An End-to-end IPSec Security Mechanism considering NAT-PT

NAT-PT를 고려한 단대단 IPSec 보안 메커니즘

  • 현정식 (충북대학교 전자계산학과) ;
  • 황윤철 (충북대학교 전자계산학과) ;
  • 정윤수 (충북대학교 전자계산학과) ;
  • 이상호 (충북대학교 전기전자컴퓨터공학부)
  • Published : 2003.10.01

Abstract

Network Address Translation-Protocol Translation(NAT-PT) is an IPv4/IPv6 translation mechanism, as defined in RFC2766, allowing IPv6-only devices to communicate with IPv4-only devices and vice versa. But NAT-PT has the restriction that applies to IPv4 NAT where NAT-PT does not provide end-to-end security, which is a major goal of IPSec. Therefore it cannot support security services such as confidentiality, authentication, and integrity. In this paper, we propose secure NAT-PT(SNAT-PT) and the corresponding secure host architecture to support IPSec security service. And also tunneling scheme using dummy IP header is presented to show the valid operation of end-to-end IPSec protocol on the proposed architectures.

References

  1. Piper, D., 'The Internet IP Security Domain of Interpretation for ISAKMP,' RFC 2407, November 1998
  2. Maughan, D., Schertler, M., Schneider, M., and J. Turner, 'Internet Security Association and Key Management Protocol(ISAKMP),' RFC 2408, November 1998
  3. Bernard Aboba, William Dixon, 'IPSec-NAT Compatibility Requirments,' draft-ieft-ipsec-nat-reqts-02.txt, August 2002
  4. Kent, S., and R. Atkinson, 'IP Encapsulating Security Payioad (ESP),' RFC2406, November 1998
  5. Egevang, K. and P. Francis, 'The IP Network Address Translator (NAT),' RFC1631, 1994. 5
  6. Nordmark, E., 'Stateless IP/ICMP Translator(SIIT),' RFC2765, 2000. 2
  7. Srisurech, P. and M. Holdrege, 'IP Network Address Translator (NAT) Teriminology and Considerations,' RFC2663, 1999. 8
  8. Kent, S., and R. Atkinson, 'IP Authentication Header,' RFC2402, November 1998
  9. M. Borella, J. Lo, D. Grabelsky, G. Montenegro, 'Realm Specific IP: Framework,' RFC3102, October 2001
  10. Harkins, D., and D. Carrel, D., 'The Inernet Key Exchange(IKE),' RFC2409, November 1998
  11. S. Deering, R. Hinden, 'Internet Protocol, Version 6(IPv6) Specification,' RFC1883, 1995. 12
  12. G. Tsirtsis, P. Srisuresh, 'Network Address Translation Protocol Translation(NAT-PT),' RFC2766, 2000. 2