The Research On Security Mechanism Of Translation Network Based On NAT-PT

Posted on: 2006-04-12
Degree: Master
Type: Thesis
Country: China
Candidate: H Cai
GTID: 2168360155472456
Subject: Computer system architecture

Abstract/Summary:
As a base protocol of the Next Generation Internet (NGI), IPv6 has many advantages over IPv4. First, IPv6 solves the shortage of IP addresses; second, it remedies many shortcomings of the IPv4 protocol. The most remarkable of these is the integration of IPsec into the protocol. Since IPsec provides encryption and authentication at the network layer, it is inherent in the IPv6 protocol. IPsec thus permeates every application and no longer exists on its own. One of the most important goals of IPv6 is compatibility with IPv4. It is inevitable that the two protocols will coexist, and that the gradual transition from IPv4 to IPv6 will last quite a long time. IPv6 nodes will inevitably need to keep communicating with IPv4 nodes. Because the packets of the two protocols are incompatible in both address space and header format, a node in a pure IPv4 area can communicate with its counterpart in a pure IPv6 area only through network address translation and protocol translation (NAT-PT). However, research shows that serious security weaknesses exist in translation networks based on NAT-PT, a crucial one being that the IPsec security mechanism cannot be applied in a NAT-PT based translation network at all. So, to ensure security during the Next Generation Internet (NGI) transition period, it is necessary to study the security mechanism of translation network systems based on NAT-PT. This paper first analyzes the security characteristics of the IPv6 protocol, the advantages of the IPsec security protocol, and the inherent mechanism by which it realizes security.
Combined with the requirements of the IPv4/IPv6 transition period and the existing security problems, it puts forward the idea of integrating IPsec with NAT-PT translation gateways, identifies and analyzes the incompatibility between IPsec and the NAT-PT translation gateway, redesigns the IKE protocol, applies it in the translation network, and finally proposes a NAT-PT translation gateway model that integrates IPsec and provides the AH authentication function. Finally, the author explains the flow for realizing the whole model on the Linux platform and the netfilter framework, while presenting part of the code and data structures. To sum up, this paper mainly analyzes and redesigns the IKE protocol to solve the incompatibility, and introduces the user-defined ISAKMP payloads NATPT-Q and NATPT-R, together with two algorithms for handling input packets and output packets in the NAT-PT translation gateway.
Keywords/Search Tags: IPv6, IP security protocols, Network Address Translation & Protocol Translation, IPsec Key Exchange, Authentication Header, netfilter