from the private network to the public network is:
a. after the address translation module receives the message passed from the IP layer, it decides from the access control list whether the message is to undergo address translation; if no translation is needed the message is forwarded directly, and if translation is needed the flow proceeds to step b;
b. the source address information of the message is taken to look up the address translation hash table; if no record is found, a new address translation hash table entry is created according to the configured address translation, recording the private address and the legal Internet address information;
c. according to the information recorded in the address translation hash table, the source address of the message is translated into a legal Internet address;
d. the application gateway registry is looked up, and the lookup result determines whether the message needs the application gateway's special processing; if not, only the address information in the message header needs translating and address translation ends, otherwise the flow proceeds to step e;
e. the application protocol processing function for the special processing of this protocol is called to translate the address information in the message payload.
In the method for supporting an address translation application gateway, in step d, for an internal host accessing an Internet server, the application gateway registry entry need only be looked up by IP protocol number and destination port.
In the method for supporting an address translation application gateway, the translation in step c is done by NAT and translates only the IP address in the message header.
In the method for supporting an address translation application gateway, the flow for forwarding a data message from the public network to the private network is:
a. after the address translation module receives the message passed from the IP layer, it looks up the address translation record in the address translation hash table by the message's destination address and destination port; if there is no corresponding address translation record, no NAT translation is performed and the message is forwarded directly, and if the corresponding record is found the flow proceeds to step b;
b. according to the address translation information recorded in the hash table, the address translation module translates the destination address information in the message header into the private network user's address;
c. the application gateway registry is looked up, and the lookup result determines whether the message needs the application gateway's special processing; if not, the address restoration flow ends, and if so the flow proceeds to step d;
d. the application protocol processing function for the restoration direction is called to translate the address information in the message payload. In step b, only the IP address in the message header is translated.
On top of the general address translation function, the invention provides a complete extension mechanism for address translation application gateways by way of special protocol registration. For address translation to support a new application protocol, it is only necessary to develop that protocol's address translation application-level gateway and register it through the application gateway registration means of this method; NAT then supports the protocol without changing the NAT flow or the other protocols already supported. The invention makes it easy to support new application protocols in the flow and solves the problem that address translation must continually support new application protocols.
Description of the drawings
Figure 1 is a typical NAT networking diagram of the prior art;
Figure 2 is the address translation flowchart of the invention for an IP message sent from the internal private network to the Internet;
Figure 3 is the address translation flowchart of the invention for an IP message sent from the Internet to the internal private network.
Detailed description
The specific implementation of the invention is described below with reference to the accompanying drawings.
The core idea of the invention is to extend NAT to support new application gateways by registration, to identify the application protocol by looking up the application gateway registry entries, and to perform the application gateway's address translation flow through the registered callback function.
The invention first creates an address translation application gateway registry on the router. Each entry holds the pointer to the application gateway's special processing callback function together with the IP protocol number and well-known port number of the protocol, so that each registry entry identifies one special application protocol.
A special processing callback function interface is defined in NAT; how this interface is defined may vary between developers, but its main role is that of a function pointer. When NAT needs to support a new application protocol, the developer writes, according to this special processing callback function interface, a corresponding application protocol processing function for the address information in that protocol's message payload that needs processing, and registers that function in the application gateway registry as a registration parameter. The application protocol processing function need only convert the private addresses in the protocol's message payload into legal public addresses; it does not process the address information in the message header.
Because forwarding application protocol messages from the private network to the public network and from the public network to the private network may require different processing, the application protocol processing functions developed for the two cases may or may not be the same; where they differ, separate application protocol processing functions are developed for the translation direction and the restoration direction, as the actual situation requires.
Similarly, because application protocol messages forwarded to a server on the public network need different special processing from those forwarded to a server inside the private network, the application gateway must provide separate specially processed application protocol processing functions for servers in different locations. All of these processing functions are registered in the application gateway registry entry, and the address translation flow decides which callback function to call according to the location of the server to which the message is forwarded.
Finally, the IP protocol number corresponding to the application protocol, its well-known port number, and the pointer to the application protocol's processing callback function are used as registration parameters to create a new application gateway registry entry, which is added to the application gateway registry formed earlier. A new application gateway is thus implemented through the registration means of the basic NAT function module, without any modification to the basic NAT function module or to other application gateways.
When a new protocol appears, the application protocol is identified by looking it up in the application gateway registry formed above, and the application gateway's address translation is performed through the registered application protocol processing function.
In use, an access control list can be set. The list is in fact a decision rule, defined on the format of the IP packet header and of the upper-layer protocol packet header it carries, that can express permission or prohibition for packets having certain characteristics (those the header data can describe); this rule decides whether incoming and outgoing data messages undergo address translation. If address translation is required, the application protocol is identified by looking it up in the application gateway registry, and the application gateway's address translation is performed through the registered application protocol processing function.
Figure 2 shows the flow, in the invention, for forwarding a data message from the private network to the public network. It comprises the following steps:
a. after the address translation module receives the message passed from the IP layer, it decides from the defined access control list whether the message is to undergo address translation; if no translation is needed the message is forwarded directly, and if translation is needed the flow continues with step b;
b. the source address (port) information of the message is taken to look up the address translation hash table; if no record is found, a new hash table entry is created according to the configured address translation, recording the private address (port) and the legal Internet address (port). The hash table records, for each NAT translation, the source address, source port, protocol, time, translated address and port, and similar information; implementations may differ between developers because of different algorithms;
c. according to the information recorded in the address translation hash table, the source address of the message is translated into a legal Internet address;
The translation above is done by the basic NAT function and in fact translates only the IP address (port) in the message header. Every message requiring address translation goes through this translation, whether or not it belongs to a special application protocol, and the steps so far are in fact the same as existing NAT address translation.
d. the address translation flow looks up the application gateway registry. For an internal host accessing an Internet server, the destination port is a well-known port, so the application gateway registry entry need only be looked up by IP protocol number and destination port. From the lookup result the address translation flow determines whether the message needs the application gateway's special processing; if not, only the address (port) information in the message header needed translating and address translation has ended; if the message needs special processing, the flow proceeds to step e;
e. the address translation flow calls this protocol's application protocol processing function directly through the special processing callback function pointer to translate the address information in the message payload. Because the pointer to the special processing callback function was registered in advance in the application gateway registry entry, the address translation flow can call the callback directly through that function pointer.
After steps d and e, the private address in the message payload has been translated into a legal Internet address, so that the subsequent interaction of the application protocol can complete normally.
Figure 3 is the address translation flowchart of the invention for an IP message sent from the Internet to the internal private network. As the figure shows, the flow for restoring the address of a message sent from the Internet to the internal private network is similar to the above; the difference is that the address restoration process only looks up hash table entries that already exist and translates the destination address information of the message into the address information of the internal private network. The process is as follows:
a. after the address translation module receives the message passed from the IP layer, it looks up the address translation record in the address translation hash table by the message's destination address and destination port; if there is no corresponding address translation record, no NAT translation is performed and the message is forwarded directly, and if the corresponding record is found the flow proceeds to step b;
b. according to the address translation information recorded in the hash table, the address translation module translates the destination address (port) information in the message header into the private network user's address;
This translation is also done by the basic NAT function and in fact translates only the IP address in the message header.
c. the address restoration flow looks up the application gateway registry, and the lookup result determines whether the message needs the application gateway's special processing; if not, the address restoration flow ends, and if so the flow proceeds to step d;
d. the address restoration flow calls the application protocol processing function for the restoration direction to translate the address information in the message payload.
On top of the general address translation function, the invention provides a complete extension mechanism for address translation application gateways by way of special protocol registration. For address translation to support a new application protocol, it is only necessary to develop that protocol's address translation application-level gateway and register it through the application gateway registration means of this method; NAT then supports the protocol without changing the NAT flow or the other protocols already supported. The invention makes it easy to support new application protocols in the flow and solves the problem that address translation must continually support new application protocols.
The FTP protocol described earlier is used as the example.
For NAT to support the FTP protocol and allow users of the internal private network to access FTP sites on the Internet, it must be determined which FTP messages need special translation and what processing is needed. When a user of the private network GETs a file or executes a LIST command, the command "PORT 10,110,1,2,13,23\D\A" (meaning: port = 13<<8+23, address = 10.110.1.2) is sent in the FTP control message; the address is the user's private-network IP address, and the FTP server on the Internet will initiate a data connection to the port specified in the PORT command. Clearly, if the PORT command is not handled specially, establishing the data connection fails. The private address carried by the PORT command must be converted into a legal Internet address, and an address translation hash table entry must be created for the address and port used by the data connection, so that the FTP server can actively initiate a data connection to the private network user's host.
The developer writes the corresponding FTP protocol processing function according to the special processing callback function interface defined by NAT. This processing function is responsible for converting the private address carried by the FTP PORT command into a legal Internet address and for creating an address translation hash table entry for the port and address specified in the PORT command, so that the FTP server is allowed to actively initiate the FTP data connection to the private network user's host. The processing function only needs to handle the content of the FTP control message payload; it does not translate the address in the message's IP header or the port number in its TCP header, which the basic NAT function module translates into public values.
Finally, the FTP PORT command processing function is registered in the application gateway registry. The FTP control connection uses the well-known TCP port 21, so it is only necessary to create an application gateway registry entry with the TCP protocol, well-known port 21 and the FTP PORT command processing function as registration parameters, and to call the corresponding registration function at router start-up to add it to the application gateway registry. NAT is then able to support the FTP protocol.
NAT转换FTP PORT报文的详细过程前面已经叙述过,在此不再描述。The detailed process of NAT converting the FTP PORT message has been described above and will not be described here.
以上举例可以看出,要支持新的应用网关借助了NAT基本功能模块的注册手段,只需要开发对应的应用协议特殊处理函数并进行注册,而不需要对NAT基本功能模块及其它应用网关进行任何修改。From the above example, it can be seen that to support the new application gateway with the help of the registration method of the NAT basic function module, it is only necessary to develop the corresponding special processing function of the application protocol and register it, without any need for the NAT basic function module and other application gateways. Revise.
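The FTP handler, registry and hash table described in the preceding paragraphs, as an added example in C that is not code from the patent. All names in it (alg_register, alg_lookup, nat_add_mapping, nat_lookup_pub, ftp_port_handler, nat_process_payload, struct nat_ctx) are this example's own assumptions; the page's "\D\A" is read as the CRLF line terminator; 198.51.100.1 is a constructed public address; and the handler adds one check the page does not mention: it only creates a mapping when the address in the PORT command equals the packet's own private source address, so one client cannot have the NAT forward a data connection to a different internal host.

```c
/* Added example, not the patent's own code: a minimal NAT application gateway
 * (ALG) registry plus an FTP PORT callback, following the design the patent
 * describes. All names below are this example's own assumptions. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PROTO_TCP   6
#define ALG_MAX     8
#define MAP_BUCKETS 64

/* Per-packet context the basic NAT module hands to an ALG callback: the private
 * source IP from the IP header, the public IP it maps to, next free public port. */
struct nat_ctx { uint32_t priv_src_ip, pub_ip; uint16_t next_pub_port; };
typedef int (*alg_cb)(char *payload, size_t cap, struct nat_ctx *ctx);

/* Application gateway registry: one entry per (protocol, well-known port). */
struct alg_entry { uint8_t proto; uint16_t port; alg_cb cb; };
static struct alg_entry alg_registry[ALG_MAX];
static int alg_count;

int alg_register(uint8_t proto, uint16_t port, alg_cb cb) {
    for (int i = 0; i < alg_count; i++)   /* re-registering replaces the callback */
        if (alg_registry[i].proto == proto && alg_registry[i].port == port) { alg_registry[i].cb = cb; return 0; }
    if (alg_count == ALG_MAX) return -1;
    alg_registry[alg_count++] = (struct alg_entry){ proto, port, cb };
    return 0;
}

alg_cb alg_lookup(uint8_t proto, uint16_t port) {
    for (int i = 0; i < alg_count; i++)
        if (alg_registry[i].proto == proto && alg_registry[i].port == port)
            return alg_registry[i].cb;
    return NULL;
}

/* Address translation hash table: public (ip, port) the server will connect to -> private host. */
struct nat_map { uint32_t pub_ip, priv_ip; uint16_t pub_port, priv_port; struct nat_map *next; };
static struct nat_map *map_table[MAP_BUCKETS];
static unsigned map_bucket(uint32_t ip, uint16_t port) { return (ip ^ port) % MAP_BUCKETS; }

void nat_add_mapping(uint32_t priv_ip, uint16_t priv_port, uint32_t pub_ip, uint16_t pub_port) {
    struct nat_map *m = malloc(sizeof *m);
    if (!m) return;
    *m = (struct nat_map){ pub_ip, priv_ip, pub_port, priv_port, map_table[map_bucket(pub_ip, pub_port)] };
    map_table[map_bucket(pub_ip, pub_port)] = m;
}

const struct nat_map *nat_lookup_pub(uint32_t pub_ip, uint16_t pub_port) {
    for (const struct nat_map *m = map_table[map_bucket(pub_ip, pub_port)]; m; m = m->next)
        if (m->pub_ip == pub_ip && m->pub_port == pub_port) return m;
    return NULL;
}

/* FTP ALG callback: rewrites "PORT h1,h2,h3,h4,p1,p2" in the control payload and creates the
 * mapping for the server-initiated data connection. Returns the new payload length, 0 if the
 * payload is not a PORT command, or -1 if the command is malformed or names another host. */
int ftp_port_handler(char *payload, size_t cap, struct nat_ctx *ctx) {
    unsigned h[4], p[2];
    if (sscanf(payload, "PORT %u,%u,%u,%u,%u,%u", &h[0], &h[1], &h[2], &h[3], &p[0], &p[1]) != 6)
        return 0;
    for (int i = 0; i < 4; i++) if (h[i] > 255) return -1;
    if (p[0] > 255 || p[1] > 255) return -1;
    uint32_t priv_ip = (uint32_t)h[0] << 24 | h[1] << 16 | h[2] << 8 | h[3];
    uint16_t priv_port = (uint16_t)(p[0] << 8 | p[1]);
    /* Added check (not in the patent): only open a mapping for the host that sent the
     * command, so no client can make the NAT forward a data connection to another host. */
    if (priv_ip != ctx->priv_src_ip) return -1;
    uint16_t pub_port = ctx->next_pub_port++;
    nat_add_mapping(priv_ip, priv_port, ctx->pub_ip, pub_port);
    int n = snprintf(payload, cap, "PORT %u,%u,%u,%u,%u,%u\r\n", (unsigned)(ctx->pub_ip >> 24),
                     (unsigned)(ctx->pub_ip >> 16) & 255u, (unsigned)(ctx->pub_ip >> 8) & 255u,
                     (unsigned)ctx->pub_ip & 255u, (unsigned)(pub_port >> 8), (unsigned)(pub_port & 255));
    return (n < 0 || (size_t)n >= cap) ? -1 : n;
}

/* Called by the basic NAT module after it has translated the IP and TCP headers: identify
 * the application by (protocol, port) in the registry and run the registered callback. */
int nat_process_payload(uint8_t proto, uint16_t dst_port, char *payload, size_t cap, struct nat_ctx *ctx) {
    alg_cb cb = alg_lookup(proto, dst_port);
    return cb ? cb(payload, cap, ctx) : 0;
}

/* Runs the patent's PORT example through the registry and returns a bitmask of the checks
 * that passed (0xF when everything works). The public address is constructed. */
int demo_ftp_alg(void) {
    char buf[64];
    struct nat_ctx ctx = { 0x0A6E0102u /* 10.110.1.2 */, 0xC6336401u /* 198.51.100.1 */, 40000 };
    int ok = 0;
    alg_register(PROTO_TCP, 21, ftp_port_handler);   /* done once at router start-up */
    strcpy(buf, "PORT 10,110,1,2,13,23\r\n");
    if (nat_process_payload(PROTO_TCP, 21, buf, sizeof buf, &ctx) == 26 &&
        strcmp(buf, "PORT 198,51,100,1,156,64\r\n") == 0) ok |= 1;
    const struct nat_map *m = nat_lookup_pub(0xC6336401u, 40000);
    if (m && m->priv_ip == 0x0A6E0102u && m->priv_port == (13 << 8) + 23) ok |= 2;
    strcpy(buf, "USER anonymous\r\n");                /* not a PORT command: left alone */
    if (nat_process_payload(PROTO_TCP, 21, buf, sizeof buf, &ctx) == 0) ok |= 4;
    strcpy(buf, "PORT 10,110,1,99,13,23\r\n");       /* names another host: rejected */
    if (nat_process_payload(PROTO_TCP, 21, buf, sizeof buf, &ctx) == -1) ok |= 8;
    return ok;
}
```

Rewriting the PORT arguments can change the payload length (here from 23 to 26 bytes), so the basic NAT module must also adjust the TCP sequence and acknowledgement numbers on that control connection for the rest of its lifetime; the callback returns the new length so the caller can do that. The example never expires mapping entries; a real gateway should remove them once the data connection closes or a timeout elapses, since each entry is a hole through the NAT.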
从上面的实施例不难看出,本发明实现简单,不需增添新的硬件设备,而且对已有的智能网系统没有任何限制,但却能大大方便用户。It is not difficult to see from the above embodiments that the present invention is simple to implement, does not need to add new hardware devices, and does not have any restrictions on the existing intelligent network system, but it can greatly facilitate users.
以上所述,仅为本发明较佳的具体实施方式,但本发明的保护范围并不局限于此,任何熟悉本技术领域的技术人员在本发明揭露的技术范围内,可轻易想到的变化或替换,都应涵盖在本发明的保护范围之内。因此,本发明的保护范围应该以权利要求书的保护范围为准。The above is only a preferred embodiment of the present invention, but the scope of protection of the present invention is not limited thereto. Any person skilled in the art within the technical scope disclosed in the present invention can easily think of changes or Replacement should be covered within the protection scope of the present invention. Therefore, the protection scope of the present invention should be determined by the protection scope of the claims.
Claims (11)
Priority Applications (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 02125708 CN1223159C (en) | 2002-08-13 | 2002-08-13 | Method of supporting address transfer application network |
Applications Claiming Priority (1)
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN 02125708 CN1223159C (en) | 2002-08-13 | 2002-08-13 | Method of supporting address transfer application network |
Publications (2)
| Publication Number | Publication Date |
|---|---|
| CN1476208A true CN1476208A (en) | 2004-02-18 |
| CN1223159C CN1223159C (en) | 2005-10-12 |
Family
ID=34143016
Family Applications (1)
| Application Number | Title | Priority Date | Filing Date |
|---|---|---|---|
| CN 02125708 Expired - Fee Related CN1223159C (en) | 2002-08-13 | 2002-08-13 | Method of supporting address transfer application network |
Country Status (1)
| Country | Link |
|---|---|
| CN (1) | CN1223159C (en) |
Cited By (14)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| WO2008003269A1 (en) * | 2006-06-29 | 2008-01-10 | Huawei Technologies Co., Ltd. | A method,device and system for supporting transparent proxy in wireless access gateway |
| CN100452769C (en) * | 2005-12-31 | 2009-01-14 | 武汉市中光通信公司 | System of soft exchange network passing through firewall based on ALG+MP and its method |
| CN101119324B (en) * | 2007-09-21 | 2010-04-14 | 杭州华三通信技术有限公司 | Network address translation attribute adaptive method and device |
| CN101953146A (en) * | 2008-02-19 | 2011-01-19 | 日本电气株式会社 | Gateway device, communication system and communication method |
| CN101483590B (en) * | 2008-01-11 | 2011-03-23 | 鸿富锦精密工业(深圳)有限公司 | Network communication equipment and packet routing method thereof |
| CN101635676B (en) * | 2009-08-31 | 2011-07-27 | 杭州华三通信技术有限公司 | Message processing method and network equipment |
| CN101697528B (en) * | 2009-10-30 | 2011-11-16 | 杭州华三通信技术有限公司 | Method and device for sharing loads between NAT gateway devices |
| CN101620536B (en) * | 2009-08-17 | 2012-11-14 | 用友软件股份有限公司 | Method and device for invoking performance function |
| CN103166855A (en) * | 2011-12-12 | 2013-06-19 | 深圳市共进电子股份有限公司 | Method and system for recognizing and transforming address information in network message |
| CN103684909A (en) * | 2013-11-30 | 2014-03-26 | 广州西维尔计算机系统有限公司 | Method for processing messages on basis of event sources |
| WO2016062140A1 (en) * | 2014-10-20 | 2016-04-28 | 中兴通讯股份有限公司 | Method and apparatus for implementing interworking between virtual private cloud network and external network |
| CN105827427A (en) * | 2015-01-08 | 2016-08-03 | 联想(北京)有限公司 | Information processing method and electronic devices |
| CN106484947A (en) * | 2016-09-08 | 2017-03-08 | 国电南瑞科技股份有限公司 | Based on event driven electrical network CIM/E model analyzing method |
| CN113489811A (en) * | 2021-07-30 | 2021-10-08 | 迈普通信技术股份有限公司 | IPv6 flow processing method and device, electronic equipment and computer readable storage medium |
- 2002-08-13: CN 02125708, patent CN1223159C (en), not active (Expired - Fee Related)
Cited By (18)
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN100452769C (en) * | 2005-12-31 | 2009-01-14 | 武汉市中光通信公司 | System of soft exchange network passing through firewall based on ALG+MP and its method |
| CN101406008B (en) * | 2006-06-29 | 2012-07-11 | 华为技术有限公司 | Method, apparatus and system for supporting transparent proxy by wireless access gateway |
| RU2407196C2 (en) * | 2006-06-29 | 2010-12-20 | Хуавэй Текнолоджиз Ко., Лтд. | Method and device for support of transparent proxy server service in gateway of wireless access and system equipped with such gateway |
| WO2008003269A1 (en) * | 2006-06-29 | 2008-01-10 | Huawei Technologies Co., Ltd. | A method,device and system for supporting transparent proxy in wireless access gateway |
| CN101119324B (en) * | 2007-09-21 | 2010-04-14 | 杭州华三通信技术有限公司 | Network address translation attribute adaptive method and device |
| CN101483590B (en) * | 2008-01-11 | 2011-03-23 | 鸿富锦精密工业(深圳)有限公司 | Network communication equipment and packet routing method thereof |
| CN101953146A (en) * | 2008-02-19 | 2011-01-19 | 日本电气株式会社 | Gateway device, communication system and communication method |
| CN101620536B (en) * | 2009-08-17 | 2012-11-14 | 用友软件股份有限公司 | Method and device for invoking performance function |
| CN101635676B (en) * | 2009-08-31 | 2011-07-27 | 杭州华三通信技术有限公司 | Message processing method and network equipment |
| CN101697528B (en) * | 2009-10-30 | 2011-11-16 | 杭州华三通信技术有限公司 | Method and device for sharing loads between NAT gateway devices |
| CN103166855A (en) * | 2011-12-12 | 2013-06-19 | 深圳市共进电子股份有限公司 | Method and system for recognizing and transforming address information in network message |
| CN103684909A (en) * | 2013-11-30 | 2014-03-26 | 广州西维尔计算机系统有限公司 | Method for processing messages on basis of event sources |
| CN103684909B (en) * | 2013-11-30 | 2017-06-13 | 广州西维尔计算机系统有限公司 | Information processing method and system based on event source |
| WO2016062140A1 (en) * | 2014-10-20 | 2016-04-28 | 中兴通讯股份有限公司 | Method and apparatus for implementing interworking between virtual private cloud network and external network |
| CN105827427A (en) * | 2015-01-08 | 2016-08-03 | 联想(北京)有限公司 | Information processing method and electronic devices |
| CN105827427B (en) * | 2015-01-08 | 2020-06-23 | 联想(北京)有限公司 | Information processing method and electronic equipment |
| CN106484947A (en) * | 2016-09-08 | 2017-03-08 | 国电南瑞科技股份有限公司 | Based on event driven electrical network CIM/E model analyzing method |
| CN113489811A (en) * | 2021-07-30 | 2021-10-08 | 迈普通信技术股份有限公司 | IPv6 flow processing method and device, electronic equipment and computer readable storage medium |
Also Published As
| Publication number | Publication date |
|---|---|
| CN1223159C (en) | 2005-10-12 |
Similar Documents
| Publication | Publication Date | Title |
|---|---|---|
| US8422391B2 (en) | | Method, media gateway and media gateway controller for maintaining NAT address mapping table |
| CN1209712C (en) | | Network address translation gateway for local area networks using local IP addresses and non-translatable port addresses |
| CN1223159C (en) | | Method of supporting address transfer application network |
| CN1153416C (en) | | Packet switch communication method |
| US7139828B2 (en) | | Accessing an entity inside a private network |
| CN1158615C (en) | | Method and device for implementing load balancing on streaming media server |
| CN101217493B (en) | | TCP data package transmission method |
| CN1146809C (en) | | Integrated IP network |
| US20040246991A1 (en) | | IP address translator and packet transfer apparatus |
| CN1679302A (en) | | System and method for dynamic simultaneous connection to multiple service providers |
| CN1708029A (en) | | Method for establizing retransmission flow table |
| CN1838636A (en) | | Method and apparatus for traversing a data packet through a network address translation device |
| CN1582560A (en) | | Method and system for contacting a device on a private network using a private domain name server |
| CN102420774B (en) | | Method for realizing intranet penetration by using Internet group management protocol (IGMP) and intranet penetration system |
| CN1863157A (en) | | Method and apparatus for implementing network communication through NAT |
| CN1452342A (en) | | Method for managing broadcast of multi-broadcast service source in mobile network |
| CN1941738A (en) | | Device and method for telecommunicating between customer end application component and object server |
| CN1297105C (en) | | Method for implementing multirole main machine based on virtual local network |
| CN1968194A (en) | | Method for passing through network address switching |
| CN1893394A (en) | | Method for passing through network address conversion |
| CN100348008C (en) | | Method for making calling treatment in VoIP gateway and link test and its system |
| CN1235368C (en) | | Address conversion method for simultaneously supporting one-to-one and many-to-many under the PAT mode |
| CN1870568A (en) | | Method for implementing network address conversion anti-virus transition |
| CN1728661A (en) | | Method for Realizing Backup and Load Sharing on Address Resolution Protocol Proxy |
| CN1697445A (en) | | Implementation method for transferring data in virtual private network |
Legal Events
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | C14 | Grant of patent or utility model | |
| | GR01 | Patent grant | |
| | C17 | Cessation of patent right | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20051012; Termination date: 20110813 |