摘要
分析了网络安全协议IPSec和网络地址转换协议NAT之间的冲突问题,并对IETF提出的现有UDP封装草案进行了改进,提出了一种新的封装格式,将主机自身的IP地址一同进行封装,以解决不兼容问题.从NAT网关内部发往NAT网关外部的数据包,在经过UDP解封装后,其源地址被更改为原始IP地址,因此目标主机的IP层以上各层将以原始地址为目的地址进行通信.利用改进后的UDP封装方案,实现了IPSec报文对NAT设备的透明穿越.该方案通过对IPSec协议的扩展,有效地支持了IPSec数据流传输路径中的NAT转换.
The paper analyzed the incompatibilities between IPSec and NAT. Base on the IETF draft, an encapsulation format of UDP was put forward to avoid the conflict between IPSec and NAT. Because the IP address of the sender is necessary to be encapsulated into the packet, the packet′s source address will be changed from a legal address to the original address when it is disposed by the destination host outside. The upper protocol layers above the network layer of the host outside would be thought as communicating with a host with the original IP address. By the amelioration, the data can traverse the NAT Gateway transparently. According to this solution, IPSec protocol suit is extended to support the NAT transform through the transmission path of IPSec data stream effectively.
出处
《华中科技大学学报(自然科学版)》
EI
CAS
CSCD
北大核心
2005年第2期95-98,共4页
Journal of Huazhong University of Science and Technology(Natural Science Edition)
基金
国家科技部创新基金资助项目(01C26224210555).
