Method and apparatus for security protocol and address translation integration

US 7,143,137 B2
Filed: 06/13/2002
Issued: 11/28/2006
Est. Priority Date: 06/13/2002
Status: Active Grant

First Claim

Patent Images

1. A method for enhanced security when communicating over a network between a client computer behind a network address translation (NAT) configured gateway computer, and a remote computer, in response to the client computer making a first request for an IP address from the gateway computer, the method comprising:

providing a public address from the gateway computer to the client computer, the public address being one of a gateway computer public address and a pool of gateway computer public addresses and being associated with a medium access control address for the client computer;

participating in a security association negotiation with the remote computer to obtain a security parameter index (SPI) from the remote computer provided to the gateway computer;

obtaining an initiator indicator comprising a negotiation status bit associated with the security association negotiation from the client computer; and

using the SPI as an indicator to record a local address for the client computer in association with a destination address for the remote computer, the local address and the destination address being obtained from the security association negotiation and recorded in a mapping table accessible by the gateway computer in association with the medium access control address, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, to establish a unique secure communication between the client and the remote computer, the SPI thereafter being used to direct an incoming data packet from the remote computer to the client computer.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Method and apparatus for Internet Protocol Security (IPSec) and Network Address Translation (NAT) integration is described. A client obtains a public address from a gateway for IPSec communication. A mapping table is used to form associations between a local address for the client and a destination address for a peer, an Internet Security Association and Key Management Protocol (ISAKMP) Initiator Cookie and a Security Parameters Index associated with communication between the client and the peer. Incoming and outgoing routing may be done at the gateway using the mapping table.

68 Citations

View as Search Results

16 Claims

1. A method for enhanced security when communicating over a network between a client computer behind a network address translation (NAT) configured gateway computer, and a remote computer, in response to the client computer making a first request for an IP address from the gateway computer, the method comprising:
- providing a public address from the gateway computer to the client computer, the public address being one of a gateway computer public address and a pool of gateway computer public addresses and being associated with a medium access control address for the client computer;
  
  participating in a security association negotiation with the remote computer to obtain a security parameter index (SPI) from the remote computer provided to the gateway computer;
  
  obtaining an initiator indicator comprising a negotiation status bit associated with the security association negotiation from the client computer; and
  
  using the SPI as an indicator to record a local address for the client computer in association with a destination address for the remote computer, the local address and the destination address being obtained from the security association negotiation and recorded in a mapping table accessible by the gateway computer in association with the medium access control address, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, to establish a unique secure communication between the client and the remote computer, the SPI thereafter being used to direct an incoming data packet from the remote computer to the client computer.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1 further comprising:
    - setting a flag bit to indicate that the security parameters index value is not recorded in the mapping table; and
      
      clearing the flag bit after the security parameters index value is obtained.
  - 3. The method of claim 1 further comprising:
    - time stamping information recorded in the mapping table by storing a time stamp in the mapping table associated with the local address assigned to the client computer;
      
      waiting a predetermined time; and
      
      erasing information recorded in the mapping table if new information is not obtained for recordation in the mapping table by the predetermined time based from the time stamp.
  - 4. A method a claimed in claim 1 wherein the client computer sends a second IP request to the gateway computer, the request being assigned a second client identifier different than, but derived from, the client identifier assigned to the first client computer request.
  - 5. A method as claimed in claim 1 wherein the mapping table further stores an indicator cookie established by the local computer identifying further communications between the local computer and the destination address.
  - 6. A method as in claim 1 wherein the gateway computer determines that only the client computer can use the provided public address by inventing an associated local address in the mapping table.
  - 7. A method as in claim 1 wherein each said remote to local SPI designates a unique row in the mapping table at the gateway computer.
  - 8. A method as claimed in claim 1 wherein Internet Protocol Security (IPSec) governs transactions between the gateway computer and the remote computer and the transactions each include a header including either an authentication header (AH) or encapsulation security pay load (ESP).

9. A method for processing an Internet Protocol Security (IPsec) packet from one of a plurality of local computers connected via a Network Address Translation (NAT) gateway computer, the packet to be sent to a remote computer, comprising:
- checking at the NAT gateway computer for a public Internet Protocol (IP) source address for the IPsec packet assignable to the NAT gateway computer to one of the local computers;
  
  in response to the public IP source address being assigned by the NAT gateway computer, confirming the IPsec packet was sent by a remote computer including storing a medium access control (MAC) address for the local computer in a mapping table in association with the public IP source address of the local computer;
  
  obtaining an initiator indicator comprising a negotiation status bit associated with the security association negotiation from the client computer;
  
  recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header; and
  
  transmitting to the destination address of the remote computer the IPsec packet without translating the public IP source address in response to confirmation that the IPsec packet was sent by the local computer to the remote computer utilizing a remote-to-local security parameter index (SPI) sent by the remote computer, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.

10. A method for routing a received packet having a source address comprising an address of a remote computer which transmitted the packet and a public address of a gateway computer which received the packet, comprising:
- checking for the source address in a mapping table listed in association with the public address of the gateway computer;
  
  setting a pending bit in a field in the mapping table associated with the local computer;
  
  obtaining a security parameters index (SPI) from the received packet;
  
  checking for the security parameters index in the mapping table in association with the source address of the received packet; and
  
  in response to finding the security parameters index in the mapping table in association with the source address of the received packet, recording a time stamp, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, the time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, received with the header, routing the received packet to a local address comprising a medium access control address associated with the security parameters index and the source address in the mapping table, the local address not being the public address of the gateway computer, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.
- View Dependent Claims (11, 12, 13)
- - 11. The method of claim 10 wherein the public address is available to the gateway computer.
  - 12. The method of claim 11 wherein the public address is assignable from a pool of public addresses by the gateway computer.
  - 13. The method of claim 10 further comprising identifying the security parameters index with a type of security, the type of security stored in the mapping table in association with the security parameters index.

14. A computer-readable medium having stored thereon a plurality of instructions which, when executed by a gateway computer in at least partial response to a received packet having a source address and a public address of a gateway computer, causes execution of a method comprising:
- checking for the source address in a mapping table listed in association with the public address of the gateway computer;
  
  setting a pending bit in a field in the mapping table associated with the local computer;
  
  obtaining a security parameters index from the received packet;
  
  checking for the security parameters index in the mapping table in association with the source address of the received packet; and
  
  in response to finding the security parameters index in the mapping table in association with the source address of the received packet, routing the received packet to a local address comprising a medium access control address associated with the security parameters index and the source address in the mapping table, the local address not being the public address of the gateway computer, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.
- View Dependent Claims (15)
- - 15. The computer-readable medium of claim 14 wherein the method further comprises checking the public address of the received packet as being in the mapping table as an assigned public address for the focal address for communication with the source address, the source address being a non-local source address.

16. A method for security enhanced communication from a client computer behind a gateway computer to a destination computer, the method comprising:
- providing a public address for the gateway computer to the client computer;
  
  providing a medium access control address to the client computer;
  
  sending a packet from the client computer to the destination computer, the packet including a remote address for the destination computer, the medium access control (MAC) address and the public address;
  
  receiving the packet at the gateway computer, the gateway computer storing the medium access control number in association with the remote address;
  
  setting an initiator indicator to identify that a security parameter index for the remote address is yet to be received; and
  
  sending the message with the public address, and without the medium access control address, to the destination computer for establishing the security enhanced communication over a non-secure network, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, and storing a security parameter index (SPI) received from the remote computer in a mapping table maintained by the gateway computer in association with the MAC to establish secure bidirectional communications between the client computer to the destination computer, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
NVIDIA Corporation
Original Assignee
NVIDIA Corporation
Inventors
Sidenblad, Paul J., Nanda, Sameer, Maufer, Thomas Albert
Primary Examiner(s)
Lim, Krisna
Assistant Examiner(s)
CHEA, PHILIP J

Application Number

US10/172,352
Publication Number

US 20030233452A1
Time in Patent Office

1,629 Days
Field of Search

709/245, 709/249, 709/205, 709/230, 370/389, 726/11, 726/12, 726/14
US Class Current

709/205
CPC Class Codes

H04L 61/10   of different types

H04L 61/2514   between local and global IP...

H04L 61/255   Maintenance or indexing of ...

H04L 61/2557   Translation policies or rules

H04L 61/256   NAT traversal

H04L 61/5007   Internet protocol [IP] addr...

H04L 61/5014   using dynamic host configur...

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 69/24   Negotiation of communicatio...

Method and apparatus for security protocol and address translation integration

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

68 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method and apparatus for security protocol and address translation integration

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

68 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links