Method and arrangement for providing security through network address translations using tunneling and compensations
Abstract
This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
19 Claims
1. A method for secure communications between a first device and a second device in a data communications system, the method comprising:
- receiving by the second device from the first device an Internet Key Exchange standard (IKE) key management packet communicated according to Uniform Datagram Protocol (UDP) as a part of IKE negotiations for establishing secure communications between the first device and the second device in a packet-based data communications system where a network address translation is possible between the first device and the second device and the first device has set a destination port field in the IKE key management packet to a standard port number for IKE;
- determining and saving by the second device a UDP source port of the received IKE key management packet; and
- sending a data packet using the UDP port number and Internet Protocol (IP) address of the first device determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the first device appears to be sending packets.

(Dependent claims: 2, 3, 4)
5. A method of establishing secure communications between a first device and a second device in a data communications system, the method comprising:
- initiating negotiations in accordance with the Internet Key Exchange standard (IKE) by sending an IKE key management packet between the devices using Uniform Datagram Protocol (UDP) for establishing secure communications between the devices in a packet-based data communications system where a network address translation is possible between the devices, wherein a destination port field in the IKE key management packet is set to a standard port number for IKE;
- determining and saving by the first device a UDP source port of an IKE key management packet received from the second device; and
- sending a data packet using the UDP port number and Internet Protocol (IP) address of the second device determined during the IKE negotiations, wherein the destination port field of the packet is set to the port number from which the second network device appears to be sending packets.

(Dependent claims: 6, 7, 8)
9. An apparatus comprising:
at least one memory including computer program code; and at least one processor, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to:
- process Internet Key Exchange standard (IKE) negotiations between a first device and a second device for establishing secure communications between the devices in a packet-based data communications system where a network address translation is possible between the devices, wherein an IKE key management packet is received from the first device according to Uniform Datagram Protocol (UDP) as a part of the IKE negotiations and the first device has set a destination port field in the IKE key management packet to a standard port number for IKE;
- determine and save a UDP source port of the IKE key management packet; and
- send a data packet using the UDP port number and Internet Protocol (IP) address of the other device determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the other device appears to be sending packets.

(Dependent claims: 10, 11, 12)
13. An apparatus comprising:
at least one memory including computer program code; and at least one processor, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least to:
- initiate negotiations in accordance with the Internet Key Exchange standard (IKE) by sending an IKE key management packet between a first device and a second device using Uniform Datagram Protocol (UDP) for establishing secure communications between the first device and the second device in a packet-based data communications system where a network address translation is possible between the first device and the second device, wherein a destination port field in the IKE key management packet is set to a standard port number for IKE;
- determine and save a UDP source port of an IKE key management packet received from the second device; and
- send a data packet using the UDP port number and Internet Protocol (IP) address of the second device determined during the IKE negotiations, wherein the destination port field of the packet is set to the port number from which the second device appears to be sending packets.

(Dependent claims: 14, 15, 16)
17. A non-transitory computer readable medium for secure communications between devices in a data communications system, comprising program code for causing a processor to perform instructions for:
- communication of an Internet Key Exchange standard (IKE) key management packet according to Uniform Datagram Protocol (UDP) as a part of IKE negotiations for establishing secure communications between the devices in a packet-based data communications system where a network address translation is possible between the devices and a destination port field in the IKE key management packet is set to a standard port number for IKE;
- determining and saving of a UDP source port of an IKE key management packet received from the other device; and
- sending of a data packet using the UDP port number and Internet Protocol (IP) address determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the other device appears to be sending packets.

(Dependent claims: 18, 19)
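The procedure shared by claims 1, 5, 9, 13 and 17, as an added simulation that is not part of the patent: the responder saves the initiator's apparent UDP source IP and port from the IKE packet it received on the standard IKE port and addresses the UDP-encapsulated data packet to that IP and port, set beside the naive behaviour of replying to the standard port, which a port-translating NAT has no mapping for and drops. The NAT model, the addresses, the cookie handling and the payload bytes are all constructed for the example.

```python
"""Simulation of the NAT-compensation method in the claims (added example, not the
patent's code): the responder saves the *apparent* UDP source IP/port of the initiator's
IKE packet and sends UDP-encapsulated data back to that IP/port, not to the standard
IKE port.  The NAT model, addresses, cookie handling and payloads are constructed."""
from collections import namedtuple
IKE_PORT = 500  # standard IKE port; the initiator sets this as the destination port
UdpPacket = namedtuple("UdpPacket", "src_ip src_port dst_ip dst_port payload")

class Nat:
    """Port-translating NAT: rewrites private ip:port to public_ip:pub_port and back."""
    def __init__(self, public_ip, first_port=40000):
        self.public_ip, self.next_port, self.out, self.back = public_ip, first_port, {}, {}
    def outbound(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if key not in self.out:  # new private flow: allocate a fresh public port
            self.out[key], self.back[self.next_port] = self.next_port, key
            self.next_port += 1
        return UdpPacket(self.public_ip, self.out[key], pkt.dst_ip, pkt.dst_port, pkt.payload)
    def inbound(self, pkt):
        if pkt.dst_port not in self.back:  # no mapping for this port: the NAT drops it
            return None
        ip, port = self.back[pkt.dst_port]
        return UdpPacket(pkt.src_ip, pkt.src_port, ip, port, pkt.payload)

class Responder:
    def __init__(self, ip, compensate=True):
        self.ip, self.compensate, self.peers = ip, compensate, {}
    def receive_ike(self, pkt):
        """Accept IKE only on the standard port; save the peer's apparent source ip:port."""
        if pkt.dst_port != IKE_PORT:
            return False
        cookie = pkt.payload[:8]  # constructed: first 8 bytes stand for the initiator cookie/SPI
        self.peers[cookie] = (pkt.src_ip, pkt.src_port)
        return True
    def send_data(self, cookie, esp):
        """Data packet to the saved port (compensating) or to port 500 (naive, for contrast)."""
        ip, port = self.peers[cookie]
        return UdpPacket(self.ip, IKE_PORT, ip, port if self.compensate else IKE_PORT, esp)

def run_exchange(compensate):
    """Initiator 10.0.0.5 behind a NAT; returns the private ip:port that got the data, else None."""
    nat, resp = Nat("203.0.113.7"), Responder("198.51.100.9", compensate)
    cookie = b"\x11" * 8
    ike = UdpPacket("10.0.0.5", IKE_PORT, resp.ip, IKE_PORT, cookie + b"IKE_SA_INIT")
    seen = nat.outbound(ike)  # responder sees 203.0.113.7:40000, not 10.0.0.5:500
    if not resp.receive_ike(seen):
        return None
    back = nat.inbound(resp.send_data(cookie, b"UDP-encapsulated ESP"))
    return (back.dst_ip, back.dst_port) if back else None
```

`run_exchange(True)` delivers the data packet to the initiator's private address, while `run_exchange(False)` shows the same packet dropped at the NAT because port 500 was never mapped.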