System and method for network address translation integration with IP security
First Claim
1. Method for integrating network address translation within secured virtual private network, comprising the steps of:
configuring an internal network host to send selected traffic to a proxy network address;
configuring a virtual private network gateway with a mapping table of network address translation rules; and
responsive to said network address translation rules, starting a virtual private network connection.
Abstract
IP security is provided in a virtual private network using network address translation (NAT) by performing one or a combination of four types of VPN NAT: type a, source-outbound IP NAT; type b, destination-outbound IP NAT; type c, inbound-source IP NAT; and type d, inbound-destination IP NAT. This involves dynamically generating NAT rules and associating them with the manual or dynamically generated (IKE) Security Associations before IP security processing that uses those Security Associations begins. Then, as IPsec is performed on outbound and inbound datagrams, the NAT function is performed as well.
19 Claims
1. Method for integrating network address translation within secured virtual private network, comprising the steps of:
configuring an internal network host to send selected traffic to a proxy network address;
configuring a virtual private network gateway with a mapping table of network address translation rules; and
responsive to said network address translation rules, starting a virtual private network connection.

generating a datagram at said internal network host;
routing said datagram to said gateway;
at said gateway, routing said datagram through filter rules defining a virtual private network tunnel;
processing a destination address in said datagram at said virtual private network tunnel responsive to said mapping table according to the steps of;
searching said table for a match on said destination address with a left address of a left/right address pair;
upon finding a match, doing address translation by substituting for said destination address the right address of said address pair; and
performing security processing.
4. The method of claim 3, further comprising the steps of:
receiving at said gateway an inbound datagram from an external host including a security indicia;
responsive to said security indicia, determining a network source connection address;
processing said network connection address according to the steps of;
searching said table for a match on said source connection address with a right address;
upon finding a match, doing address translation by substituting for said source connection address the left entry of said address pair; and
performing security processing.
5. The method of claim 4, said determining step including obtaining from a domain name server behind said gateway a locally routable host alias address for said external host.
6. A method for serving domain names, comprising:
configuring a domain name server behind a gateway to store for external hosts locally routable host alias addresses;
building a mapping table by;
presenting to a user a list of host names forming left hand address entries;
responsive to user selection of an entry in said list, prompting said user for entry of a corresponding right hand alias address entry;
iterating said presenting and prompting steps for a plurality of mapping table entries;
responsive to a request from a gateway or from a host behind said gateway for a right hand address, serving said alias address.
7. System for integrating network address translation within a secured virtual private network, comprising:
an internal network host for sending selected traffic to a proxy network address;
a mapping table of network address translation rules; and
a gateway responsive to said network address translation rules for starting a virtual private network connection.

means for processing a destination address in said datagram at said virtual private network tunnel responsive to said mapping table.
11. The system of claim 10, further comprising:
means for searching said table for a match on said destination address with a left address of a left/right address pair;
means operable upon finding a match for doing address translation by substituting for said destination address the right address of said address pair; and
means for performing security processing.
12. The system of claim 9, further comprising:
receiving including a security indicia;
means responsive to security indicia received at said gateway in an inbound datagram from an external host for determining a network source connection address;
means for processing said network connection address by searching said table for a match on said source connection address with a right address and, upon finding a match, doing address translation by substituting for said source connection address the left entry of said address pair; and
performing security processing.
13. The system of claim 12, further comprising a domain name server behind said gateway for serving locally routable host alias addresses for said external host to both said gateway and to said local host.
14. A system for serving domain names, comprising:
a domain name server behind a gateway for storing locally routable host alias addresses for external hosts;
means for generating a mapping table by presenting to a user a list of host names forming left hand address entries and responsive to user selection of an entry in said list, for iteratively prompting said user for entry of a corresponding right hand alias address entry; and
means responsive to a request from a gateway or from a host behind said gateway for a right hand address for serving said alias address.
15. A process for performing VPN NAT destination-out, comprising the steps of:
building a local binding table of rules including right rule entry and left rule entry pairs;
responsive to a locally initiated conversation requesting network address translation, creating an implicit MAP rule including a left entry and a right entry by copying a local client ID to the left entry and obtaining the right entry from an address pool;
performing security processing with respect to said right entry;
starting a VPN connection including loading a first implicit rule;
for outbound processing, comparing the destination address with said left rule entry in said local binding table, and if a match is found replacing said destination address with said right rule entry; and
for inbound processing, comparing the source address with said right rule entry in said local binding table, and if a match is found replacing said source address with said left rule entry.
16. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for integrating network address translation within secured virtual private network, said method steps comprising:
configuring an internal network host to send selected traffic to a proxy network address;
configuring a virtual private network gateway with a mapping table of network address translation rules; and
responsive to said network address translation rules, starting a virtual private network connection.
17. A program storage device readable by a machine, tangibly embodying a program of instructions, executable by a machine, to perform method steps for serving domain names, said method steps comprising:
configuring a domain name server behind a gateway to store for external hosts locally routable host alias addresses;
building a mapping table by;
presenting to a user a list of host names forming left hand address entries;
responsive to user selection of an entry in said list, prompting said user for entry of a corresponding right hand alias address entry;
iterating said presenting and prompting steps for a plurality of mapping table entries;
responsive to a request from a gateway or from a host behind said gateway for a right hand address, serving said alias address.
18. A program storage device readable by a machine, tangibly embodying a program of instructions executable by a machine to perform method steps for performing VPN NAT destination-out, said method steps comprising:
building a local binding table of rules including right rule entry and left rule entry pairs;
responsive to a locally initiated conversation requesting network address translation, creating an implicit MAP rule including a left entry and a right entry by copying a local client ID to the left entry and obtaining the right entry from an address pool;
performing security processing with respect to said right entry;
starting a VPN connection including loading a first implicit rule;
for outbound processing, comparing the destination address with said left rule entry in said local binding table, and if a match is found replacing said destination address with said right rule entry; and
for inbound processing, comparing the source address with said right rule entry in said local binding table, and if a match is found replacing said source address with said left rule entry.
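The left/right translation that claims 3, 4, 15 and 18 describe, written up as an added Python model; this is example code, not part of the patent or of any product implementing it. The `VpnNatTable` class, the `Datagram.sa` field standing in for the security indicia, and the address values used with it are assumptions of this example, and it goes one step beyond the claims by refusing a second mapping for an already-used right entry.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Address, ip_address
from typing import Optional

@dataclass(frozen=True)
class Datagram:
    src: IPv4Address
    dst: IPv4Address
    # Security indicia: the Security Association the datagram arrived on
    # (hypothetical field; None means it did not come through the tunnel).
    sa: Optional[str] = None

@dataclass
class VpnNatTable:
    """Left/right mapping table held by the VPN gateway (illustrative model)."""
    left_to_right: dict = field(default_factory=dict)
    right_to_left: dict = field(default_factory=dict)
    pool: list = field(default_factory=list)  # constructed address pool

    def add_rule(self, left: str, right: str) -> None:
        l, r = ip_address(left), ip_address(right)
        # Each right entry must map back to exactly one left entry, otherwise
        # inbound translation of a tunnel peer's address would be ambiguous.
        if l in self.left_to_right or r in self.right_to_left:
            raise ValueError(f"duplicate mapping entry {left}/{right}")
        self.left_to_right[l] = r
        self.right_to_left[r] = l

    def map_implicit(self, local_client_id: str) -> IPv4Address:
        """Implicit MAP rule (claim 15): local client ID becomes the left entry,
        the right entry is taken from the address pool."""
        if not self.pool:
            raise RuntimeError("address pool exhausted")
        right = self.pool.pop(0)
        self.add_rule(local_client_id, str(right))
        return right

    def outbound(self, dg: Datagram) -> Datagram:
        """Destination matching a left entry is replaced by its right entry."""
        right = self.left_to_right.get(dg.dst)
        return dg if right is None else Datagram(dg.src, right, dg.sa)

    def inbound(self, dg: Datagram) -> Datagram:
        """Source matching a right entry is replaced by its left entry, but only
        when the datagram carries the security indicia (arrived through an SA);
        cleartext traffic from outside is never given an internal alias."""
        if dg.sa is None:
            return dg
        left = self.right_to_left.get(dg.src)
        return dg if left is None else Datagram(left, dg.dst, dg.sa)
```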
19. An article of manufacture comprising:
a computer useable medium having computer readable program code means embodied therein for serving domain names, the computer readable program means in said article of manufacture comprising;
computer readable program code means for causing a computer to effect storing locally routable host alias addresses for external hosts;
computer readable program code means for generating a mapping table by presenting to a user a list of host names forming left hand address entries and responsive to user selection of an entry in said list, for iteratively prompting said user for entry of a corresponding right hand alias address entry; and
computer readable program code means responsive to a request from a gateway or from a host behind said gateway for a right hand address for serving said alias address.