In the TCP/IP protocol suite, the IPsec protocols provide interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper-layer protocols.

The need for IP address translation arises when a network's internal IP addresses cannot be used outside the network, either for privacy reasons or because they are invalid for use outside the network. Today NATs are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels.

However, IPsec protects the datagrams it carries against modification by others, while a NAT, to do its job, modifies the headers of the datagrams that pass through it. As a result, there are incompatibilities between IPsec and NAT, and these incompatibilities have become a major barrier to deployment of IPsec in one of its principal uses. This paper describes how to solve the known incompatibilities between NAT and IPsec.

We adapt the method of UDP encapsulation of ESP packets to solve the IPsec-NAT incompatibilities, and we implement it under the Linux operating system. The method should be usable at every scale where NAT is deployed today, whether the NAT performs simple address-to-address translation or address and port translation. Most importantly, this proposal does not require any change to the NAT device itself. The method is used only if both the IKE initiator and the responder support it, and only when necessary, since NAT detection is built into the protocol. We have not implemented support for AH over NAT; that is left to further work.
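The incompatibility and the UDP-encapsulation fix described above, as a simplified model added here (not code from the paper): an AH-style integrity value covers the IP addresses, so a NAT rewrite invalidates it, while the integrity value of ESP carried in UDP covers only the ESP header and payload. The key, addresses, ports (4500 is the port later standardized for this encapsulation, not stated in the abstract) and the HMAC-SHA-256 stand-in for the negotiated algorithm are assumptions.

```python
import hashlib
import hmac
import socket
import struct

KEY = b"constructed-demo-key"  # constructed sample key, not from the paper

def icv(data: bytes) -> bytes:
    """Truncated HMAC-SHA-256, standing in for the negotiated integrity algorithm."""
    return hmac.new(KEY, data, hashlib.sha256).digest()[:16]

def _ah_covered(pkt) -> bytes:
    # AH-style coverage: outer IP addresses plus payload (other header fields omitted).
    return socket.inet_aton(pkt["src"]) + socket.inet_aton(pkt["dst"]) + pkt["payload"]

def ah_protect(src, dst, payload):
    pkt = {"src": src, "dst": dst, "payload": payload}
    pkt["icv"] = icv(_ah_covered(pkt))
    return pkt

def ah_verify(pkt) -> bool:
    return hmac.compare_digest(pkt["icv"], icv(_ah_covered(pkt)))

def esp_udp_protect(src, dst, sport, dport, spi, seq, ciphertext):
    """ESP in UDP: the integrity value covers only the ESP header and payload."""
    esp = struct.pack("!II", spi, seq) + ciphertext
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "esp": esp + icv(esp)}

def esp_udp_verify(pkt) -> bool:
    body, tag = pkt["esp"][:-16], pkt["esp"][-16:]
    return hmac.compare_digest(tag, icv(body))

def nat(pkt, public_ip, public_port=None):
    """Rewrite the outer source address and, for UDP, optionally the source port."""
    out = dict(pkt, src=public_ip)
    if public_port is not None and "sport" in out:
        out["sport"] = public_port
    return out

def demo():
    # Constructed sample packets using documentation and private address ranges.
    ah = ah_protect("192.168.1.10", "203.0.113.5", b"data")
    esp = esp_udp_protect("192.168.1.10", "203.0.113.5", 4500, 4500,
                          0x1000, 1, b"ciphertext")
    return (ah_verify(ah), ah_verify(nat(ah, "198.51.100.7")),
            esp_udp_verify(esp), esp_udp_verify(nat(esp, "198.51.100.7", 61001)))

if __name__ == "__main__":
    print(demo())
```

The second result shows why AH cannot simply be carried the same way: its integrity check binds the very addresses the NAT must rewrite.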