NAT与IPSec协议兼容性问题及解决方案_祝芝梅

:2003-09-15:(1979-),,,,:;(1951-),,,,,,:.:1001-9081(2004)03-0027-04NATIPSec祝芝梅,李之棠(华中科技大学计算机学院,湖北武汉430074)(zzmconnie@163.com):概要介绍了IPSec协议和网络地址转换(NAT)协议的基本原理,着重介绍了IPSec协议与NAT协议所存在的矛盾,最后介绍了采用UDP封装方式实现IPSec报文穿越NAT的完整方案:IPSec;网络地址转换(NAT);IKE;RSIP;UDP封装;NAT穿越:TP393:ANATandIPSecProtocolCompatibilityProblemandSolutionZHUZh-imei,LIZh-itang(SchoolofComputerScienceandTechnology,HuazhongUniversityofScienceandTechnology,WuhanHubei430074,China)Abstract:ThisarticleintroducesthebasictheoryofIPSecandnetworkaddresstransform(NAT)protocolatfirst,thenintroducestheconflictbetweenIPSecandNATprotocol;atlast,explainsthewaytosolvethisconflictIPSecNAT-traversalbyUDPencapsulation.Keywords:IPSec;NAT;IKE;RSIP;UDPencapsulation;NAT-traversalIPSecIP,IP,Internet(IKE),IPIPSec(VPN)NATInternet,IPv4,(NAT)(IPSec),,NATIPSecIPSecNAT:IPSec,,NAT;,IPSec,NAT,NATIPSec,1IPSec和NAT的工作原理1.1IPSecIPSec(AHESP)(SA),IP,,IKE,IPSec(),VPN:ExtraNetVPNIntraNetVPNVPN1.2NATNAT(addressrealm),/,NAT,IP,IPIP,,,NAT,IP,2NAT与IPSec的不兼容性NATIPSec:第一类不兼容是NAT所固有的,是由NAT协议本身决定的这些不兼容性会在所有的NAT设备上出现1)IPSECAHNATAHIP,NAT,IPSECIP,ESP2)NATIP()TCPUDP,,IPIP,NAT,NATIP,第24卷第3期2004年3月计算机应用ComputerApplicationsVol.24,No.3Mar.,2004NAT,IPIPSec,,IPSec,,,3)IPSECNAPTNAPTNAT,,IPIPSec,,NAPT,IPIPSec4)IKENAPTNAPTIKE,UDP(500),5)IPSecIPSec,,SPD,SPD,,,,,,IPIPSec,IPIPNAT,NAT,NAT,SPDNAT6)NATNATNAT,NATIPSecSA第二类不兼容是某些NAT在实现方面上的弱点这些特殊的处理方式也会引起IPSec与NAT的不兼容,NAPTUDP/TCP,SCTPESPAH;NAPTIP,,UDP/TCPIP/IPSec;NAT,IKE,第三类不兼容是由于有些不完整的IPSec和NAT协同工作的解决方案造成的,这类帮助解决兼容性问题的方法反而引起新的不兼容性,NAT,IKEUDP500,UDP500NAT,IPSecNAT,;ISAKMP:NATIKEcookiesIKE,,re-keying,re-keyscookiesNATISAKMP,ISAKMP,vendor_id,IKE3IPSec和NAT兼容性要求IPSec-NATIPSec:1)IPSec-NATIPv6IPv6,IPSec-NATIPv6,IPSec-NAT,2)IPSec-NATIPSecESPNATIPSecL2PT,IPSec-NATESPIPSec,IPUDP3)IPSec-NATIPSec,NAT,IPSecIPSec-NATIPSec-NAT,NAT,,NAT4)IPSec-NAT,ALGs,IPSec-NATALGs5)IPSec-NAT,IKEIPSec-NAT6)IPSec-NATIKEIPSec,DoS4基于UDP封装的解决方案,NAT,IPSec,NATIPSecIETFRSIPUDPRSIP方案:,IPSecSPIIKEcookieNAT,RSIP,RSIPNAT,UDP方式:NAT,,IPSec,NATNAT;,UDP4.1UDPNAT,NAT,IPSecUDP,NATUDP,IKEUDP,IKE,UDP500,,IKENAT,,IKENATIKENAT,,IKEIKENATIKEIKENAT,,28计算机应用2004年IP4,,IPNAT4.2IKENATNAT;IPSecUDP,,NAT;(keepalive),NATIPSec,UDPIPSec,Internet,IPSec,NAT,12UDPIPSecNAT2IPSecNAT/NAPT(UDP)1IPSecNAT/NAPT(UDP)4.31)NAT-T(NAT):,IKE,,VID(vendorid),NAT-T2)NATNAT-T,IKENAT-D(NATDiscoveryPayload),IPHASH=HASH(CKY-I|CKY-R|IP|Port),NAT-D,IPIP(,NAT-D)NAT-DNAT-D,NAT,,NATIP3)NAT-T(NAT)IKENAT,IPSecSA,,IPSec,:UDPUDP,NAT-OA,IP4)UDP(NAT-T)NAT-TUDP500,IKENAT-T,NAT-T,NAT-TNAT-T,IPSecIPSecIPSec,SAUDPUDP,NAT-T,NAT-TIPSecUDP,UDP5005)NATIPSecIP,Internet,,IPSec,NAT,,NAT-TUDP,IP,NATNAT,IP,VPN,VPNIP,NAT,IP,IPSec6)keepaliveIPSec(NAT)keepalive,NATUDP500IPSeckeepalive,,IPSecxkeepalive,IPSecSA,NAT3IPSecUDP7)UDP500,NAT-T,IPSecIPSec,NAT,IPIP,NAT,IPSec29第3期祝芝梅等:NAT与IPSec协议兼容性问题及解决方案,NAT-TUDP,UDP5004IPSecUDP5安全分析1)UDP(DOS),UDPIPSecUDP,,,UDPIPSec,IPSecUDPIPSecAH2),3)IPsecNAT,NAPT,FTPIRCSNMPLDAPH.3234)IKE,NAT,IKESA,,,IKEIPIP,,IPNAT,,SA6总结NATIP,IPv4,IPSec,NATIPIP,IPSecIP,UDPIPSecNAT,IpsecIKE,,[1][EB/OL],2003-09.[2][EB/OL],2003-09.[3][EB/OL],2003-09.[4][EB/OL],2003-09.[5]KentS,AtkinsonR.RFC2402,IPAuthenticationHeader[S],1998.[6]KentS,AtkinsonR.RFC2406,IPEncapsulatingSecurityPay-load(ESP)[S],1998.[7]HarkinsD,CarrelD.RFC2409,TheInternetKeyExchange(IKE)[S],1998.(上接第26页)Mr;Tr;Ts343,,,,,,,,,,RDMMSHomeAgent,4,1KB4,,HomeAgentMS,,RDMHomeagent5将来的工作RDMMS,,,MA,MA,RDM,,,RDM[1]BaumannJ,HohlF,StraBerM,etal.Mole-conceptsofaMobileAgentSystem[J].(3):123-137.[2]ObjectSpaceInc.VoyagerORB3.0-DveloperGuide[Z],1999.[3]GrayRS.AgentTcl:aflexibleandsecuremobileagentsystem[A].Proceedingsofthe4thAnnualTcl/TkWorkshop[C],1996.[4]BaumannJ,HohlF,RadouniklisN,etal.Communicationcon-ceptsformobileagentsystems[A].PiccoGP,ed.MobileAgents[C].LNCS2240,Springer-Verlag,2001.135-151.30计算机应用2004年