Method and apparatus for traversing a translation device with a security protocol
First Claim
1. A method for sending user datagram protocol encapsulated encapsulating security protocol packets through a network address translation device on a private network from a client on the private network to a server on a public network, using a key management and exchange protocol negotiation, comprising:
determining whether both the client and server are capable of sending the user datagram protocol encapsulated encapsulating security protocol packets, wherein the client sends a first key management and exchange protocol packet to the server and receives a second key management and exchange protocol packet from the server, the first and second key management and exchange protocol packets sent over first source and destination user datagram protocol ports;
creating an entry in a data structure that uniquely identifies a connection between the client and the server exchanging key management and exchange protocol packets sent over the first source and destination user datagram protocol ports, the entry including at least an internet protocol address of the client and an internet protocol address of the server;
determining whether at least one of the client or the server operate behind the network address translation device; and
if it is determined that at least one of the client or the server operate behind the network address translation device;
selecting second source and destination ports, the second source and destination ports being distinct from the first source and destination ports; and
sending the user datagram protocol encapsulated encapsulating security protocol packets over the second source and destination ports so that the user datagram protocol encapsulated encapsulating security protocol packets are able to traverse the network address translation device, wherein the server identifies the client using the data structure;
wherein the network address translation device interprets the user datagram protocol encapsulated encapsulating security protocol packets designating the first destination port as key management and exchange protocol packets and user datagram protocol encapsulated encapsulating security protocol packets designating the second destination port as non-key management and exchange protocol packets.
Abstract
The invention uses a three-phase IKE main mode negotiation to implement a port float algorithm that permits UDP-encapsulated ESP traffic to traverse an IPSec-aware NAT. The NAT is connected to a plurality of client computers on a private network and provides an interface between the client computers and a server connected to a public network. In a first phase, a client and the server determine whether both are capable of sending UDP-encapsulated ESP packets. In a second phase, the client and server conduct NAT discovery and determine whether the client, the server, or both operate behind a NAT. In a third phase, the client and server initiate the port float algorithm, moving the destination UDP port specified in IKE packets from a first port value to a second port value. The server maintains a data structure that allows it to identify the client sending IKE packets after exiting the second phase and entering the third phase.
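The three-phase negotiation described in the abstract and in claim 1, simulated in Python as an added illustration (this is not code from the patent). The port values 500 and 4500, the vendor ID string, the NAT's public address and the cookie derivation are constructed assumptions, and the NAT discovery step only reproduces the hash-comparison idea, not any exact wire format.

```python
import hashlib
from dataclasses import dataclass, field

IKE_PORT, FLOAT_PORT = 500, 4500   # assumed first/second port values (4500 is what RFC 3947 uses)
VID = b"udp-esp-capable"           # constructed vendor ID advertising UDP-encapsulated ESP support

@dataclass
class Packet:                      # the parts of an IKE-over-UDP packet the simulation needs
    src_ip: str
    src_port: int
    dst_port: int
    cookie: bytes                  # IKE initiator cookie: the unique id the server keys its table on
    payload: dict = field(default_factory=dict)

def natd_hash(ip, port):           # NAT discovery hash of an address/port pair as the sender sees it
    return hashlib.sha1(f"{ip}:{port}".encode()).digest()

def through_nat(pkt, public_ip, public_port):   # simulated NAT: rewrites the outer source only
    return Packet(public_ip, public_port, pkt.dst_port, pkt.cookie, pkt.payload)

class Server:
    def __init__(self, ip):
        self.ip, self.table = ip, {}   # cookie -> {client_ip, server_ip}, created in phase 1

    def phase1(self, pkt):             # capability exchange over the first port
        if pkt.payload.get("vid") != VID:
            return None                # peer is not UDP-ESP capable: no entry, no port float
        self.table[pkt.cookie] = {"client_ip": pkt.src_ip, "server_ip": self.ip}
        return {"vid": VID}

    def phase2(self, pkt):             # NAT discovery: a hash mismatch means an address was rewritten
        behind_nat = pkt.payload["natd"] != natd_hash(pkt.src_ip, pkt.src_port)
        return {"float_to": FLOAT_PORT if behind_nat else None}

    def phase3(self, pkt):             # port float: identify the client by cookie, not by address
        entry = self.table.get(pkt.cookie)
        if entry is None or pkt.dst_port != FLOAT_PORT:
            return None
        return entry["client_ip"]      # the address the server saw in phase 1 (the NAT's, if any)

def negotiate(client_ip, server, behind_nat, nat_ip="203.0.113.7", nat_port=61000):
    """Run all three phases; returns (client ip as identified by the server, port ESP will use)."""
    cookie = hashlib.sha1(client_ip.encode()).digest()[:8]   # stand-in for a random initiator cookie
    send = (lambda p: through_nat(p, nat_ip, nat_port)) if behind_nat else (lambda p: p)
    if server.phase1(send(Packet(client_ip, IKE_PORT, IKE_PORT, cookie, {"vid": VID}))) is None:
        return None, None
    natd = {"natd": natd_hash(client_ip, IKE_PORT)}
    if server.phase2(send(Packet(client_ip, IKE_PORT, IKE_PORT, cookie, natd)))["float_to"] is None:
        return client_ip, IKE_PORT                 # no NAT in the path: keep the first port
    return server.phase3(send(Packet(client_ip, FLOAT_PORT, FLOAT_PORT, cookie))), FLOAT_PORT
```

For a client behind the NAT the server's table holds the NAT's public address, so after the float it can only match the third IKE packet by cookie; a packet on the floated port with an unknown cookie is dropped rather than treated as a new IKE negotiation.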
20 Claims
9. A method for receiving user datagram protocol encapsulated encapsulating security protocol packets at a server on a public network, the user datagram protocol encapsulated encapsulating security protocol packets being sent from a client operating behind a network address translation device on a private network, comprising:
receiving a first key management and exchange protocol packet and sending a second key management and exchange protocol packet, the first and second key management and exchange protocol packets designating a first destination port and including a vendor identification value indicating a capability to send the user datagram protocol encapsulated encapsulating security protocol packets;
storing a value identifying a connection between the client and the server exchanging key management and exchange protocol packets designating the first destination port;
determining that at least the client operates behind the network address translation device; and
if it is determined that at least the client operates behind the network address translation device;
selecting a second destination port, the second destination port being distinct from the first destination port;
receiving a third key management and exchange protocol packet designating the second destination port;
determining that the third key management and exchange protocol packet is sent by the client by comparing a unique identification within the third key management and exchange protocol packet to the stored value; and
receiving the user datagram protocol encapsulated encapsulating security protocol packets sent over the second destination port, the user datagram protocol encapsulated encapsulating security protocol packets designating the second destination port, so that the user datagram protocol encapsulated encapsulating security protocol packets are able to traverse the network address translation device.
13. Computer storage media having computer executable instructions for sending user datagram protocol encapsulated encapsulating security protocol packets through a network address translation device on a private network from a client on the private network to a server on a public network, using a key management and exchange protocol negotiation, comprising:
determining whether both the client and server are capable of sending the user datagram protocol encapsulated encapsulating security protocol packets, wherein the client sends a first key management and exchange protocol packet to the server and receives a second key management and exchange protocol packet from the server, the first and second key management and exchange protocol packets sent over first source and destination user datagram protocol ports;
creating an entry in a data structure that uniquely identifies a connection between the client and the server exchanging key management and exchange protocol packets sent over the first source and destination user datagram protocol ports, the entry including at least an internet protocol address of the client and an internet protocol address of the server;
determining whether at least one of the client or the server operate behind the network address translation device; and
if it is determined that at least one of the client or the server operate behind the network address translation device;
selecting second source and destination ports, the second source and destination ports being distinct from the first source and destination ports; and
sending the user datagram protocol encapsulated encapsulating security protocol packets over the second source and destination ports so that the user datagram protocol encapsulated encapsulating security protocol packets are able to traverse the network address translation device, wherein the server identifies the client using the data structure.
18. Computer storage media having computer executable instructions for receiving user datagram protocol encapsulated encapsulating security protocol packets at a server on a public network, the user datagram protocol encapsulated encapsulating security protocol packets being sent from a client operating behind a network address translation device on a private network, comprising:
receiving a first key management and exchange protocol packet and sending a second key management and exchange protocol packet, the first and second key management and exchange protocol packets designating a first destination port and including a vendor identification value indicating a capability to send the user datagram protocol encapsulated encapsulating security protocol packets;
storing a value identifying a connection between the client and the server exchanging key management and exchange protocol packets designating the first destination port;
determining that at least the client operates behind the network address translation device; and
if it is determined that at least the client operates behind the network address translation device;
selecting a second destination port, the second destination port being distinct from the first destination port;
receiving a third key management and exchange protocol packet designating the second destination port;
determining that the third key management and exchange protocol packet is sent by the client by comparing a unique identification within the third key management and exchange protocol packet to the stored value; and
receiving user datagram protocol encapsulated encapsulating security protocol packets sent over the second destination port, the user datagram protocol encapsulated encapsulating security protocol packets designating the second destination port, so that the user datagram protocol encapsulated encapsulating security protocol packets are able to traverse the network address translation device.