Method and arrangement for providing security through network address translations using tunneling and compensations
First Claim
1. A method for tunneling packets between a first computer device and a second computer device through a packet-switched data transmission network including intermediate computer devices, where at least one of said computer devices may perform a network address translation and/or a protocol conversion and in which data transmission network there exists a security protocol comprising a key management connection that employs a specific packet format for key management packets, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a data path between said first computer device and said second computer device;
- if it is found that network address translations or protocol conversions occur in the data path, said first computer device encapsulating data packets that are not key management packets into said specific packet format for key management packets;
- transmitting said data packets encapsulated into the specific packet format from said first computer device to said second computer device;
- discriminating by said second computer device the data packets encapsulated into the specific packet format from actual key management packets; and
- decapsulating by said second computer device the data packets encapsulated into the specific packet format.
Abstract
This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
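The abstract and claim 1 describe carrying IPsec data packets inside the key management (UDP) packet stream so that a NAT passes them, with the receiver telling real key management packets apart from encapsulated data. The following is an added illustration written for this page, not code from the patent; it assumes a 4-byte all-zero marker in front of genuine key management packets as the discriminator (the patent text names no specific marker; the same idea was later standardised as the Non-ESP marker of RFC 3948) and a NAT detection step that hashes the address and port a peer believes it uses and compares it with what the other side observes (as the NAT-D payloads of RFC 3947 do). Addresses and packet contents are constructed.

```python
"""UDP-encapsulating ESP in the key management stream and discriminating at
the receiver. Constructed example, not the patent's own code.

Assumptions not stated in the patent text:
  * key management runs over UDP and each key management packet is prefixed
    with a 4-byte all-zero marker, while an ESP packet begins with a non-zero
    32-bit SPI, so the first four bytes tell the two apart;
  * NAT detection compares a hash of the address/port a peer believes it uses
    with the outer header the other side actually observes.
"""
import hashlib
import struct
from dataclasses import dataclass

NON_ESP_MARKER = b"\x00\x00\x00\x00"   # assumed discriminator for key management packets


@dataclass
class UdpDatagram:
    """A UDP datagram as seen on the wire: outer (ip, port) pairs plus payload."""
    src: tuple
    dst: tuple
    payload: bytes


def address_hash(ip: str, port: int) -> bytes:
    """Hash of the address/port a host believes it is sending from."""
    return hashlib.sha256(f"{ip}:{port}".encode()).digest()[:8]


def nat_present(claimed_hash: bytes, observed_src: tuple) -> bool:
    """Receiver side: a translation is in the path if the hash the peer sent
    over the key management connection does not match the observed outer header."""
    return address_hash(*observed_src) != claimed_hash


def encapsulate_key_mgmt(ike_msg: bytes) -> bytes:
    """Real key management packets carry the marker in front of the message."""
    return NON_ESP_MARKER + ike_msg


def encapsulate_esp(esp_packet: bytes) -> bytes:
    """Data packets ride unchanged in the key management UDP stream; an SPI of
    zero would be mistaken for the marker, so it is rejected."""
    (spi,) = struct.unpack("!I", esp_packet[:4])
    if spi == 0:
        raise ValueError("ESP SPI must be non-zero to be distinguishable from the marker")
    return esp_packet


def discriminate(payload: bytes):
    """Return ('ike', message) or ('esp', packet) based on the first four bytes."""
    if len(payload) < 4:
        raise ValueError("payload too short to be either packet type")
    if payload[:4] == NON_ESP_MARKER:
        return "ike", payload[4:]
    return "esp", payload


def nat_rewrite(dgram: UdpDatagram, public_ip: str, public_port: int) -> UdpDatagram:
    """A NAT rewrites only the outer source address/port; the UDP payload, and
    with it the ESP packet, passes through untouched."""
    return UdpDatagram((public_ip, public_port), dgram.dst, dgram.payload)


def build_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """Minimal ESP-shaped packet: SPI, sequence number, then protected data."""
    return struct.pack("!II", spi, seq) + ciphertext


def run_exchange():
    """Walk through detection, conditional encapsulation and decapsulation.
    Addresses are constructed documentation-range values."""
    private = ("10.0.0.5", 4500)
    public = ("203.0.113.7", 40001)      # what the NAT rewrites the source to
    server = ("198.51.100.2", 4500)

    # Step 1: a key management packet carries the sender's own address hash;
    # the server compares it with the outer header it actually sees.
    ike_msg = b"IKE_SA_INIT" + address_hash(*private)
    on_wire = nat_rewrite(UdpDatagram(private, server, encapsulate_key_mgmt(ike_msg)), *public)
    kind, msg = discriminate(on_wire.payload)
    translated = nat_present(msg[-8:], on_wire.src)

    # Step 2: a translation was found, so ESP goes inside the same UDP stream
    # (without a NAT it would be sent as a native ESP packet instead).
    esp = build_esp(0x1234, 1, b"protected-bytes")
    data_on_wire = nat_rewrite(UdpDatagram(private, server, encapsulate_esp(esp)), *public)
    kind2, recovered = discriminate(data_on_wire.payload)
    return translated, kind, kind2, recovered == esp
```

`run_exchange()` returns `(True, "ike", "esp", True)`: the NAT is detected from the mismatched address hash, the key management packet and the encapsulated ESP packet are classified correctly, and the ESP packet comes out of decapsulation byte-for-byte intact because the NAT only touched the outer header.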
9 Claims
3. A method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network including intermediate computer devices, where at least one of said computer devices may perform a network address translation and/or a protocol conversion, wherein a security protocol is employed which determines transport-mode processing of packets for transmission and reception, and wherein a high-level protocol checksum has been determined for checking the integrity of received packets, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a data path between said first computer device and said second computer device;
- performing, by said first computer device, transport-mode processing for packets to be transmitted to said second computer device;
- performing, by said second computer device, transport-mode processing for packets received from the first computer device, said transport-mode processing comprising the decapsulation of received packets; and
- if it was found that network address translations or protocol conversions occur in the data path, updating said high-level protocol checksum for decapsulated packets by said second computer device for compensating for changes, if any, caused by network address translations or protocol conversions.
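Claim 3 covers the transport-mode case: the TCP or UDP header sits inside the protected payload, so a NAT that rewrites the outer source address cannot update the inner checksum, and the receiver must compensate after decapsulation. The following is an added illustration written for this page, not the patent's own code; it builds a constructed TCP segment whose checksum was computed for the original source address, shows that it fails verification against the translated address the receiver sees, and patches the checksum with the incremental ones-complement update of RFC 1624 using only the old and new address bytes (learned from the detection step), which is cheaper than recomputing over the whole segment.

```python
"""Compensating a TCP checksum after transport-mode decapsulation when a NAT
rewrote the outer source address. Constructed example, not the patent's own
code; the incremental update follows RFC 1624.
"""
import socket
import struct

TCP_PROTO = 6
CHECKSUM_OFFSET = 16       # offset of the checksum field in a TCP header


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum arithmetic: 16-bit ones-complement sum with carry folding."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, length: int) -> bytes:
    """TCP pseudo-header: the part of the checksum that depends on IP addresses."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, TCP_PROTO, length))


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Full recomputation over pseudo-header plus segment (checksum field zeroed)."""
    zeroed = segment[:CHECKSUM_OFFSET] + b"\x00\x00" + segment[CHECKSUM_OFFSET + 2:]
    return (~ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + zeroed)) & 0xFFFF


def verify_tcp(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """A correct segment sums to 0xFFFF when the stored checksum is included."""
    return ones_complement_sum(pseudo_header(src_ip, dst_ip, len(segment)) + segment) == 0xFFFF


def incremental_update(old_checksum: int, old_bytes: bytes, new_bytes: bytes) -> int:
    """RFC 1624 eqn. 3, HC' = ~(~HC + ~m + m'), applied per 16-bit word of the
    replaced field; only the changed bytes are needed, not the whole packet."""
    acc = (~old_checksum) & 0xFFFF
    for (old_word,), (new_word,) in zip(struct.iter_unpack("!H", old_bytes),
                                        struct.iter_unpack("!H", new_bytes)):
        acc += ((~old_word) & 0xFFFF) + new_word
    while acc >> 16:
        acc = (acc & 0xFFFF) + (acc >> 16)
    return (~acc) & 0xFFFF


def compensate_after_nat(segment: bytes, original_src: str, observed_src: str) -> bytes:
    """Receiver-side compensation: the decapsulated segment's checksum was built
    for original_src; rewrite it so the segment validates against observed_src,
    the address now in the outer IP header."""
    (old,) = struct.unpack_from("!H", segment, CHECKSUM_OFFSET)
    new = incremental_update(old, socket.inet_aton(original_src), socket.inet_aton(observed_src))
    return segment[:CHECKSUM_OFFSET] + struct.pack("!H", new) + segment[CHECKSUM_OFFSET + 2:]


def build_segment(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Constructed TCP segment with a valid checksum for (src_ip, dst_ip)."""
    header = struct.pack("!HHIIBBHHH", 50000, 443, 1000, 0, 5 << 4, 0x18, 65535, 0, 0)
    segment = header + payload
    cks = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:CHECKSUM_OFFSET] + struct.pack("!H", cks) + segment[CHECKSUM_OFFSET + 2:]


# Constructed scenario: inner host 10.0.0.5 is translated to 203.0.113.7 on the
# way to 198.51.100.2; the TCP segment is inside ESP, so the NAT never sees it.
ORIGINAL_SRC, NAT_SRC, DST = "10.0.0.5", "203.0.113.7", "198.51.100.2"
INNER_SEGMENT = build_segment(ORIGINAL_SRC, DST, b"GET / HTTP/1.0\r\n")
```

`verify_tcp(NAT_SRC, DST, INNER_SEGMENT)` is false straight after decapsulation and true after `compensate_after_nat(INNER_SEGMENT, ORIGINAL_SRC, NAT_SRC)`. The same update applies to a translated source port when that field is inside the protected payload as well; for UDP, a result of zero must be stored as 0xFFFF, since a zero UDP checksum means "no checksum".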
8. A method for maintaining a connection between a first computer device and a second computer device through a packet-switched data transmission network, where a network address translation and/or a protocol conversion may be performed on packets transmitted on a data path between said first computer device and said second computer device, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in the data path between said first computer device and said second computer device; and
- if it is found that network address translations or protocol conversions occur in the data path, forcing at least one of said first computer device and said second computer device to transmit to the other computer device keep alive packets with address information identical to that of actual data packets at a high enough frequency so that any network address translation devices in said data path constantly maintain the mappings used for network address translation, even when a certain fraction of the packets communicated between the first computer device and the second computer device are lost in the network.
9. A method for receiving data transmitted in tunneled, secure packets sent from a first computer device to a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said intermediate computer devices may perform a network address translation or a protocol conversion resulting in alteration of a packet propagating therethrough, and wherein said tunneled, secure packets may comprise packets of a first secure protocol encapsulated in packets of a second protocol which can pass through network address translations or protocol conversions, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a data path between said first computer device and said second computer device;
- if it is found that network address translations or protocol conversions occur in the data path, decapsulating, by said second computer device, packets received from said first computer device and conforming to said second protocol to recover packets conforming to said first protocol; and
- said second computer device using said first secure protocol to recover data transmitted in said first secure protocol packets.