摘要
Internet网络层安全协议(IPSEC)和网络地址翻译器(NAT)不兼容,这严重限制了IPSEC的应用范围.解决方法必须遵循的原则是既能使IPSEC数据流穿越NAT,又不必修改路由器和NAT,部署方便.目前存在的3种解决方法都具有局限性:“先于IPSEC进行NAT转换”方法难以实现,“特定域IP通信(RSIP)”方法部署困难,“用户数据包(UDP)封装安全封装协议(ESP)数据包”方法只能部分地解决IPSEC与NAT不兼容问题.在分析现有方法的基础上,提出一种新的解决方法,即UDP封装IPSEC数据包方法.该方法通过UDP封装IPSEC数据包,保护原始IP地址和端口号,消除了NAT对IPSEC影响.详细介绍了该方法的实现思路,进行了可行性和优缺点分析.通过分析可知,新方法具有明显优点,能够方便、有效地解决IPSEC和NAT兼容问题.
The application range of IP security protocol ( IPSEC ) is badly restricted due to the incompatibility of IPSEC and network address translator (NAT). The rule that must to be followed by the solutions for IPSEC passing through NAT is that IPSEC pass through NAT without any changes to the routers and NAT on the Internet. There are limits to the current three solutions. It can barely be realized to execute the NAT ahead of executing the IPSEC. It is difficult to deploy the realm specific IP (RSIP). The incompatibility of IPSEC and NAT can only be solved partially by user data packet(UDP) encapsulation of the IP encapsulating security payload(IPSEC ESP) packets. A new solution, UDP encapsulation of IPSEC packets, was developed. The new solution eliminates the impact from NAT to IPSEC by protecting the origin IP addresses and ports of the IPSEC packets through encapsulating the IPSEC packets with UDP header. The feasibility of this solution was demonstrated. The analyse shows that the new solution has evident advantages over the others and can remove the incompatibilities between IPSEC and NAT effectively and expediently.
出处
《北京航空航天大学学报》
EI
CAS
CSCD
北大核心
2007年第1期63-66,共4页
Journal of Beijing University of Aeronautics and Astronautics
作者简介
彭近兵(1968-),男,安徽庐江人,博士生,pengjinbing@les.buaa.edu.cn.
