论文信息 - Security Model with Tunnel-mode IPsec for NAT Domains

Security Model with Tunnel-mode IPsec for NAT Domains

There are a variety of NAT flavors, as described in [Ref 1]. Of the domains supported by NATs, only Realm-Specific IP clients are able to pursue end-to-end IPsec secure sessions. However, all flavors of NAT are capable of offering tunnel-mode IPsec security to private domain hosts peering with nodes in external realm. This document describes a security model by which tunnel-mode IPsec security can be architected on NAT devices. A section is devoted to describing how security policies may be transparently communicated to IKE (for automated KEY exchange) during Quick Mode. Also outlined are applications that can benefit from the Security Model described.

Pyda Srisuresh | P. Srisuresh

[1] Yakov Rekhter,et al. Address Allocation for Private Internets , 1994, RFC.

[2] Derrell Piper,et al. The Internet IP Security Domain of Interpretation for ISAKMP , 1998, RFC.

[3] Hugo Krawczyk,et al. A Security Architecture for the Internet Protocol , 1999, IBM Syst. J..

[4] Randall J. Atkinson,et al. IP Encapsulating Security Payload (ESP) , 1995, RFC.

[5] Stephen T. Kent,et al. Security Architecture for the Internet Protocol , 1998, RFC.

[6] Matt Holdrege,et al. IP Network Address Translator (NAT) Terminology and Considerations , 1999, RFC.

[7] Brian E. Carpenter,et al. IPv4 Address Behaviour Today , 1997, RFC.

[8] Dan Harkins,et al. The Internet Key Exchange (IKE) , 1998, RFC.