Method and arrangement for providing security through network address translations using tunneling and compensations

US 8,245,288 B2
Filed: 09/08/2011
Issued: 08/14/2012
Est. Priority Date: 06/15/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for secure communications between a first device and a second device in a data communications system, the method comprising:

receiving by the second device from the first device an Internet Key Exchange standard (IKE) key management packet communicated according to Uniform Datagram Protocol (UDP) as a part of IKE negotiations for establishing secure communications between the first device and the second device in a packet-based data communications system where a network address translation is possible between the first device and the second device and the first device has set a destination port field in the IKE key management packet to a standard port number for IKE;

determining and saving by the second device a UDP source port of the received IKE key management packet; and

sending a data packet using the UDP port number and Internet Protocol (IP) address of the first device determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the first device appears to be sending packets.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.

Citations

19 Claims

1. A method for secure communications between a first device and a second device in a data communications system, the method comprising:
- receiving by the second device from the first device an Internet Key Exchange standard (IKE) key management packet communicated according to Uniform Datagram Protocol (UDP) as a part of IKE negotiations for establishing secure communications between the first device and the second device in a packet-based data communications system where a network address translation is possible between the first device and the second device and the first device has set a destination port field in the IKE key management packet to a standard port number for IKE;
  
  determining and saving by the second device a UDP source port of the received IKE key management packet; and
  
  sending a data packet using the UDP port number and Internet Protocol (IP) address of the first device determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the first device appears to be sending packets.
- View Dependent Claims (2, 3, 4)
- - 2. The method according to claim 1, wherein the first device comprises an initiator and the second device comprises a responder of the IKE negotiations.
  - 3. The method as claimed in claim 1, wherein a port number of a network address translator is used if the IKE key management packet was received via the network address translator.
  - 4. The method as claimed in claim 1, comprising detecting a network address translator between the devices, and in response thereto using UDP encapsulation for encapsulating security payload.

5. A method of establishing secure communications between a first device and a second device in a data communications system, the method comprisinginitiating negotiations in accordance with the Internet Key Exchange standard (IKE) by sending an IKE key management packet between the devices using Uniform Datagram Protocol (UDP) for establishing secure communications between the devices in a packet-based data communications system where a network address translation is possible between the devices, wherein a destination port field in the IKE key management packet is set to a standard port number for IKE;
- determining and saving by the first device an UDP source port of an IKE key management packet received from the second device; and
  
  sending a data packet using the UDP port number and Internet Protocol (IP) address of the second device determined during the IKE negotiations, wherein the destination port field of the packet is set to the port number from which the second network device appears to be sending packets.
- View Dependent Claims (6, 7, 8)
- - 6. The method according to claim 5, wherein the first device comprises an initiator and the second device comprises a responder of the IKE negotiations.
  - 7. The method as claimed in claim 5, wherein a port number of a network address translator is used if the IKE key management packet was received via the network address translator.
  - 8. The method as claimed in claim 5, comprising detecting a network address translator between the devices, and in response thereto using UDP encapsulation for encapsulating security payload.

9. An apparatus comprising:
- at least one memory including computer program code; and
  
  at least one processor,wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least toprocess Internet Key Exchange standard (IKE) negotiations between a first device and a second device for establishing secure communications between the devices in a packet-based data communications system where a network address translation is possible between the devices, wherein an Internet Key Exchange standard (IKE) key management packet is received from the first device according to Uniform Datagram Protocol (UDP) as a part of IKE negotiations and the first device has set a destination port field in the IKE key management packet to a standard port number for IKE to determine and save an UDP source port of the IKE key management packet; and
  
  send a data packet using the UDP port number and Internet Protocol (IP) address of the other device determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the other device appears to be sending packets.
- View Dependent Claims (10, 11, 12)
- - 10. The apparatus according to claim 9, wherein the first device comprises an initiator and the second device comprises a responder of the IKE negotiations.
  - 11. The apparatus as claimed in claim 9, configured to use a port number of a network address translator in response to reception of the IKE key management packet via the network address translator.
  - 12. The apparatus as claimed in claim 9, configured to detect a network address translator between the devices, and in response thereto cause use of UDP encapsulation for encapsulation of security payload.

13. An apparatus comprising:
- at least one memory including computer program code; and
  
  at least one processor, wherein the at least one memory and the computer program code are configured to, with the at least one processor, cause the apparatus at least toinitiate negotiations in accordance with the Internet Key Exchange standard (IKE) by sending an IKE key management packet between a first device and a second device using Uniform Datagram Protocol (UDP) for establishing secure communications between the first device and the second device in a packet-based data communications system where a network address translation is possible between the first device and the second device, wherein a destination port field in the IKE key management packet is set to a standard port number for IKE;
  
  determine and save an UDP source port of a IKE key management packet received from the second device; and
  
  send a data packet using the UDP port number and Internet Protocol (IP) address of the second device determined during the IKE negotiations, wherein the destination port field of the packet is set to the port number from which the second device appears to be sending packets.
- View Dependent Claims (14, 15, 16)
- - 14. The apparatus according to claim 13, wherein the first device comprises an initiator and the second device comprises a responder of the IKE negotiations.
  - 15. The apparatus as claimed in claim 13, configured to use a port number of a network address translator in response to reception of the IKE key management packet via the network address translator.
  - 16. The method as claimed in claim 13, configured to detect a network address translator between the devices, and in response thereto to cause use of UDP encapsulation for encapsulation of security payload.

17. A non-transitory computer readable medium for secure communications between devices in a data communications system, comprising program code for causing a processor to perform instructions for:
- communication of an Internet Key Exchange standard (IKE) key management packet according to Uniform Datagram Protocol (UDP) as a part of IKE negotiations for establishing secure communications between the devices in a packet-based data communications system where a network address translation is possible between the devices and a destination port field in the IKE key management packet is set to a standard port number for IKE;
  
  determining and saving of a UDP source port of an IKE key management packet received from the other device; and
  
  sending of a data packet using the UDP port number and Internet Protocol (IP) address determined during the IKE negotiations, wherein the destination port field of the data packet is set to the port number from which the other device appears to be sending packets.
- View Dependent Claims (18, 19)
- - 18. The non-transitory computer readable medium as claimed in claim 17, comprising program code for causing use of a port number of a network address translator in response to reception of the IKE key management packet via the network address translator.
  - 19. The non-transitory computer readable medium as claimed in claim 17, comprising program code for causing detection of a network address translator between the devices, and in response thereto use of UDP encapsulation for encapsulation of security payload.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
Tectia Oyj
Inventors
Kivinen, Tero, Ylonen, Tatu
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US13/228,271
Publication Number

US 20110320623A1
Time in Patent Office

341 Days
Field of Search

726/15
US Class Current

726/15
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 2101/663   Transport layer addresses, ...

H04L 45/026   Details of "hello" or keep-...

H04L 61/00   Network arrangements, proto...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2553   Binding renewal aspects, e....

H04L 61/256   NAT traversal

H04L 61/2564   for a higher-layer protocol...

H04L 61/2575   using address mapping retri...

H04L 61/2578   without involvement of the ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 67/568   Storing data temporarily at...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/165 : Combined use of TCP and UDP...

View All

Method and arrangement for providing security through network address translations using tunneling and compensations

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for providing security through network address translations using tunneling and compensations

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links