Study On Cooperation Of IPSec And Existing Network Equipments In Hybrid Network

Posted on: 2009-09-19 | Degree: Master | Type: Thesis
Country: China | Candidate: J Li | Full Text: PDF
GTID: 2178360272475546 | Subject: Computer system architecture

Abstract/Summary:
IPSec, NAT, NAT-PT and firewalls each play an indispensable role in their own application fields. IPSec provides data origin authentication, integrity protection and other security services, and secures IP packets in transit. NAT greatly eases the severe shortage of IPv4 addresses, so that enterprises holding one or a small number of public IPv4 addresses can make full use of Internet resources. NAT-PT lets IPv4-only hosts and IPv6-only hosts communicate with each other. A firewall separates the interior private network from the public network and effectively protects the private network.

IP packets protected by IPSec have to pass through NAT, NAT-PT and firewalls, which makes their coexistence inevitable. However, when they coexist there are fundamental contradictions: the basic idea of IPSec is to prevent intermediate nodes from fabricating, falsifying or eavesdropping on IP packets, whereas NAT and NAT-PT must translate the IP address or port, and a firewall also needs to read these fields.

By extending the NAT-D payload and the ISAKMP header carried in the UDP header encapsulation, and by inserting a UDP header and a "Non-IKE marker" between the IP header and the AH/ESP header, this paper proposes the improved UDP encapsulation and the UDP_NAT_PT encapsulation, which are used respectively to solve the problems that IPSec cannot cooperate with NAT and that IPSec cannot cooperate with NAT-PT. In addition, this paper proposes the UDP_Firewall encapsulation, which solves the problem that IPSec and firewalls cannot cooperate, again by inserting a UDP header and a "Non-IKE marker" between the IP header and the AH/ESP header.

To stay close to the reality of hybrid networks, this paper also studies in depth whether IPSec can cooperate with NAT and NAT-PT together, with NAT and a firewall together, and with NAT-PT and a firewall together. The results show that all three combinations are fully able to cooperate on the basis of the earlier chapters.

Because the UDP_NAT_PT encapsulation and the UDP_Firewall encapsulation are both based on the improved UDP encapsulation, this paper implements only the improved UDP encapsulation. The result shows that it is effective and feasible.
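The marker-based demultiplexing the abstract relies on, as an added Python example that is not code from the thesis: an ESP packet is wrapped in a UDP header plus a "Non-IKE marker", a NAPT device rewrites the source port, and the receiver separates IKE from encapsulated IPSec traffic on the shared port. The marker layout (8 zero bytes where an IKE message carries its initiator cookie, as in the early IETF UDP-encapsulation drafts), the function names and the sample packets are assumptions; the abstract does not give the thesis's exact format.

```python
import struct

# Assumption: 8 zero bytes sitting where an IKE message carries its
# (never all-zero) initiator cookie, as in the early IETF drafts.
NON_IKE_MARKER = b"\x00" * 8
IKE_PORT = 500

def udp_datagram(sport, dport, payload):
    """UDP header + payload; checksum 0 means 'not computed' over IPv4."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload

def encapsulate(ipsec_packet, sport=IKE_PORT, dport=IKE_PORT):
    """Wrap an AH/ESP packet so it shares the IKE UDP port."""
    return udp_datagram(sport, dport, NON_IKE_MARKER + ipsec_packet)

def napt_rewrite(datagram, new_sport):
    """What a NAPT device changes at this layer: the source port only.
    (With a non-zero UDP checksum it would also have to update that.)"""
    return struct.pack("!H", new_sport) + datagram[2:]

def classify(datagram):
    """Return (kind, sport, inner) with kind 'ike' or 'ipsec'."""
    if len(datagram) < 8:
        raise ValueError("truncated UDP header")
    sport, _dport, length, _csum = struct.unpack("!HHHH", datagram[:8])
    if length != len(datagram):
        raise ValueError("UDP length field does not match datagram")
    payload = datagram[8:]
    if len(payload) <= len(NON_IKE_MARKER):
        raise ValueError("payload too short to be IKE or encapsulated IPSec")
    if payload.startswith(NON_IKE_MARKER):
        return "ipsec", sport, payload[len(NON_IKE_MARKER):]
    return "ike", sport, payload

# Constructed samples: ESP = SPI, sequence number, opaque ciphertext + ICV.
ESP = struct.pack("!II", 0x1000ABCD, 1) + bytes(range(32))
# Constructed 28-byte ISAKMP header: cookies, next payload, version,
# exchange type, flags, message ID, total length.
IKE = bytes.fromhex("a1b2c3d4e5f60718") + b"\x00" * 8 \
    + bytes([0, 0x10, 2, 0]) + struct.pack("!II", 0, 28)

if __name__ == "__main__":
    wire = napt_rewrite(encapsulate(ESP), 61001)
    for d in (wire, udp_datagram(IKE_PORT, IKE_PORT, IKE)):
        kind, sport, inner = classify(d)
        print(kind, sport, len(inner))
```

The ESP bytes come out of `classify` unchanged after the port rewrite, which is the property that lets the integrity-protected payload survive translation while the translator still has a port field to work with.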
Keywords/Search Tags: IPSec, NAT, NAT-PT, Firewall, UDP header encapsulation