WO2014001773A1 - Resolution of address translations - Google Patents

Resolution of address translations

Info

Publication number
WO2014001773A1
Authority
WO
WIPO (PCT)
Prior art keywords
data
nat
packets
session
network
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Ceased
Application number
PCT/GB2013/051652
Other languages
English (en)
Inventor
Richard Thomas JARVIS
Paul Michael FURLEY
Henri William KEENE
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
BAE Systems PLC
Original Assignee
BAE Systems PLC
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
2012-06-26
Filing date
2013-06-24
Publication date
2014-01-03
Application filed by BAE Systems PLC (2013-06-24)
Publication of WO2014001773A1 (2014-01-03)
Anticipated expiration
Ceased (current legal status)

Classifications

    • H Electricity > H04 Electric communication technique > H04L Transmission of digital information, e.g. telegraphic communication, with the following groups:
    • H04L43/00 Arrangements for monitoring or testing data switching networks
    • H04L43/02 Capturing of monitoring data
    • H04L43/026 Capturing of monitoring data using flow identification
    • H04L43/028 Capturing of monitoring data by filtering
    • H04L43/04 Processing captured monitoring data, e.g. for logfile generation
    • H04L43/06 Generation of reports
    • H04L43/065 Generation of reports related to network devices
    • H04L43/12 Network monitoring probes
    • H04L61/00 Network arrangements, protocols or services for addressing or naming
    • H04L61/09 Mapping addresses
    • H04L61/25 Mapping addresses of the same type
    • H04L61/2503 Translation of Internet protocol [IP] addresses
    • H04L61/2514 Translation of IP addresses between local and global IP addresses
    • H04L61/2517 Translation of IP addresses using port numbers
    • H04L61/2591 Identification of devices behind NAT devices
    • H04L63/00 Network architectures or network communication protocols for network security
    • H04L63/30 Network security for supporting lawful interception, monitoring or retaining of communications or communication related information
    • H04L63/306 Lawful interception of packet switched data communications, e.g. Web, Internet or IMS communications

Definitions

  • This invention relates to address translation and in particular, but not exclusively, to the detection of address translations across a point of interconnection between networks, for example between two Internet Protocol (IP) networks having incompatible addressing schemes.
  • Network Address Translation (NAT), described in "IP Network Address Translator (NAT) Terminology and Considerations" by P. Srisuresh and M. Holdrege (RFC 2663, August 1999, published by the Internet Society), is a technique for mapping Internet Protocol (IP) addresses from those used in one network to those used in another, for example between a private addressing scheme used within a corporate network and the global addressing scheme used for the public Internet.
  • NAT/PAT (Port Address Translation) devices cause problems for compliance systems, in that an examination of IP packets arriving at a network destination, or being carried over a public network, will not necessarily yield a unique identifier for the originator.
  • the only source of information on the mapping to an originator is a transient record created within a respective NAT/PAT device, a record that exists, typically, only for the duration of a particular session, e.g. a Transmission Control Protocol (TCP) session, a User Datagram Protocol (UDP) session or an Internet Control Message Protocol (ICMP) query session.
  • the present invention resides in an apparatus for mapping data packets undergoing changes to their addressing information between a first point and a second point in a network, the apparatus comprising: first data capture means for capturing data packets at a first tap point in a communications path, prior to address translation; second data capture means for capturing data packets at a second tap point in a communications path, following address translation; and passive correlating means for detecting mappings between data packets captured by the second data capture means and data packets captured by the first data capture means and for outputting a detected mapping between addressing information before and after translation.
  • the first and second data capture means comprise means for associating data packets within a same identified data stream and for organising associated data packets into processing queues, establishing a different processing queue for each identified data stream.
  • the correlating means may be arranged to read packets from each processing stream in a parallel processing arrangement.
  • the first and second data capture means are arranged to associate data packets in a given data stream by determining a hash value for a predetermined combination of data fields in each data packet and maintaining a hash table mapping each distinct determined hash value to those packets having the same determined hash value.
  • the present invention finds particular application in the mapping of network addresses within data streams comprising TCP or UDP sessions over an IP network.
  • the apparatus of the present invention may be deployed to capture data from points either side of a NAT/PAT device and to passively resolve mappings between pre-NAT and post-NAT source 'IP quint' data fields.
  • Figure 1 shows an example of a communications path between a user of a mobile communications device and an internet service being accessed from that device;
  • Figure 2 shows a simplified communications arrangement with a deployed correlation device according to preferred embodiments of the present invention
  • Figure 3 shows preferred functional elements in a correlation device according to the present invention.
  • Figure 4 shows an example of an output by the correlation device of the present invention.
  • NAT Network Address Translation; PAT Port Address Translation (a NAT/PAT device rewrites both the source address and the source port)
  • CSP communications service provider (here, a mobile CSP)
  • Figure 1 shows a typical communications path between a mobile communications device of a subscriber to the CSP's services wishing to access an internet-based service.
  • Corresponding network architectures may be envisaged in which, for example, users in a corporate fixed line network wish to access the same internet-based service.
  • a subscriber 10 to a CSP's mobile communications services is able to use a mobile communications device 15, for example a so-called "smart phone" or other mobile communications device, to access an internet-based service 20 over the CSP's private General Packet Radio Service (GPRS) or equivalent mobile communications network and the public internet 25.
  • the mobile communication device 15 communicates wirelessly with one or more local base stations 30 and a communications path is established through a serving GPRS support node (SGSN) 35 and its corresponding gateway GPRS support node (GGSN) 40 to a NAT/PAT device 45 deployed at the boundary between the CSP's network and the public internet 25.
  • the NAT/PAT device 45 is arranged to hide the private IP addressing scheme used within the CSP's network by substituting the private source IP address carried in the headers of all outgoing IP data packets with one common public routeable source IP address (or one of a small number of common public source IP addresses) for all internet communications sessions with subscribers in that particular CSP's network.
  • the NAT/PAT device 45 also allocates a unique TCP/UDP source port number for that particular session and substitutes the original source port number with the newly allocated port number.
  • the modified packets are then forwarded through a firewall/gateway device 60 to the internet 25.
  • the NAT/PAT device 45 maintains a record in the form of a state table of the IP address and port allocations it has made so that when IP packets inbound to the network are received within a particular session, the destination IP address and port number of each received packet may be translated back to the original private source IP address for that session and routed to the originating mobile subscriber's device 15.
  • An individual external NAT IP address may have been shared by many subscribers within the CSP's network and it is therefore not possible to uniquely identify an originating mobile subscriber by their IP address alone. Additional information on session mapping between internal and external IP addresses must be captured to be able to identify a particular mobile subscriber's session with any level of certainty.
  • Seized hardware from servers hosting illegal material may conceivably contain logs of source IP addresses. Where those source IP addresses originate in networks with NAT devices in place, the source IP address logs enable law enforcement (LE) to identify only the originating network. The individual subscriber on that network cannot be identified. If NAT logs have not been retained at the originating network, for example by the mobile CSP, then it may be impossible to link the external IP address captured in the source IP address log to an individual mobile subscriber.
  • Preferred embodiments of the present invention are arranged to capture the information necessary to make such links. Such information would also be of use in a Lawful Interception system where traffic being monitored is captured on the public side of a NAT device, after address translation.
  • Realtime mapping information of particular target sessions may be sent to a respective monitoring device so that it may identify and collect data for the correct sessions.
  • the present invention offers an entirely passive solution to the problem of linking source IP addressing to NAT/PAT allocated addressing.
  • a preferred embodiment will now be described with reference to Figure 2, which shows a simplification of the communications path described above: a user's terminal equipment 100 is shown communicating with a remote server 105 over a communications path that includes a NAT/PAT device 110 for performing source IP address translations.
  • a passive correlation device 115 according to the present invention is deployed to monitor data packets at first and second tap points 120, 125 in the communication path, the first tap point 120 for monitoring outgoing data packets before they enter the NAT/PAT device 110 and the second tap point 125 for monitoring data packets emerging from the NAT/PAT device 110.
  • the correlation device 115 is arranged to implement a preferred correlation technique, to be described in detail below, for processing the monitored pre-NAT and post-NAT data packets and for deriving the address and port mappings made by the NAT/PAT device 110, substantially in real-time. Such mappings may then be made available more or less rapidly for use in numerous applications requiring the identification of a true source address in a particular IP session being observed at some point downstream from the originator's network.
  • a TCP/UDP session is identifiable by five data fields in a TCP or UDP packet header: the source IP address and port number; the destination IP address and port number; and the IP Protocol.
  • This combination of IP addressing information is known as an IP quint, or IPQ.
  • a NAT/PAT device 110 replaces the source IP address and port number, as described above, for various reasons, retaining a record of the mapping between originating and translated source data so that returning packets within the same TCP or UDP session may be delivered to their originator.
  • the correlation device 115 of the present invention may not always enable a one-to-one correspondence to be established, for example if two users in a mobile network access the same web site at substantially the same time.
  • Preferred steps in a simplified top-level process, as may be performed by the correlation device 115, for deriving the mappings made by the NAT/PAT device 110 may be summarised as follows: 1) at a first, pre-NAT tap point, capture outgoing data packets and associate captured packets within the same TCP/UDP session, identifiable from a comparison of their pre-NAT IPQs, and queue data packets from each identified session in a different processing queue;
  • FIG. 3 shows a simplified functional block diagram of a preferred correlation device 115.
  • the preferred functionality of the correlation device will be described mainly in the context of processing data packets relating to TCP/UDP sessions. However, it would be apparent to a person of ordinary skill in the data communications field how to apply the principles described to the processing of packets relating to other protocols.
  • a pre-NAT session filter 150 is provided to receive outgoing IP packets captured at the first tap point 120 (as shown in Figure 2) immediately before entering a NAT/PAT device (not shown in Figure 3).
  • a similarly functioning post-NAT session filter 155 is provided to receive outgoing IP packets emerging from the NAT/PAT device, captured at the tap point 125.
  • the pre-NAT session filter 150 is arranged to examine at least the IPQs of the received IP packets and to associate those packets in the same TCP/UDP session, as distinguished by IPQ, organising packets from each distinct session into different pre-NAT session queues 160, four different session queues 160 being shown in Figure 3.
  • the post-NAT session filter 155 examines at least the IPQs of received packets and organises packets with each distinct IPQ into different post-NAT session queues 165. While IP packets captured at the second tap point 125 may be associated by IPQ, they do not necessarily correspond to different sessions, as for the pre-NAT IP packets, due to the changes to source IP address and port number made by the NAT/PAT device. However, in a preferred embodiment, each of the session filters 150, 155 may be arranged to queue IP packets on the basis of the combination of IPQ and IP Identification fields so as to increase the chances of distinguishing post-NAT packets in different sessions with only a small additional processing overhead.
  • a multi-core processor 170 is provided to perform the main correlation functions of the correlation device 115.
  • the processor 170 comprises four processor cores with each processor core arranged to execute, in a separate processing thread, an instance of the correlation functionality.
  • Each of the executing correlation threads is arranged to receive queued IP packets from a different post-NAT session queue 165, in parallel, and to look for a matching session from amongst the queued IP packets in the pre-NAT session queues 160.
  • the processor 170 is arranged to receive and to output queue management control signals over notional control signal paths 175 and 180 to the pre-NAT and post-NAT session filters respectively.
  • when a pre-NAT session queue 160 has been matched to a packet in a post-NAT session queue 165, the processor 170 signals to the post-NAT session filter 155 to cease capture of IP packets in the matched session (post-NAT IPQ + IP Identification field). Similarly, the processor 170 signals to the pre-NAT session filter 150 to cease capture of IP packets relating to the matched pre-NAT session.
  • Each session filter 150, 155 responds by clearing the respective queues 160, 165 of packets and begins to queue IP packets with a newly identified IPQ + IP Identification field, captured at the respective tap points 120, 125. In this way, the loading on the processor's correlation functionality is reduced as far as possible.
  • matched pre-NAT and post-NAT IPQs are output by the processor 170 to a log 185 which may comprise volatile memory or a persistent storage device, accessible to other processes for reporting of matched pre-NAT to post-NAT IPQs to external systems.
  • each of the session filters 150, 155 executes a hashing function on the IPQ + IP Identification fields read from each received packet and maintains respective hash maps relating each distinct hash value to a session queue (160, 165) identifier. This provides a very rapid way for packets in the same session to be organised into different session queues 160, 165.
  • the conceptual session queues 160, 165 illustrated in Figure 3 may comprise no more than a list of pointers in the respective hash maps to packets from the same session, the packets being otherwise held in a common buffer.
  • the processor 170 is arranged to process packets from each queue in parallel using multiple instances of the correlation functionality, each instance running on a distinct CPU core of the multi-core processor 170.
  • the preferred queuing arrangement ensures that all packets for a given session or stream (i.e. TCP, UDP or otherwise) are handled by the same processing thread. Furthermore, as all packets for a given session are handled by the same instance of correlation functionality, there is no need for inter-thread communication.
  • the processor 170 aims to correlate a single packet from a post-NAT session queue 165, e.g. a TCP packet with the ACK flag set, with a single packet from one of the pre-NAT session queues 160.
  • the detection of a particular type of packet, such as one with the ACK flag set, by the post-NAT session filter 155 may trigger the processor 170 to begin a correlation function using that packet. If successful this represents the most rapid correlation of pre-NAT and post-NAT sessions, likely to be performed in the example implementation above in less than 100 ms.
  • the session filters 150, 155 are arranged to record timing information to a high level of accuracy for each observed session, recording the time at which each session is first identified in received data and the time of closure (time last seen) of each identified session - being the time at which a correlation is found or the time of a timeout (corresponding to the timeout period applied to sessions by a NAT/PAT device). By considering the relative timing of sessions, the correlator may be able to resolve an ambiguity.
  • the processor 170 or the session filters 150, 155 may be arranged to apply the same payload rewriting that an application-aware NAT/PAT device applies to packets such as Voice-over-IP (VoIP) or File Transfer Protocol (FTP) packets, so that the changes made by the NAT/PAT device can be taken into account when correlating sessions (see RFC 3027, Protocol Complications with the IP Network Address Translator).
  • the processor 170 is arranged to generate the following types of message:
  • START - indicates an unambiguous correlation, sent at the point of the correlation.
  • END - corresponds to a START message; indicates that a session that was being analysed has timed out.
  • MATCH - indicates a unique correlation between pre-NAT and post-NAT sessions.
  • AMBIG - indicates one (of two or more) possible matches for a post-NAT IPQ. Multiple AMBIG messages are generated, one for each possible pre-NAT IPQ. This message is sent following an IPQ timeout.
  • FAIL - indicates a failure to match a post-NAT IPQ, sent after an IPQ timeout. This may be due to system faults, such as packet loss into the correlation device or bit errors introduced by the NAT device or the correlation device's receiver, or to logical defects in the correlation device, for example in packet decoding (unhandled application-aware protocols that require payload rewriting). Correlation failures are reported so that investigation can follow.
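The queueing, fast-path and timeout behaviour described above, as an added worked example in Python (it is not the patent's code; the packet records, field names, transit-delay budget and timeouts are constructed for the example). Pre-NAT packets are queued per IPQ and post-NAT packets per IPQ + IP Identification; a post-NAT packet is matched against pre-NAT candidates on the fields a source NAT/PAT does not rewrite (destination address and port, protocol, IPv4 Identification) within a short tap-to-tap transit budget; relative timing breaks a tie when one candidate clearly precedes the other; and the correlator emits START on an immediate correlation from a single ACK packet, END when that session times out, and MATCH, AMBIG or FAIL for sessions resolved only at timeout. Reading START as the immediate correlation and MATCH as a unique correlation found at timeout is an assumption of this example, as is a single clock stamping both taps.

```python
# Added example of passive pre-/post-NAT correlation, not the patent's code; all packet records, field names and timeouts are constructed.
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    ts: float          # capture timestamp in seconds (both taps stamped from one clock)
    src: str           # source IP address
    sport: int         # source port
    dst: str           # destination IP address
    dport: int         # destination port
    proto: int         # IP protocol number: 6 = TCP, 17 = UDP
    ip_id: int         # IPv4 Identification field
    ack: bool = False  # TCP ACK flag set

    @property
    def ipq(self):  # the 'IP quint' that identifies a TCP/UDP session
        return (self.src, self.sport, self.dst, self.dport, self.proto)

    def invariant(self):  # fields a source NAT/PAT leaves untouched: the basis for a passive match
        return (self.dst, self.dport, self.proto, self.ip_id)


class Correlator:
    def __init__(self, max_transit=0.010, timing_resolution=0.001, session_timeout=2.0):
        self.max_transit = max_transit              # longest accepted tap-to-tap delay
        self.timing_resolution = timing_resolution  # lead needed to pick a candidate on timing alone
        self.session_timeout = session_timeout      # mirrors the NAT/PAT device's idle timeout
        self.pre_queues = defaultdict(list)         # pre-NAT IPQ -> packets (one queue per session)
        self.post_queues = defaultdict(list)        # (post-NAT IPQ, IP ID) -> packets
        self.post_first_seen = {}                   # post-NAT key -> time first seen
        self.matched = {}                           # post-NAT key -> pre-NAT IPQ once correlated
        self.messages = []                          # (type, post-NAT IPQ, pre-NAT IPQ or None)

    def observe_pre(self, p):
        self.pre_queues[p.ipq].append(p)

    def observe_post(self, p):
        key = (p.ipq, p.ip_id)
        if key in self.matched:
            return                                  # filter has stopped capturing a matched session
        self.post_first_seen.setdefault(key, p.ts)
        self.post_queues[key].append(p)
        if p.ack:                                   # fast path: try to correlate on one ACK packet
            self._correlate(key, final=False)

    def _candidates(self, pkts):  # pre-NAT sessions matching inside the transit budget, nearest first
        best = {}
        for p in pkts:
            for ipq, q in self.pre_queues.items():
                for q_p in q:
                    d = p.ts - q_p.ts
                    if q_p.invariant() == p.invariant() and 0.0 <= d <= self.max_transit:
                        best[ipq] = min(d, best.get(ipq, d))
        return sorted((d, ipq) for ipq, d in best.items())

    def _correlate(self, key, final):
        cands = self._candidates(self.post_queues[key])
        # Relative timing can resolve an ambiguity: keep the nearest candidate if it leads clearly.
        if len(cands) > 1 and cands[1][0] - cands[0][0] >= self.timing_resolution:
            cands = cands[:1]
        if len(cands) == 1:
            self.matched[key] = cands[0][1]
            self.messages.append(("MATCH" if final else "START", key[0], cands[0][1]))
        elif final and cands:                       # one AMBIG per possible pre-NAT IPQ
            self.messages.extend(("AMBIG", key[0], ipq) for _, ipq in cands)
        elif final:
            self.messages.append(("FAIL", key[0], None))
        if final or len(cands) == 1:
            self.post_queues.pop(key, None)         # queue released; filter stops capturing it

    def expire(self, now):  # idle post-NAT sessions: END if matched, otherwise a final attempt
        for key, first in list(self.post_first_seen.items()):
            if now - first < self.session_timeout:
                continue
            if key in self.matched:
                self.messages.append(("END", key[0], self.matched[key]))
            else:
                self._correlate(key, final=True)
            self.post_first_seen.pop(key)


def demo():
    c = Correlator()  # constructed traffic; the NAT/PAT rewrites every source to 203.0.113.5
    # 1: a TCP session whose ACK packet correlates immediately (START), then times out (END)
    c.observe_pre(Pkt(1.0000, "10.0.0.11", 40001, "198.51.100.7", 443, 6, 0x1A2B, ack=True))
    c.observe_post(Pkt(1.0010, "203.0.113.5", 61000, "198.51.100.7", 443, 6, 0x1A2B, ack=True))
    # 2: two hosts hit the same site at the same moment with colliding IP IDs: AMBIG, one per host
    c.observe_pre(Pkt(2.0000, "10.0.0.13", 40002, "198.51.100.9", 80, 6, 7, ack=True))
    c.observe_pre(Pkt(2.0001, "10.0.0.14", 40003, "198.51.100.9", 80, 6, 7, ack=True))
    c.observe_post(Pkt(2.0010, "203.0.113.5", 61002, "198.51.100.9", 80, 6, 7, ack=True))
    # 3: a UDP query (no ACK fast path) matched uniquely only at timeout: MATCH
    c.observe_pre(Pkt(2.9995, "10.0.0.15", 5353, "198.51.100.2", 53, 17, 99))
    c.observe_post(Pkt(3.0000, "203.0.113.5", 61003, "198.51.100.2", 53, 17, 99))
    # 4: a post-NAT packet whose pre-NAT copy was never captured (loss into the device): FAIL
    c.observe_post(Pkt(4.0000, "203.0.113.5", 61004, "198.51.100.2", 53, 17, 100))
    c.expire(now=10.0)
    return c.messages
```

Calling demo() returns the message list for the four constructed cases: a TCP session that correlates on its ACK packet (START, then END at expiry), two hosts reaching the same site at the same moment with colliding IP IDs (AMBIG for each), a UDP query matched uniquely only at timeout (MATCH) and a post-NAT packet whose pre-NAT copy was lost (FAIL). Lowering timing_resolution to 50 microseconds makes the colliding pair separable on timing alone, which is why the session filters are required to record timestamps to high accuracy. The IPv4 Identification field is a weak discriminator in practice: RFC 6864 allows it to be anything, commonly zero, on datagrams with DF set, and IPv6 has no such field in its base header, so a production correlator would add further invariants such as TCP sequence numbers (unchanged by a plain NAPT) or a hash of the payload.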
  • the output fields preferably include the following:
  • a separate process may be executed by the correlation device 115 to monitor the output log 185 of the processor 170 and to report the output data to other interested applications, or to field enquiries by remote applications.
  • the first and second tap points 120, 125 are immediately adjacent, in network terms, before and after the NAT/PAT device 110 so that no further changes to the data packets between the first tap point 120 and the second tap point 125 would need to be taken into account by the correlation device, beyond those made by the NAT/PAT device 110 itself.
  • the first tap point 120 may be located further into the network on the user's side, necessitating a certain amount of pre-processing of data by the correlation device 115 in order to extract the IP packets being conveyed within other network-specific protocols.
  • the second tap point 125 may be located anywhere in the communications path between the NAT/PAT device 110 and the remote server 105, according to the particular communications sessions that need to be monitored. However, to enable all the outgoing traffic from a network to be captured, or to enable a required rate of data capture to be achieved, it may be necessary to locate the second tap point 125 close to the NAT/PAT device 110 or to the correlation device 115 itself.
  • the pre-NAT session filter 150 may be required to carry out additional preprocessing steps before organising the captured data into IP session queues, for example to:
  • the correlation device 115 is required to be able to receive packet data both ingoing to and outgoing from the NAT/PAT device, each at a rate of 10 Gbit/s, and to process these data packets substantially in real-time.
  • the passive correlation device 115 would therefore need to process data at 40 Gbit/s for a 10 Gbit/s NAT/PAT device 110 (both directions at each of the two tap points).
  • a successful correlation device has been implemented using an HP DL380 G7 server with 10 GB of RAM, two 150 GB operating system disks and one packet capture card with 2 x 10 Gbit interfaces.
  • the correlation device 115 of the present invention may be used in a passive solution to correlate data packets captured at different points within a communications path in order to detect such alterations and to correlate data before and after such alterations have been made.
  • the correlation device 115 may be deployed to capture data packets either side of an anonymising proxy in order to reverse the anonymisation being performed by the proxy.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Mining & Analysis (AREA)
  • Technology Law (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)
PCT/GB2013/051652 2012-06-26 2013-06-24 Resolution of address translations Ceased WO2014001773A1 (fr)

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
GBGB1211323.9A GB201211323D0 (en) 2012-06-26 2012-06-26 Resolution of address translations
GB1211323.9 2012-06-26

Publications (1)

Publication Number Publication Date
WO2014001773A1 true WO2014001773A1 (fr) 2014-01-03

Family

ID=46704237

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/GB2013/051652 Ceased WO2014001773A1 (fr) 2012-06-26 2013-06-24 Resolution of address translations

Country Status (2)

Country Link
GB (2) GB201211323D0 (fr)
WO (1) WO2014001773A1 (fr)

Families Citing this family (1)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US11949646B2 (en) 2022-08-09 2024-04-02 Packet Forensics, LLC Correlating protocol data units transiting networks with differing addressing schemes

Patent Citations (3)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20030223367A1 (en) * 2002-03-29 2003-12-04 Shay A. David Methods for identifying network traffic flows
US20110145391A1 (en) * 2009-12-11 2011-06-16 Tektronix Inc. System and method for correlating ip flows across network address translation firewalls
EP2482522A1 (fr) * 2011-02-01 2012-08-01 Roke Manor Research Limited Method and apparatus for identifier correlation

Non-Patent Citations (2)

* Cited by examiner, † Cited by third party
Title
CHAPPELL LAURA: "Chapter 1:The world of network analysis", INTERNET CITATION, 29 April 2010 (2010-04-29), pages 1 - 23, XP002674675, ISBN: 978-1-893939-99-8, Retrieved from the Internet <URL:http://cdn.ttgtmedia.com/searchNetworking/downloads/chapter1_wiresharkbook.pdf> [retrieved on 20120423] *
YINJIE CHEN ET AL: "Identifying mobiles hiding behind wireless routers", INFOCOM, 2011 PROCEEDINGS IEEE, IEEE, 10 April 2011 (2011-04-10), pages 2651 - 2659, XP031953481, ISBN: 978-1-4244-9919-9, DOI: 10.1109/INFCOM.2011.5935093 *

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10374913B2 (en) 2015-01-26 2019-08-06 Telesoft Technologies Ltd. Data retention probes and related methods
WO2016120604A1 (fr) * 2015-01-26 2016-08-04 Telesoft Technologies Ltd Data retention probes and related methods
GB2549635A (en) * 2015-01-26 2017-10-25 Telesoft Tech Ltd Data retention probes and related methods
GB2549635B (en) * 2015-01-26 2021-12-08 Telesoft Tech Ltd Data retention probes and related methods
US11683401B2 (en) 2015-02-10 2023-06-20 Centripetal Networks, Llc Correlating packets in communications networks
US11956338B2 (en) 2015-02-10 2024-04-09 Centripetal Networks, Llc Correlating packets in communications networks
US11792220B2 (en) 2015-04-17 2023-10-17 Centripetal Networks, Llc Rule-based network-threat detection
US11700273B2 (en) 2015-04-17 2023-07-11 Centripetal Networks, Llc Rule-based network-threat detection
US12015626B2 (en) 2015-04-17 2024-06-18 Centripetal Networks, Llc Rule-based network-threat detection
US11516241B2 (en) 2015-04-17 2022-11-29 Centripetal Networks, Inc. Rule-based network-threat detection
US11496500B2 (en) 2015-04-17 2022-11-08 Centripetal Networks, Inc. Rule-based network-threat detection
EP3375155A4 (fr) * 2015-11-13 2019-08-14 Yaana Technologies, LLC System and method for discovering Internet Protocol (IP) network address and port translation bindings
WO2017083855A1 (fr) 2015-11-13 2017-05-18 Yaana Technologies Llc System and method for discovering Internet Protocol (IP) network address and port translation bindings
EP3646562A4 (fr) * 2017-06-28 2021-07-07 CPacket Networks Inc. Apparatus and method for correlating network traffic flows on opposite sides of a network address translator
US12034710B2 (en) 2017-07-24 2024-07-09 Centripetal Networks, Llc Efficient SSL/TLS proxy
US11522765B2 (en) 2017-10-31 2022-12-06 Cisco Technology, Inc. Auto discovery of network proxies
US10931534B2 (en) 2017-10-31 2021-02-23 Cisco Technology, Inc. Auto discovery of network proxies
WO2019089256A1 (fr) * 2017-10-31 2019-05-09 Cisco Technology, Inc. Auto discovery of network proxies
US11516257B2 (en) 2018-08-13 2022-11-29 Akamai Technologies, Inc. Device discovery for cloud-based network security gateways
US10834138B2 (en) 2018-08-13 2020-11-10 Akamai Technologies, Inc. Device discovery for cloud-based network security gateways
EP3611900A1 (fr) * 2018-08-13 2020-02-19 Akamai Technologies, Inc. Device discovery for cloud-based network security gateways
US10958624B2 (en) 2018-12-06 2021-03-23 Akamai Technologies, Inc. Proxy auto-configuration for directing client traffic to a cloud proxy with cloud-based unique identifier assignment
US10951589B2 (en) 2018-12-06 2021-03-16 Akamai Technologies, Inc. Proxy auto-configuration for directing client traffic to a cloud proxy
CN112671949A (zh) * 2020-12-29 2021-04-16 成都科来网络技术有限公司 Method and system for correlating pre-NAT and post-NAT sessions based on syslog logs
CN116527626A (zh) * 2023-04-25 2023-08-01 西安新路网络科技有限公司 Method and system for proxy-dialled one-to-many network address translation

Also Published As

Publication number Publication date
GB201311176D0 (en) 2013-08-14
GB201211323D0 (en) 2012-08-08
GB2505288A (en) 2014-02-26

Similar Documents

Publication Publication Date Title
WO2014001773A1 (fr) Resolving address translations
CN110445770B (zh) Network attack source locating and protection method, electronic device and computer storage medium
EP2001190B1 (fr) Method for measuring network performance and associated system
Ensafi et al. Detecting intentional packet drops on the Internet via TCP/IP side channels
Dainotti et al. Estimating internet address space usage through passive measurements
Maier et al. NAT usage in residential broadband networks
US8254286B2 (en) Method and system for detection of NAT devices in a network
US20070297349A1 (en) Method and System for Collecting Information Relating to a Communication Network
US20180041471A1 (en) Control device, border router, control method, and control program
EP2372954A2 (fr) Method and system for collecting information relating to a communication network
Zhang et al. Onis: Inferring tcp/ip-based trust relationships completely off-path
CN115022281B (zh) NAT traversal method, client and system
Bortoluzzi et al. Cloud telescope: a distributed architecture for capturing internet background radiation
WO2016082627A1 (fr) Method and device for detecting internet sharing by multiple users
Maghsoudlou et al. Flowdns: correlating netflow and dns streams at scale
US20070016670A1 (en) Determining data flows in a network
CN114826646A (zh) Network abnormal behaviour detection method, apparatus and electronic device
Syed et al. Analysis of dynamic host control protocol implementation to assess DoS attacks
Akashi et al. Classification of DHCP spoofing and effectiveness of DHCP snooping
Park et al. Identification of hosts behind a NAT device utilizing multiple fields of IP and TCP
CN100493065C (zh) Method for detecting network address translation devices using instant messaging software data
Gad et al. Header field based partitioning of network traffic for distributed packet capturing and processing
EP4094413B1 (fr) System and method for protecting UDP against DDoS
EP3073701A1 (fr) Network protection entity and method for protecting a communication network against fraudulent messages
CN120729619B (zh) HTTPS traffic decryption method based on transparently splitting the original TCP connection

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application (Ref document number: 13731481; Country of ref document: EP; Kind code of ref document: A1)
NENP Non-entry into the national phase (Ref country code: DE)
122 Ep: pct application non-entry in european phase (Ref document number: 13731481; Country of ref document: EP; Kind code of ref document: A1)