高级搜索

留言板

尊敬的读者、作者、审稿人, 关于本刊的投稿、审稿、编辑和出版的任何问题, 您可以本页添加留言。我们将尽快给您答复。谢谢您的支持!

姓名
邮箱
手机号码
标题
留言内容
验证码

一种新的IPSEC穿越NAT方法

彭近兵 龙翔 高小鹏 陈贤钦

downloadPDF
文章导航 > 北京航空航天大学学报  > 2007 >  33(01): 63-66.
彭近兵, 龙翔, 高小鹏, 等 . 一种新的IPSEC穿越NAT方法[J]. 北京航空航天大学学报, 2007, 33(01): 63-66.
引用本文: 彭近兵, 龙翔, 高小鹏, 等 . 一种新的IPSEC穿越NAT方法[J]. 北京航空航天大学学报, 2007, 33(01): 63-66.
shu
Peng Jinbing, Long Xiang, Gao Xiaopeng, et al. New solution for IPSEC passing through NAT[J]. Journal of Beijing University of Aeronautics and Astronautics, 2007, 33(01): 63-66. (in Chinese)
Citation: Peng Jinbing, Long Xiang, Gao Xiaopeng, et al. New solution for IPSEC passing through NAT[J]. Journal of Beijing University of Aeronautics and Astronautics, 2007, 33(01): 63-66. (in Chinese)
shu

一种新的IPSEC穿越NAT方法

  • 北京航空航天大学 计算机学院, 北京 100083

详细信息
    作者简介:

    彭近兵(1968-),男,安徽庐江人,博士生,pengjinbing@les.buaa.edu.cn.

  • 中图分类号: TP 393

New solution for IPSEC passing through NAT

  • School of Computer Science and Technology, Beijing University of Aeronautics and Astronautics, Beijing 100083, China

    摘要
  • 摘要: Internet网络层安全协议(IPSEC)和网络地址翻译器(NAT)不兼容,这严重限制了 IPSEC的应用范围.解决方法必须遵循的原则是既能使IPSEC数据流穿越NAT,又不必修改路 由器和NAT,部署方便.目前存在的3种解决方法都具有局限性:"先于IPSEC进行NAT转换 "方法难以实现,"特定域IP通信(RSIP)"方法部署困难,"用户数据包(UDP)封装安 全封装协议(ESP)数据包"方法只能部分地解决IPSEC与NAT不兼容问题.在分析现有方法的 基础上,提出一种新的解决方法,即UDP封装IPSEC数据包方法.该方法通过UDP封装IPSEC数 据包,保护原始IP地址和端口号,消除了NAT对IPSEC影响.详细介绍了该方法的实现思路, 进行了可行性和优缺点分析.通过分析可知,新方法具有明显优点,能够方便、有效地解决 IPSEC和NAT兼容问题.

     

    Abstract: The application range of IP security protocol (IPSEC) is badly restric ted due to the incompatibility of IPSEC and network address translator (NAT). Th e rule that must to be followed by the solutions for IPSEC passing through NAT i s that IPSEC pass through NAT without any changes to the routers and NAT on the Internet. There are limits to the current three solutions. It can barely be real ized to execute the NAT ahead of executing the IPSEC. It is difficult to deploy the realm specific IP(RSIP). The incompatibility of IPSEC and NAT can only be solved partially by user data packet(UDP) encapsulation of the IP enca psulating security payload(IPSEC ESP) packets. A new solution, UDP encapsulation of IPSEC packets, was developed. The new solution eliminates the impact from NA T to IPSEC by protecting the origin IP addresses and ports of the IPSEC packets through encapsulating the IPSEC packets with UDP header. The feasibility of this solution was demonstrated. The analyse shows that the new solution has evident advantages over the others and can remove the incompatibilities between IPSEC an d NAT effectively and expediently.

     

    • HTML全文
    • 参考文献(1)
  • [1] Srisuresh P, Egevang K.Traditional IP network address translator . 2001-01 . http://www.ietf.org/rfc/rfc3022.txt  [2] Aboba B, Dixon W.IPSEC-NAT compatibility requirements . 2004-03 .http://www.ietf.org/rfc/rfc3715.txt  [3] Kent S, Atkinson R.Security architecture for the internet protocol . 1998-11 . http://www.ietf.org/rfc/rfc2401.txt  [4] Borella M, Grabelsky D.Realm specific IP:protocol specification . 2001-10 .http://tools.ietf.org/html/rfc3103  [5] Huttunen A, DiBurro L.UDP encapsulation of IPSEC packets . 2005-01 .http://www.ietf.org/rfc/rfc3948.txt  [6] Kivinen T, Volpe V.Negotiation of NAT- traversal in the IKE . 2005-01 .http://www.ietf.org/rfc/rfc3947.txt  [7] Honeynet Project.Know your enemy:passive fingerprinting . 2002-03 .http://project.honeynet.org/papers/finger
    • 相关文章
    • 施引文献
  • 资源附件(0)
  • 加载中
WeChat 点击查看大图
计量
  • 文章访问数:  3031
  • HTML全文浏览量:  152
  • PDF下载量:  1944
  • 被引次数: 0
出版历程
  • 收稿日期:  2006-01-10
  • 网络出版日期:  2007-01-31

目录

    /

    返回文章
    返回
    常见问答

    版权所有 © 《北京航空航天大学学报》编辑部

    通讯地址:北京市海淀区学院路37号 《北京航空航天大学学报》编辑部  邮编:100191 邮箱:jbuaa@buaa.edu.cn

    本系统由 北京仁和汇智信息技术有限公司 开发    百度统计