System and method for network address translation integration with IP security
First Claim
Patent Images
1. A method of operating one or more tunnels of nested protocols that integrate network address translation (NAT) at an Internet Protocol (IP) layer, comprising the steps of:
- configuring a tunnel NAT IP address pool;
independently configuring one or more tunnels in a virtual private network to utilize tunnel NAT at one or both of a local and a remote tunnel endpoint;
upon starting an instantiation of a tunnel, selectively automatically generating a specific tunnel NAT rule or using a configured tunnel NAT rule as an instantiation-specific tunnel NAT rule for said instantiation;
applying said instantiation-specific NAT rule to a local or remote IP address to generate a NAT address from said NAT IP address pool;
using said NAT address, negotiating tunnel configuration and operational parameters between tunnel endpoints;
loading said operational parameters into an operating system kernel, said operational parameters including said instantiation-specific tunnel NAT rule; and
processing packet traffic as it enters and exits said local tunnel endpoint by applying said instantiation-specific tunnel NAT rule to each packet.
1 Assignment
0 Petitions
Accused Products
Abstract
IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination-of the three types of VPN NAT, including VPN NAT type a outbound source IP NAT, VPN NAT type c inbound source IP NAT, and VPN NAT type d inbound destination IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations, before beginning IP security that uses the Security Associations. Then, as IP Sec is performed on outbound and inbound datagrams, the NAT function is also performed.
-
Citations
3 Claims
-
1. A method of operating one or more tunnels of nested protocols that integrate network address translation (NAT) at an Internet Protocol (IP) layer, comprising the steps of:
-
configuring a tunnel NAT IP address pool;
independently configuring one or more tunnels in a virtual private network to utilize tunnel NAT at one or both of a local and a remote tunnel endpoint;
upon starting an instantiation of a tunnel, selectively automatically generating a specific tunnel NAT rule or using a configured tunnel NAT rule as an instantiation-specific tunnel NAT rule for said instantiation;
applying said instantiation-specific NAT rule to a local or remote IP address to generate a NAT address from said NAT IP address pool;
using said NAT address, negotiating tunnel configuration and operational parameters between tunnel endpoints;
loading said operational parameters into an operating system kernel, said operational parameters including said instantiation-specific tunnel NAT rule; and
processing packet traffic as it enters and exits said local tunnel endpoint by applying said instantiation-specific tunnel NAT rule to each packet.
-
-
2. A system for operating one or more tunnels of nested protocols that integrate network address translation (NAT) at an Internet Protocol (IP) layer, comprising:
-
means for configuring a tunnel NAT IP address pool;
means for independently configuring one or more tunnels in a virtual private network to utilize tunnel NAT at one or both of a local and a remote tunnel endpoint;
means for selectively automatically generating upon starting an instantiation of a tunnel a specific tunnel NAT rule or using a configured tunnel NAT rule as an instantiation-specific tunnel NAT rule for said instantiation;
means for applying said instantiation-specific NAT rule to a local or remote IP address to generate a NAT address from said NAT IP address pool;
means responsive to said NAT address for negotiating tunnel configuration and operational parameters between tunnel endpoints;
means for installing said tunnel instantiation including said operational parameters in an operating system kernel, said operational parameters including said instantiation-specific tunnel NAT rule; and
means for processing packet traffic as it enters and exits said local tunnel endpoint by applying said instantiation-specific tunnel NAT rule to each packet.
-
-
3. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for operating one or more tunnels of nested protocols that integrate network address translation (NAT) at an Internet Protocol (IP) layer, said method steps comprising:
-
configuring a tunnel NAT IP address pool;
independently configuring one or more tunnels in a virtual private network to utilize tunnel NAT at one or both of a local and a remote tunnel endpoint;
upon starting an instantiation of a tunnel, selectively automatically generating a specific tunnel NAT rule or using a configured tunnel NAT rule as an instantiation-specific tunnel NAT rule for said instantiation;
applying said instantiation-specific NAT rule to a local or remote IP address to generate a NAT address from said NAT IP address pool;
using said NAT address, negotiating tunnel configuration and operational parameters between tunnel endpoints;
loading said operational parameters into an operating system kernel, said operational parameters including said instantiation-specific tunnel NAT rule; and
processing packet traffic as it enters and exits said local tunnel endpoint by applying said instantiation-specific tunnel NAT rule to each packet.
-
Specification
-
- Resources
Litigation Campaign Assessment
Thank you for your request. You will receive a custom alert email when the Litigation Campaign Assessment is available.
×
-
Current AssigneeInternational Business Machines Corporation
-
Original AssigneeInternational Business Machines Corporation
-
InventorsBoden, Edward B., Gruber, Franklin A.
-
Primary Examiner(s)Barron, Gilberto
-
Assistant Examiner(s)MEISLAHN, DOUGLAS J
-
Application NumberUS09/240,720Time in Patent Office1,677 DaysField of Search709/221, 709/238, 713/201, 713/200, 707/10US Class Current726/15CPC Class CodesH04L 61/25 of the same typeH04L 61/255 Maintenance or indexing of ...H04L 61/2557 Translation policies or rulesH04L 63/0272 Virtual private networksH04L 63/164 at the network layer
