Method and arrangement for providing security through network address translations using tunneling and compensations
Abstract
This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
23 Claims
1. A method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion, the method comprising the steps of
determining what network address translations, if any, occur on packets transmitted between the first computer device and the second computer device, taking packets conforming to a first protocol and encapsulating them into packets conforming to a second protocol, which second protocol is capable of traversing network address translations, transmitting said packets conforming to said second protocol from the first computer device to the second computer device and decapsulating said transmitted packets conforming to said second protocol into packets conforming to said first protocol.
8. A method for conditionally setting up a secure communication connection between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion, the method comprising the steps of
finding out whether or not the second computer device supports a communication method where:
- it is determined what network address translations, if any, occur on packets transmitted between the first computer device and the second computer device;
- packets are taken that conform to a first protocol and encapsulated into packets that conform to a second protocol, which second protocol is capable of traversing network address translations;
- said packets conforming to said second protocol are transmitted from the first computer device to the second computer device; and
- said transmitted packets conforming to said second protocol are decapsulated into packets conforming to said first protocol,
as a response to a finding indicating that the second computer device supports said communication method, setting up a secure communication connection between the first computer device and the second computer device in which communication connection said communication method is employed, and as a response to a finding indicating that the second computer device does not support said communication method, disabling the use of said communication method between the first and the second computer devices.
9. A method for tunnelling packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion, the method comprising the steps of
establishing a bidirectional tunnelling mode between the first computer device and the second computer device by exchanging packets conforming to a secure communication protocol, taking packets conforming to a first protocol and encapsulating them at the first computer device into packets conforming to a second protocol, which second protocol is capable of traversing network address translations, transmitting said packets conforming to said second protocol from the first computer device to the second computer device, decapsulating said transmitted packets conforming to said second protocol into packets conforming to said first protocol at the second computer device, obtaining information about the address translations that occurred on packets transmitted between the first computer device and the second computer device, and using said obtained information to modify the established bidirectional tunnelling mode between the first computer device and the second computer device.
14. A method for tunnelling packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, in which data transmission network there exists a security protocol comprising a key management connection that employs a specific packet format for key management packets, the method comprising the steps of
encapsulating data packets that are not key management packets into said specific packet format for key management packets, transmitting said data packets encapsulated into the specific packet format from the first computer device to the second computer device, discriminating at the second computer device the data packets encapsulated into the specific packet format from actual key management packets and decapsulating the data packets encapsulated into the specific packet format.
16. A method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion and where a security protocol exists comprising a key management connection, the method comprising the steps of
for determining what network address translations, if any, occur on packets transmitted between the first computer device and the second computer device:
- establishing a key management connection according to said security protocol between the first computer device and the second computer device;
- composing an indicator packet with a header part and a payload part, both of which comprise the network addresses of the first computer device and the second computer device as seen by the node composing said packet;
- transmitting and receiving said indicator packet within the key management connection; and
- comparing in the received indicator packet the addresses contained in the header part and the payload part,
and using the information concerning the determined occurrences of network address translations to securely communicate packets between the first computer device and the second computer device.
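The NAT-detection step of claim 16, as an added illustration rather than code from the patent: the composing node writes its own view of the source and destination addresses into both the outer header and the payload, a simulated NAT rewrites only the outer source, and the receiver compares the two copies. The 12-byte header layout, the JSON payload, the apply_nat simulator and the choose_encapsulation policy are assumptions made for this example; in the patent the indicator packet travels inside the key management connection.

```python
import json
import socket
import struct

def compose_indicator(local_ip, local_port, peer_ip, peer_port):
    """Indicator packet as the composing node sees the addresses: a constructed
    12-byte header (src ip, src port, dst ip, dst port) followed by a payload
    that repeats the same addresses. A NAT on the path rewrites only the header."""
    header = (socket.inet_aton(local_ip) + struct.pack("!H", local_port)
              + socket.inet_aton(peer_ip) + struct.pack("!H", peer_port))
    payload = json.dumps({"src": [local_ip, local_port], "dst": [peer_ip, peer_port]})
    return header + payload.encode()

def apply_nat(packet, public_ip, public_port):
    """Simulated NAT (assumption): the source address/port in the header are replaced,
    the payload is left untouched, as a real NAT would leave a protected body."""
    return socket.inet_aton(public_ip) + struct.pack("!H", public_port) + packet[6:]

def detect_translations(packet):
    """Receiver side: compare the header copy of the addresses with the payload copy."""
    seen_src = (socket.inet_ntoa(packet[0:4]), struct.unpack("!H", packet[4:6])[0])
    seen_dst = (socket.inet_ntoa(packet[6:10]), struct.unpack("!H", packet[10:12])[0])
    inner = json.loads(packet[12:].decode())
    orig_src, orig_dst = tuple(inner["src"]), tuple(inner["dst"])
    return {
        "source_translated": seen_src != orig_src,
        "destination_translated": seen_dst != orig_dst,
        "original_source": orig_src, "seen_source": seen_src,
        "original_destination": orig_dst, "seen_destination": seen_dst,
    }

def choose_encapsulation(result):
    """Policy derived from claim 1 (assumption): plain AH/ESP does not cross a NAT,
    so any detected translation selects the UDP-encapsulated mode."""
    if result["source_translated"] or result["destination_translated"]:
        return "udp-encapsulated-esp"
    return "native-ah-esp"
```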
18. A method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion;
- where a security protocol is acknowledged which determines transport-mode processing of packets for transmission and reception; and
- where a high-level protocol checksum has been determined for checking the integrity of received packets,
the method comprising the steps of
at the first computer device, performing transport-mode processing for packets to be transmitted to the second computer device; at the second computer device, performing transport-mode processing for packets received from the first computer device, said transport-mode processing comprising the decapsulation of received packets; and at the second computer device, updating the high-level protocol checksum for decapsulated packets to compensate for changes, if any, caused by network address translations.
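The checksum update of claim 18, as an added example that is not code from the patent: a transport-mode TCP segment carries the checksum the sender computed over its own addresses, a NAT then replaces the outer source address, and the receiver repairs the checksum incrementally (the RFC 1624 rule) instead of recomputing it over the whole segment. The addresses, the TCP segment and the assumption that the receiver already learned the sender's original addresses from the NAT-detection exchange are constructed for this example.

```python
import socket
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src_ip, dst_ip, tcp_len):
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)

def tcp_checksum(src_ip, dst_ip, segment):
    """Full TCP checksum; the segment's checksum field (bytes 16-17) must be zero."""
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment)) & 0xFFFF

def compensate_checksum(old_csum, old_src, old_dst, new_src, new_dst):
    """Receiver-side update of claim 18 using the RFC 1624 rule HC' = ~(~HC + ~m + m'):
    m are the 16-bit words of the addresses the sender computed over (assumed to be
    known from the NAT-detection exchange), m' the words of the translated addresses."""
    acc = (~old_csum) & 0xFFFF
    for word in struct.unpack("!4H", socket.inet_aton(old_src) + socket.inet_aton(old_dst)):
        acc += (~word) & 0xFFFF
    for word in struct.unpack("!4H", socket.inet_aton(new_src) + socket.inet_aton(new_dst)):
        acc += word
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF

def verify_segment(src_ip, dst_ip, segment):
    """True when the checksum stored inside the segment is valid for these addresses."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF

def build_segment(payload, csum=0):
    # Constructed 20-byte TCP header: 40000 -> 80, seq 1, ack 0, offset 5, PSH|ACK, window 8192.
    return struct.pack("!HHIIBBHHH", 40000, 80, 1, 0, 5 << 4, 0x18, 8192, csum, 0) + payload

def demo():
    inner_src, nat_src, dst = "10.0.0.5", "198.51.100.7", "203.0.113.10"  # constructed addresses
    body = build_segment(b"GET / HTTP/1.0\r\n")
    sent = tcp_checksum(inner_src, dst, body)                          # checksum the sender wrote
    fixed = compensate_checksum(sent, inner_src, dst, nat_src, dst)    # peer's fix after decapsulation
    recomputed = tcp_checksum(nat_src, dst, body)                      # reference: full recomputation
    return sent, fixed, recomputed, verify_segment(nat_src, dst, build_segment(b"GET / HTTP/1.0\r\n", fixed))
```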
23. A method for maintaining the unchanged form of address translations performed by network address translation devices on encapsulated actual data packets transmitted with certain address information between a first computer device and a second computer device through a packet-switched data transmission network, the method comprising the step of
forcing at least one of the first computer device and the second computer device to transmit to the other computer device keepalive packets with address information identical to that of actual data packets at a high enough frequency so that network address translation devices constantly reuse the mappings used for network address translation even when a certain fraction of the packets communicated between the first computer device and the second computer device are lost in the network.
Specification