Research on the Application of UDP Encapsulation for IPSec NAT Traversal
Abstract
IPSec is a common technique for building VPNs (Virtual Private Networks). It can address the various security threats currently faced on the Internet fairly well and effectively guarantee secure data transmission. In practice, however, IPSec is seriously incompatible with NAT, the technique used to alleviate the shortage of IPv4 addresses. Because the IPSec protocol is used in a VPN to protect the integrity of the transmitted data, any modification of the IP addresses or transmission flag bits in transit is treated as a violation of the protocol and causes the packet to fail the security check and be dropped. Yet using NAT in a VPN unavoidably requires mapping private addresses to public addresses, that is, modifying IP addresses. This incompatibility has severely limited the range of application of NAT and IPSec, and is particularly inconvenient for remote users accessing VPN servers.
In network security applications, NAT gateways and IPSec gateways often need to work together. To that end, this thesis proposes an X.509-certificate-based UDP encapsulation scheme for NAT traversal: during the IKE negotiation of the SA, payloads are added to detect whether the VPN between the gateways supports NAT traversal and whether a NAT exists between the gateways; processing for UDP encapsulation and decapsulation of ESP packets is added; the whole process is tested and analyzed in detail; and the open problems of the UDP-encapsulation NAT traversal scheme are also analyzed.
Based on the actual needs of our institution's campus network, and without requiring redeployment of the existing NAT devices, this thesis proposes a method of traversing NAT by UDP-encapsulating the data in order to integrate VPN and NAT. Taking the overall architecture of the NAT traversal scheme as the basis, improving the data encapsulation format and extending the functions of the related protocols yields a complete NAT traversal solution.
IPSec is a common technique and an important part of VPN (Virtual Private Network). It can help us not only deal with various security threats on the Internet, but also effectively ensure safe data transmission. However, in practice the IPSec technique is not compatible with the NAT technique, which is used to solve the problem of IPv4 address shortage. The IPSec protocol in a VPN is used to keep the integrity of data in transmission, but any change to the IP address or transmission flags in transit will be regarded as a violation of this protocol and cause data packets to fail the security checks and be dropped. The application of NAT in a VPN inevitably maps private addresses to public addresses, which changes the IP address. This incompatibility has limited the application scope of NAT and IPSec, and is especially inconvenient for remote users visiting VPN servers.
The cooperation between the NAT gateway and the IPSec gateway is necessary in the field of network security applications. Therefore, I put forward a technique of UDP encapsulation across NAT based on the X.509 certificate, adding payloads during the IKE negotiation of the SA to detect whether the VPN between the gateways supports NAT traversal and whether a NAT exists between the gateways. I also bring forward processing for UDP encapsulation and decapsulation of ESP messages, and test and analyze the whole process. I analyze some unsolved problems of passing NAT by using UDP encapsulation.
I consider the demands of my own university's network and come up with traversing NAT by using UDP encapsulation to achieve compatibility between VPN and NAT, without redeploying the existing NAT equipment. I plan out a complete NAT traversal project based on the overall structure, by improving the data encapsulation formats and expanding the related protocol functions.
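As an added illustration of the UDP encapsulation the abstract describes (example code, not from the thesis), the following Python builds and demultiplexes the three kinds of datagram that share UDP port 4500 under RFC 3948 (UDP-encapsulated ESP, IKE with the non-ESP marker, and the NAT keepalive), and models a NAT rewriting the outer UDP header to show why the ESP payload behind it survives. All function names and sample values are constructed for this example.

```python
import struct

NAT_T_PORT = 4500                      # port for NAT-T IKE and UDP-encapsulated ESP
NON_ESP_MARKER = b"\x00\x00\x00\x00"   # prefixes IKE on port 4500 (RFC 3948 sect. 2.2)
NAT_KEEPALIVE = b"\xff"                # one-octet keepalive payload (RFC 3948 sect. 2.3)

def udp_header(src_port, dst_port, payload_len):
    # Checksum 0 means "not computed"; RFC 3948 permits this for UDP-ESP over IPv4.
    return struct.pack("!HHHH", src_port, dst_port, 8 + payload_len, 0)

def encap_esp(spi, seq, esp_rest, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """Wrap an ESP packet (SPI, sequence number, then the already-encrypted
    body, trailer and ICV passed as esp_rest) in a UDP datagram."""
    if spi == 0:
        raise ValueError("SPI 0 is reserved: it would collide with the non-ESP marker")
    esp = struct.pack("!II", spi, seq) + esp_rest
    return udp_header(src_port, dst_port, len(esp)) + esp

def encap_ike(ike_msg, src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """IKE on port 4500 carries a 4-octet zero marker so it can be told from ESP."""
    body = NON_ESP_MARKER + ike_msg
    return udp_header(src_port, dst_port, len(body)) + body

def keepalive(src_port=NAT_T_PORT, dst_port=NAT_T_PORT):
    """Single 0xFF octet sent periodically to keep the NAT mapping alive."""
    return udp_header(src_port, dst_port, 1) + NAT_KEEPALIVE

def simulate_nat(datagram, new_src_port):
    """Model a NAT on the path: it rewrites the outer UDP source port (and, on a
    real network, the outer IP address) but cannot touch the ESP payload behind it."""
    _src, dst, length, csum = struct.unpack("!HHHH", datagram[:8])
    return struct.pack("!HHHH", new_src_port, dst, length, csum) + datagram[8:]

def demux(datagram):
    """Classify a datagram received on port 4500 as keepalive, IKE or ESP."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    src, _dst, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram size")
    body = datagram[8:]
    if body == NAT_KEEPALIVE:
        return ("keepalive", None)
    if body[:4] == NON_ESP_MARKER:
        return ("ike", body[4:])
    if len(body) < 8:
        raise ValueError("ESP header truncated")
    spi, seq = struct.unpack("!II", body[:8])
    # The receiver selects the SA by SPI; ESP's integrity check covers only the ESP
    # portion, so the NAT's rewrite of the outer UDP/IP header does not break it.
    return ("esp", {"src_port": src, "spi": spi, "seq": seq, "rest": body[8:]})
```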