Method and apparatus for security protocol and address translation integration
First Claim
1. A method for enhanced security when communicating over a network between a client computer behind a network address translation (NAT) configured gateway computer, and a remote computer, in response to the client computer making a first request for an IP address from the gateway computer, the method comprising:
- providing a public address from the gateway computer to the client computer, the public address being one of a gateway computer public address and a pool of gateway computer public addresses and being associated with a medium access control address for the client computer;
- participating in a security association negotiation with the remote computer to obtain a security parameter index (SPI) from the remote computer provided to the gateway computer;
- obtaining an initiator indicator comprising a negotiation status bit associated with the security association negotiation from the client computer; and
- using the SPI as an indicator to record a local address for the client computer in association with a destination address for the remote computer, the local address and the destination address being obtained from the security association negotiation and recorded in a mapping table accessible by the gateway computer in association with the medium access control address, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, to establish a unique secure communication between the client and the remote computer, the SPI thereafter being used to direct an incoming data packet from the remote computer to the client computer.
Abstract
Method and apparatus for Internet Protocol Security (IPSec) and Network Address Translation (NAT) integration is described. A client obtains a public address from a gateway for IPSec communication. A mapping table is used to form associations between a local address for the client and a destination address for a peer, an Internet Security Association and Key Management Protocol (ISAKMP) Initiator Cookie and a Security Parameters Index associated with communication between the client and the peer. Incoming and outgoing routing may be done at the gateway using the mapping table.
68 Citations
16 Claims
9. A method for processing an Internet Protocol Security (IPsec) packet from one of a plurality of local computers connected via a Network Address Translation (NAT) gateway computer, the packet to be sent to a remote computer, comprising:
- checking at the NAT gateway computer for a public Internet Protocol (IP) source address for the IPsec packet assignable to the NAT gateway computer to one of the local computers;
- in response to the public IP source address being assigned by the NAT gateway computer, confirming the IPsec packet was sent by a remote computer including storing a medium access control (MAC) address for the local computer in a mapping table in association with the public IP source address of the local computer;
- obtaining an initiator indicator comprising a negotiation status bit associated with the security association negotiation from the client computer;
- recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header; and
- transmitting to the destination address of the remote computer the IPsec packet without translating the public IP source address in response to confirmation that the IPsec packet was sent by the local computer to the remote computer utilizing a remote-to-local security parameter index (SPI) sent by the remote computer, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.
10. A method for routing a received packet having a source address comprising an address of a remote computer which transmitted the packet and a public address of a gateway computer which received the packet, comprising:
- checking for the source address in a mapping table listed in association with the public address of the gateway computer;
- setting a pending bit in a field in the mapping table associated with the local computer;
- obtaining a security parameters index (SPI) from the received packet;
- checking for the security parameters index in the mapping table in association with the source address of the received packet; and
- in response to finding the security parameters index in the mapping table in association with the source address of the received packet, recording a time stamp, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, the time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, received with the header, routing the received packet to a local address comprising a medium access control address associated with the security parameters index and the source address in the mapping table, the local address not being the public address of the gateway computer, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.
14. A computer-readable medium having stored thereon a plurality of instructions which, when executed by a gateway computer in at least partial response to a received packet having a source address and a public address of a gateway computer, causes execution of a method comprising:
- checking for the source address in a mapping table listed in association with the public address of the gateway computer;
- setting a pending bit in a field in the mapping table associated with the local computer;
- obtaining a security parameters index from the received packet;
- checking for the security parameters index in the mapping table in association with the source address of the received packet; and
- in response to finding the security parameters index in the mapping table in association with the source address of the received packet, routing the received packet to a local address comprising a medium access control address associated with the security parameters index and the source address in the mapping table, the local address not being the public address of the gateway computer, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.
16. A method for security enhanced communication from a client computer behind a gateway computer to a destination computer, the method comprising:
- providing a public address for the gateway computer to the client computer;
- providing a medium access control address to the client computer;
- sending a packet from the client computer to the destination computer, the packet including a remote address for the destination computer, the medium access control (MAC) address and the public address;
- receiving the packet at the gateway computer, the gateway computer storing the medium access control number in association with the remote address;
- setting an initiator indicator to identify that a security parameter index for the remote address is yet to be received; and
- sending the message with the public address, and without the medium access control address, to the destination computer for establishing the security enhanced communication over a non-secure network, recording the initiator indicator in the mapping table in association with the local address, the medium access control address, a time stamp, and a security protocol type identifier in response to the existence of at least one type of security protocol header, and storing a security parameter index (SPI) received from the remote computer in a mapping table maintained by the gateway computer in association with the MAC to establish secure bidirectional communications between the client computer to the destination computer, thereby establishing a unique secure communication between the remote computer and a single local computer behind the gateway computer without a third party certification of the communication.
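The mapping-table behaviour that claims 9, 10, 14 and 16 describe, as an added illustration (this is not code from the patent or its assignee): on the outbound negotiation the gateway records the local MAC against the remote address with a pending bit set; once the SPI for the security association is known it is bound to that entry; an inbound ESP or AH packet is then routed by looking up (source address, protocol, SPI), since ESP and AH carry no port numbers for ordinary NAT to key on. The class and method names, the decision to key lookups on the peer address and protocol as well as the SPI, and the sample addresses and packets are assumptions or constructions of mine; the SPI offsets follow the ESP and AH header layouts (first four bytes of ESP per RFC 4303, bytes 4 to 8 of AH per RFC 4302). How the gateway learns the SPI from the negotiation itself is not modelled, it is simply passed in.

```python
"""SPI-keyed NAT mapping table: added illustration, not the patent's own code."""
import struct
from dataclasses import dataclass
from typing import List, Optional

ESP = 50  # IP protocol number for ESP (RFC 4303); SPI is the first 4 bytes of the header
AH = 51   # IP protocol number for AH (RFC 4302); SPI sits at byte offset 4


@dataclass
class Entry:
    mac: str                   # local host's MAC address (the "local address" routed to)
    remote: str                # peer IP the security association is with
    proto: int                 # security protocol type identifier (ESP or AH)
    spi: Optional[int] = None  # SPI inbound packets will carry; None until learned
    pending: bool = True       # initiator indicator / pending bit: SPI not yet received
    ts: float = 0.0            # time stamp of last activity, used for expiry


class MappingTable:
    def __init__(self, public_ip: str):
        self.public_ip = public_ip   # the single public address local hosts appear as
        self.entries: List[Entry] = []

    def _find(self, **keys) -> Optional[Entry]:
        for e in self.entries:
            if all(getattr(e, k) == v for k, v in keys.items()):
                return e
        return None

    def outbound(self, mac: str, remote: str, proto: int, now: float) -> str:
        """Local host starts a security association toward `remote` (claim 16 steps):
        record MAC against the remote address, mark the SPI pending, and return the
        untranslated public address the packet leaves with."""
        e = self._find(mac=mac, remote=remote, proto=proto)
        if e is None:
            e = Entry(mac=mac, remote=remote, proto=proto)
            self.entries.append(e)
        e.pending, e.ts = True, now
        return self.public_ip

    def learn_spi(self, mac: str, remote: str, proto: int, spi: int, now: float) -> bool:
        """Bind the SPI received during the negotiation to the pending entry.
        Refuses an SPI already bound for the same peer and protocol: two local hosts
        sharing one (peer, proto, SPI) tuple could not be told apart on inbound."""
        if self._find(remote=remote, proto=proto, spi=spi) is not None:
            return False
        e = self._find(mac=mac, remote=remote, proto=proto)
        if e is None:
            return False
        e.spi, e.pending, e.ts = spi, False, now
        return True

    def inbound(self, src_ip: str, proto: int, payload: bytes, now: float) -> Optional[str]:
        """Route a received ESP/AH packet (claim 10 steps): extract the SPI, look it up
        together with the source address, refresh the time stamp, return the MAC to
        deliver to. Unknown or still-pending associations return None (drop)."""
        spi = extract_spi(proto, payload)
        if spi is None:
            return None
        e = self._find(remote=src_ip, proto=proto, spi=spi)
        if e is None or e.pending:
            return None
        e.ts = now
        return e.mac

    def expire(self, now: float, max_age: float) -> int:
        """Drop entries idle longer than max_age; returns how many were removed."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if now - e.ts <= max_age]
        return before - len(self.entries)


def extract_spi(proto: int, payload: bytes) -> Optional[int]:
    """Pull the SPI out of an ESP or AH header; None for anything else or too short."""
    if proto == ESP and len(payload) >= 8:          # SPI(4) + sequence(4) minimum
        return struct.unpack("!I", payload[:4])[0]
    if proto == AH and len(payload) >= 12:          # nh(1) len(1) rsv(2) SPI(4) seq(4)
        return struct.unpack("!I", payload[4:8])[0]
    return None


def demo() -> dict:
    """Two local hosts talk to the same peer; inbound packets are demultiplexed by SPI.
    Addresses are constructed from documentation ranges; packets are constructed headers."""
    t = MappingTable("203.0.113.1")
    t.outbound("aa:bb:cc:00:00:01", "198.51.100.7", ESP, now=100.0)
    t.outbound("aa:bb:cc:00:00:02", "198.51.100.7", ESP, now=101.0)
    t.learn_spi("aa:bb:cc:00:00:01", "198.51.100.7", ESP, 0x1000, now=102.0)
    t.learn_spi("aa:bb:cc:00:00:02", "198.51.100.7", ESP, 0x2000, now=103.0)
    esp_to_host1 = struct.pack("!II", 0x1000, 1) + b"\x00" * 16  # SPI, seq, opaque payload
    esp_to_host2 = struct.pack("!II", 0x2000, 1) + b"\x00" * 16
    esp_unknown = struct.pack("!II", 0x3000, 1) + b"\x00" * 16
    return {
        "host1": t.inbound("198.51.100.7", ESP, esp_to_host1, now=110.0),
        "host2": t.inbound("198.51.100.7", ESP, esp_to_host2, now=110.0),
        "unknown_spi": t.inbound("198.51.100.7", ESP, esp_unknown, now=110.0),
        "wrong_peer": t.inbound("198.51.100.9", ESP, esp_to_host1, now=110.0),
    }
```

The lookup is keyed on (peer address, protocol, SPI) rather than the SPI alone, so two peers that happen to pick the same SPI value cannot be confused, and an SPI that is already bound for a peer is refused a second binding. Packets for an unknown SPI or for an association still in the pending state are dropped instead of being delivered to a guess, and the per-entry time stamp lets idle associations be expired.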
Specification