Method and system for distributed network address translation with network security features
Abstract
A method and system for distributed network address translation with security features. The method and system allow Internet Protocol security protocol (“IPsec”) to be used with distributed network address translation. The distributed network address translation is accomplished with IPsec by mapping a local Internet Protocol (“IP”) address of a given local network device and an IPsec Security Parameter Index (“SPI”) associated with an inbound IPsec Security Association (“SA”) that terminates at the local network device. A router allocates locally unique security values that are used as the IPsec SPIs. A router used for distributed network address translation is used as a local certificate authority that may vouch for identities of local network devices, allowing local network devices to bind a public key to a security name space that combines a global IP address for the router with a set of locally unique port numbers used for distributed network address translation. The router issues security certificates and may itself be authenticated by a higher certificate authority. Using a security certificate, a local network device may initiate and be a termination point of an IPsec security association to virtually any other network device on an IP network like the Internet or an intranet. The method and system may also allow distributed network address translation with security features to be used with Mobile IP or other protocols in the Internet Protocol suite.
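The SPI-based demultiplexing the abstract describes, as an added toy model (not code from the patent or its assignee): a router with one public address allocates router-wide unique SPIs to local hosts, keeps the SPI-to-local-address table, and picks the local host for an inbound ESP packet from the SPI at the start of the ESP header. The packet helper, the reserved-SPI rule taken from RFC 4303, and the sample addresses are assumptions for this demo.

```python
import os
import struct

# Added example, not the patent's code: a toy distributed-NAT router. It owns one
# public IP, hands each local host locally unique SPI values, keeps the table
# SPI -> local address (the "table" of claim 8) and routes inbound IPsec ESP by
# the SPI in the ESP header (RFC 4303: SPI is bytes 0-3). Layout is assumed.

ESP_HEADER_LEN = 8          # 4-byte SPI + 4-byte sequence number
RESERVED_SPI_MAX = 255      # RFC 4303 reserves SPI values 0..255


def make_esp_packet(spi, seq, payload):
    """Build a constructed ESP packet: SPI, sequence number, then opaque payload."""
    return struct.pack(">II", spi, seq) + payload


class DnatRouter:
    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.spi_table = {}     # spi -> local ip whose inbound SA uses that SPI

    def allocate_spis(self, local_ip, count):
        """Hand `count` fresh SPIs to a local host; each is unique router-wide."""
        allocated = []
        while len(allocated) < count:
            spi = struct.unpack(">I", os.urandom(4))[0]
            if spi <= RESERVED_SPI_MAX or spi in self.spi_table:
                continue            # reserved or already mapped: draw again
            self.spi_table[spi] = local_ip
            allocated.append(spi)
        return allocated

    def release_spis(self, local_ip):
        """Drop every mapping for a host (e.g. when its SAs are torn down)."""
        for spi in [s for s, ip in self.spi_table.items() if ip == local_ip]:
            del self.spi_table[spi]

    def identity(self, spi):
        """The (public IP, SPI) pair that names a local host to the outside world."""
        return (self.public_ip, spi) if spi in self.spi_table else None

    def route_inbound_esp(self, packet):
        """Local host for an inbound ESP packet, or None if the SPI is unknown."""
        if len(packet) < ESP_HEADER_LEN:
            return None             # truncated: not even a full ESP header
        spi = struct.unpack(">I", packet[:4])[0]
        return self.spi_table.get(spi)
```

Packets whose SPI is not in the table are dropped rather than forwarded, which is the property that lets the single public address serve many local IPsec endpoints.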
386 Citations
33 Claims
1. A method for distributed network address translation with security, comprising the following steps:
- at a first network device on a first computer network, requesting with a first protocol, one or more locally unique security values from a second network device on the first computer network, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the one or more locally unique security values are used to uniquely identify the first network device during secure communications with a third network device on a second external network;
- receiving the one or more locally unique security values on the first network device from the second network device with the first protocol; and
- storing the one or more locally unique security values on the first network device, wherein the one or more locally unique security values are used to create a secure virtual connection for secure communications between the first network device and the third network device, wherein the secure communications include the one or more locally unique secure values, and wherein the second network device routes secure communication data from the third network device to the first network device in response to the one or more locally unique security values.

Dependent claims: 3, 4, 5, 6, 7.
2. A computer readable medium having stored therein instructions for causing a central processing unit to execute the steps of:
- at a first network device on a first computer network, requesting with a first protocol, one or more locally unique security values from a second network device on the first computer network, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the one or more locally unique security values are used to uniquely identify the first network device during secure communications with a third network device on a second external network;
- receiving the one or more locally unique security values on the first network device from the second network device with the first protocol; and
- storing the one or more locally unique security values on the first network device, wherein the one or more locally unique security values are used to create a secure virtual connection for secure communications between the first network device and the third network device, wherein the secure communications include the one or more locally unique secure values, and wherein the second network device routes secure communication data from the third network device to the first network device in response to the one or more locally unique security values.
8. A method for distributed network address translation with security, comprising the following steps:
- receiving a request message with a first protocol on a second network device for one or more locally unique security values from a first network device;
- allocating one or more locally unique security values on the second network device;
- storing a locally unique network address for the first network device with the one or more locally unique security values in a table associated with the second network device, wherein the table is used to maintain a mapping between a network device and one or more locally unique security values for distributed network address translation; and
- sending the one or more locally unique security values in a response message with the first protocol to the first network device, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the one or more locally unique security values are used to uniquely identify the first network device during secure communications with a third network device on a second external network, and wherein the secure communications include the one or more locally unique secure values, and wherein the second network device routes secure communication data from the third network device to the first network device in response to the one or more locally unique security values.

Dependent claims: 9, 10, 11.
12. A method for distributed network address translation using security, comprising the following steps:
- receiving a first message in a second secure protocol on a first network device on a first network to establish a secure virtual connection to the first network device from a third network device on a second external network;
- selecting a locally unique security value to use for the secure virtual connection from a list of locally unique security values, wherein the list of locally unique security values was received from a second network device on the first network with a first protocol; and
- sending a second message with second secure protocol to establish a secure virtual connection to the first network device on the first network from the third network device on the second external network wherein the second message includes the selected locally unique security value and security certificate sent to the first network device by the second network device, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the locally unique security value are used to uniquely identify the first network device during secure communications with the third network device on the second external network, and wherein the secure communications include the one or more locally unique secure values, and wherein the second network device routes secure communication data from the third network device to the first network device in response to the one or more locally unique security values.

Dependent claims: 13, 14, 15, 16, 17.
18. A method for distributed network address translation with security, comprising the following steps:
- sending a request message in a second secure protocol from a first network device on a first network to a second network device on the first network, wherein the request message in the second secure protocol includes security information;
- routing the request message from the second network device to a third network device on a second external network over a secure virtual connection between the first network device and the third network device;
- receiving a reply message in the second secure protocol from the third network device on the second network device on the first network for the first network device, wherein the reply message in the second secure protocol includes security information from the request message allocated by the second network device, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the security information are used to uniquely identify the first network device during secure communications with the third network device on the second external network; and
- routing the reply message from the second network device to the first network device on the first network using one or more locally unique ports associated with the security information and used for distributed network address translation.

Dependent claims: 19, 20, 21, 22, 23, 24, 25.
26. A method for distributed network address translation with security, comprising the following steps:
- requesting one or more locally unique ports with a first message from a first protocol on a first network device from a second network device, wherein the one or more locally unique ports are used for distributed network address translation;
- requesting one or more locally unique security values with a first message from the first protocol from the second network device, wherein the one or more locally unique security values are used with a second secure protocol to establish a secure virtual connection between the first network device and a third network device on a second external computer network, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the one or more locally unique security values are used to uniquely identify the first network device during secure communications with the third network, and wherein the secure communications include the one or more locally unique secure values, and wherein the second network device routes secure communication data from the third network device to the first network device in response to the one or more locally unique security values;
- requesting a security certificate on the first network device from the second network device, wherein the security certificate includes a binding between a public encryption key and a combination of a network address for the first network device and the one or more locally unique ports.

Dependent claims: 27, 28, 29, 30, 31.
32. A method for distributed network address translation with security features comprising the following steps:
- sending one or more locally unique ports allocated on a second network device on a first computer network to a first network device on the first computer network with a second message in a first protocol wherein the one or more locally unique ports are used for distributed network address translation;
- sending one or more locally unique security values allocated on the second network device to the first network device with a second message from the first protocol wherein the one or more locally unique security values are used with a second secure protocol to establish a secure virtual connection between the first network device and a third network device on a second external computer network and are used for distributed network address translation with security, wherein the second network device has a publicly routable address, and wherein the second network device's publicly routable address in combination with the one or more locally unique security values are used to uniquely identify the first network device during secure communications with the third network device on the second external network, and wherein the secure communications include the one or more locally unique secure values, and wherein the second network device routes secure communication data from the third network device to the first network device in response to the one or more locally unique security values;
- sending a security certificate created on the second network device to the first network device, wherein the second network device provides local security certificate services on the first computer network and wherein the security certificate includes a binding for a public encryption key for the first network device and a combination of a network address for the first network device and the one or more locally unique ports allocated to the first network device to authenticate an identity for the first network device for a secure virtual connection between the first network device and a third network device on a second external computer network.

Dependent claims: 33.
Specification