The invention relates in general to the field of communications between computers in packet-switched data transmission networks. More particularly the invention relates to the field of setting up and maintaining communication connections through a Network Address Translation.
The Internet Engineering Task Force (IETF) has standardized the IPSEC (Internet Protocol Security) protocol suite; the standards are well known from the Request For Comments or RFC documents number RFC2401, RFC2402, RFC2406, RFC2407, RFC2408 and RFC2409 mentioned in the appended list of references, all of which are hereby incorporated by reference. The IPSEC protocols provide security for the IP or Internet Protocol, which itself has been specified in the RFC document number RFC791. IPSEC performs authentication and encryption on packet level by generating a new IP header, adding an Authentication Header (AH) or Encapsulating Security Payload (ESP) header in front of the packet. The original packet is cryptographically authenticated and optionally encrypted. The method used to authenticate and possibly encrypt a packet is identified by a security parameter index (SPI) value stored in the AH and ESP headers. The RFC document number RFC2401 specifies a transport mode and a tunnelling mode for packets; the present invention is applicable regardless of which of these modes is used.
In recent years, more and more vendors and Internet service providers have started performing network address translation (NAT). References to NAT are found at least in the RFC document number RFC1631 as well as the documents which are identified in the appended list of references as Srisuresh98Terminology, SrisureshEgevang98, Srisuresh98Security, HoldregeSrisuresh99, TYS99, Rekhter99, LoBorella99 and BorellaLo99. There are two main forms of address translation, illustrated schematically in
Address translation is most frequently performed at the edge of a local network (i.e., translation between multiple local private addresses on one hand and fewer globally routable public addresses on the other). Most often, port NAT is used and there is only one globally routable address. A local network 154 has been schematically illustrated in
c illustrates an exemplary practical network communication situation where a transmitting node 181 is located in a first local area network (also known as the first private network) 182, which has a port NAT 183 to connect it to a wide-area general packet-switched network 184 like the Internet. The latter consists of a very large number of nodes interconnected in an arbitrary way. A receiving node 185 is located in a second local area network 186 which is again coupled to the wide-area network through a NAT 187. The denominations “transmitting node” and “receiving node” are somewhat misleading, since the communication required to set up network security services is bidirectional. The transmitting node is the one that initiates the communication. Also the terms “Initiator” and “Responder” are used for the transmitting node and the receiving node respectively.
The purpose of
It is well known in the IPSEC community that the IPSEC protocol does not work well across network address translations. The problem has been discussed at least in the references given as HoldregeSrisuresh99 and Rekhter99.
In the Finnish patent application number 974665 and the corresponding PCT application number FI98/01 032, which are incorporated herein by reference, we have presented a certain method for performing IPSEC address translations and a method for packet authentication that is insensitive to address transformations and protocol conversions en route of the packet. Additionally in said applications we have presented a transmitting network device and a receiving network device that are able to take advantage of the aforementioned method. However, some problems related to the provision of network security services over network address translation remain unsolved in said previous patent applications.
It is an object of the present invention to present a method and the corresponding devices for providing network services over network address translation in a reliable and advantageous way.
According to a first aspect of the invention, there is provided a method that includes communicating, by a device, packets from and/or to another device, wherein the communication involves a network address translation, and maintaining the network address translation by transmitting, by the device, packets using the network address translation frequently enough to prevent any intermediate device from deleting a mapping for the network address translation from a cache of the intermediate device.
According to a second aspect of the invention, there is provided an apparatus that includes at least one processor, and at least one memory including computer program code, the at least one memory and the computer program code being configured to, with the at least one processor, cause the apparatus to communicate packets, wherein the communication involves a network address translation, and maintain the network address translation by transmitting packets using the network address translation frequently enough to prevent any intermediate device from deleting a mapping for the network address translation from a cache of the intermediate device.
According to a third aspect of the invention, there is provided non-transitory computer readable media comprising program code for causing a processor to perform instructions for communicating, by a device, packets from and/or to another device, wherein the communication involves a network address translation, and maintaining the network address translation by transmitting, by the device, packets using the network address translation frequently enough to prevent any intermediate device from deleting a mapping for the network address translation from a cache of the intermediate device.
a illustrates the known use of a host NAT,
b illustrates the known use of a port NAT,
c illustrates a known communication connection between nodes through a packet-switched network,
a illustrates a certain Vendor ID payload applicable within the context of the invention,
b illustrates a certain private payload applicable within the context of the invention,
c illustrates a certain combined header structure applicable within the context of the invention,
The present invention combines and extends some of the methods of network address translation, tunneling over UDP, IKE, and the IKE extension mechanisms, in a novel and inventive way to produce a method for secure communications across network address translations and protocol conversions. The method can be made fully automatic and transparent to the user.
A key point relating to the applicability of the invention is that—at the priority date of the present patent application—in general only TCP (described in RFC793, which is hereby incorporated by reference) and UDP (described in RFC768, which is hereby incorporated by reference) work over NAT. This is because most NATs used in practise are port NATs, and this is the form of NAT that provides most benefits with regards to the shortage of globally routable IP addresses. The invention is not, however, limited to the use of UDP and TCP as they are known at the priority date of this patent application: in general it may be said that UDP and TCP are examples of protocols that determine that connection identification information (i.e. addressing and port numbering) that is mapped into another form in the address transformation process. We may expect that other kinds of communication protocols and address transformations emerge in the future.
The various aspects of the invention are related to
The process of encapsulating data packets for transmission over a different logical network is called tunneling. Typically, in the case of the IP protocol, tunneling involves adding a new IP header in front of the original packet, setting the protocol field in the new header appropriately, and sending the packet to the desired destination (endpoint of the tunnel). Tunneling may also be implemented by modifying the original packet header fields or replacing them with a different header, as long as a sufficient amount of information about the original packet is saved in the process so that it will be possible to reconstruct the packet at the end of the tunnel into a form sufficiently similar to the original packet entering the tunnel. The exact amount of information that needs to be passed with the packet depends on the network protocols, and information may be passed either explicitly (as part of the tunnelled packet) or implicitly (by the context, as determined e.g. by previously transmitted packets or a context identifier in the tunneled packet).
It is well known in the art how to tunnel packets over a network. At least the references given as RFC1226, RFC1234, RFC1241, RFC1326, RFC1701, RFC1853, RFC2003, RFC2004, RFC2107, RFC2344, RFC2401, RFC2406, RFC2473 and RFC2529 (all of which are hereby incorporated by reference) relate to the subject of tunneling. For example, RFC1234 presents a method of tunneling IPX frames over UDP. In that method, packets are tunneled to a fixed UDP port and to the decapsulator's IP address.
The IPSEC protocol mentioned in the background description typically uses the Internet Key Exchange or IKE protocol (known from references RFC2409, RFC2408 and RFC2407, all of which are hereby incorporated by reference) for authenticating the communicating parties to each other, deriving a shared secret known only to the communicating parties, negotiating authentication and encryption methods to be used for the communication, and agreeing on a security parameter index (SPI) value and a set of selectors to be used for the communication. The IKE protocol was previously known as the ISAKMP/Oakley, where the acronym ISAKMP comes from Internet Security Association Key Management Protocol. Besides said normal negotiation specified in the IKE standard, IKE supports certain mechanisms for extension. The Vendor ID payload known from reference RFC2408, which is hereby incorporated by reference, allows communicating parties to determine whether the other party supports a particular private extension mechanism. The IPSEC DOI (Domain of Interpretation) known as RFC2407, which is hereby incorporated by reference, reserves certain numeric values for such private extensions.
Currently, the well-known Vendor ID payload is defined to have the format illustrated in
The IKE protocol determines the so-called Phase 1 of the mutual exchange of messages between the Initiator (i.e., the node first sending a packet to the other) and the Responder (i.e., the node first receiving a packet).
In
Next we will address the “occurring translations” aspect of the invention. In addition to the above-mentioned Phase 1, the IKE protocol determines the so-called Phase 2 of the mutual exchange of messages between the Initiator and the Responder. According to the “occurring translations” aspect of the invention the parties can determine which translations occur by including the IP addresses they see in private payloads of certain Phase 2 Quick Mode messages, which are most advantageously their first Phase 2 Quick Mode messages. Any unused number in the private payload number range can be used to signify such use of the private payload (e.g. 157, which is unused at the priority date of the present patent application).
The private payload used to reveal the occurring translations can have e.g. the format illustrated in
According to known practice the addresses of the Initiator and Responder are also included in the header of the packet that contains the payload of
An aspect of some importance when handling the addresses is that the UDP source port of the packet can be saved for later use. It would usually be saved with the data structures for Phase 1 ISAKMP security associations, and would be used to set up compensation processing for Phase 2 IPSEC security associations.
To use the method described above to implement the “occurred translations” aspect of the invention, the hosts must modify their Phase 2 identification payloads: the payload illustrated in
Next we will address the “selected tunnelling”, “compensation/authentication” and “compensation/mapping” aspects of the invention. According to this aspect of the invention the actual data packets can be tunneled over the same connection which is used to set up the security features of the communication connection, e.g. the UDP connection used for IKE. This ensures that the actual data packets will experience the same translations as the IKE packets did when the translation was determined. Taken that the standard port number 500 has been determined for IKE, this would mean that all packets are sent with source port 500 and destination port 500, and a method is needed to distinguish the real IKE packets from those containing encapsulated data. One possible way of doing this takes advantage of the fact that the IKE header used for real IKE packets contains an Initiator Cookie field: we may specify that Initiators that support this aspect of the invention never generate cookies that have all zeroes in their four first bytes. The value zero in the corresponding four bytes is then used to recognize the packet as a tunneled data packet. In this way, tunneled data packets would have four zero bytes at the beginning of the UDP payload, whereas real IKE packets never would.
Without limiting the generality, it is assumed in the presentation here that the encapsulation according to
In encapsulating an actual data packet or a “datagram” according to
As seen from
The sender inserts this header in any packets tunneled to a destination behind NAT. Information about whether NAT is used can be stored on a per SA (Security Association) basis in the policy manager. The encapsulation referred to in
The encapsulation operation makes use of the UDP port number and IP address of the remote host, which were determined during the IKE negotiation.
The receiver decapsulates packets from this encapsulation before doing AH or ESP processing. Decapsulation removes this header and updates the Protocol, Length, and Checksum fields of the IP header. No configuration data (port number etc.) is needed for this operation.
The decapsulation should be performed only if all of the following selectors match:
During decapsulation the source address in the received packet can be replaced by the real source address received during the IKE negotiation. This implements the compensation for AH MAC verification. The address is again changed in the post-processing phase below. Because of this compensation, the standard AH and ESP transforms can be used unmodified.
In
Additional compensation must be done after the packet has been decapsulated from AH or ESP. This additional decapsulation must deal with the fact that the outer packet actually went through NAT (illustrated schematically in
There are several alternatives for this additional compensation for various special cases (the best compensation depends on the particular application):
In general, this invention does not significantly constrain the method used to compensate for inner packets the NAT occurring for the outer header. The optimal method for performing such compensation may be found among the above-given alternatives by experimenting, or some other optimal method could be presented.
Next we will address the “keepalive” aspect of the invention, i.e. ensuring that the network address translations performed in the network do not change after the translations that occur have been determined. Network address translators cache the information about address mapping, so that they can reverse the mapping for reply packets. If TCP is used, the address translator may look at the FIN bit of the TCP header to determine when it can drop a particular mapping. For UDP, however, there is no explicit termination indication for flows. For this reason, many NATs will time out mappings for UDP quite fast (even as fast as in 30 seconds). Thus, it becomes necessary to force the mapping to be maintained.
A possible way of ensuring the maintaining of mappings is to send keepalive packets frequently enough that the address translation remains in the cache. When computing the required frequency, one must take into account that packets may be lost in the network, and thus multiple keepalives must be sent within the estimated shortest period in which NATs may forget the mapping. The appropriate frequency depends on both the period the mappings are kept cached and on the packet loss probability of the network; optimal frequency values for various context may be found through experimenting.
Keepalive packets do not need to contain any meaningful information other than the necessary headers that are equal to the data packet headers to ensure that the keepalive packets will be handled exactly in the same way as the actual data packets. A keepalive packet may contain an indicator that identifies it as a keepalive packet and not a data packet; however it may also be determined that all packets that do not contain meaningful payload information are interpreted to be keepalive packets. In
Encryption/decryption block 504 implements the encryption and decryption of data once the secret key has been obtained by the IKE block 503. Compensation block 505 is used to compensate for the permissible transformations in the transmitted and/or received packets according to the invention. Either one of blocks 504 and 505 may be used to transmit, receive and discard keepalive packets. Packet assembler/disassembler block 506 is the intermediator between blocks 502 to 505 and the physical network interface 501. All blocks operate under the supervision of a control block 507 which also takes care of the routing of information between the other blocks and the rest of the network device, for example for displaying information to the user through a display unit (not shown) and obtaining commands from the user through a keyboard (not shown). The blocks of
Even though the present invention was presented in the context of IKE, and tunneling using the IKE port, it should be understood that the invention applies to also other analogous cases using different packet formatting methods, different negotiation details, a different key exchange protocol, or a different security protocol. The invention may also be applicable to non-IP protocols with suitable characteristics. The invention is equally applicable to both IPv4 and IPv6 protocols. The invention is also intended to apply to future revisions of the IPSEC and IKE protocols.
It should also be understood that the invention can also be applied to protocol translations in addition to just address translations. Adapting the present invention to protocol translations should be well within the capabilities of a person skilled in the art given the description here and the discussions regarding protocol translation in the former patent applications of the same applicant mentioned above and incorporated herein by reference.
All of the following references are hereby incorporated by reference.
This application is a continuation of U.S. application Ser. No. 12/862,305, filed Aug. 24, 2010, now U.S. Pat. No. 8,544,079, which is a continuation of U.S. application Ser. No. 11/128,933, filed May 12, 2005, now U.S. Pat. No. 8,127,348, which is a continuation of U.S. application Ser. No. 09/333,829, filed Jun. 15, 1999, now U.S. Pat. No. 6,957,346. The entire contents of all applications are incorporated herein by reference in their entireties.
Number | Name | Date | Kind |
---|---|---|---|
5377182 | Monacos | Dec 1994 | A |
5490134 | Fernandes et al. | Feb 1996 | A |
5506847 | Shobatake | Apr 1996 | A |
5757795 | Schnell | May 1998 | A |
5757924 | Friedman et al. | May 1998 | A |
5793763 | Mayers et al. | Aug 1998 | A |
5914953 | Krause et al. | Jun 1999 | A |
5933429 | Bubenik et al. | Aug 1999 | A |
5964835 | Fowler et al. | Oct 1999 | A |
5974453 | Andersen et al. | Oct 1999 | A |
5983360 | Ugajin | Nov 1999 | A |
6006254 | Waters et al. | Dec 1999 | A |
6023563 | Shani | Feb 2000 | A |
6028862 | Russell et al. | Feb 2000 | A |
6055236 | Nessett et al. | Apr 2000 | A |
6058431 | Srisuresh et al. | May 2000 | A |
6122669 | Crayford | Sep 2000 | A |
6128298 | Wootton et al. | Oct 2000 | A |
6137781 | Goto et al. | Oct 2000 | A |
6154839 | Arrow et al. | Nov 2000 | A |
6157967 | Horst et al. | Dec 2000 | A |
6173312 | Atarashi et al. | Jan 2001 | B1 |
6178160 | Bolton et al. | Jan 2001 | B1 |
6178505 | Schneider et al. | Jan 2001 | B1 |
6201789 | Witkowski et al. | Mar 2001 | B1 |
6230191 | Walker | May 2001 | B1 |
6233623 | Jeffords et al. | May 2001 | B1 |
6273622 | Ben-David | Aug 2001 | B1 |
6278711 | Ganmukhi et al. | Aug 2001 | B1 |
6282589 | Porterfield et al. | Aug 2001 | B1 |
6324178 | Lo et al. | Nov 2001 | B1 |
6324582 | Sridhar et al. | Nov 2001 | B1 |
6324590 | Jeffords et al. | Nov 2001 | B1 |
6327267 | Valentine et al. | Dec 2001 | B1 |
6330562 | Boden et al. | Dec 2001 | B1 |
6331984 | Luciani | Dec 2001 | B1 |
6339595 | Rekhter et al. | Jan 2002 | B1 |
6356551 | Egbert | Mar 2002 | B1 |
6360265 | Falck et al. | Mar 2002 | B1 |
6377577 | Bechtolsheim et al. | Apr 2002 | B1 |
6381646 | Zhang et al. | Apr 2002 | B2 |
6393488 | Araujo | May 2002 | B1 |
6408336 | Schneider et al. | Jun 2002 | B1 |
6411986 | Susai et al. | Jun 2002 | B1 |
6418476 | Luciani | Jul 2002 | B1 |
6457061 | Bal et al. | Sep 2002 | B1 |
6463061 | Rekhter et al. | Oct 2002 | B1 |
6480891 | Chernyak et al. | Nov 2002 | B1 |
6484236 | Fujimoto et al. | Nov 2002 | B2 |
6487218 | Ludwig et al. | Nov 2002 | B1 |
6501767 | Inoue et al. | Dec 2002 | B1 |
6507908 | Caronni | Jan 2003 | B1 |
6512774 | Vepa et al. | Jan 2003 | B1 |
6515974 | Inoue et al. | Feb 2003 | B1 |
6515997 | Feltner et al. | Feb 2003 | B1 |
6519248 | Valko | Feb 2003 | B1 |
6526056 | Rekhter et al. | Feb 2003 | B1 |
6563824 | Bhatia et al. | May 2003 | B1 |
6590861 | Vepa et al. | Jul 2003 | B1 |
6614781 | Elliott et al. | Sep 2003 | B1 |
6615357 | Boden et al. | Sep 2003 | B1 |
6617879 | Chung | Sep 2003 | B1 |
6633540 | Raisanen et al. | Oct 2003 | B1 |
6694429 | Kalmanek et al. | Feb 2004 | B1 |
6697354 | Borella et al. | Feb 2004 | B1 |
6701437 | Hoke et al. | Mar 2004 | B1 |
6731625 | Eastep et al. | May 2004 | B1 |
6738384 | Chung | May 2004 | B1 |
6744728 | Chung | Jun 2004 | B1 |
6751221 | Saito et al. | Jun 2004 | B1 |
6751225 | Chung | Jun 2004 | B1 |
6757290 | Kalmanek et al. | Jun 2004 | B1 |
6785223 | Korpi et al. | Aug 2004 | B1 |
6795917 | Ylonen | Sep 2004 | B1 |
6816490 | Chung | Nov 2004 | B1 |
6870845 | Bellovin et al. | Mar 2005 | B1 |
6888818 | Gubbi | May 2005 | B1 |
6909708 | Krishnaswamy et al. | Jun 2005 | B1 |
6925076 | Dalgic et al. | Aug 2005 | B1 |
6957346 | Kivinen et al. | Oct 2005 | B1 |
7032242 | Grabelsky et al. | Apr 2006 | B1 |
RE39360 | Aziz et al. | Oct 2006 | E |
7145898 | Elliott | Dec 2006 | B1 |
7151772 | Kalmanek et al. | Dec 2006 | B1 |
7161937 | Dunning et al. | Jan 2007 | B1 |
7221666 | Inoue et al. | May 2007 | B2 |
7274662 | Kalmanek et al. | Sep 2007 | B1 |
7305081 | Kalmanek et al. | Dec 2007 | B1 |
7346770 | Swander et al. | Mar 2008 | B2 |
7492886 | Kalmanek et al. | Feb 2009 | B1 |
7742467 | Kalmanek et al. | Jun 2010 | B1 |
7778240 | Kalmanek et al. | Aug 2010 | B1 |
7957369 | Fayad et al. | Jun 2011 | B2 |
8675647 | Luciani | Mar 2014 | B1 |
20020019933 | Friedman et al. | Feb 2002 | A1 |
20020034179 | Ollikainen et al. | Mar 2002 | A1 |
20020042875 | Shukla | Apr 2002 | A1 |
20020059428 | Susai et al. | May 2002 | A1 |
20020094084 | Wasilewski et al. | Jul 2002 | A1 |
20030009561 | Sollee | Jan 2003 | A1 |
20040088537 | Swander et al. | May 2004 | A1 |
20060292292 | Brightman et al. | Dec 2006 | A1 |
20070192508 | Sollee | Aug 2007 | A1 |
20080028436 | Hannel et al. | Jan 2008 | A1 |
20100138560 | Kivinen et al. | Jun 2010 | A1 |
20100318682 | Kivinen et al. | Dec 2010 | A1 |
20110231443 | Hannel et al. | Sep 2011 | A1 |
Number | Date | Country |
---|---|---|
9-261265 | Oct 1997 | JP |
WO 9832065 | Jul 1998 | WO |
WO 9935799 | Jul 1999 | WO |
Entry |
---|
BorellaLo99; M. Borella, J. Lo: Realm Specific IP: Protocol Specification, draft-ietf-nat-rsip-protocol-00.txt, Work in Progress, Internet Engineering Task Force, 1999. |
HoldregeSrisuresh99; M. Holdrege, P. Srisuresh: Protocol Complications with the IP Network Address Translator (NAT), draft-ietf-nat-protocol-complications-00.txt, Work in Progress, Internet Engineering Task Force, 1999. |
LoBorella99; J. Lo, M. Borella: Real Specific IP: A Framework, draft-ietf-nat-rsip-framework-00.txt, Work in Progress, Internet Engineering Task Force, 1999. |
Rekhter99; Y. Rekhter: Implications of NATs on the TCP/IP architecture, draft-ietf-nat-arch-implications-00.txt, Internet Engineering Task Force, 1999. |
RFC768; J. Postel: User Datagram Protocol, RFC 768, Internet Engineering Task Force, 1980. |
RFC791 J. Postel: Internet Protocol, RFC 791, Internet Engineering Task Force, 1981. |
RFC793; J. Postel: Transmission Control Protocol, RFC 793, Internet Engineering Task Force, 1981. |
RFC959; J. Postel, J. Reynolds: File Transfer Protocol, RFC 959, Internet Engineering Task Force, 1985. |
RFC1071; R. Braden, D. Borman, C. Partridge: Computing the Internet checksum, RFC 1071, Internet Engineering Task Force, 1988. |
RFC1226; B. Kantor: Internet protocol encapsulation of AX.25 frames, RFC 1226, Internet Engineering Task Force, 1991. |
RFC1234; D. Proven: Tunneling IPX traffic through IP networks, RFC 1234, Internet Engineering Task Force, 1991. |
RFC1241; R. Woodburn, D. Mills: Scheme for an internet encapsulation protocol: Version 101, RFC 1241, Internet Engineering Task Force, 1991. |
RFC1321; R. Rivest: The MD5 message-digest algorithm, RFC 1321, Internet Engineering Task Force, 1992. |
RFC1326; P. Tsuchiya: Mutual Encapsulation Considered Dangerous, RFC 1326, Internet Engineering Task Force, 1992. |
RFC1631; K. Egevang, P. Francis: The IP Network Address Translator (NAT), RFC 1631, Internet Engineering Task Force, 1994. |
RFC1701; S. Hanks, T. Li, D Farinacci, P. Traina: Generic Routing Encapsulation, RFC 1701, Internet Engineering Task Force, 1994. |
RFC1702; S. Hanks, T. U, D. Farinacci, P. Traina: Generic Routing Encapsulation over IPv4 networks, RFC 1702, Internet Engineering Task Force, 1994. |
RFC1853; W. Simpson: IP in IP Tunneling, RFC 1853, Internet Engineering Task Force, 1995. |
RFC2003; C. Perkins: IP Encapsulation within IP, RFC 2003, Internet Engineering Task Force, 1996. |
RFC2004; C. Perkins: Minimal Encapsulation within IP, RFC 2004, Internet Engineering Task Force, 1996. |
RFC2107; K. Hamzeh: Ascend Tunnel Management Protocol, RFC 2107, Internet Engineering Task Force, 1997. |
RFC2344; G. Montenegro: Reverse Tunneling for Mobile IP, FC 2344, Internet Engineering Task Force, 1998. |
RFC2391; P. Srisuresh, D. Gan: Load Sharing using IP Network Address Translation (LSNAT), RFC 2391, Internet Engineering Task Force, 1998. |
RFC2401; S. Kent, R. Atkinson: Security Architecture for the Internet Protocol, RFC 2401, Internet Engineering Task Force, 1998. |
RFC2402; S. Kent, R. Atkinson: IP Authentication Header, RFC 2402, Internet Engineering Task Force, 1998. |
RFC2406; S. Kent, R. Atkinson: IP Encapsulating Security Payload, RFC 2406, Internet Engineering Task Force, 1998. |
RFC2407; D. Piper: The Internet IP Security Domain of Interpretation for ISAKMP. RFC 2407, Internet Engineering Task Force, 1998. |
RFC2408; D. Maughan, M. Schertler, M. Schneider, J. Turner: Internet Security Association and Key Management Protocol (ISAKMP), RFC 2408, Internet Engineering Task Force, 1998. |
RFC2409; D. Hakins, D, Carrel: The Internet Key Exchange (IKE), RFC 2409, Internet Engineering Task Force, 1998. |
RFC2473; A. Conta, S. Deering: Generic Packet Tunneling in IPv6 Specification, RFC 2473, Internet Engineering Task Force, 1998. |
RFC2529; B Carpenter, C. Jung: Transmission of IPv6 over IPv4 Domains without Explicit Tunnels, RFC 2529, Internet Engineering Task Force, 1999. |
Srisuresh98Terminology; P. Srisuresh: IP Network Address Translator (NAT) Terminology and Considerations, draft-ietf-nat-terminology-01.txt, Work in Progress, Internet Engineering Task Force, 1998. |
Sdsuresh98Security; P. Srisuresh: Security Model for Network Address Translator (NAT) Domains, draft-ietf-nat-security-01.txt, Work in Progress, Internet Engineering Task Force, 1998. |
Srisuresh98Security; P. Srisuresh: Security Model for Network Address Translator (NAT) Domains, draft-ietf-nat-security-01.txt, Work in Progress, Internet Engineering Task Force, 1999. |
SrisureshEgevang98; P. Srisuresh, K. Egevang: Traditional IP Network Address Translator (Traditional NAT), draft-ietf-nat-traditional-01.txt, Work in Progress, Internet Engineering Task Force, 1998. |
TYS99; W. Teo, S. Yeow, R. Singh: IP Relocation through twice Network Address Translators (RAT), draft-ieft-nat-rnat-00.txt, Work in Progress, Internet Engineering Task Force, 1999. |
Data Communications, McGraw Hill, New York, U.S. Journal Article, vol. 26. Nr. 16, Nov. 1997, pp. 55-59. Rodney Thayer: “Bulletproof IP with authentication and encryption, IPSec adds a layer of armor to IP”. |
IEEE, Computer. vol. 31, Issue 9. Sep. 1998, pp. 43-47. Rolph Opplinger: “Security at the Internet Layer”. ISSN: 0018-9162. |
IETF, Internet Draft, Jun. 2, 1998. R.G. Moskowitz: “Network Address Translation Issues with IPSec”, Retrieved from Internet: <URL:http://www.alternic.org/drafts/draftsm-n/draftmoskowitz-net66-vpn-00.txt. |
IETF, Internet Draft, Aug. 22, 1997, R.G. Moskowitz: “Network Address Translation Issues with IPSec”. Retrieved from Internet: <URL:http://www.alternic.org/drafts/draftsm-n/draft moskowitz-ipsec-vpn-nat-00.txt. |
IETF, Internet Draft, Apr. 1998, G. Tsirtis: “AATN Components & Mechanisms”, Retrieved from Internet: <URL: http://www.—alternic.—org/drafts/drafts-t-u/draft-tsirtsis-aatn-mech-00.txt. |
IETF, Internet Draft, Feb. 1999, W.T. Teo et al: “IP Relocation through twice Network Address Translators (RAT)”, Retrieved from Internet: <URL: http://tools.ietf.org/id/draft-ietf-nat-rnat-00.txt. |
V. Paxson, et al. “Known TCP Implementation Problems”; Network Working Group, Informational, Mar. 1999, pp. 1-61. |
D. Newman Data Communications, “Benchmarking Terminology for Firewall Performance; draft-ietf-bmwg-secperf-07.txt”, May 1999. |
Bova & Krivoruchka “Reliable UDP Protocol”, Internet Draft, Cisco Systems, Feb. 25, 1999; pp. 1-16. |
D. Presotto, et al. “The IL Protocol”, 1995, Lucent Technologies, http://doc.cat-v.org/plan—9/2nd—edition/papers/il/ printed from website Apr. 4, 2011; pp. 1-10. |
R. Braden, et al. “Resource ReSerVation Protocol (RSVP)”; Version 1 Functional Specification, Network Working Group; Standard Track, Sep. 1997; pp. 1-112. |
U.S. Notice of Allowance for U.S. Appl. No. 13/975,492 dated Sep. 16, 2014. |
U.S. Notice of Allowance dated Oct. 7, 2014 for U.S. Appl. No. 14/012,074. |
U.S. Notice of Allowance dated Oct. 1, 2014 for U.S. Appl. No. 14/012,130. |
U.S. Notice of Allowance dated Nov. 7, 2014 for U.S. Appl. No. 13/975,514. |
U.S. Notice of Allowance dated Nov. 12, 2014 for U.S. Appl. No. 13/975,451. |
IETF NAT WG meeting minutes of Dec. 9, 1998; pp. 1-12; http://www.livingston.com/tech/ietf/nat. |
Number | Date | Country | |
---|---|---|---|
20130346556 A1 | Dec 2013 | US |
Number | Date | Country | |
---|---|---|---|
Parent | 12862305 | Aug 2010 | US |
Child | 14012180 | US | |
Parent | 11128933 | May 2005 | US |
Child | 12862305 | US | |
Parent | 09333829 | Jun 1999 | US |
Child | 11128933 | US |