
IPv4/ IPv6 protocol translation based IPSec crossing interconnection method

A technology relating to the IPv6 protocol and IPSec, applied to network connection, digital transmission systems, electrical components, etc. It addresses problems such as hidden security risks, increased deployment and transformation costs, and interconnection obstacles, and achieves reduced transformation costs, good backward compatibility and adaptability, and a smooth transition.

Inactive Publication Date: 2010-05-12
CHINA TELECOM CORP LTD

AI Technical Summary

Problems solved by technology

Unfortunately, as a network-layer security extension mechanism, IPSec is not completely independent of the underlying IP protocol. In an IPv4 / IPv6 transition network, even if IP protocol translation (NAT-PT) is performed at the network layer, interconnection between IPSec entities across IP protocol domains still cannot be realized. This key limitation is a major obstacle to meeting the above requirements.
[0006] NAT-PT is currently the only IPv4 / IPv6 transition mechanism that supports direct interconnection of heterogeneous IP networks, but it cannot interoperate with IPSec.
This compatibility problem stems from an essential contradiction between the two functions: on the one hand, address and protocol translation causes the integrity verification of IPSec AH / ESP encapsulation to fail; on the other hand, IPSec packet encapsulation and encryption prevent NAT-PT from obtaining the information it needs to perform its translation operations.
These problems greatly limit the security service capability of IPSec in scenarios of transitional interconnection across IP protocol domains.
[0007] At present there are two basic approaches. One is dual-stack deployment, in which every device is equipped with a dual stack. This is the most intuitive way to realize IPSec interconnection, but it significantly increases deployment and transformation costs and doubles the complexity of network and security management, which is often unacceptable and should be avoided during the IPv4 / IPv6 transition.
[0008] The other is a line of technical improvement represented by IP HTI: the NAT-PT device passively intervenes in the IPSec negotiation process, and the sender then adjusts the data it transmits according to the information provided by NAT-PT, so that the address and protocol translation details are hidden from the receiving end and the IPSec protocol can traverse the translator. Such techniques are mostly based on improving the NAT-PT mechanism, which not only requires upgrading the deployed NAT-PT equipment but must also be supplemented by modifications to the IPSec protocol stack. At the same time, they can only implement AH transport-mode traversal, cannot realize tunnel interconnection of subnets using different protocols, and cannot traverse port-translating devices. In addition, the NAT-PT device acting as a "middleman" cannot know the IKE session key, so the translation information can only be sent to the originating end in plain text, introducing additional security risks. Taken together, these defects show that realizing IPSec cross-protocol-domain interconnection by modifying NAT-PT is not sufficiently feasible in practical applications.




Embodiment Construction

[0027] Figure 1 shows the IPSec end-to-end transmission traversal interconnection method based on IPv4 / IPv6 protocol translation in the present invention. It includes IKE SA negotiation and IPSec SA negotiation operations, specifically comprising the following steps:

[0028] In step 101, the IKE message will be sent in the normal UDP-IKE form.

[0029] In the handshake phase, before the existence of a NAT or NAT-PT has been confirmed, the IKE messages use the common UDP-IKE format; only after a NAT or NAT-PT on the path has been confirmed does subsequent signaling switch to the UDP-non-ESP-IKE format, so that IKE and ESP traffic can be multiplexed on the transport without ambiguity.

[0030] In step 102, during the IKE SA negotiation process, the IPSec parties exchange VID loads to detect each other's NAT-PT traversal capabilities.

[0031] In step 103, during the IKE SA negotiation process, the two sides of IPSec exchange TD loads to detect the existence of NAT-PT devices along the transmission route. When NAT or NAT-PT devices e...


Abstract

The invention provides an IPv4 / IPv6 protocol translation based IPSec crossing interconnection method, comprising IKE SA negotiation and IPSec SA negotiation. The method specifically comprises the following steps: IKE information is transmitted in the form of common UDP-IKE; during IKE SA negotiation, both IPSec parties exchange a VID load to detect each other's NAT-PT crossing capabilities; during IKE SA negotiation, both IPSec parties exchange a TD load to detect the existence of NAT-PT equipment on the transmission path, and when NAT or NAT-PT equipment exists on the path, the subsequent negotiation signaling adopts the UDP-non-ESP-IKE encapsulation format; and during IPSec SA negotiation, an IRA load is exchanged to confirm the IP protocol used by the transmitting end and its exact address, and the receiving end corrects the transport layer CRC according to the IRA load. The method realizes safe interconnection of hosts or subnets across the protocol boundary in an IPv4 / IPv6 transition network.
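The last step of the abstract (the continuation of step [0031] in the embodiment) has the receiving end repair the transport-layer checksum itself, because a NAT-PT cannot rewrite a checksum that sits inside an ESP-protected payload. The following is an added example, not the patent's code: it models that receiver-side correction with an IPv4-to-IPv6 translation, assumes the IRA payload carries the source and destination addresses exactly as the sender saw them, and uses constructed documentation-range addresses and function names (`ocs`, `correct_checksum`, `receiver_demo`) that are my own.

```python
import ipaddress
import struct
UDP = 17

def ocs(data: bytes) -> int:
    # 16-bit ones' complement sum with end-around carry (RFC 1071)
    data += b"\x00" * (len(data) % 2)
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def pseudo_header(src, dst, length, proto=UDP) -> bytes:
    # IPv4 and IPv6 pseudo-headers differ in layout, not only in address size
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if s.version == 4:
        return s.packed + d.packed + struct.pack("!BBH", 0, proto, length)
    return s.packed + d.packed + struct.pack("!I3xB", length, proto)

def build_udp(src, dst, sport, dport, payload: bytes) -> bytes:
    # Sender checksums over ITS OWN (IPv4) pseudo-header; ESP then hides it
    hdr = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0)
    csum = ~ocs(pseudo_header(src, dst, len(hdr + payload)) + hdr + payload) & 0xFFFF
    return hdr[:6] + struct.pack("!H", csum or 0xFFFF) + payload

def checksum_ok(src, dst, segment: bytes) -> bool:
    return ocs(pseudo_header(src, dst, len(segment)) + segment) == 0xFFFF

def correct_checksum(segment, orig_src, orig_dst, new_src, new_dst) -> bytes:
    # RFC 1624 incremental update HC' = ~(~HC + ~m + m'); m and m' are the
    # sums of the original and translated pseudo-headers (length unchanged)
    hc = struct.unpack("!H", segment[6:8])[0]
    m = ocs(pseudo_header(orig_src, orig_dst, len(segment)))
    m2 = ocs(pseudo_header(new_src, new_dst, len(segment)))
    total = (~hc & 0xFFFF) + (~m & 0xFFFF) + m2
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return segment[:6] + struct.pack("!H", ~total & 0xFFFF) + segment[8:]

# Constructed scenario: IPv4 host -> NAT-PT (prefix 2001:db8::/96) -> IPv6 host
V4_SRC, V4_DST = "192.0.2.10", "192.0.2.1"            # as seen by the sender
V6_SRC, V6_DST = "2001:db8::c000:20a", "2001:db8::1"  # as seen by the receiver
IRA = {"ip_protocol": 4, "src": V4_SRC, "dst": V4_DST}  # assumed IRA contents

def receiver_demo():
    seg = build_udp(V4_SRC, V4_DST, 5000, 5000, b"constructed payload")
    before = checksum_ok(V6_SRC, V6_DST, seg)   # fails: NAT-PT cannot see inside ESP
    fixed = correct_checksum(seg, IRA["src"], IRA["dst"], V6_SRC, V6_DST)
    return before, checksum_ok(V6_SRC, V6_DST, fixed)
```

Only the address words of the pseudo-header change, so the receiver never needs the decrypted payload's full sum; the same update works for TCP by changing the checksum offset and protocol number.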

Description

Technical field
[0001] The invention relates to the IPv4 / IPv6 protocol translation and interconnection technology NAT-PT and to the IPSec protocol, and in particular to an improved technique for solving the problem of compatible interconnection between the IPSec protocol and the NAT-PT mechanism.
Background technique
[0002] The rapid depletion of IPv4 addresses has seriously affected the scalability of the Internet. At the same time, the basic protocol mechanisms need to support emerging services such as mobile IP networks and ad hoc networks, so fully adopting IPv6 is imperative.
[0003] However, over a long period people have accumulated a great many resources, investments and applications on the basis of IPv4 networks. Given the scale and cost of transitioning IPv4 facilities and applications to IPv6, the transition can never be completed overnight, and there is bound to be a long transitional period in which the two coexist. In this transition...


Application Information

IPC(8): H04L29/06, H04L29/12, H04L12/56, H04L12/66
Inventor 陆音李实陈怡张届新马钰璐
Owner CHINA TELECOM CORP LTD