New solution for IPSEC passing through NAT
-
摘要: Internet网络层安全协议(IPSEC)和网络地址翻译器(NAT)不兼容,这严重限制了 IPSEC的应用范围.解决方法必须遵循的原则是既能使IPSEC数据流穿越NAT,又不必修改路 由器和NAT,部署方便.目前存在的3种解决方法都具有局限性:"先于IPSEC进行NAT转换 "方法难以实现,"特定域IP通信(RSIP)"方法部署困难,"用户数据包(UDP)封装安 全封装协议(ESP)数据包"方法只能部分地解决IPSEC与NAT不兼容问题.在分析现有方法的 基础上,提出一种新的解决方法,即UDP封装IPSEC数据包方法.该方法通过UDP封装IPSEC数 据包,保护原始IP地址和端口号,消除了NAT对IPSEC影响.详细介绍了该方法的实现思路, 进行了可行性和优缺点分析.通过分析可知,新方法具有明显优点,能够方便、有效地解决 IPSEC和NAT兼容问题.Abstract: The application range of IP security protocol (IPSEC) is badly restric ted due to the incompatibility of IPSEC and network address translator (NAT). Th e rule that must to be followed by the solutions for IPSEC passing through NAT i s that IPSEC pass through NAT without any changes to the routers and NAT on the Internet. There are limits to the current three solutions. It can barely be real ized to execute the NAT ahead of executing the IPSEC. It is difficult to deploy the realm specific IP(RSIP). The incompatibility of IPSEC and NAT can only be solved partially by user data packet(UDP) encapsulation of the IP enca psulating security payload(IPSEC ESP) packets. A new solution, UDP encapsulation of IPSEC packets, was developed. The new solution eliminates the impact from NA T to IPSEC by protecting the origin IP addresses and ports of the IPSEC packets through encapsulating the IPSEC packets with UDP header. The feasibility of this solution was demonstrated. The analyse shows that the new solution has evident advantages over the others and can remove the incompatibilities between IPSEC an d NAT effectively and expediently.
-
Key words:
- IPSEC /
- NAT /
- VPN /
- NAT traversal
-
[1] Srisuresh P, Egevang K.Traditional IP network address translator . 2001-01 . http://www.ietf.org/rfc/rfc3022.txt [2] Aboba B, Dixon W.IPSEC-NAT compatibility requirements . 2004-03 .http://www.ietf.org/rfc/rfc3715.txt [3] Kent S, Atkinson R.Security architecture for the internet protocol . 1998-11 . http://www.ietf.org/rfc/rfc2401.txt [4] Borella M, Grabelsky D.Realm specific IP:protocol specification . 2001-10 .http://tools.ietf.org/html/rfc3103 [5] Huttunen A, DiBurro L.UDP encapsulation of IPSEC packets . 2005-01 .http://www.ietf.org/rfc/rfc3948.txt [6] Kivinen T, Volpe V.Negotiation of NAT- traversal in the IKE . 2005-01 .http://www.ietf.org/rfc/rfc3947.txt [7] Honeynet Project.Know your enemy:passive fingerprinting . 2002-03 .http://project.honeynet.org/papers/finger
点击查看大图
计量
- 文章访问数: 3036
- HTML全文浏览量: 152
- PDF下载量: 1944
- 被引次数: 0