Title of Invention

METHOD, APPARATUS AND SYSTEM FOR TRANSMITTING UDP DATA PACKETS OVER A WIDE AREA NETWORK.

Abstract
Currently data transmission over the Internet between two client computers where both client computers are protected by firewalls is problematic, since firewalls block incoming packets. A method is provided for permitting packet based data transmission between a first client computer C1 protected by a first NAPT or NAT firewall and a second client computer C2 protected by a second NAPT or NAT firewall to traverse the first and the second firewalls. The method can also be applied to other devices, such as routers, using NAT or NAPT.

METHOD AND APPARATUS TO PERMIT DATA TRANSMISSION TO TRAVERSE FIREWALLS
Related application
This application claims priority from previously filed United States
provisional patent application serial number 60/269,357, filed February 20, 2001,
entitled METHOD AND APPARATUS TO PERMIT REAL-TIME MEDIA
DELIVERY TO TRAVERSE FIREWALLS ON A COMPUTER NETWORK.
Technical Field
The invention relates to the field of data transmission over a computer
network, and more particularly to methods for permitting data transmissions using
packet based transmission protocols to traverse firewalls.
Background Art
Computers connected to wide area networks like the Internet are
commonly protected by firewalls. Firewalls are most commonly used to protect
computers operating on local area networks, but they can also be used to protect
individual computers, including servers, which access a wide area network. In
this application, the term "client computer" will encompass any computer with
access to a wide area network, and also a program operating on such a computer.
Such a computer may, but need not, operate on a local area network, and may
perform the functions of a server on the wide area network.
Firewalls typically perform a number of functions. They protect internal
computers from outside computers on the wide area network, while allowing
internal computers to access the wide area network. Firewalls can also make local
network administration more efficient, by permitting a large number of client
computers to share a limited pool of Internet Protocol (IP) addresses on the wide
area network, and by accommodating changes within the local network without
having to re-configure access to the other computers on the wide area network.

A firewall is typically a program or collection of related programs on a
network gateway server which check each network packet to determine whether
to forward it to its destination. To create a barrier between an internal computer
and the outside wide area network, firewalls commonly use NAT (network
address translation) or NAPT (network address and port translation). NAT is the
translation of an internal IP address used by a client computer (and known within
the internal network, if the client computer is operating on one), to a different IP
address known within the outside wide area network. The firewall maps internal
IP addresses to one or more global external IP addresses, and reverse maps the
external IP addresses on incoming packets back into internal IP addresses. NAPT
is the translation of both internal IP addresses and internal ports to different
external IP addresses and external ports known within the outside network.
Firewalls using NAPT commonly screen incoming packets to make sure that they
come from a previously identified IP address and port. That is, a request from a
particular IP address and port traverses the firewall only if a request previously
went out from the firewall to that IP address and port.
Data transmission over the Internet has become an everyday occurrence.
Many Internet data transmissions are used to transport audio and / or video data
from a live or on-demand streaming server to streaming clients, to provide real-
time interactive communication (such as "chat") between client computers, to
transport the contents of web-pages from web-servers to web-clients, and for
many other types of communication among networked programs. Different
protocols are used to transmit different types of data. For example, text chat is
generally transmitted using Transmission Control Protocol (TCP), while audio /
video conferencing and live audio / video streaming are generally transmitted
using UDP (User Datagram Protocol). Communications through a server
connected directly to the Internet (that is, not behind a firewall) are not generally
obstructed by client-side firewalls; the act of logging on to a server generally
opens a return path from the server through the firewall. However, firewalls
commonly block direct client-to-client, or "peer-to-peer" communication. One
attempted solution is to open certain ports in the firewall, but this solution (i)
requires modification of the firewall settings, which most network administrators
are reluctant to do, and (ii) does not work with firewalls that perform any sort of
port translation. The present invention provides a method for permitting packet
based data transmission to traverse firewalls using either NAPT or NAT without
altering firewall settings. The invention is disclosed in the context of a firewall
using NAPT, as the more general case. However, the method provided in the
invention is equally applicable to a firewall using NAT, and also to other types of
devices, such as routers, using either NAPT or NAT.
Disclosure of Invention
The invention therefore provides a method of transmitting a data packet
from a first computer to a second computer over a wide area computer network, a
data packet transmitted from the first computer having a first source address
designating the first computer and a data packet transmitted from the second
computer having a second source address designating the second computer,
wherein the first computer is protected by a first firewall which translates the first
source address to a first external address when transmitting a data packet from the
first computer to the wide area network, and the second computer is protected by
a second firewall which translates the second source address to a second external
address when transmitting a data packet from the second computer to the wide
area network, the first and second firewalls communicating over the wide area
computer network, the method using a designated recipient computer in
communication with the first and second computers via the wide area computer
network, said method comprising: a) the first and second computers sending first
and second data packets to the designated recipient computer; b) the designated
recipient computer communicating the first external address from the first data
packet to the second computer and communicating the second external address
from the second data packet to said first computer; c) the second computer
sending a data packet to the first external address; and d) the first computer
sending a data packet to said second external address.
The method further provides for two-way transmission of data by
additionally having the second computer then send a data packet to the first
external address. The method can be applied to a plurality of computers protected
by firewalls communicating over a wide area network. The firewalls may be
NAT or NAPT. In particular, the method works if the IP address and port are
translated at the firewall, or only the IP address. The designated recipient
computer can be any type of computer, including without limitation a designated
server, a peer computer involved in the data transmission, or a peer computer not
involved in the data transmission.
The present invention further provides a computer program product for
carrying out the foregoing method, and a system for transmitting a data packet
between two firewall-protected computers over a wide area network.
Brief Description of Accompanying Drawings
Figure 1 is a schematic diagram illustrating a preferred embodiment of the
invention; and
Figure 2 is a flowchart illustrating a preferred embodiment of the
invention.
Best Mode(s) for Carrying Out the Invention
Fig. 1 schematically illustrates a client computer C1 (12) on local area
network (14), protected by NAPT firewall FW1 (16), wishing to send a UDP data
stream, such as a live video data stream, over Internet 10, to client computer C2
(20) on local area network (22), protected by NAPT firewall FW2 (24). Within
this schematic, C1 has internal IP address H1, and will use internal port h1 to
transmit the UDP data stream. Firewall FW1 translates these into external IP
address F1 and external port f1 (18). C2 has internal IP address H2, and will use
internal port h2 to receive the UDP data stream. Firewall FW2 will receive UDP
packets destined for C2 at external IP address F2 and external port f2 (26). Both
C1 and C2 log onto a server S1 (28), whose purpose is to establish a path to
transmit the UDP data stream from C1 to C2. However, the UDP data stream is
not transmitted through the server. It is sent client-to-client to take advantage of
efficiencies and scalability that can be realized from peer-to-peer communication
over the Internet.
Peer-to-peer communications are prevented by almost all firewalls. NAPT
firewalls FW1 and FW2 will only permit an incoming UDP packet to pass if (i) its
source and destination addresses match the destination and source addresses,
respectively, of a recent outgoing UDP packet, and (ii) its source and destination
ports match the destination and source ports, respectively, of a recent outgoing
UDP packet. If either C1 or C2 attempts to send a packet to the other, the
receiver's firewall will block the incoming packet if it does not meet these criteria.
The present invention permits C1 to send a UDP data stream to C2 by the
following steps:
(1) C1 sends a UDP packet U1 to server S1. C1 initiates the transmission
from its internal IP address and UDP port (H1:h1). Firewall FW1 translates the IP
address and port to F1:f1 at the external interface of FW1.
(2) When S1 receives packet U1 from F1:f1, S1 can identify F1 and f1 as the
external IP address and external port from which FW1 will send the UDP data
stream originating with C1.
(3) C2 sends a UDP packet U2 to server S1. C2 initiates the transmission
from its internal IP address and UDP port (H2:h2). Firewall FW2 translates the IP
address and port to F2:f2 at the external interface of FW2.
(4) When S1 receives packet U2 from F2:f2, S1 can identify F2 and f2 as the
external IP address and external port at which FW2 will receive the UDP data
stream to be transmitted from C1 to C2.
(5) S1 tells C2 that F1:f1 are the external IP address and port from which C1
will send the UDP data stream.
(6) S1 tells C1 that F2:f2 are the external IP address and port to which the
UDP data stream destined for C2 should be sent.
(7) C2 sends a UDP packet U3 to F1:f1, using its internal port h2. Firewall
FW2 will send the packet from F2:f2. This packet will be blocked by firewall
FW1. However, as described in step (8), it will prompt firewall FW2 to pass
subsequent packets sent by C1 destined for C2.
(8) When C1 subsequently sends a data stream consisting of UDP packets
destined for C2 from its internal port h1, firewall FW1 will send them from F1:f1
to F2:f2. Because of the packet sent in step (7), firewall FW2 recognizes F1:f1 as
an address and port to which it has recently sent a packet from F2:f2.
Accordingly, it permits packets sent from F1:f1 to F2:f2 to pass through the
firewall, and forwards them to H2:h2, the internal IP address and port for C2.
In this way, the invention creates a means by which UDP data streams
originating with C1 pass through to C2. This can be used for streaming
applications, in which C1 sends a live or on-demand data stream to C2. Steps
similar to (1) to (8), carried out vice versa, will permit UDP data streams
originating with C2 to pass through firewall FW1, to C1. Thus, C1 and C2 can
utilize applications which depend on two-way transmission of UDP data streams,
such as video conferencing. Similar steps carried out by a number of client
computers, C1, ..., CN, will permit one-to-many, many-to-one, or many-to-many
transmission of UDP data streams through NAPT firewalls.
For the method to work with a firewall using NAPT, the packets sent in
steps (1) and (3) will generally have to be of the same type (i.e. TCP, UDP, etc.)
as the type used to transmit the data in step (8). The reason is that many computer
applications or firewalls use different ports to transmit and receive different types
of data. However, if that is not the case, the packets sent in steps (1) and (3) need
not be of the same type as the type used in step (8). In addition, firewall FW1
must use the same external IP address and port to send the initial packet in step
(1) as it uses subsequently to commence sending the data to C2 in step (8)
(although the method can be adapted to accommodate subsequent changes in the
IP addresses and ports, as described more fully below). This generally happens in
practice so long as the software at client computer C1 is written to send both
transmissions from the same internal IP address and port, as most firewall
programs using NAPT currently create one-to-one mappings between internal IP
addresses and ports and external IP addresses and ports used to send the same type
of packet. Similarly, firewall FW2 must use the same external IP address and port
to send the packet in step (3) that it will use to commence receiving the data in
step (8). This also will generally happen in practice, so long as the software at
client computer C2 is written to send the packet in step (3) from, and to receive
the data in step (8) at, the same internal IP address and port.
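The following Python simulation is an added example, not part of the patent, covering both the eight steps above and the one-to-one mapping assumption of this paragraph. The firewall model, the names C1, C2, S1, the internal ports 1111 and 2222 and the external port pool starting at 40000 are all constructed here; the model admits an inbound packet only if the firewall recently sent a packet from the packet's destination address and port to the packet's source.

```python
from dataclasses import dataclass
from itertools import count


@dataclass(frozen=True)
class Packet:
    src: tuple          # (ip, port) the packet was sent from
    dst: tuple          # (ip, port) the packet is addressed to
    payload: str = ""


class Firewall:
    """Minimal NAPT (or NAT) model, an assumption of this example.

    Outbound: each internal (ip, port) gets one external (ext_ip, port)
    mapping (one-to-one, as the text assumes); NAT mode keeps the port.
    Inbound: a packet passes only if this firewall recently sent a packet
    from the packet's destination (ext ip, port) to the packet's source.
    """

    def __init__(self, ext_ip, translate_ports=True):
        self.ext_ip = ext_ip
        self.translate_ports = translate_ports
        self.out_map = {}     # internal (ip, port) -> external (ip, port)
        self.in_map = {}      # external (ip, port) -> internal (ip, port)
        self.allowed = set()  # (external (ip, port), remote (ip, port))
        self.dropped = []     # inbound packets that were blocked
        self._ports = count(40000)  # constructed external port pool

    def outbound(self, pkt):
        if pkt.src not in self.out_map:
            port = next(self._ports) if self.translate_ports else pkt.src[1]
            self.out_map[pkt.src] = (self.ext_ip, port)
            self.in_map[(self.ext_ip, port)] = pkt.src
        ext = self.out_map[pkt.src]
        self.allowed.add((ext, pkt.dst))  # remember whom we sent to, from where
        return Packet(ext, pkt.dst, pkt.payload)

    def inbound(self, pkt):
        if (pkt.dst, pkt.src) in self.allowed:
            return Packet(pkt.src, self.in_map[pkt.dst], pkt.payload)
        self.dropped.append(pkt)
        return None


class Network:
    """Delivers a client's packet through its own firewall to the host owning
    the destination IP; returns what the far side accepted (None if blocked)."""

    def __init__(self):
        self.hosts = {}  # external ip -> callable(Packet) -> Packet | None

    def send(self, firewall, pkt):
        wire = firewall.outbound(pkt)
        return self.hosts[wire.dst[0]](wire)


def traverse(punch=True, nat_only=False, data_port=1111):
    """Run steps (1)-(8). punch=False skips step (7); data_port != 1111 makes
    C1 stream from a different internal port than it used in step (1)."""
    net = Network()
    fw1 = Firewall("F1", translate_ports=not nat_only)
    fw2 = Firewall("F2", translate_ports=not nat_only)
    observed = {}                        # S1's view: client name -> F:f

    def s1(pkt):                         # designated recipient computer S1
        observed[pkt.payload] = pkt.src  # steps (2) and (4)
        return pkt

    net.hosts.update({"S1": s1, "F1": fw1.inbound, "F2": fw2.inbound})
    S1, H1h1, H2h2 = ("S1", 5000), ("H1", 1111), ("H2", 2222)

    net.send(fw1, Packet(H1h1, S1, "C1"))          # step (1)
    net.send(fw2, Packet(H2h2, S1, "C2"))          # step (3)
    F1f1, F2f2 = observed["C1"], observed["C2"]    # steps (5) and (6)
    u3 = None
    if punch:
        u3 = net.send(fw2, Packet(H2h2, F1f1, "U3"))  # step (7): blocked at FW1
    # step (8): C1 streams from its internal port to F2:f2
    data = net.send(fw1, Packet(("H1", data_port), F2f2, "frame-0"))
    return {"F1f1": F1f1, "F2f2": F2f2, "u3": u3, "data": data,
            "blocked_at_fw1": len(fw1.dropped),
            "blocked_at_fw2": len(fw2.dropped)}
```

Calling traverse() returns the data packet delivered to H2:h2 with U3 blocked at FW1; traverse(punch=False) or a different data_port returns None for the data, showing why step (7) and the same internal port are both required.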
As will be apparent to those skilled in the art, the method can be readily
adapted to support two-way data transmission between C1 and C2, to support one-
to-many data transmission from C1 to client computers C2, ..., CN, to support
many-to-one data transmission from client computers C2, ..., CN to C1, or to
support many-to-many data transmission among client computers C1, ..., CN. As
well, the invention has been described with both C1 and C2 protected by
firewalls, as that situation provides the clearest description of the invention.
However, the method is readily adapted to the situation where only the receiving
client computer is protected by a firewall.
The designated recipient computer can be any type of computer, including
without limitation a designated server, a peer computer involved in the data
transmission, or a peer computer not involved in the data transmission.
As will be apparent to those skilled in the art in light of the foregoing
disclosure, many alterations and modifications are possible in the practice of this
invention without departing from the spirit or scope thereof. For example, the
possible alterations and modifications include, but are not limited to, the
following:
1. For robustness against packet loss or delay, C1 and /or C2 could send
multiple packets to S1 in steps (1) and (3), instead of a single packet. Packets
could be sent until confirmation is received that S1 has received one of the
packets.
2. Also for robustness against packet loss or delay, C2 could send multiple
packets in step (7), instead of a single packet. Packets could be sent until
confirmation is received that FW1 has received one of the packets.
3. The method can also be used when either C1 or C2 uses separate ports for
sending and receiving UDP data streams. For example, if C1 uses h1 for sending
UDP data streams and h3 for receiving data streams, firewall FW1 will translate
these into f1 and f3 respectively. C2 would have to send a UDP packet from its
receiving port to f1, and C1 would have to send a UDP packet from f3 to the
sending port for C2. These packets would open paths over which C1 could send
to C2 (through f1), and over which C2 could send to C1 (through f3).

4. In the case of two-way communication, and where firewalls FW1 and
FW2 use the same external ports for both sending and receiving UDP data, the
initial data packets in the data streams can be used as the packets required to open
the paths (as in step (7)). The initial data packets may be blocked, until a data
packet is sent in the other direction. However, applications using UDP
transmissions are typically robust against packet loss, and the method will work
so long as loss of the initial data packet or packets is not critical to the application
in question.
5. If firewall FW1 (or FW2) changes the external IP address or port which it
uses to transmit UDP data for any reason (such as a long data transmission or
period of silence), the method can be adapted to refresh the data identifying the
external IP addresses and ports, to maintain open transmission paths. For
example, if FW1 changes the external IP address or port used to transmit UDP
data originating from C1, new packets will be sent periodically to the
intermediary server S1 as in step (1), above, to identify any new IP address or port
being used by FW1. The remaining steps (2) through (8) can then be repeated
using new data. All that the method requires is that the same external sending IP
address and port be used by FW1 for a long enough period of time that the initial
packet sent to S1 in step (1) come from the same IP address and port as the initial
data packets in the UDP data stream.
6. In the best mode described above, server S1 is used as intermediary to
receive UDP packets originating from C1 and C2, and to use information
contained in those packets to identify the external ports being used by FW1 and
FW2. However, any other means for informing each terminal of the other's
external ports will also work according to the invention. For example, C1 and C2
could use different echo servers, S1 and S2, which return any UDP packet to its
source. This will permit C1 and C2 to identify F1:f1 and F2:f2, respectively. C1
and C2 could use any other means, such as off-line exchange of information by
the users, or TCP transmissions either directly to the other or through a common
server, to inform each other about F1:f1 and F2:f2.
7. The method can be used where client computers communicate through a
server computer, although the method is not usually needed in that case, as a
client computer generally opens a return path from the server when it logs on to
the server.
8. The method can also be used where only the receiving client computer is behind
a firewall, but there is no firewall protecting the sending client computer.
9. Although the above method has been described in the context of real-time
audio and video communications using UDP packets, it will be apparent to those
skilled in the art that the method has application to other forms of packet based
data transmission.
10. The method can also be adapted to firewalls which do not create one-to-
one mappings between internal and external IP addresses and ports, by deducing
the mapping scheme from received packets, and then utilizing the deduced
mapping schemes to send the required packets from the external receiving IP
addresses and ports of each client computer to the external sending IP addresses
and ports of each other client computer.
11. While the invention has been disclosed in connection with a NAPT
firewall, it would also operate in the same manner if firewalls FW1 and FW2 are
NAT firewalls. In that case, NAT FW1 would translate H1:h1 to F1:h1, and NAT
FW2 would translate H2:h2 to F2:h2. The method would otherwise be identical.

WE CLAIM
1. A method of transmitting a UDP data packet from a first computer (12) to
a second computer (20) over a wide area computer network (10), said
first computer having a first internal network address (H1) and a
designated internal port (h1) from which it will transmit the UDP data
packet and said second computer having a second internal network
address (H2) and a designated internal port (h2) at which it will receive
the UDP data packet, wherein said first computer is protected by a first
firewall (16) which translates said first internal network address to a first
external network address (F1) when communicating over said wide area
computer network, and said second computer is protected by a second
firewall (24) which translates said second internal network address to a
second external network address (F2) when communicating over said
wide area computer network, said first and second firewalls
communicating over said wide area computer network, characterized by
said method with the aid of a designated recipient computer (28) in
communication with said first and second computers via said wide area
computer network, said method comprising:

a) said first computer sending a first UDP data packet (U1) to said
designated recipient computer using its designated internal
transmitting port, and said second computer sending a second
UDP data packet (U2) to said designated recipient computer using
its designated internal receiving port;
b) said designated recipient computer communicating said first
external network address and said designated internal transmitting
port determined from said first UDP data packet to said second
computer, and communicating said second external network
address and said designated internal receiving port determined
from said second UDP data packet to said first computer;
c) said second computer sending a UDP data packet (U3) using its
designated internal receiving port to said first external network
address and the designated internal transmitting port of said first
computer; and

d) said first computer sending a UDP data packet using its designated
internal transmitting port to said second external network address
and the designated internal receiving port of said second
computer.
2. A method for permitting two-way transmission of UDP data packets
between a first computer (12) and a second computer (20) over a wide
area computer network (10), each of said first and second computers
having an internal network address, a designated internal port from which
it will transmit the UDP data packets, and a designated internal port at
which it will receive the UDP data packets, wherein said first computer is
protected by a first firewall (16) which translates said internal network
address (H1) of said first computer to a first external network address
(F1) when communicating over said wide area computer network, and
said second computer is protected by a second firewall (24) which
translates said second internal network address (H2) to a second external
network address (F2) when communicating over said wide area computer
network (10), said first and second firewalls communicating over said
wide area computer network, wherein said method using a designated
recipient computer (28) in communication with said first and second
computers via said wide area computer network, said method comprising:
a) said first computer sending two UDP data packets to said
designated recipient computer, one sent using the designated
internal transmitting port (h1) of said first computer and one sent
using the designated internal receiving port of said first computer;
and said second computer sending two UDP data packets to said
designated recipient computer, one sent using the designated
internal transmitting port of said second computer and one sent
using the designated internal receiving port (h2) of said second
computer;
b) said designated recipient computer communicating said first
external network address, designated internal transmitting port
and designated internal receiving port of said first computer,
determined from said data packets sent from said first computer,
to said second computer, and communicating said second external
network address, designated internal transmitting port, and
designated internal receiving port of said second computer,

determined from said data packets sent from said second
computer, to said first computer;
c) said second computer sending a UDP data packet using its
designated internal receiving port to said first external network
address and designated internal transmitting port of said first
computer, and said first computer sending a UDP packet using its
designated internal receiving port to said second external network
address and designated internal transmitting port of said second
computer;
d) said first computer sending UDP data packets using its designated
internal transmitting port to said second external network address
and designated internal receiving port of said second computer,
and said second computer sending UDP data packets using its
designated internal transmitting port to said first network address
and designated internal receiving port of said first computer.
3. A method for permitting two-way transmission of UDP data packets
between any two of a plurality of computers over a wide area computer
network (10), each computer having an internal network address, a
designated internal port from which it will transmit the UDP data packets,

and a designated internal port at which it will receive the UDP data
packets, wherein each computer is protected by a firewall which
translates said internal network address of said computer to an external
network address when communicating over said wide area computer
network, said firewalls communicating over said wide area computer
network, wherein said method using a designated recipient computer (28)
in communication with said plurality of computers via said wide area
computer network, said method comprising:
a) said plurality of computers sending respective UDP data packets to
said designated recipient computer using their designated internal
receiving ports, and sending respective UDP data packets to said
designated recipient computer using their designated internal
transmitting ports;
b) said designated recipient computer communicating the respective
external network addresses, designated internal transmitting ports,
and designated internal receiving ports determined from said data
packets to said plurality of computers;
c) a first of said plurality of computers (12) having a first external
network address (H1) sending a first UDP data packet using its

designated internal receiving port to a second external network
address (H2) and designated internal transmitting port associated
with a second of said plurality of computers (20), and said second
of said plurality of computers sending a UDP data packet using its
designated internal receiving port to said first external network
address (F1) and designated internal transmitting port associated
with said first of said plurality of computers; and
d) said second computer sending UDP data packets using its
designated internal transmitting port to said first external network
address (F1) and designated internal receiving port associated with
said first computer, and said first computer sending UDP data
packets using its designated internal transmitting port to said
second external network address (F2) and internal receiving port
associated with said second computer.
4. The method as claimed in claim 1, wherein each of said firewalls
protecting each of said computers further translates said designated
internal transmitting and receiving ports of each of said computers to
external transmitting and receiving ports, and:

i) in step b) of claim 1, said designated recipient computer communicates
said first external network address and an external transmitting port (f1)
determined from said first UDP data packet to said second computer and
communicates said second external network address and an external
receiving port (f2) determined from said second UDP data packet to said
first computer;
ii) in step (c) of claim 1, the UDP data packet sent from said second computer
is sent using the designated internal receiving port of said second computer
to said first external network address and external transmitting port of said
first computer; and
iii) in step d) of claim 1, the UDP data packet sent from said first computer is
sent using the designated internal transmitting port of said first computer to
said second external network address and external receiving port of said
second computer.
5. The method as claimed in claim 2, wherein each of said firewalls
protecting each of said computers further translates said designated
internal transmitting and receiving ports of each of said computers to
external transmitting and receiving ports, and:

i) in step b) of claim 2 said designated recipient computer communicates
said first external network address, external transmitting port (f1), and
external receiving port of said first computer, determined from said data
packets sent from said first computer, to said second computer, and
communicates said second external network address, external
transmitting port (f2), and external receiving port of said second
computer, determined from said data packets sent from said second
computer, to said first computer;
ii) in step c) of claim 2, the UDP data packet sent from said second
computer is sent using the designated internal receiving port of
said second computer to said first external network address and
external transmitting port of said first computer, and the UDP
data packet sent from said first computer is sent using the
designated internal receiving port of said first computer to said
second external network address and external transmitting port
of said second computer; and
iii) in step d) of claim 2, the UDP data packets sent from said first
computer are sent using the designated internal transmitting
port of said first computer to said second external network address
and external receiving port of said second computer, and the UDP
packets sent from said second computer are sent using the designated
internal transmitting port of said second computer to said first external
network address and external receiving port of said first computer.
6. The method as claimed in claim 3, wherein each of said firewalls
protecting each of said computers further translates said designated internal
transmitting and receiving ports of each of said computers to external
transmitting and receiving ports, and:
i) in step b) of claim 3, said designated recipient computer communicates
the respective external network addresses, external transmitting ports,
and external receiving ports determined from said data packets to said
plurality of computers;
ii) in step c) of claim 3, said first of said plurality of computers
sends a first UDP packet using its designated internal receiving
port to said second external network address and external
transmitting port (f2) associated with said second of said
plurality of computers, and said second of said plurality of

computers sends a UDP data packet using its designated
internal receiving port to said first external network address and
external transmitting port (f1) associated with said first of said
plurality of computers; and
iii) in step d) of claim 3, said second computer sends UDP data
packets using its designated internal transmitting port to said
first external network address and external receiving port
associated with said first computer, and said first computer
sends UDP data packets using its designated internal
transmitting port to said second external network address and
external receiving port associated with said second computer.
7. The method as claimed in claims 1 to 3, wherein said firewalls are NAT
firewalls.
8. The method as claimed in claims 4 to 6, wherein said firewalls are NAPT
firewalls.
9. The method as claimed in claims 1 to 6, wherein said data packets consist
of live audio / video data streams.

10. The method as claimed in claims 1 to 6, wherein said data packets consist
of stored audio / video data.
11. The method as claimed in claims 1 to 6, wherein said data packets
consist of the contents of a stored computer file.
12. The method as claimed in claims 1 to 6, wherein said data packets
consist of data streams carrying audio / video conferencing
communication.
13. The method as claimed in claims 1 to 6, wherein in step a), multiple data
packets are sent by each of said sending computers.
14. The method as claimed in claims 1 to 6, wherein in step c), multiple data
packets are sent by each of said sending computers.
15. The method as claimed in claims 1 to 6, wherein, in step d), multiple data
packets are sent by each of said sending computers.
16. The method as claimed in claims 1 to 3, wherein each of said computers
uses the same internal ports for sending and receiving said data packets
and:
i) the UDP data packets sent by each sending computer are sent using the
common internal transmitting and receiving port of said computer, and
ii) the UDP data packets sent to each receiving computer are sent to the
common internal transmitting and receiving port of said computer.
17. The method as claimed in claims 4 to 6, wherein each of said computers
uses the same internal ports for transmitting and receiving said data
packets, which internal ports get translated by said firewalls into the same
external ports for sending and receiving said data packets and:
i) the UDP data packets sent by each sending computer are sent using the
common internal transmitting and receiving port of said computer and
ii) the UDP data packets sent to each receiving computer are sent to the
common external transmitting and receiving port of said computer.
18. The method as claimed in claims 1 to 6, wherein the steps therein are
repeated periodically to accommodate changes in the external ports being
used by some or all of the firewalls.
19. The method as claimed in claims 1 to 6, wherein said designated recipient
computer is a common server.
20. The method as claimed in claims 1 to 6, wherein said designated recipient
computer is a peer computer involved in the data transmission.
21. The method as claimed in claims 1 to 6, wherein said designated recipient
computer is a peer computer not involved in the data transmission.
22. The method as claimed in claims 1 to 6, wherein:
i) said designated recipient computer is an echo server, and said echo
server communicates said addresses and ports from each of said UDP
data packets transmitted to said designated recipient computer to the
computer which was the source of said UDP data packet, and
ii) said source computers communicate their respective addresses and ports
to the other computers over said wide area computer network.
23. The method as claimed in claims 1 to 6, wherein said computers
communicate through a wide area network by transmitting data through a
server computer.
24. A system for transmitting a UDP data packet between two firewall-
protected computers over a wide area network (10), said system
comprising:
- first and second computers adapted to communicate over
a wide area computer network, wherein said first computer
(12) has a first internal network address (H1) and a
designated internal port (h1) for transmitting said UDP
data packet and said second computer (20) has a second
internal network address (H2) and a designated internal port
(h2) for receiving said UDP data packet, wherein said first
computer is protected by a first firewall (16) which translates
said first internal network address and designated internal
transmitting port to a first external network address (F1) and
external transmitting port (f1) when communicating over said
wide area network, and said second computer is protected by
a second firewall (24) which translates said second internal
network address and designated internal receiving port to a
second external network address (F2) and external receiving
port (f2) when communicating over said wide area network,
said first and second firewalls communicating over said wide
area computer network;
- characterized by a designated recipient computer (28) in
communication with said first and second computers via
said wide area computer network;
- wherein said first and second computers comprise means
for sending first (U1) and second (U2) UDP data packets to
said designated recipient computer;
- said first computer is adapted to send said first UDP data
packet (U1) using its designated internal transmitting port
and said second computer is adapted to send said second
UDP data packet using its designated internal receiving
port;
- said designated recipient computer comprises means for
communicating said first external network address and
external transmitting port determined from said first UDP
data packet to said second computer and communicating
said second external network address and external
receiving port determined from said second UDP data
packet to said first computer;
- said second computer comprises means for sending a UDP
data packet (U3) using its internal receiving port to said
first external network address and the external
transmitting port of said first computer; and
- said first computer comprises means for sending said UDP
data packet using its internal transmitting port to said
second external network address and the external
receiving port of said second computer.
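The sequence of claim 24 (steps a to d, with the designated recipient acting as the echo server of claim 22) can be followed with an in-memory simulation. The code below is an added example, not code from the patent or from Eyeball Networks; it assumes an address-and-port-restricted NAPT with endpoint-independent mapping (the same external port reused for every destination), models the two firewalls and the echo server as Python objects rather than real sockets, and uses constructed documentation addresses. It shows why a data packet from the first computer is dropped by the second firewall until the second computer has sent U3, and why it is delivered afterwards.

```python
"""Simulation of steps a) to d) of claim 24 (constructed example).

No real sockets: the NAPT firewalls, the designated recipient (echo)
server and all addresses are modelled in memory.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: tuple      # (address, port) the packet comes from
    dst: tuple      # (address, port) it is addressed to
    payload: str


class Napt:
    """Assumed firewall model: address-and-port-restricted NAPT.

    Outbound: an internal (addr, port) is mapped once to an external port and
    that mapping is reused for every destination; the method depends on this,
    since the port the echo server observes must be the one the peer sends to.
    Inbound: a packet is accepted only if the internal endpoint behind the
    destination external port already sent a packet to the packet's source.
    """

    def __init__(self, external_addr, first_port=40000):
        self.external_addr = external_addr
        self.next_port = first_port
        self.mapping = {}       # internal (addr, port) -> external port
        self.reverse = {}       # external port -> internal (addr, port)
        self.allowed = set()    # (external port, remote (addr, port))

    def outbound(self, pkt):
        """Translate an internal packet and record the session it opens."""
        if pkt.src not in self.mapping:
            self.mapping[pkt.src] = self.next_port
            self.reverse[self.next_port] = pkt.src
            self.next_port += 1
        ext_port = self.mapping[pkt.src]
        self.allowed.add((ext_port, pkt.dst))
        return Packet((self.external_addr, ext_port), pkt.dst, pkt.payload)

    def inbound(self, pkt):
        """Return the packet translated to the internal endpoint, or None if dropped."""
        ext_port = pkt.dst[1]
        if pkt.dst[0] != self.external_addr or (ext_port, pkt.src) not in self.allowed:
            return None
        return Packet(pkt.src, self.reverse[ext_port], pkt.payload)


class EchoServer:
    """Designated recipient (claim 22): reports the external address and
    port it observes on the wide area network."""

    def __init__(self, addr, port=3478):
        self.endpoint = (addr, port)

    def observe(self, pkt):
        if pkt.dst != self.endpoint:
            raise ValueError("packet was not addressed to the echo server")
        return pkt.src


def run_traversal(c1, fw1, c2, fw2, server, payload="media frame 1"):
    """Steps a) to d) of claim 24. c1 = (H1, h1) sends, c2 = (H2, h2) receives."""
    results = {}
    # a) both computers send a UDP packet to the designated recipient.
    u1 = fw1.outbound(Packet(c1, server.endpoint, "U1"))
    u2 = fw2.outbound(Packet(c2, server.endpoint, "U2"))
    # b) the recipient tells each side the other's external (addr, port).
    f1_ext = server.observe(u1)     # (F1, f1), communicated to C2
    f2_ext = server.observe(u2)     # (F2, f2), communicated to C1
    results["external"] = (f1_ext, f2_ext)
    # Before c): a packet from F1:f1 matches no session at FW2 and is dropped.
    results["delivered_before_punch"] = fw2.inbound(Packet(f1_ext, f2_ext, payload)) is not None
    # c) C2 sends U3 from its receiving port to F1:f1. FW2 records the session
    # (f2, F1:f1). U3 itself is dropped by FW1, which has no session to F2:f2 yet.
    u3 = fw2.outbound(Packet(c2, f1_ext, "U3"))
    results["u3_reached_c1"] = fw1.inbound(u3) is not None
    # d) C1 sends the data packet from its transmitting port to F2:f2; FW2
    # matches it against the session U3 opened and delivers it to (H2, h2).
    delivered = fw2.inbound(fw1.outbound(Packet(c1, f2_ext, payload)))
    results["delivered_after_punch"] = delivered is not None
    results["received_at"] = delivered.dst if delivered else None
    results["received_payload"] = delivered.payload if delivered else None
    return results


def demo():
    """Constructed addresses (documentation ranges), not from the patent."""
    server = EchoServer("203.0.113.5")   # designated recipient computer (28)
    fw1 = Napt("198.51.100.1")           # first firewall (16), external F1
    fw2 = Napt("198.51.100.2")           # second firewall (24), external F2
    c1 = ("192.168.0.10", 5000)          # (H1, h1), transmitting side
    c2 = ("10.0.0.20", 6000)             # (H2, h2), receiving side
    return run_traversal(c1, fw1, c2, fw2, server)


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The ordering in step c matters for the firewall model assumed here: U3 from the second computer is what creates the inbound session on the second firewall, so it must precede the first computer's data packet; the fact that U3 is itself dropped by the first firewall is harmless. If a firewall instead assigned a fresh external port per destination, the port reported by the echo server would not match the one later used toward the peer, which is the situation claim 18's periodic repetition is meant to cope with only partly; the simulation makes that assumption explicit in the `Napt` class.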

Patent Number 224961
Indian Patent Application Number 01044/KOLNP/2003
PG Journal Number 44/2008
Publication Date 31-Oct-2008
Grant Date 29-Oct-2008
Date of Filing 18-Aug-2003
Name of Patentee EYEBALL NETWORKS INC.
Applicant Address 500-100 PARK ROYAL, WEST VANCOUVER, BRITISH COLUMBIA V7T 1A2
Inventors:
# Inventor's Name Inventor's Address
1 PICHE CHRISTOPHER 500-100 PARK ROYAL, WEST VANCOUVER, BRITISH COLUMBIA V7T 1A2
2 KHAN MD. SHAHADATULLAH 1102-145 ST. GEORGES AVENUE, NORTH VANCOUVER, BRITISH COLUMBIA V7T 3G8
3 MARWOOD DAVID EVEREIT 863 WESTVIEW CRESCENT, NORTH VANCOUVER, BRITISH COLUMBIA V7N 3X9
4 CHUNG MICHAEL 1495 JOHNSON ROAD, RR6, GIBSONS, BRITISH COLUMBIA V0N 1V6
PCT International Classification Number H04L 29/06, 29/12
PCT International Application Number PCT/CA02/00214
PCT International Filing date 2002-02-19
PCT Conventions:
# PCT Application Number Date of Convention Priority Country
1 60/269,357 2001-02-20 Canada