Title of invention: Transparent Bridging of Transmission Control Protocol (TCP) Connections
Abstract: A transparent TCP proxy device intercepts TCP connection requests received from a TCP client and destined for a TCP server as if acting as the TCP server in a handshake with the TCP client. Only after completing the handshake with the TCP client, the transparent TCP proxy participates in a handshake with the TCP server as if acting as the TCP client. After the handshake with the TCP server is complete, the transparent TCP proxy intercepts and translates subsequent TCP packets received from the TCP client and destined for the TCP server into a form expected by the TCP server including updating an acknowledgement number and TCP checksum; and intercepts and translates subsequent TCP packets received from the TCP server and destined for the TCP client into a form expected by the TCP client including updating an acknowledgement number and TCP checksum.
Publication No.: US2015195382(A1)  Publication date: 2015.07.09
Application No.: US201414458144  Filing date: 2014.08.12
Applicant: Graham-Cumming John  Inventor: Graham-Cumming John
Classification: H04L29/06;H04L29/08  Main classification: H04L29/06
Agency:  Agent:
Main claim: 1. A method in a transparent Transmission Control Protocol (TCP) proxy for transparent bridging of TCP connections, comprising:
intercepting a first TCP SYN packet sent from a TCP client and destined for a TCP server that initiates a TCP connection between the TCP client and the TCP server;
transmitting a first TCP SYN-ACK packet to the TCP client as if the transparent TCP proxy is the TCP server in response to intercepting the first TCP SYN packet, wherein the first TCP SYN-ACK packet includes a first sequence number that is chosen by the transparent TCP proxy, wherein the first sequence number is a first initial sequence number (ISN);
intercepting a first TCP ACK packet sent from the TCP client and destined for the TCP server in response to transmitting the first TCP SYN-ACK packet, wherein the first TCP ACK packet acknowledges receipt of the TCP client of the first TCP SYN-ACK packet;
transmitting, in response to intercepting the first TCP ACK packet, a second TCP SYN packet to the TCP server as if the transparent TCP proxy is the TCP client, wherein the second TCP SYN packet is substantially the same as the first TCP SYN packet;
intercepting a second TCP SYN-ACK packet sent from the TCP server and destined for the TCP client in response to transmitting the second TCP SYN packet to the TCP server, wherein the second TCP SYN-ACK packet includes a second sequence number that is chosen by the TCP server, wherein the second sequence number is a second ISN;
transmitting a second TCP ACK packet to the TCP server as if the transparent TCP proxy is the TCP client in response to intercepting the second TCP SYN-ACK packet;
calculating and storing a difference between the first ISN included in the first TCP SYN-ACK packet and the second ISN included in the second TCP SYN-ACK packet;
intercepting a first data packet sent from the TCP client and destined for the TCP server, wherein the first data packet includes a first acknowledgement number based on the first sequence number, and wherein the first data packet includes a first TCP checksum;
updating the first acknowledgement number to a second acknowledgement number using the difference between the first ISN and the second ISN so that the updated acknowledgement number is a value that is expected by the TCP server;
calculating a second TCP checksum that uses the second acknowledgement number instead of the first acknowledgement number;
transmitting a second data packet to the TCP server as if the transparent TCP proxy is the TCP client, wherein the second data packet includes the second acknowledgement number and the second TCP checksum;
intercepting a third data packet sent from the TCP server and destined for the TCP client, wherein the third data packet includes a third TCP checksum and a third sequence number;
updating the third sequence number to a fourth sequence number using the difference between the first sequence number and the second sequence number so that the fourth sequence number is a value that is expected by the TCP client;
calculating a fourth TCP checksum that uses the fourth sequence number instead of the third sequence number;
transmitting a fourth data packet to the TCP client as if the transparent TCP proxy is the TCP server, wherein the fourth data packet includes the fourth TCP checksum and the fourth sequence number;
calculating and storing a difference between the first TCP checksum and the second TCP checksum;
intercepting a fifth data packet transmitted from the TCP client and destined for the TCP server, wherein the fifth data packet includes a third acknowledgement number and a fifth TCP checksum;
updating the third acknowledgement number to a fourth acknowledgement number using the difference between the first sequence number and the second sequence number so that the fourth acknowledgement number is a value that is expected by the TCP server;
updating the fifth TCP checksum to a sixth TCP checksum using the difference between the first TCP checksum and the second TCP checksum;
transmitting a sixth data packet to the TCP server as if the transparent TCP proxy is the TCP client, wherein the sixth data packet includes the fourth acknowledgement number and the sixth TCP checksum;
calculating and storing a difference between the third TCP checksum and the fourth TCP checksum;
intercepting a seventh data packet transmitted from the TCP server and destined for the TCP client, wherein the seventh data packet includes a seventh TCP checksum and a fifth sequence number;
updating the fifth sequence number to a sixth sequence number using the difference between the first sequence number and the second sequence number so that the sixth sequence number is a value that is expected by the TCP client;
updating the seventh TCP checksum to an eighth TCP checksum using the difference between the third TCP checksum and the fourth TCP checksum;
and transmitting an eighth data packet to the TCP client as if the transparent TCP proxy is the TCP server, wherein the eighth data packet includes the eighth TCP checksum and the sixth sequence number.
Address: London GB
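The translation step of the claim (shift the client's acknowledgement number and the server's sequence number by the stored ISN difference, then fix the TCP checksum without touching the payload) is sketched below as an added example; it is not code from the patent or its applicant. It assumes IPv4 and a 20-byte TCP header with no options, the names Bridge, patch_field and make_segment are hypothetical, and the checksum is patched per packet with the RFC 1624 incremental update from the old and new field words rather than from a stored checksum difference as the claim describes.

```python
import struct

MOD32 = 1 << 32

def fold(total: int) -> int:
    """Fold carries back in: 16-bit ones-complement addition."""
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def tcp_checksum(src: bytes, dst: bytes, segment: bytes) -> int:
    """Full RFC 1071 checksum over IPv4 pseudo-header + segment (checksum field zeroed)."""
    data = src + dst + struct.pack("!BBH", 0, 6, len(segment))
    data += segment[:16] + b"\x00\x00" + segment[18:]
    if len(data) % 2:
        data += b"\x00"
    return ~fold(sum(struct.unpack(f"!{len(data) // 2}H", data))) & 0xFFFF

def patch_field(segment: bytes, offset: int, new_value: int) -> bytes:
    """Overwrite a 32-bit header field and patch the checksum (RFC 1624, eqn. 3)."""
    old_hi, old_lo = struct.unpack_from("!HH", segment, offset)
    new_hi, new_lo = new_value >> 16, new_value & 0xFFFF
    (csum,) = struct.unpack_from("!H", segment, 16)
    # HC' = ~(~HC + ~m + m'), computed from the actual old and new words,
    # so it stays exact when the 32-bit translation wraps around.
    total = (~csum & 0xFFFF) + (~old_hi & 0xFFFF) + (~old_lo & 0xFFFF) + new_hi + new_lo
    out = bytearray(segment)
    struct.pack_into("!I", out, offset, new_value)
    struct.pack_into("!H", out, 16, ~fold(total) & 0xFFFF)
    return bytes(out)

class Bridge:
    """Per-connection state: proxy-chosen ISN minus the server's ISN (hypothetical class)."""
    def __init__(self, proxy_isn: int, server_isn: int):
        self.delta = (proxy_isn - server_isn) % MOD32

    def client_to_server(self, segment: bytes) -> bytes:
        (ack,) = struct.unpack_from("!I", segment, 8)   # ACK number lives at offset 8
        return patch_field(segment, 8, (ack - self.delta) % MOD32)

    def server_to_client(self, segment: bytes) -> bytes:
        (seq,) = struct.unpack_from("!I", segment, 4)   # sequence number lives at offset 4
        return patch_field(segment, 4, (seq + self.delta) % MOD32)

def make_segment(src, dst, sport, dport, seq, ack, flags, payload=b""):
    """Constructed sample segment: 20-byte header, no options, valid checksum."""
    seg = struct.pack("!HHIIBBHHH", sport, dport, seq, ack, 5 << 4, flags, 65535, 0, 0) + payload
    return seg[:16] + struct.pack("!H", tcp_checksum(src, dst, seg)) + seg[18:]
```

Segments carrying TCP options that embed sequence numbers, such as SACK blocks, would need those values shifted as well; this sketch does not cover that case.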