Tunnelling of Information
Abstract
This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.
8 Citations
42 Claims
1-20. (canceled)
21. A device comprising:

a communication interface configured to communicate meaningful data-carrying User Datagram Protocol (UDP) datagrams with another device, wherein the communication involves at least one network address translation by at least one intermediate network address translator (NAT) arranged to maintain a mapping for the network address translation, wherein the at least one intermediate NAT is configured to reverse the mapping for reply UDP datagrams, and comprises a timer that times out the mapping after a period has passed without the at least one intermediate NAT performing a network address translation for the communication; and

a controller configured to force sending of keepalive UDP datagrams from the device to the another device through the at least one intermediate NAT frequently enough to prevent the timer from timing out the mapping for the network address translation when no meaningful data-carrying UDP datagrams are communicated between the device and the another device, thereby forcing the at least one intermediate NAT to maintain the mapping for an additional period.

Dependent claims 22, 23, 24, 25, 26, 27, 28, 29 and 30 are not reproduced on this page.
31. A method for a communication device, comprising:

communicating meaningful data-carrying User Datagram Protocol (UDP) datagrams with another device, wherein the communication involves at least one network address translation by at least one intermediate network address translator (NAT) configured to maintain a mapping for the network address translation so that the at least one intermediate NAT can reverse the mapping for reply UDP datagrams, the intermediate NAT having a timer that times out the mapping after a period has passed without the at least one intermediate NAT performing a network address translation for the communication; and

sending keepalive UDP datagrams from the communication device to the another device through the at least one intermediate NAT frequently enough to prevent the timer from timing out the mapping for the network address translation when no meaningful data-carrying UDP datagrams are communicated between the communication device and the another device, thereby forcing the at least one intermediate NAT to maintain the mapping for an additional period.

Dependent claims 32, 33, 34, 35, 36, 37, 38, 39, 40 and 41 are not reproduced on this page.
42. A non-transitory computer readable media comprising program code for causing an apparatus comprising a processor to perform instructions for:

communication of meaningful data-carrying User Datagram Protocol (UDP) datagrams between a device and another device, wherein the communication involves at least one network address translation by at least one intermediate network address translator (NAT) configured to maintain a mapping for the network address translation so that the at least one intermediate NAT can reverse the mapping for reply UDP datagrams, wherein the NAT comprises a timer that times out the mapping after a period has passed without the at least one intermediate NAT performing a network address translation for the communication; and

sending keepalive UDP datagrams from the device to the another device through the at least one NAT frequently enough to prevent the timer from timing out the mapping for the at least one network address translation when no meaningful data-carrying UDP datagrams are communicated between the device and the another device, thereby forcing the at least one intermediate NAT to maintain the mapping for an additional period.
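The abstract and independent claims 21, 31 and 42 describe two mechanisms: ESP/AH carried inside UDP so that it passes a NAT at all, and keepalive UDP datagrams sent often enough that the NAT's idle timer never discards the mapping. The following simulation is an added example written for this page, not code from the patent or its assignee. It models a NAT whose mapping table has an idle timeout, then runs the same idle period three times: with no keepalives, with keepalives shorter than the timeout, and with keepalives longer than the timeout. The encapsulation details it assumes (UDP port 4500, a one-octet 0xFF keepalive, and a non-zero SPI distinguishing ESP from the all-zero IKE marker) come from the later RFC 3948 conventions; the patent text on this page does not fix any of them. Hosts, addresses, SPI and timer values are constructed for the example.

```python
"""Added example: UDP-encapsulated ESP through a NAT with an idle-timeout mapping,
and the keepalive datagrams that keep that mapping alive (not the patent's own code)."""
import struct
from dataclasses import dataclass

UDP_ENCAP_PORT = 4500      # assumption: RFC 3948 ESP-in-UDP port; the page names no port
NAT_KEEPALIVE = b"\xff"    # assumption: RFC 3948 keepalive is a single 0xFF octet


@dataclass
class Mapping:
    external_port: int
    last_used: float


class Nat:
    """Toy NAT: maps (internal src, external dst) to a public port and deletes a
    mapping once it has been idle for longer than `timeout` seconds (the claimed timer)."""

    def __init__(self, timeout: float, public_ip: str = "203.0.113.1"):
        self.timeout = timeout
        self.public_ip = public_ip
        self.table = {}
        self.next_port = 40000

    def _expire(self, now: float) -> None:
        for key, m in list(self.table.items()):
            if now - m.last_used > self.timeout:
                del self.table[key]

    def outbound(self, src: tuple, dst: tuple, now: float) -> tuple:
        """Translate an inside->outside datagram, creating or refreshing the mapping."""
        self._expire(now)
        m = self.table.get((src, dst))
        if m is None:
            m = Mapping(self.next_port, now)
            self.next_port += 1
            self.table[(src, dst)] = m
        m.last_used = now
        return (self.public_ip, m.external_port)

    def inbound(self, src: tuple, dst: tuple, now: float):
        """Reverse the mapping for a reply; None means no mapping, so the NAT drops it."""
        self._expire(now)
        for (int_src, ext_dst), m in self.table.items():
            if ext_dst == src and dst == (self.public_ip, m.external_port):
                m.last_used = now
                return int_src
        return None


def udp_encap_esp(spi: int, seq: int, ciphertext: bytes) -> bytes:
    """UDP payload for encapsulated ESP: the ESP header (SPI, sequence) then ciphertext."""
    if spi == 0:
        raise ValueError("SPI 0 would collide with the all-zero IKE non-ESP marker")
    return struct.pack("!II", spi, seq) + ciphertext


def classify(udp_payload: bytes) -> str:
    """Receiver-side demultiplexing of datagrams arriving on the encapsulation port."""
    if udp_payload == NAT_KEEPALIVE:
        return "keepalive"
    if udp_payload[:4] == b"\x00\x00\x00\x00":
        return "ike"
    if len(udp_payload) >= 8:
        return "esp"
    return "unknown"


def simulate(nat_timeout: float, keepalive_interval: float, idle_seconds: float) -> dict:
    """Send one ESP datagram at t=0, stay idle for `idle_seconds` while sending
    keepalives every `keepalive_interval` seconds (0 = none), then let the gateway
    reply. Reports whether the reply reached the inside host."""
    nat = Nat(nat_timeout)
    host = ("10.0.0.5", UDP_ENCAP_PORT)            # constructed inside host
    gateway = ("198.51.100.7", UDP_ENCAP_PORT)     # constructed IPsec gateway
    seen = {"esp": 0, "keepalive": 0, "ike": 0, "unknown": 0}

    ext = nat.outbound(host, gateway, 0.0)          # data datagram creates the mapping
    seen[classify(udp_encap_esp(0x1234, 1, b"\x00" * 16))] += 1

    t = keepalive_interval
    while keepalive_interval and t <= idle_seconds:
        nat.outbound(host, gateway, t)              # keepalive traverses the NAT, refreshing it
        seen[classify(NAT_KEEPALIVE)] += 1          # gateway recognises and discards it
        t += keepalive_interval

    reply_dst = nat.inbound(gateway, ext, idle_seconds)   # reply to the original mapping
    return {"delivered": reply_dst == host, "keepalives": seen["keepalive"]}


if __name__ == "__main__":
    for interval in (0, 20, 45):
        print(f"timeout=30s keepalive={interval}s ->", simulate(30, interval, 120))
```

With a 30 s NAT timeout and a 120 s idle period, no keepalives lose the mapping, 20 s keepalives keep it, and 45 s keepalives are worse than they look: each one arrives after the old mapping has expired, so the NAT allocates a new public port and the gateway's reply to the old port is still dropped. That is the "frequently enough" condition of the claims in concrete form.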
Specification