
Title:
TRANSPARENT MULTIPLEXING OF IP ENDPOINTS
Document Type and Number:
WIPO Patent Application WO/2020/240046
Kind Code:
A1
Abstract:
The disclosure relates to allowing a network function (such as a router, firewall or SD-WAN endpoint) or service chain of network functions to transparently access a network uplink, while also allowing a set of management entities to access the same link without interference or configuration. To the extent that a conflict arises between ports allocated to the management functions and to the network functions, the relevant port is automatically removed from use by management functions and allocated to network functions to end the conflict.

Inventors:
LYNCH LEROY ROBERT (DE)
GRISWOLD DAVID STEPHEN (DE)
SWARTZ TROY ANTHONY (DE)
Application Number:
PCT/EP2020/065245
Publication Date:
December 03, 2020
Filing Date:
June 02, 2020
Assignee:
ADVA OPTICAL NETWORKING SE (DE)
International Classes:
H04L45/74
Foreign References:
US20020196802A12002-12-26
EP1074138A12001-02-07
Other References:
YEOM H Y ET AL: "IP MULTIPLEXING BY TRANSPARENT PORT-ADDRESS TRANSLATOR", PROCEEDINGS OF THE SYSTEMS ADMINISTRATION CONFERENCE. LISA, XX, XX, 29 September 1996 (1996-09-29), pages 113 - 121, XP000826921
Attorney, Agent or Firm:
WITTE, WELLER UND PARTNER (DE)
Claims:
Claims

1. A network entity that provides multiplexing of multiple IP endpoints to share a single network IP address where:

(a) One IP endpoint EP3 is used for end user traffic and has transparent access to the WAN gateway EP1;

(b) One IP endpoint EP2 is used for management traffic and uses a few reserved ports;

(c) The multiplexing function forwards traffic between EP1 and EP2, and between EP1 and EP3; and

(d) The multiplexing function changes the MAC addresses in the packets to hide EP2 and EP3 from EP1.

2. The network entity of claim 1 where the multiplexing function monitors EP3 for use of the reserved ports, and if a collision is detected (with EP2 using that port), allocates a new reserved port and removes flow entries for EP2 that are using the port for which a collision is detected.

3. The network entity of claim 1 or 2 where the multiplexing function monitors the up/down state of EP1, and reflects that state to EP2 and EP3.

4. The network entity of any of claims 1 to 3 where the multiplexing function monitors EP1, EP2, and EP3 for ARP, ICMP and DHCP packets, and modifies the MAC addresses in the payload.

Description:
Transparent Multiplexing of IP Endpoints

BACKGROUND

Field of the Disclosure.

[0001] This disclosure relates generally to sharing a single network IP address between and among two endpoints, services, or devices (hereafter referred to as endpoints), multiplexing the endpoint access to a single network IP address without interfering with applications, and without requiring manual configuration.

[0002] For example, the present disclosure may be used to avoid the problems created in NFV when NAT is used to share a single IP address between management endpoints and applications such as SD-WAN or firewalls. The present disclosure is also applicable to physical network functions.

[0003] Vocabulary.

[0004] Or - Unless explicit to the contrary, the word "or" should be interpreted as an inclusive or rather than an exclusive or. Thus, the default meaning of or should be the same as the more awkward and/or.

[0005] Set - Unless explicit to the contrary, the word "set" should be interpreted as a group of one or more items.

[0006] Substantially - Frequently, when describing an industrial process it is useful to note that a given parameter is substantially met. Examples may be substantially parallel, substantially perpendicular, substantially uniform, and substantially flat. In this context, substantially X means that for purposes of this industrial process it is X. So something that may not be absolutely parallel but is for all practical purposes parallel, is substantially parallel. Likewise, mixed air that has substantially uniform temperature would have temperature deviations that were inconsequential for that industrial process. As recognized in C. E. Equipment Co. v. United States, 13 U.S.P.Q.2d 1363, 1368 (Cl. Ct. 1989), the word "substantially" in patent claims gives rise to some definitional leeway - thus the word "substantially" may prevent avoidance of infringement by minor changes that do not affect the results sought to be accomplished.

[0007] Units - Note that in order to provide focus on specific functions, the description below will reference various“units”. In this context, a unit implies the required resources to perform a given set of functions. This may include a combination of electro-mechanical devices such as a microphone or a camera and the processing power to control the devices then manipulate the data obtained by the devices. In some instances, the functionality from several individually discussed units may be performed using physical components that are shared by several of the units discussed below.

[0008] Flow Table - a lookup table that contains information about each flow in terms of its classification (source and destination IP addresses, source and destination ports, protocol). If a lookup results in finding a match, an entry will be returned which contains a destination port and packet action.

[0009] Rule Table - a table that supports n-tuple pattern match lookup. If a lookup is successful, an entry will be returned that contains a destination port and packet action.

[0010] Endpoint - an IP-addressable entity that sends and receives IP traffic, including:

• Management Endpoint - used for managing network access and infrastructure; and

• Network Endpoint - used for providing network services to a subscriber.

[0011] IP - internet protocol is used for constructing packets for internet access.

[0012] MAC - Media access control is responsible for the transmission of data packets to and from the network.

[0013] Address Resolution Protocol (ARP) - is a communication protocol used for discovering the link layer address, such as a MAC address, associated with a given internet layer address, typically an IPv4 address. See Wikipedia at en.wikipedia.org/wiki/Address_Resolution_Protocol.

[0014] Reserved Port - An IP port reserved for use by the management endpoint.

[0015] Lookup / match - the identification of an entry in the Rule Table or Flow Table that correlates to the given search criteria (i.e. matches), where the correlation may include exact contents, patterns with wild cards, bit masks, and ranges.

[0016] WAN - Wide area network. Used to connect a customer site to the internet.

[0017] SD-WAN - is an acronym for software-defined networking in a wide area network (WAN). SD-WAN simplifies the management and operation of a WAN by decoupling (separating) the networking hardware from its control mechanism. This concept is similar to how software-defined networking implements virtualization technology to improve data center management and operation.

[0018] Network address translation (NAT) - is a method of remapping one IP address space into another by modifying network address information in the IP header of packets while they are in transit across a traffic routing device. The technique was originally used as a shortcut to avoid the need to readdress every host when a network was moved. It has become a popular and essential tool in conserving global address space in the face of IPv4 address exhaustion. One Internet-routable IP address of a NAT gateway can be used for an entire private network. See wikipedia.org/wiki/Network_address_translation

[0019] Proxy server - a server for network protocols (such as DHCP) that acts on behalf of another server, or as a gateway to another server. The client of the proxy server is not aware of its existence.

[0020] uCPE - Universal customer premises equipment (uCPE) consists of software virtual network functions (VNFs) running on a standard operating system hosted on an open server. The uCPE is the whole system including all the ports, the VNFs, the management functions, and the hosting server. An ideal uCPE deployment supports a multi-vendor multi-component construction. As such, uCPE brings the power of the cloud to the telco network and is a gateway to innovation. See blog.advaoptical.com/en/what-is-universal-cpe.

[0021] Related Art.

[0022] FIG. 1 shows an example of broadband internet access. These types of services typically provide the user with a single dynamic public network IP address (IPl) that is provisioned by the Dynamic Host Configuration Protocol (DHCP) protocol.

[0023] Multiple endpoints (SD-WAN and public management VRF) need to access the internet, and each has its own private IP address (IP2 and IP3). The usual way to accomplish sharing of a single public network IP address is to use network address translation (NAT). NAT maps multiple IP source addresses into a single network IP address by translating the IP address and port field of the traffic.

[0024] NAT translation manipulates packets and introduces issues with certain applications such as software-defined wide-area network (SD-WAN), login/rsh, Kerberos, IPsec, and others.

[0025] Some applications do not work well with the use of NAT translation. NAT translation adds a delay (latency) as there is a translation of the IP address. Those of skill in the art will appreciate that a change of IP address triggers a need to calculate a new checksum and involves the use of a large lookup table.

[0026] The usual workaround to the issues described above is to introduce a passthrough feature to the NAT. This feature requires configuration of passthrough for certain ports. The passthrough approach is well known, and almost all modern home internet router/firewall devices support this type of feature.

[0027] The drawbacks to this approach are:

[0028] 1) the passthrough ports must be explicitly configured rather than use automatic configuration and

[0029] 2) each packet is manipulated at the IP layer, introducing a heavy workload.

[0030] A more sophisticated approach is provided by the Cradlepoint wireless router. It provides transparent access between a single IP endpoint and the IP network, except for a set of reserved IP ports that must be avoided. Those designated IP ports are used by the Cradlepoint router for its own management.

[0031] The drawback of this approach is that any application that collides with the reserved IP ports will suffer a silent failure, in that any packets from the network using those ports will be intercepted by the management endpoint. Such packets will not reach the intended target and will simply be discarded.

SUMMARY OF THE DISCLOSURE

[0032] Aspects of the teachings contained within this disclosure are addressed in the claims submitted with this application upon filing. Rather than adding redundant restatements of the contents of the claims, these claims should be considered incorporated by reference into this summary.

[0033] This summary is meant to provide an introduction to the concepts that are disclosed within the specification without being an exhaustive list of the many teachings and variations upon those teachings that are provided in the extended discussion within this disclosure. Thus, the contents of this summary should not be used to limit the scope of the claims that follow.

[0034] Inventive concepts are illustrated in a series of examples, some examples showing more than one inventive concept. Individual inventive concepts can be implemented without implementing all details provided in a particular example. It is not necessary to provide examples of every possible combination of the inventive concepts provided below as one of skill in the art will recognize that inventive concepts illustrated in various examples can be combined together in order to address a specific application.

[0035] Other systems, methods, features and advantages of the disclosed teachings will be immediately apparent or will become apparent to one with skill in the art upon examination of the following figures and detailed description. It is intended that all such additional systems, methods, features and advantages be included within the scope of and be protected by the accompanying claims.

[0036] The present disclosure allows a network function (e.g. router, firewall or SD-WAN endpoint) or service chain of network functions to transparently access a network uplink, while also allowing a set of management entities to access the same link without interference or configuration. To the extent that a conflict arises between ports allocated to the management functions and to the network functions, the relevant port is automatically removed from use by management functions and allocated to network functions to end the conflict.

[0037] When a router is connected to a gateway via a Layer 2 interface (e.g. Ethernet), the router will adjust IP status when the Layer 2 interface transitions from Up to Down, and Down to Up. Thus, the present disclosure provides a Link State Transfer function such that the subtending network function will react to Link State changes just as if it were directly connected.

[0038] The present disclosure supports implementing a DHCP server for delivery of dynamic IP addresses to the network entity (EP3 in figures).

BRIEF DESCRIPTION OF THE FIGURES

[0039] The disclosure can be better understood with reference to the following figures. The components in the figures are not necessarily to scale, emphasis instead being placed upon illustrating the principles of the disclosure. Moreover, in the figures, like reference numerals designate corresponding parts throughout the different views.

[0040] FIG. 1 shows one prior art solution.

[0041] FIG. 2 shows the context for the current disclosure.

[0042] FIG. 3 shows the flow diagram for packets ingressing to the IP Multiplexer interface IF1 from the WAN gateway EP1.

[0043] FIG. 4 shows the flow diagram for packets ingressing to the IP Multiplexer interface IF2 from the network endpoint EP2.

[0044] FIG. 5 shows packets ingressing to the IP Multiplexer interface IF3 from the management endpoint EP3.

[0045] FIG. 6 shows an example of Rule Table format.

[0046] FIG. 7 shows an example of Flow Table format.

DETAILED DESCRIPTION

[0047] The presently disclosed subject matter is described with specificity to meet statutory requirements. However, the description itself is not intended to limit the scope of this patent. Rather, the inventors have contemplated that the claimed subject matter might also be embodied in other ways, to include different steps or elements similar to the ones described in this document, in conjunction with other present or future technologies. Moreover, although the term "step" may be used herein to connote different aspects of methods employed, the term should not be interpreted as implying any particular order among or between various steps herein disclosed unless and except when the order of individual steps is explicitly described.

[0048] The disclosure describes how to multiplex IP streams from multiple sources using a single IP address, without requiring pre-configuration of IP addresses, and without manipulating user traffic at the IP layer. In doing so it enables multiple sources to share a single WAN IP address, which enables IP applications such as SD-WAN login/rsh, Kerberos, IPsec, and others to operate properly.

[0049] The disclosure describes how a set of ports are dynamically reserved for management traffic, and all other ports are passed through transparently. If one of these reserved ports is observed flowing from the network function, the port is removed from the reserved list for management traffic and another port is allocated for management traffic so that conflicts are avoided automatically.

[0050] Context.

[0051] FIG. 2 shows the context of the disclosure. There are three entities connected to the IP Multiplexer interfaces:

• IP Multiplexer interface IF1 is connected to endpoint EP1, which is the WAN gateway, with IP address IP2 and MAC address MAC1.

• IP Multiplexer interface IF2 is connected to endpoint EP2, which is the management endpoint, with IP address IP1 and MAC address MAC2. Note that there may optionally be a NAT function behind this endpoint to support subtending management applications.

• IP Multiplexer interface IF3 is connected to endpoint EP3, which is the network endpoint with IP address IP1 and MAC address MAC3. Traffic on this port needs to pass to and from EP1 with no changes at the IP layer.

[0052] The following sections describe the flow diagrams for each port.

[0053] WAN gateway EP1 connected to IP Multiplexer interface IF1

[0054] FIG. 3 shows the processing of packets arriving on interface IF1 from EP1.

[0055] When a packet is received on interface IF1 from EP1, the IP Multiplexer calculates the destination interface or interfaces based on lookups in a dynamic Flow Table, or a preconfigured Rule Table. Note that the Flow Table lookup may not find an entry, but the lookup in the Rule Table is guaranteed to return a matching entry.

[0056] The first step is to perform a Flow Table lookup using a 7-tuple key (Interface, EthType, IP Protocol, Source IP Address, Destination IP Address, Source Port, and Destination Port).

[0057] If the Flow Table lookup finds a match, the IP Multiplexer will apply returned action to the packet. If no match is found in the Flow Table, the same 7-tuple key will be used to perform a lookup in the Rule Table which will always result in a match and result in the creation of a new entry in the Flow Table to speed up subsequent lookups. Note that the Rule Table is generic and does not require customization before use with a specific customer.

[0058] The IP Multiplexer will apply the action returned from either the Flow Table or the Rule Table lookup.

[0059] If the action is L2 ARP, and the packet is an ARP Request and the target IP is IP1, the IP Multiplexer responds with MAC0 as the hardware address in the reply.

[0060] If the action is L2 ARP, and the packet is an ARP Request and the target IP is not IP1, the packet is forwarded to EP3 if configured, and to EP2 otherwise.

[0061] If the action is L2 ARP, and the packet is an ARP Reply, and the destination MAC is MAC0, the packet will be sent to both endpoints EP2 and EP3 via interfaces IF2 and IF3.

[0062] If the action is L2 ARP, and the packet is an ARP Reply, and the destination MAC is the broadcast MAC, the packet is sent unchanged to both EP2 and EP3.

[0063] If the action is L2 DHCP, the IP Multiplexer makes two copies of the packet. In the first copy, the destination MAC is replaced with MAC2, the client hardware address in the DHCP header is replaced with MAC2, and the packet is sent to EP2. In the second copy, the destination MAC is replaced with MAC3, the client hardware address in the DHCP header is replaced with MAC3, and the packet is sent to EP3.

[0064] If the action is L2 ICMP, and the packet is a reply, two copies are made, both with the source MAC set to MAC0. Copy 1 is sent to EP2, and copy 2 is sent to EP3.

[0065] In all cases, before sending the packet, the IP Multiplexer updates the destination MAC field of the packet with the MAC of the destination endpoint. For example, when sending to EP2, the destination MAC is changed to MAC2, and likewise changed to MAC3 when sending to EP3. The ARP response will convey to EP2 or EP3 the MAC address for EP1.

[0066] Turning now to FIG. 2 one can see that the IP Network beyond the gateway EP1 is connected at the IP Multiplexer that uses IP1 for the IP address of the IP Multiplexer whether the packet is destined for the EP3 network endpoint or the EP2 Management endpoint. Those of skill in the art will recognize that IP Network traffic destined to EP2 Management endpoint is going to be relatively rare. One example would be a management link to allow a network operator access EP2 management endpoint for remote monitoring and control.

[0067] Management endpoint EP2 connected to IP Multiplexer interface IF2.

[0068] FIG. 4 shows the processing of packets arriving at interface IF2 from EP2.

[0069] The management host endpoint may be controlling network services using Linux with a hosting platform (e.g. uCPE). Packets received on interface IF2 from EP2 are coming from the management host endpoint that has a confined TCP/UDP port space (i.e. restricted to a set of reserved ports). When a packet arrives from EP2, the source port is substituted with a port value from the reserved pool.

[0070] The IP Multiplexer processes packets from EP2 by first performing a 7-tuple key lookup in the Flow Table. If the lookup finds a match, a flow entry will be returned. The flow entry contains the destination interface (always interface IF1 connected to EP1) and one of two actions, L2 ARP or L2 FWD.

[0071] If the action is L2 ARP, and the source MAC is MAC2, the source MAC information in the ARP packet will be updated such that it appears the packet was generated by a single system endpoint (i.e. using MAC0 for the IP Multiplexer), and then a L2 FWD action will be applied to the packet. The L2 FWD action rewrites the Layer 2 source MAC address with the IP Multiplexer MAC (MAC0), rewrites the Layer 2 destination MAC with the IP Gateway MAC (MAC1), and then transmits the packet towards EP1.

[0072] If the action is L2 ARP, and the source MAC is not MAC2, the packet is sent unchanged to EP1.

[0073] If the action is L2 DHCP, the source MAC is replaced with MAC0, the client hardware address in the DHCP header is replaced with MAC0. Then the DHCP options are searched for Client ID and Hostname. If found, these options are set to zero to force the DHCP server to use the client hardware address as the identifier.

[0074] If the action is L2 ICMP, the packet is forwarded to EP1 with the source MAC set to MAC0.

[0075] If the Flow Table lookup does not find a match, the IP Multiplexer will perform a lookup in the Rule Table using the same 7-tuple key. If no rule entry is found, the packet will be discarded. If a rule entry is found, and the action is L4 SRC PORT, a port value from the reserved range will be allocated for use as the new source port and a new Flow Table entry will be added, and the rule entry action (i.e. L4 SRC PORT, L2 ARP or L2 FWD) will be applied to the packet.

[0076] Network endpoint EP3 connected to IP Multiplexer interface IF3

[0077] FIG. 5 shows the processing of packets arriving at interface IF3 from EP3.

[0078] When a packet arrives from EP3, the IP Multiplexer will record the source MAC address of the incoming packet to learn MAC3. This action is needed because MAC3 will not normally be known, and it may change.

[0079] The IP Multiplexer will then perform a 7-tuple Flow Table lookup. If the lookup returns a flow entry, the IP Multiplexer will apply the returned action (i.e. L2 ARP, L2 DHCP, L2 ICMP, or L2 FWD) to the packet and transmit the packet to the gateway EP1.

[0080] If the Flow Table lookup does not find a match, then a lookup in the Rule Table occurs and is guaranteed to successfully return a matching Rule Table entry. As the Rule Table for EP3 has a default rule, the Rule Table always returns a matching Rule Table entry. The IP Multiplexer then checks to see if the packet's TCP/UDP port matches one of the reserved TCP/UDP ports for EP2 traffic. If there is a match, the reserved TCP/UDP port is marked unavailable, and Flow Table entries with EP2 and the reserved TCP/UDP port are removed. New Flow Table entries are added for the traffic flows from EP3 to EP1, and from EP1 to EP3. The IP Multiplexer then applies the action (i.e. L2 ARP, L2 DHCP, L2 ICMP, or L2 FWD) which was returned from either the Flow Table or Rule Table lookup. Thus, EP3 packets can cause reallocation of a port previously allocated for use for EP2 packets, with the port becoming first unallocated and eventually allocated to EP3 use.

[0081] The L2 ARP, L2 DHCP, and L2 ICMP actions are used to determine the type of packet, and what MAC fields within the packet need to be updated with the IP Multiplexer's MAC MAC0.
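The port multiplexing described for EP2 ([0069]-[0075]) and the collision handling described for EP3 ([0078]-[0080], claim 2) can be followed in a small simulation. This is an added example and not code from the patent or from ADVA: MAC addresses, IP addresses and port numbers are constructed placeholders, packets are plain dicts, and the Rule Table is reduced to the default decisions taken on a Flow Table miss.

```python
"""Simulation of the IP Multiplexer's reserved-port handling for the management
endpoint EP2 and the network endpoint EP3 sharing address IP1 ([0069]-[0080]).
Added example, not the patent's code: MACs, addresses and ports are constructed
placeholders, packets are plain dicts, and the Rule Table is reduced to defaults."""
from dataclasses import dataclass, field
from itertools import count

MAC0, MAC1, MAC2 = "00:00:5e:00:00:00", "00:00:5e:00:00:01", "00:00:5e:00:00:02"
IP1 = "203.0.113.10"                    # the single shared WAN address
L2_FWD, L4_SRC_PORT = "L2 FWD", "L4 SRC PORT"


def key(iface, pkt):
    """The 7-tuple Flow Table key of [0056]."""
    return (iface, pkt["eth"], pkt["proto"], pkt["src_ip"], pkt["dst_ip"],
            pkt["sport"], pkt["dport"])


@dataclass
class IPMultiplexer:
    mac3: str = None                                   # learned from EP3 ([0078])
    reserved: set = field(default_factory=lambda: {40000, 40001, 40002})
    unavailable: set = field(default_factory=set)      # retired after an EP3 collision
    allocated: dict = field(default_factory=dict)      # reserved port -> EP2's own port
    flows: dict = field(default_factory=dict)          # 7-tuple -> (out_if, action, port)
    _spare: count = field(default_factory=lambda: count(40003))

    def _allocate(self):
        free = self.reserved - set(self.allocated)
        if not free:
            raise RuntimeError("reserved port pool exhausted")
        return min(free)

    @staticmethod
    def _ep2_flow_on(fk, v, port):
        # EP2's forward flow substituted to `port`, or the return flow keyed on it
        return (fk[0] == "IF2" and v[2] == port) or (v[0] == "IF2" and fk[6] == port)

    def from_ep2(self, pkt):
        """[0069], [0075]: substitute a reserved source port, install both
        directions in the Flow Table, then L2 FWD toward EP1 (MAC0 -> MAC1)."""
        k = key("IF2", pkt)
        if k not in self.flows:
            rport = self._allocate()
            self.allocated[rport] = pkt["sport"]
            self.flows[k] = ("IF1", L4_SRC_PORT, rport)
            back = ("IF1", pkt["eth"], pkt["proto"], pkt["dst_ip"], IP1, pkt["dport"], rport)
            self.flows[back] = ("IF2", L2_FWD, pkt["sport"])   # restore EP2's port on return
        return "IF1", dict(pkt, sport=self.flows[k][2], src_mac=MAC0, dst_mac=MAC1)

    def from_ep3(self, pkt):
        """[0078]-[0080], claim 2: learn MAC3; a reserved port seen from EP3 is retired,
        EP2's flows on it dropped and a replacement reserved; EP3 passes through."""
        self.mac3 = pkt["src_mac"]
        k = key("IF3", pkt)
        if k not in self.flows:
            port = pkt["sport"]
            if port in self.reserved:                      # collision with EP2's pool
                self.reserved.discard(port)
                self.unavailable.add(port)
                self.allocated.pop(port, None)
                self.flows = {fk: v for fk, v in self.flows.items()
                              if not self._ep2_flow_on(fk, v, port)}
                self.reserved.add(next(self._spare))       # keep the pool size
            self.flows[k] = ("IF1", L2_FWD, None)
            back = ("IF1", pkt["eth"], pkt["proto"], pkt["dst_ip"], IP1, pkt["dport"], port)
            self.flows[back] = ("IF3", L2_FWD, None)
        return "IF1", dict(pkt, src_mac=MAC0, dst_mac=MAC1)

    def from_ep1(self, pkt):
        """[0055]-[0057], [0065]: a Flow Table hit selects IF2 or IF3; the default
        rule sends unknown traffic to EP3; the destination MAC is rewritten."""
        hit = self.flows.get(key("IF1", pkt))
        if hit is None or hit[0] == "IF3":
            return "IF3", dict(pkt, dst_mac=self.mac3)
        return "IF2", dict(pkt, dport=hit[2], dst_mac=MAC2)


def demo():
    """Constructed scenario: EP2 opens a session, its reply returns, then EP3
    starts using the same reserved port and the multiplexer resolves the clash."""
    mux = IPMultiplexer()
    m = {"eth": 0x0800, "proto": 6, "src_ip": IP1, "dst_ip": "198.51.100.5",
         "sport": 51000, "dport": 443, "src_mac": MAC2, "dst_mac": MAC0}
    _, m1 = mux.from_ep2(m)                                # EP2 gets reserved port 40000
    reply = {"eth": 0x0800, "proto": 6, "src_ip": "198.51.100.5", "dst_ip": IP1,
             "sport": 443, "dport": m1["sport"], "src_mac": MAC1, "dst_mac": MAC0}
    r_if, r1 = mux.from_ep1(reply)                         # delivered to EP2, port restored
    mux.from_ep3(dict(m, sport=40000, src_mac="00:00:5e:00:00:03"))   # EP3 uses 40000
    r_if2, r2 = mux.from_ep1(reply)                        # same reply now belongs to EP3
    _, m2 = mux.from_ep2(m)                                # EP2 is moved to a fresh port
    return (m1["sport"], r_if, r1["dport"], r_if2, r2["dport"],
            m2["sport"], sorted(mux.unavailable))
```

The scenario in `demo()` shows the silent-failure case of [0031] being handled: once EP3 is seen on port 40000, the reply that would have been intercepted for EP2 is delivered to EP3 and EP2 is quietly moved to port 40001.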

[0082] If the action is L2 DHCP, the IP Multiplexer can be configured to behave in one of two ways. Using the first method, the packet's source MAC is replaced with MAC0, and the client hardware address in the DHCP header is replaced with MAC0. Then the DHCP options are searched for Client ID and Hostname. If found, these options are set to zero to force the DHCP server to use the client hardware address as the identifier. Then the packet is transmitted on interface IF1 to EP1. Using the second method, the IP Multiplexer acts as a DHCP proxy server and replies directly to the DHCP requests providing the Multiplexer's IP address, IP1, and the Gateway's IP address. The second method is required if the IP Gateway is not capable of responding to DHCP requests. For example, if IF1 is an LTE interface, then the LTE interface's IP address is acquired via LTE protocols rather than DHCP.
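The DHCP rewrite applied to packets from EP2 ([0073]) and, under the first method, from EP3 ([0082]) can be shown on a raw BOOTP/DHCP payload. This is an added example, not the patent's or ADVA's code: the client MAC, MAC0 and the DHCPDISCOVER are constructed, and the options are zeroed in place (value bytes set to zero, length kept) so the option framing stays valid, which is one reading of "set to zero".

```python
"""DHCP identity rewrite of [0073]/[0082]: chaddr becomes the multiplexer MAC
MAC0 and the Client ID (61) and Host Name (12) options are zeroed so the DHCP
server keys on chaddr. Added example, not the patent's code; the packet and
MACs are constructed placeholders."""
import struct

MAC0 = bytes.fromhex("00005e000000")            # multiplexer MAC (placeholder)
MAGIC = b"\x63\x82\x53\x63"                     # DHCP magic cookie after the 236-byte BOOTP header
OPT_PAD, OPT_HOST_NAME, OPT_MSG_TYPE, OPT_CLIENT_ID, OPT_END = 0, 12, 53, 61, 255
CHADDR_OFF = 28                                 # op,htype,hlen,hops,xid,secs,flags + 4 addresses


def walk_options(buf, start=240):
    """Yield (offset, code, length) for each option; rejects truncated framing."""
    i = start
    while i < len(buf):
        code = buf[i]
        if code == OPT_END:
            return
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(buf) or i + 2 + buf[i + 1] > len(buf):
            raise ValueError("truncated DHCP option at offset %d" % i)
        yield i, code, buf[i + 1]
        i += 2 + buf[i + 1]


def rewrite_dhcp(payload: bytes, mac: bytes = MAC0) -> bytes:
    """Return the payload with chaddr := mac and options 12/61 zeroed in place."""
    buf = bytearray(payload)
    if len(buf) < 240 or buf[236:240] != MAGIC:
        raise ValueError("not a DHCP packet")
    buf[2] = len(mac)                                       # hlen
    buf[CHADDR_OFF:CHADDR_OFF + 16] = mac.ljust(16, b"\0")  # chaddr is a 16-byte field
    for off, code, length in walk_options(buf):
        if code in (OPT_HOST_NAME, OPT_CLIENT_ID):
            buf[off + 2:off + 2 + length] = bytes(length)   # keep code and length, zero value
    return bytes(buf)


def options(payload: bytes) -> dict:
    """Decode the option area as {code: value bytes}."""
    return {code: bytes(payload[off + 2:off + 2 + length])
            for off, code, length in walk_options(payload)}


def build_discover(client_mac: bytes, hostname: bytes, xid: int = 0x1234ABCD) -> bytes:
    """Constructed DHCPDISCOVER carrying a Client ID and Host Name, as EP3 might send."""
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s", 1, 1, 6, 0, xid, 0, 0x8000,
                         bytes(4), bytes(4), bytes(4), bytes(4), client_mac, b"", b"")
    opts = (bytes([OPT_MSG_TYPE, 1, 1])
            + bytes([OPT_CLIENT_ID, 1 + len(client_mac), 1]) + client_mac
            + bytes([OPT_HOST_NAME, len(hostname)]) + hostname
            + bytes([OPT_END]))
    return header + MAGIC + opts


def demo():
    """Rewrite a constructed discover from MAC3 and report what the server would see."""
    mac3 = bytes.fromhex("00005e000003")                    # EP3's MAC (placeholder)
    pkt = rewrite_dhcp(build_discover(mac3, b"vnf-sdwan"))
    seen = options(pkt)
    return (pkt[CHADDR_OFF:CHADDR_OFF + 6], seen[OPT_MSG_TYPE],
            seen[OPT_CLIENT_ID], seen[OPT_HOST_NAME])
```

Because both EP2 and EP3 are rewritten to MAC0 before reaching EP1, the gateway's DHCP server sees one client and hands out the single address IP1, which is why [0073] and [0082] suppress every other client identifier the endpoints might send.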

[0083] If the action is L2 ICMP, the packet is forwarded to EP1 with the source MAC set to MAC0.

[0084] If the action is L2 ARP, and the source MAC is MAC3, the packet is sent to EP1 with the Source MAC and source hardware address set to MAC0.

[0085] If the action is L2 ARP, and the source MAC is not MAC3, the packet is sent unchanged to EP1.

[0086] After the update, these actions perform a L2 FWD action. The L2 FWD action rewrites the Layer 2 Source MAC with the IP Multiplexer MAC MAC0 and then transmits the packet on interface IF1 to EP1.

[0087] Multiple Instances.

[0088] Network endpoints such as SD-WAN may have multiple network interfaces, as can the management endpoint. In the case that multiple WAN connections are available (e.g. broadband cable and wireless), the entire IP Multiplexer may be replicated, providing the same advantages on each of the network interfaces.

[0089] Link State Forwarding.

[0090] Network endpoints such as SD-WAN rely on Layer 2 state for forwarding decisions. The IP Multiplexer will force ports connected to EP2 and EP3 to a "down" state whenever the interface connected to EP1 is down, reverting to "up" when the interface connected to EP1 goes up. This enables the functions at EP2 and EP3 to re-route traffic if they have alternate interfaces available, as in the Multiple Instances scenario previously described. Forcing the network endpoints to adopt the status of the interface connected to EP1 allows the SD-WAN to react immediately to loss of connectivity to the gateway router EP1.

[0091] ADVANTAGES.

[0092] Fewer Public IPv4 Addresses.

[0093] Public IPv4 addresses are a scarce resource, and network operators charge by the number of addresses used. Using the teachings of the present disclosure allows for the use of just one public IP address rather than more than one.

[0094] Dynamic reserved TCP/UDP ports for endpoint EP2

[0095] The teachings of the present disclosure may be used to eliminate configuration of the IP Multiplexer. The teachings automatically react to EP2 conflicts with EP3 port allocations by changing the ports allocated to EP2 so that the conflict is removed. This keeps user data flowing between EP1 and EP3.

[0096] Layer 2 Link State Forwarding.

[0097] End-points such as SD-WAN rely on Layer 2 state for forwarding decisions. By forcing the network endpoints to adopt the status of the interface tied to the gateway router EP1, the present disclosure allows the SD-WAN or other services at either EP3 or EP2 to react to loss of connectivity on interface IF1 connected to the gateway router EP1.

[0098] ALTERNATIVES and VARIATIONS.

[0099] Virtual and Physical.

[00100] The teachings of the present disclosure may be applied to an IP Multiplexer and related components that are virtual. The teachings of the present disclosure are equally applicable to an IP Multiplexer and related components that are physical devices. Those of skill in the art will understand that one or more physical devices mapping to the components discussed in the various figures may co-exist within one device housing. The teachings of the present disclosure may also be applied to a mix of physical and virtual components.

[00101] One of skill in the art will recognize that some of the alternative implementations set forth above are not universally mutually exclusive and that in some cases additional implementations can be created that employ aspects of two or more of the variations described above. Likewise, the present disclosure is not limited to the specific examples or particular embodiments provided to promote understanding of the various teachings of the present disclosure. Moreover, the scope of the claims which follow covers the range of variations, modifications, and substitutes for the components described herein as would be known to those of skill in the art.

[00102] Where methods and/or events described above indicate certain events and/or procedures occurring in a certain order, the ordering of certain events and/or procedures may be modified. Additionally, certain events and/or procedures may be performed concurrently in a parallel process when possible, as well as performed sequentially as described above.

[00103] The legal limitations of the scope of the claimed invention are set forth in the claims that follow and extend to cover their legal equivalents. Those unfamiliar with the legal tests for equivalency should consult a person registered to practice before the patent authority which granted this patent such as the United States Patent and Trademark Office or its counterpart.