Abstract
While the transition from IPv4 to IPv6 has been considered to extend the IP address space, the NAT protocol is widely used as an interim solution. Using the NAT protocol with the end-to-end IPSec resulting a conflict due to the address transition operation of the NAT. In this paper, we design two mechanisms which provide the end-to-end security service even if a NAT is used for private networks. The first proposed mechanism defines a notification message to deliver the address translation information in advance. This mechanism uses already defined protocols and does not need additional protocol modification. The second proposed mechanism uses SSL and IPSec to protect user data and IP header. Although this mechanism needs chip redundancy on packet length, it can save duplicated encryptions caused by SSL and IPSec encryptions. Procedures and parameters to support the mechanisms are designed in this paper.
This is a preview of subscription content, log in via an institution to check access.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Preview
Unable to display preview. Download preview PDF.
References
K. Egevang, P. Francis, The IP Network Address Translator (NAT). RFC 1631, May. 1994.
Kent, Stephen and Atakinson, Randall, The Security Architecture for the Internet Protocol. RFC 2401, 1998.
John D., Linux VPN Masquerade HOWTO.
B. Sivasubramanian, M. K. Sundareshan, “Management of end-to-end security in collaborative IP network environments,” Integrated Network Management Proceedings. IEEE/IFIP International Symposium, pp. 639–655, 2001.
A. Huttunen et al., “UDP Encapsulation of IPSec Packets,” draft-ietf-ipsecudp-encaps-01.txt, Internet draft, June 2001.
Ivan Wallis, “Solving the Incompatibility between NAT and IPSec,” SSH Communications Security, March 6, 2002.
A. Huttunen et al., “IPSec over NAT Justification for UDP Encapsulation,” draft-ietf-ipsec-udp-encaps-justification-00.txt, Internet draft, June 2001.
Y. Rekhter, B. Moskowitz, D. Karrenberg, G. J. de Groot, E. Lear, Address Allocation for Private Internets. RFC 1918, Feb. 1996.
Kent, Stephen, Atakinson, Randall, IP Authentication Header. RFC 2402, 1998.
Kent, Stephen, Atakinson, Randall, IP Encapsulating Payload. RFC 2406, 1998.
D. Maughan, M. Schneider, J. Turner, Internet Security Association and Key Management Protocol (ISAKMP). RFC 2408, 1998.
T. Dierks, C. Allen, The TLS Protocol Version 1.0. RFC 2246, Jan. 1999.
Y. Zhang, E. Singh, “A Multi-Layer IPsec Protocol,” USENIX Security Symposium, vol 9, Aug. 2000.
J. C. Brustoloni, “Application-Independent End-to-End Security in Shared-Link Access Networks,” Proceedings of the Networking Conference, pp. 608–619, 2000.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2003 Springer-Verlag Berlin Heidelberg
About this paper
Cite this paper
Kim, S.Y., Shin, J.W., Sim, S.Y., Park, D.S. (2003). New Mechanisms for End-to-End Security Using IPSec in NAT-Based Private Networks. In: Chung, CW., Kim, CK., Kim, W., Ling, TW., Song, KH. (eds) Web and Communication Technologies and Internet-Related Social Issues — HSI 2003. HSI 2003. Lecture Notes in Computer Science, vol 2713. Springer, Berlin, Heidelberg. https://doi.org/10.1007/3-540-45036-X_55
Download citation
DOI: https://doi.org/10.1007/3-540-45036-X_55
Published:
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-540-40456-9
Online ISBN: 978-3-540-45036-8
eBook Packages: Springer Book Archive