Method and arrangement for providing security through network address translations using tunneling and compensations

US 8,127,348 B2
Filed: 05/12/2005
Issued: 02/28/2012
Est. Priority Date: 06/15/1999
Status: Expired due to Fees

First Claim

Patent Images

1. A method for tunneling packets between a first computer device and a second computer device through a packet-switched data transmission network including intermediate computer devices, where at least one of said computer devices may perform a network address translation and/or a protocol conversion and in which data transmission network there exists a security protocol comprising a key management connection that employs a specific packet format for key management packets, the method comprising the steps of:

determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a data path between said first computer device and said second computer device;

if it is found that network address translations or protocol conversions occur in the data path, said first computer device encapsulating data packets that are not key management packets into said specific packet format for key management packets;

transmitting said data packets encapsulated into the specific packet format from said first computer device to said second computer device;

discriminating by said second computer device the data packets encapsulated into the specific packet format from actual key management packets; and

decapsulating by said second computer device the data packets encapsulated into the specific packet format.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

This invention provides a method for providing network security services, such as those provided by the IPSEC protocol, through network address translation (NAT). The method is based on determining the transformations that occur on a packet and compensating for the transformations. Because only TCP and UDP protocols work through NATs, the IPSEC AH/ESP packets are encapsulated into UDP packets for transport. Special operations are performed to allow reliable communications in such environments.

11 Citations

View as Search Results

9 Claims

1. A method for tunneling packets between a first computer device and a second computer device through a packet-switched data transmission network including intermediate computer devices, where at least one of said computer devices may perform a network address translation and/or a protocol conversion and in which data transmission network there exists a security protocol comprising a key management connection that employs a specific packet format for key management packets, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a data path between said first computer device and said second computer device;
  
  if it is found that network address translations or protocol conversions occur in the data path, said first computer device encapsulating data packets that are not key management packets into said specific packet format for key management packets;
  
  transmitting said data packets encapsulated into the specific packet format from said first computer device to said second computer device;
  
  discriminating by said second computer device the data packets encapsulated into the specific packet format from actual key management packets; and
  
  decapsulating by said second computer device the data packets encapsulated into the specific packet format.
- View Dependent Claims (2)
- - 2. The method according to claim 1, wherein the step of encapsulating data packets that are not key management packets comprises the substeps of:
    - encapsulating data packets that are not key management packets into a key management packet format specified by the Internet Key Exchange protocol which defines a certain Initiator Cookie field; and
      
      inserting into said-Initiator Cookie field of an encapsulated data packet a value indicating that the encapsulated packet is a data packet and not a key management packet.

3. A method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network including intermediate computer devices, where at least one of said computer devices may perform a network address translation and/or a protocol conversion, wherein a security protocol is employed which determines transport-mode processing of packets for transmission and reception, and wherein a high-level protocol checksum has been determined for checking the integrity of received packets, the method comprising the steps of:
- determining , by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a data path between said first computer device and said second computer device;
  
  performing, by said first computer device, transport-mode processing for packets to be transmitted to said second computer device;
  
  performing, by said second computer device, transport-mode processing for packets received from the first computer device, said transport-mode processing comprising the decapsulation of received packets, andif it was found that network address translations or protocol conversions occur in the data path, updating said high-level protocol checksum for decapsulated packets by said second computer device for compensating for changes, if any, caused by network address translations or protocol conversions.
- View Dependent Claims (4, 5, 6, 7)
- - 4. The method according to claim 3, whereinthe step of performing transport-mode processing at the first computer device for packets transmitted to the second computer device takes the form of performing transport-mode processing as determined in the IPSEC protocol suite, andthe step of performing transport-mode processing at the second computer device for packets received from the first computer device takes the form of performing transport-mode processing as determined in the IPSEC protocol suite.
  - 5. The method according to claim 3, additionally comprising the steps of:
    - at the first computer device, after performing transport-mode processing for a packet to be transmitted to the second computer device, encapsulating the processed packet into a packet conforming to a certain second protocol, which second protocol is capable of traversing network address translations, andat the second computer device, before performing transport-mode processing for a packet received from the first computer device, decapsulating the received packet from the packet conforming to said second protocol and replacing a number of network addresses in the decapsulated packet with a corresponding number of network addresses taken from the received packet before decapsulation.
  - 6. The method according to claim 3, wherein the step of updating the high-level protocol checksum takes the form of recomputing the checksum for the transport -mode-processed packets.
  - 7. The method according to claim 3, wherein the method additionally comprises the step of obtaining information about the network addresses of the first and second computer devices before and after .network address translations, and the step of updating the high-level protocol checksum takes the form of incrementally updating the checksum based on the obtained information about the network addresses of the first and second computer devices before and after network address translations.

8. A method for maintaining a connection between a first computer device and a second computer device through a packet-switched data transmission network, where a network address translation and/or a protocol conversion may be performed on packets transmitted on a data path between said first computer device and said second computer device, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in the data path between said first computer device and said second computer device; and
  
  if it is found that network address translations or protocol conversions occur in the data path, forcing at least one of said first computer device and said second computer device to transmit to the other computer device keep alive packets with address information identical to that of actual data packets at a high enough frequency so that any network address translation devices in said data path constantly maintain the mappings used for network address translation, even when a certain fraction of the packets communicated between the first computer device and the second computer device are lost in the network.

9. A method for receiving data transmitted in tunneled, secure packets sent from a first computer device to a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said intermediate computer devices may perform a network address translation or a protocol conversion resulting in alteration of a packet propagating therethrough, and wherein said tunneled, secure packets may comprise packets of a first secure protocol encapsulated in packets of a second protocol which can pass through network address translations or protocol conversions, the method comprising the steps of:
- determining, by one of said first or second computer devices, what network address translations or protocol conversions, if any, occur on packets received from said first computer device in a .data path between said first computer device and said second computer device,if it is found that network address translations or protocol conversions occur in the data path, decapsulating, by said second computer device, packets received from said first, computer device and conforming to said second protocol to recover packets conforming to said first protocol; and
  
  said second computer device using said first secure protocol to recover data transmitted in said first secure protocol packets.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
SSH Communications Security Oyj
Original Assignee
Tectia Oyj
Inventors
Kivinen, Tero, Ylonen, Tatu
Primary Examiner(s)
Cervetti, David Garcia

Application Number

US11/128,933
Publication Number

US 20060256815A1
Time in Patent Office

2,483 Days
Field of Search

726/14
US Class Current

726/14
CPC Class Codes

H04L 12/4633   Interconnection of networks...

H04L 2101/663   Transport layer addresses, ...

H04L 45/026   Details of "hello" or keep-...

H04L 61/00   Network arrangements, proto...

H04L 61/25   of the same type

H04L 61/2514   between local and global IP...

H04L 61/2553   Binding renewal aspects, e....

H04L 61/256   NAT traversal

H04L 61/2564   for a higher-layer protocol...

H04L 61/2575   using address mapping retri...

H04L 61/2578   without involvement of the ...

H04L 61/5007   Internet protocol [IP] addr...

H04L 63/0272   Virtual private networks

H04L 63/029   Firewall traversal, e.g. tu...

H04L 63/04   for providing a confidentia...

H04L 63/0428   wherein the data content is...

H04L 63/164   at the network layer

H04L 67/568   Storing data temporarily at...

H04L 69/16   Implementation or adaptatio...

H04L 69/161   Implementation details of T...

H04L 69/165 : Combined use of TCP and UDP...

View All

Method and arrangement for providing security through network address translations using tunneling and compensations

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

11 Citations

9 Claims

Specification

Solutions

Use Cases

Quick Links

Method and arrangement for providing security through network address translations using tunneling and compensations

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

11 Citations

9 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links