
Broadband VPN: Making IPSec Work Together with NAT

【Author】 张世雄

【Advisor】 江春华

【Author information】 University of Electronic Science and Technology of China, Computer Application Technology, 2003, Master's degree

【Abstract (Chinese)】 In the TCP/IP protocol suite, the security services provided by the IPSec (Internet Protocol Security) protocol guarantee the confidentiality, integrity and anti-replay protection of data while it is transmitted across the network, provide limited protection against traffic-flow analysis attacks on network communication, and give the network an access-control capability. Network Address Translation (NAT) was created to solve the shortage of IPv4 addresses caused by design flaws in IPv4 addressing; NAT also hides the internal network topology and gives companies that lack global IP addresses the ability to connect to the Internet. IPSec protects packets in transit from unauthorized modification, replay, substitution and similar misuse in order to secure communication data, whereas NAT shares a limited number of global IP addresses, or hides the internal network topology from external networks, chiefly by modifying the IP addresses and transport-layer ports in packets. This contradiction, between packets that must not be modified and packets that need to be modified, means that network communication cannot proceed normally when both IPSec and NAT are present in the network. We solve the problem that IPSec and NAT cannot coexist by encapsulating IPSec packets in a UDP header. Because the UDP header is not covered by IPSec's security protection, NAT can modify the packet to perform address and port translation while IPSec still secures the data communication. We modified the source code of a Linux-based IPSec implementation directly, adopting UDP-header encapsulation of IPSec packets, and achieved IPSec working together with NAT. This approach reduces the impact on system performance, has little effect on system security, accommodates most IPSec implementations and NAT devices in existing network environments, requires no modification whatsoever to the NAT devices in the network, and can be deployed without restriction in today's Internet environment. The modified IPSec implementation provides companies with a more flexible and convenient way to build VPNs while retaining the main functions of both IPSec and NAT, and it adapts well to existing real-world network environments. It provides a solid foundation for companies to interconnect their geographically distributed offices over the widely used, inexpensive Internet.

【Abstract (English)】 In the TCP/IP protocol suite, the IPSec protocol provides interoperable, high-quality, cryptographically-based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper layer protocols. The need for IP address translation arises when a network's internal IP addresses cannot be used outside the network, either for privacy reasons or because they are invalid for use outside the network. Today NATs are widely deployed in home gateways, as well as in other locations likely to be used by tele-commuters, such as hotels. However, the IPSec protocol prevents the datagram it carries from being modified by others, while NAT modifies the header of every datagram that passes through it in order to reach its goal. So there are incompatibilities between IPSec and NAT. Now, the IPsec-NAT incompatibilities have become a major barrier to deployment of IPsec in one of its principal uses. This paper describes how to solve the known incompatibilities between NAT and IPSec. We adopt the method of UDP encapsulation of ESP packets to solve the IPsec-NAT incompatibilities, and we implement it under the Linux operating system. This method should be usable in all scales where NAT is deployed today to do simple pure address-to-address, or address and port, translation. Most importantly, this proposal does not require any change to the NAT device itself. The method is used only if the IKE initiator and the responder support it, and only when necessary, since NAT detection is built into the protocol. We have not implemented support for AH over NAT; future work will address it.

【Keywords (Chinese)】 Network Address Translation (NAT); IPSec; Security Association (SA); Keep_alive
【Key words】 NAT; IPSec; Keep_alive; SA; UDP-Encapsulation
  • 【Classification number】 TN915.85
  • 【Times cited】 4
  • 【Downloads】 124