Broadband VPN: Making IPSec and NAT Work Together
Abstract
In the TCP/IP protocol suite, the IPSec (Internet Protocol Security) protocol provides security services that guarantee the confidentiality, integrity and anti-replay protection of data in transit, offer limited protection against traffic-analysis attacks on network communication, and give the network an access-control capability. Network Address Translation (NAT) was devised to relieve the shortage of IPv4 addresses; it also hides the topology of the internal network and lets an organization that lacks globally routable IP addresses connect to the Internet.
    IPSec protects packets against unauthorized modification, replay or substitution in transit, so as to secure the communicated data; NAT, on the other hand, shares a limited pool of global IP addresses (or hides the internal topology from the outside) precisely by rewriting the packet's IP addresses, transport-layer ports and related fields. This conflict between a protocol that forbids packet modification and a device that must modify packets means that, in a network where both IPSec and NAT are present, communication cannot proceed normally.
    We solve the problem of IPSec and NAT being unable to coexist by encapsulating IPSec packets in a UDP header. Because the UDP header is not covered by IPSec's protection, NAT can modify the packet to perform address and port translation, while IPSec still protects the communication.
    We implemented IPSec-NAT cooperation by modifying the source code of an IPSec implementation based on the Linux operating system so that it encapsulates IPSec packets in a UDP header. This approach has little impact on system performance and little effect on system security, accommodates most of the IPSec implementations and NAT devices found in today's networks, requires no change whatsoever to the NAT devices, and can be deployed without restriction in the present-day Internet.
    The modified IPSec implementation gives companies a more flexible and convenient way to build VPNs while keeping the main functions of both IPSec and NAT, so it adapts well to existing real-world networks. It provides a solid basis for companies to interconnect geographically dispersed sites over the widely available and inexpensive Internet.
In the TCP/IP protocol suite, the IPSec protocol provides interoperable, high-quality, cryptographically based security for IPv4 and IPv6. The set of security services offered includes access control, connectionless integrity, data origin authentication, protection against replays (a form of partial sequence integrity), confidentiality (encryption), and limited traffic-flow confidentiality. These services are provided at the IP layer, offering protection for IP and/or upper-layer protocols.
    The need for IP address translation arises when a network's internal IP addresses cannot be used outside the network, either for privacy reasons or because they are invalid for use outside the network. Today NATs are widely deployed in home gateways, as well as in other locations likely to be used by telecommuters, such as hotels.
    However, IPSec prevents the datagrams it carries from being modified by others, whereas NAT modifies the headers of the datagrams that pass through it in order to do its job. There are therefore incompatibilities between IPSec and NAT, and these IPSec-NAT incompatibilities have become a major barrier to deploying IPSec in one of its principal uses. This paper describes how to solve the known incompatibilities between NAT and IPSec.
    We adopt the method of UDP encapsulation of ESP packets to solve the IPSec-NAT incompatibilities, and we implement it under the Linux operating system. The method should be usable wherever NAT is deployed today to do simple address-to-address or address-and-port translation. Most importantly, the proposal requires no change to the NAT device itself. The method is used only if both the IKE initiator and the responder support it, and only when necessary, since NAT detection is built into the protocol. We do not implement support for AH over NAT; that is left to future work.
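The following Python is an added example, not code from the thesis or from the Linux implementation it modified. It models the mechanism the abstract describes, going a little beyond it: an ESP packet authenticated with HMAC-SHA-1-96 (RFC 2404, as in the thesis's references) is wrapped in a UDP header on port 4500 with a zero UDP checksum, a simulated NAPT box rewrites the outer source address and port, and the receiver still verifies the ESP ICV because that ICV covers only SPI, sequence number and payload. For contrast it computes an AH-style ICV over the IP header (mutable fields zeroed, addresses included), which the same NAT breaks, and it shows the NAT-D hash from the NAT-T IKE draft that lets the peers detect a NAT in the path. All keys, addresses, cookies and the opaque "encrypted" payload are constructed for the demo; real ESP also encrypts, which is omitted here, and SHA-1 as the NAT-D hash is an assumption (the draft uses the negotiated hash).

```python
import hashlib
import hmac
import socket
import struct

# Port and framing rules from the NAT-traversal drafts the thesis cites
# (draft-ietf-ipsec-udp-encaps, draft-ietf-ipsec-nat-t-ike; later RFC 3948 and
# RFC 3947): ESP rides in UDP on the IKE NAT-T port, and the first four bytes
# after the UDP header are the ESP SPI. IKE on the same port puts an all-zero
# "non-ESP marker" there, so SPI 0 is reserved and never used for ESP.
NAT_T_PORT = 4500
IPPROTO_UDP = 17
ICV_LEN = 12  # HMAC-SHA-1-96 (RFC 2404) truncation

def ipv4_checksum(hdr: bytes) -> int:
    """RFC 791 one's-complement sum over a 20-byte header (checksum field zeroed)."""
    total = sum(struct.unpack("!10H", hdr[:20]))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0x4000,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]

def esp_packet(spi: int, seq: int, enc_payload: bytes, auth_key: bytes) -> bytes:
    """ESP (RFC 2406) header + payload + ICV. Encryption is omitted: enc_payload
    stands in for the already-encrypted payload and trailer. The ICV covers SPI,
    sequence number and payload, and nothing outside ESP (no IP header)."""
    assert spi != 0, "SPI 0 is the IKE non-ESP marker"
    body = struct.pack("!II", spi, seq) + enc_payload
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]

def udp_encap(src: str, dst: str, esp: bytes) -> bytes:
    """IP + UDP(4500 -> 4500) + ESP. The UDP checksum is sent as zero, as the
    encapsulation draft allows, so a NAT can rewrite ports without touching ESP."""
    udp = struct.pack("!HHHH", NAT_T_PORT, NAT_T_PORT, 8 + len(esp), 0) + esp
    return ipv4_header(src, dst, IPPROTO_UDP, len(udp)) + udp

def nat_translate(pkt: bytes, public_ip: str, public_port: int) -> bytes:
    """Simulated NAPT: rewrite outer source address and UDP source port,
    recompute the IP checksum, decrement TTL. Nothing past the UDP header changes."""
    ip, rest = pkt[:20], pkt[20:]
    dst, ttl, proto = socket.inet_ntoa(ip[16:20]), ip[8], ip[9]
    udp = struct.pack("!H", public_port) + rest[2:]
    return ipv4_header(public_ip, dst, proto, len(udp), ttl - 1) + udp

def decap_and_verify(pkt: bytes, auth_key: bytes) -> tuple[bool, int]:
    """Receiver: strip IP and UDP, divert IKE by its non-ESP marker, then check
    the ESP ICV. Returns (icv_ok, spi)."""
    esp = pkt[28:]
    spi = struct.unpack("!I", esp[:4])[0]
    if spi == 0:
        return False, 0  # IKE traffic sharing port 4500, not ESP
    body, icv = esp[:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, body, hashlib.sha1).digest()[:ICV_LEN]
    return hmac.compare_digest(icv, expected), spi

def ah_icv(ip_hdr: bytes, ah_body: bytes, auth_key: bytes) -> bytes:
    """AH (RFC 2402) ICV input: IP header with mutable fields (TOS, flags/offset,
    TTL, checksum) zeroed but source and destination kept. This is why AH cannot
    cross a NAT and why the thesis leaves AH out."""
    immutable = (ip_hdr[:1] + b"\x00" + ip_hdr[2:6] + b"\x00\x00\x00"
                 + ip_hdr[9:10] + b"\x00\x00" + ip_hdr[12:20])
    return hmac.new(auth_key, immutable + ah_body, hashlib.sha1).digest()[:ICV_LEN]

def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload (draft-ietf-ipsec-nat-t-ike): HASH(CKY-I | CKY-R | IP | Port).
    Each IKE peer sends hashes of the address and port it believes it uses; the
    other side recomputes over what it actually observed. SHA-1 assumed here."""
    return hashlib.sha1(cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)).digest()

def demo() -> dict:
    key = b"\x0b" * 20                                        # constructed auth key
    esp = esp_packet(0x1000, 1, b"encrypted-payload-and-trailer", key)
    inside = udp_encap("10.0.0.5", "203.0.113.9", esp)        # private host -> VPN gateway
    outside = nat_translate(inside, "198.51.100.7", 61234)    # same packet after the home NAT
    esp_ok, spi = decap_and_verify(outside, key)
    ah_ok = ah_icv(inside[:20], b"ah", key) == ah_icv(outside[:20], b"ah", key)
    cky_i, cky_r = b"\x11" * 8, b"\x22" * 8                   # constructed ISAKMP cookies
    sent = nat_d(cky_i, cky_r, "10.0.0.5", 500)               # initiator hashes its own view
    seen = nat_d(cky_i, cky_r, "198.51.100.7", 61234)         # responder hashes what arrived
    return {"esp_verifies_after_nat": esp_ok, "spi": spi,
            "ah_verifies_after_nat": ah_ok, "nat_detected": sent != seen}

if __name__ == "__main__":
    print(demo())
```

The receiver's first branch is the check that makes port sharing safe: because IKE on 4500 always starts with the four-byte non-ESP marker, a zero SPI is dispatched to IKE and never to the ESP verifier. Note also that `nat_translate` only works this cheaply because the UDP checksum is zero; an encapsulator that fills it in would force the NAT to patch it, which every NAPT does anyway, but the ESP ICV would still be unaffected since it never covered the outer headers.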
References
1. Kent, S. and R. Atkinson. Security Architecture for the Internet Protocol. RFC 2401, November 1998.
2. Kent, S. and R. Atkinson. IP Authentication Header. RFC 2402, November 1998.
3. Madson, C. and R. Glenn. The Use of HMAC-MD5-96 within ESP and AH. RFC 2403, November 1998.
4. Madson, C. and R. Glenn. The Use of HMAC-SHA-1-96 within ESP and AH. RFC 2404, November 1998.
5. Madson, C. and N. Doraswamy. The ESP DES-CBC Cipher Algorithm With Explicit IV. RFC 2405, November 1998.
6. Harkins, D. and D. Carrel. The Internet Key Exchange (IKE). RFC 2409, November 1998.
7. Piper, D. The Internet IP Security Domain of Interpretation for ISAKMP. RFC 2407, November 1998.
8. Maughan, D., M. Schertler, M. Schneider and J. Turner. Internet Security Association and Key Management Protocol (ISAKMP). RFC 2408, November 1998.
9. Reynolds, J. and J. Postel. Assigned Numbers. STD 2, RFC 1700, October 1994.
10. Srisuresh, P. and M. Holdrege. IP Network Address Translator (NAT) Terminology and Considerations. RFC 2663, August 1999.
11. Dixon, W. et al. IPSec over NAT Justification for UDP Encapsulation. draft-ietf-ipsec-udp-encaps-justification-00.txt, June 2001.
12. Kivinen, T. et al. Negotiation of NAT-Traversal in the IKE. draft-ietf-ipsec-nat-t-ike-02.txt, April 2002.
13. Aboba, B. IPsec-NAT Compatibility Requirements. draft-aboba-nat-ipsec-04.txt, May 2001.
14. Huttunen, A. et al. UDP Encapsulation of IPsec Packets. draft-ietf-ipsec-udp-encaps-02.txt, April 2002.
15. Carpenter, B. and K. Moore. Connection of IPv6 Domains via IPv4 Clouds. RFC 3056, February 2001.
16. Egevang, K. et al. The IP Network Address Translator (NAT). RFC 1631, May 1994.
17. 戴宗坤, 唐三平. VPN and Network Security (VPN与网络安全). 金城出版社 (Jincheng Press), September 2000.
18. Schneier, Bruce. Applied Cryptography (应用密码学), Chinese translation by 吴世忠, 祝世雄 et al. 机械工业出版社 (China Machine Press), January 2000.
19. Davis, Carlton R. Secure Implementation of IPSec VPNs (IPSec VPN的安全实施), Chinese translation by 周永彬, 冯登国, 徐震, 李德全 et al. 清华大学出版社 (Tsinghua University Press), January 2002.
20. Burnett, Steve and Stephen Paine. A Practical Guide to Cryptographic Engineering (密码工程实践指南), Chinese translation by 冯登国, 周永彬, 张振峰, 李德全 et al. 清华大学出版社 (Tsinghua University Press), October 2001.
21. 谢希仁. Computer Networks (计算机网络), 2nd ed. 电子工业出版社 (Publishing House of Electronics Industry), April 1999.
22. 吴鸿钟, 罗慧, 张世雄, 谭兴烈. Key Exchange and Key Management Protocol: A Study of IKE (密钥交换与密钥管理协议-IKE研究). 计算机科学与应用 (Computer Science and Application), 2002, Vol. 38, No. 21, pp. 150-152.
23. Titz, Olaf. Why TCP over TCP is a bad idea. http://sites.inka.de/sites/bigred/debel/tcp-tcp.html
24. e-Border Solution Series 1: Solving NAT and Private IP Problems. Permeo Technologies, Inc., July 2001.

© 2004-2018 China Geological Library (中国地质图书馆). All rights reserved. 京ICP备05064691号 京公网安备11010802017129号