Method for providing end-to-end security service in communication network using network address translation-protocol translation

US 20060253701A1
Filed: 05/03/2005
Published: 11/09/2006
Est. Priority Date: 05/03/2005
Status: Abandoned Application

First Claim

Patent Images

1. A method for providing end-to-end security service in a communication network having a network address translation-protocol translation function, the method comprising the steps of:

performing security negotiation between a first node included in a first communication network having the network address translation-protocol translation function and a second node included in a second communication network operating with a protocol different from the first communication network, storing protocol translation information generated when the security negotiation is performed at the first node; and

performing security transmission between the first node and the second node using the stored protocol translation information.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method for providing end-to-end security service in a communication network having an NAT-PT function comprises: performing security negotiation between a first node included in a first communication network having the network address translation-protocol translation function and a second node included in a second communication network operating with a protocol different from the first communication network; storing protocol translation information generated when the security negotiation is performed in the first node; and performing security transmission between the first and second nodes using the stored protocol translation information. The method transmits the address translation information to the ends in advance, thereby being capable of applying the security service using the address information on transmitting the data between hosts in the communication network using the address translation method.

Citations

28 Claims

1. A method for providing end-to-end security service in a communication network having a network address translation-protocol translation function, the method comprising the steps of:
- performing security negotiation between a first node included in a first communication network having the network address translation-protocol translation function and a second node included in a second communication network operating with a protocol different from the first communication network, storing protocol translation information generated when the security negotiation is performed at the first node; and
  
  performing security transmission between the first node and the second node using the stored protocol translation information.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising the step of performing authentication between the first node and the second node using the stored protocol translation information.
  - 3. The method of claim 2, wherein the step of performing the authentication comprises:
    - predicting, at the first node, address information to be translated on the basis of stored protocol translation information;
      
      generating, at the first node, authentication information on the basis of the predicted address information;
      
      transmitting the authentication information from the first node to the second node; and
      
      authenticating, at the second node, the first node on the basis of the authentication information.
  - 4. The method of claim 3, wherein the steps of performing the authentication further comprises:
    - generating, at the second node, authentication information on the basis of the address information of the second node;
      
      transmitting the authentication information from the second node to the first node;
      
      predicting, at the first node, translation address information of the first node on the basis of the stored protocol translation information; and
      
      authenticating, at the first node, the second node using the predicted translation address information and the authentication information transmitted from the second node.
  - 5. The method of claim 1, wherein the step of performing the security negotiation and storing the protocol translation information comprise:
    - translating, at a translation server for the network address and protocol translation, a protocol of a request message for the security negotiation to transmit the translated protocol to the second node in response to a request by the first node for the security negotiation;
      
      transmitting, at the translation server, the protocol translation information to the first node in response to a response message from the second node;
      
      storing, at the first node, the protocol translation information; and
      
      translating, at the translation server, a protocol of the response message from the second node.
  - 6. The method of claim 1, wherein the protocol translation information includes address information for the second communication network allocated to the first node so as to make it possible to recognize the first node in the second communication network.
  - 7. The method of claim 1, wherein the first communication network is an IPv6 (Internet Protocol version 6) network and the second communication network is an IPv4 (Internet Protocol version 4) network.
  - 8. The method of claim 7, wherein the protocol translation information is IP (Internet Protocol) header translation information between an IPv6 packet and an IPv4 packet.
  - 9. The method of claim 1, wherein the security service makes use of IPsec (Internet Protocol Security).
  - 10. The method of claim 1, wherein the step of performing the security transmission comprises transmitting and receiving packet data which includes an authentication header for permitting authentication of a data transmitter between the first node and the second node.
  - 11. The method of claim 10, wherein the step of performing the security transmission further comprises:
    - calculating, at the first node, an integrity check value on the basis of the stored protocol translation information;
      
      generating an authentication header including the integrity check value; and
      
      generating packet data, including the authentication header, for transmission to the second node.
  - 12. The method of claim 11, wherein the step of performing the security transmission further comprises;
    - receiving, at the first node, the packet data including the authentication header from the second node;
      
      calculating, at the first node, the integrity check value on the basis of the stored protocol translation information and in response to the reception of the packet data; and
      
      verifying the received packet data using the integrity check value.
  - 13. The method of claim 1, wherein the step of performing the security transmission comprises transmitting and receiving packet data which includes an encapsulating security payload supporting authentication of a transmitter and data encryption between the first node and the second node.
  - 14. The method of claim 13, wherein the step of performing the security transmission further comprises:
    - predicting and calculating, at the first node, a TCP/UDP (Transmission Control Protocol/User Datagram Protocol) checksum value on the basis of the stored protocol translation information;
      
      generating, at the first node, the encapsulating security payload using the predicted and calculated TCP/UDP checksum value; and
      
      transmitting the packet data, including the encapsulating security payload, to the second node.
  - 15. The method of claim 13, wherein the step of performing the security transmission further comprises:
    - receiving, at the first node, the packet data which includes the encapsulating security payload from the second node;
      
      predicting and calculating, at the first node, a TCP/UDP (Transmission Control Protocol/User Datagram Protocol) checksum value on the basis of the stored protocol translation information in response to the reception of the packet data; and
      
      verifying the received packet data using the predicted and calculated TCP/UDP checksum value.

16. A method for providing end-to-end security service in an IPv6 (Internet Protocol version 6) network having a network address translation-protocol translation function, the method comprising the steps of:
- performing security negotiation between an IPv6 node included in the IPv6 network and an IPv4 (Internet Protocol version
  
  4) node included in an IPv4 network;
  
  storing, in the IPv6 node, IP (Internet Protocol) header translation information, generated when the security negotiation is performed; and
  
  performing security transmission between the IPv6 node and the IPv4 node using the stored IP header translation information.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28)
- - 17. The method of claim 16, further comprising the step of performing authentication between the IPv6 node and the IPv4 node using the stored IP header translation information.
  - 18. The method of claim 17, wherein the step of performing the authentication comprises:
    - predicting, at the IPv6 node, address information to be translated on the basis of the stored IP header translation information;
      
      generating, at the IPv6 node, authentication information on the basis of the predicted address information;
      
      transmitting the authentication information to the IPv4 node; and
      
      authenticating, at the IPv4 node, the IPv6 node on the basis of the authentication information.
  - 19. The method of claim 18, wherein the step of performing the authentication further comprises:
    - generating, at the IPv4 node, authentication information on the basis of the address information of the IPv4 node;
      
      transmitting the authentication information from the IPv4 node to the IPv6 node;
      
      predicting, at the IPv6 node, translation address information of the IPv6 node on the basis of the stored IP header translation information; and
      
      authenticating, at the IPv6 node, the IPv4 node using the predicted translation address information and the authentication information transmitted from the IPv4 node.
  - 20. The method of claim 16, wherein the steps of performing the security negotiation and storing the IP header translation information comprise:
    - translating, at a translation server for the network address and protocol translation, an IP header of a request message for the security negotiation to transmit the translated IP header to the IPv4 node in response to a request by the IPv6 node for the security negotiation;
      
      transmitting, at the translation server, the IP header translation information to the IPv6 node in response to a response message from the IPv4 node;
      
      storing, at the IPv6 node, the IP header translation information; and
      
      translating, at the translation server, an IP header of the response message for transmission to the IPv6 node.
  - 21. The method of claim 16, wherein the IP header translation information includes an IPv4 address allocated to the IPv6 node so as to make it possible to recognize the IPv6 node in the IPv4 network.
  - 22. The method of claim 16, wherein the security service makes use of IPsec (Internet Protocol Security).
  - 23. The method of claim 16, wherein the step of performing the security transmission comprises transmitting and receiving packet data which includes an authentication header for permitting authentication of a data transmitter between the IPv6 node and the IPv4 node.
  - 24. The method of claim 23, wherein the step of performing the security transmission further comprises:
    - calculating, at the IPv6 node, an integrity check value on the basis of the stored IP header translation information;
      
      generating an authentication header including the integrity check value; and
      
      generating packet data, including the authentication header, for transmission to the IPv4 node.
  - 25. The method of claim 24, wherein the step of performing the security transmission further comprises;
    - receiving, at the IPv6 node, packet data including an authentication header from the IPv4 node;
      
      calculating, at the IPv6 node, the integrity check value on the basis of the stored IP header translation information in response to the reception of the packet data; and
      
      verifying the received packet data using the integrity check value.
  - 26. The method of claim 16, wherein the step of performing the security transmission comprises transmitting and receiving packet data which includes an encapsulating security payload supporting authentication of a transmitter and data encryption between the IPv6 node and the IPv4 node.
  - 27. The method of claim 26, wherein the step of performing the security transmission further comprises:
    - predicting and calculating, at the IPv6 node, a TCP/UDP (Transmission Control Protocol/User Datagram Protocol) checksum value on the basis of the stored IP header translation information;
      
      generating, at the IPv6 node, the encapsulating security payload using the predicted and calculated TCP/UDP checksum value; and
      
      transmitting the packet data, including the encapsulating security payload, to the IPv4 node.
  - 28. The method of claim 26, wherein the step of performing the security transmission further comprises:
    - receiving, at the IPv6 node, the packet data which includes the encapsulating security payload from the IPv4 node;
      
      predicting and calculating, at the IPv6 node, the TCP/UDP checksum value on the basis of the stored IP header translation information in response to the reception of the packet data; and
      
      verifying the received packet data using the predicted and calculated TCP/UDP checksum value.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Samsung Electronics Co. Ltd.
Original Assignee
Samsung Electronics Co. Ltd.
Inventors
Oh, Du-Young, Choi, In-Seok, Kim, Sun-Gi, Jung, Sou-Hwan, Park, Yong-Seok, Kang, Byung-Chang, Kim, Young-Han

Application Number

US11/119,727
Publication Number

US 20060253701A1
Time in Patent Office

Days
Field of Search
US Class Current

713/153
CPC Class Codes

H04L 61/251   between different IP versions

H04L 61/2564   for a higher-layer protocol...

H04L 63/08   for authentication of entit...

H04L 63/164   at the network layer

Method for providing end-to-end security service in communication network using network address translation-protocol translation

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Method for providing end-to-end security service in communication network using network address translation-protocol translation

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links