WO2000078008A1 - A method and arrangement for providing security through network address translations using tunneling and compensations - Google Patents
A method and arrangement for providing security through network address translations using tunneling and compensations Download PDFInfo
- Publication number
- WO2000078008A1 WO2000078008A1 PCT/FI2000/000537 FI0000537W WO0078008A1 WO 2000078008 A1 WO2000078008 A1 WO 2000078008A1 FI 0000537 W FI0000537 W FI 0000537W WO 0078008 A1 WO0078008 A1 WO 0078008A1
- Authority
- WO
- WIPO (PCT)
- Prior art keywords
- computer device
- packets
- protocol
- packet
- network address
- Prior art date
Links
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L12/00—Data switching networks
- H04L12/28—Data switching networks characterised by path configuration, e.g. LAN [Local Area Networks] or WAN [Wide Area Networks]
- H04L12/46—Interconnection of networks
- H04L12/4633—Interconnection of networks using encapsulation techniques, e.g. tunneling
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L45/00—Routing or path finding of packets in data switching networks
- H04L45/02—Topology update or discovery
- H04L45/026—Details of "hello" or keep-alive messages
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/2514—Translation of Internet protocol [IP] addresses between local and global IP addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/255—Maintenance or indexing of mapping tables
- H04L61/2553—Binding renewal aspects, e.g. using keep-alive messages
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L61/2564—NAT traversal for a higher-layer protocol, e.g. for session initiation protocol [SIP]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L61/2575—NAT traversal using address mapping retrieval, e.g. simple traversal of user datagram protocol through session traversal utilities for NAT [STUN]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/09—Mapping addresses
- H04L61/25—Mapping addresses of the same type
- H04L61/2503—Translation of Internet protocol [IP] addresses
- H04L61/256—NAT traversal
- H04L61/2578—NAT traversal without involvement of the NAT server
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L61/00—Network arrangements, protocols or services for addressing or naming
- H04L61/50—Address allocation
- H04L61/5007—Internet protocol [IP] addresses
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/029—Firewall traversal, e.g. tunnelling or, creating pinholes
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/04—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks
- H04L63/0428—Network architectures or network communication protocols for network security for providing a confidential data exchange among entities communicating through data packet networks wherein the data content is protected, e.g. by encrypting or encapsulating the payload
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/16—Implementing security features at a particular protocol layer
- H04L63/164—Implementing security features at a particular protocol layer at the network layer
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L67/00—Network arrangements or protocols for supporting network services or applications
- H04L67/50—Network services
- H04L67/56—Provisioning of proxy services
- H04L67/568—Storing data temporarily at an intermediate stage, e.g. caching
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/161—Implementation details of TCP/IP or UDP/IP stack architecture; Specification of modified or new header fields
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
- H04L69/165—Combined use of TCP and UDP protocols; selection criteria therefor
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L2101/00—Indexing scheme associated with group H04L61/00
- H04L2101/60—Types of network addresses
- H04L2101/618—Details of network addresses
- H04L2101/663—Transport layer addresses, e.g. aspects of transmission control protocol [TCP] or user datagram protocol [UDP] ports
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L69/00—Network arrangements, protocols or services independent of the application payload and not provided for in the other groups of this subclass
- H04L69/16—Implementation or adaptation of Internet protocol [IP], of transmission control protocol [TCP] or of user datagram protocol [UDP]
Definitions
- the invention relates in general to the field of secure communications between computers in a packet-switched data transmission networks. More particularly the invention relates to the field of setting up and maintaining secure communication connections through a Network Address Translation or protocol conversion.
- IPSEC Internet Protocol Security
- the IPSEC protocols provide security for the IP or Internet Protocol, which itself has been specified in the RFC document number RFC791.
- IPSEC performs authentication and encryption on packet level by generating a new IP header, adding an Authentication Header (AH) or Encapsulating Security Payload (ESP) header in front of the packet.
- AH Authentication Header
- ESP Encapsulating Security Payload
- the method used to authenticate and possibly encrypt a packet is identified by a security parameter index (SPI) value stored in the AH and ESP headers.
- SPI security parameter index
- the RFC document number RFC2401 specifies a transport mode and a tunnelling mode for packets; the present invention is applicable regardless of which of these modes is used.
- NAT network address translation
- Port NAT 151 also touches the TCP and UDP port numbers (Traffic Control Protocol; User Datagram Protocol) in an incoming packet 152, multiplexing several IP addresses to a single IP address in an outgoing packet 153 and correpondingly demultiplexing a single IP address into several IP addresses for packets travelling in the opposite direction (not shown).
- Port NATs are especially common in the home and small office environment. The physical separation of input and output connections for the NAT devices is only shown in Figs, la and lb for graphical clarity; in practice there are many possible ways for physically connecting a NAT.
- Address translation is most frequently performed at the edge of a local network (i.e., translation between multiple local private addresses on on hand and fewer globally routable public addresses on the other). Most often, port NAT is used and there is only one globally routable address.
- a local network 154 has been schematically illustrated in Fig. lb. Such arrangements are becoming extremely commonplace in the home and small office markets. Some Internet service providers have also started giving private addresses to their customers, and perform address translation in their core networks for such addresses. In general, network address translation has been widely discussed in depth e.g. in the NAT working group within the Internet Engineering Task Force. The operating principles of a NAT device are well known, and there are many implementations available on the market from multiple vendors, including several implementations in freely available source code.
- NAT Network Address Translation
- Fig. lc illustrates an exemplary practical network communication situation where a transmitting node 181 is located in a first local area network (also known as the first private network) 182, which has a port NAT 183 to connect is to a wide-area general packet-switched network 184 like the Internet.
- the latter consists of a very large number of nodes interconnected in an arbitrary way.
- a receiving node 185 is located in a second local area network 186 which is again coupled to the wide-area network through a NAT 187.
- the denominations "transmitting node” and “receiving node” are somewhat misleading, since the communication required to set up network security services is bidirectional.
- the transmitting node is the one that initiates the communication. Also the terms “Initiator” and “Responder” are used for the transmitting node and the receiving node respectively.
- Fig. lc The purpose of Fig. lc is to emphasize the fact that the communicating nodes are aware of neither the number or nature of the intermediate devices through which they communicate nor the nature of transformations that take place.
- NATs there are other types of devices on the Internet that may legally modify packets as they are transmitted.
- a typical example is a protocol converter, whose main job is to convert the packet to a different protocol without disturbing normal operation. Using them leads to problems very similar to the NAT case.
- a fairly simple but important example is converting between IPv4 and IPv6, which are different versions of the Internet Protocol. Such converters will be extremely important and commonplace in the near future.
- a packet may undergo several conversions of this type during its travel, and it is possible that the endpoints of the communication actually use a different protocol.
- protocol conversion is often performed in routers and firewalls.
- a method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion, the method comprising the steps of
- a method for conditionally setting up a secure communication connection between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion, the method comprising the steps of
- a method for tunnelling packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion, the method comprising the steps of
- a method for tunnelling packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, in which data transmission network there exists a security protocol comprising a key management connection that employs a specific packet format for key management packets, the method comprising the steps of
- a fifth aspect of the invention there is provided a method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion and where a security protocol exists comprising a key management connection, the method comprising the steps of
- a sixth aspect of the invention there is provided a method for securely communicating packets between a first computer device and a second computer device through a packet-switched data transmission network comprising intermediate computer devices, where at least one of said computer devices performs a network address translation and/or a protocol conversion; where a security protocol is acknowledged which determines transport-mode processing of packets for transmission and reception; and where a high-level protocol checksum has been determined for checking the integrity of received packets, the method comprising the steps of
- transport-mode processing for packets received from the first computer device, said transport-mode processing comprising the decapsulation of received packets and
- a seventh aspect of the invention there is provided a method for mamtaining the unchanged form of address translations performed by network address translation devices on encapsulated data transmission packets communicated between a first computer device and a second computer device through a packet-switched data transmission network, the method comprising the steps of
- Fig. la illustrates the known use of a host NAT
- Fig. lb illustrates the known use of a port NAT
- Fig. lc illustrates a known communication connection between nodes through a packet-switched network
- Fig. 2a illustrates a certain Vendor ID payload applicable within the context of the invention
- Fig. 2b illustrates a certain private payload applicable within the context of the invention
- Fig. 2c illustrates a certain combined header structure apphcable within the context of the invention
- Fig. 3 illustrates certain method steps related to the application of the invention
- Fig. 4 illustrates a transformation of header structures according to an aspect of the invention
- Fig. 5 illustrates a simplified block diagram of a network device used to implement the method according to the invention.
- the present invention combines and extends some of the methods of network address translation, tunneling over UDP, IKE, and the IKE extension mechanisms, in a novel and inventive way to produce a method for secure communications across network address translations and protocol conversions.
- the method can be made fully automatic and transparent to the user.
- a key point relating to the apphcability of the invention is that - at the priority date of the present patent application - in general only TCP (described in RFC793) and
- UDP (described in RFC768) work over NAT. This is because most NATs used in practise are port NATs, and this is the form of NAT that provides most benefits with regards to the shortage of globally routable IP addresses.
- the invention is not, however, limited to the use of UDP and TCP as they are known at the priority date of this patent application: in general it may be said that UDP and TCP are examples of protocols that determine that connection identification information (i.e. addressing and port numbering) that is mapped into another form in the address transformation process. We may expect that other kinds of communication protocols and address transformations emerge in the future.
- tunneling The process of encapsulating data packets for transmission over a different logical network is called tunneling.
- tunneling involves adding a new IP header in front of the original packet, setting the protocol field in the new header appropriately, and sending the packet to the desired destination (endpoint of the tunnel).
- Tunneling may also be implemented by modifying the original packet header fields or replacing them with a different header, as long as a sufficient amount of information about the original packet is saved in the process so that it will be possible to reconstruct the packet at the end of the tunnel into a form sufficiently similar to the original packet entering the tunnel.
- RFC 1226, RFC 1234, RFC 1241, RFC 1326, RFC 1701, RFC1853, RFC2003, RFC2004, RFC2107, RFC2344, RFC2401, RFC2406, RFC2473 and RFC2529 relate to the subject of tunneling.
- RFC 1234, RFC 1241, RFC 1326, RFC 1701, RFC1853, RFC2003, RFC2004, RFC2107, RFC2344, RFC2401, RFC2406, RFC2473 and RFC2529 relate to the subject of tunneling.
- RFC 1234 RFC 1241, RFC 1326, RFC 1701, RFC1853, RFC2003, RFC2004, RFC2107, RFC2344, RFC2401, RFC2406, RFC2473 and RFC2529
- the IPSEC protocol mentioned in the background description typically uses the Internet Key Exchange or IKE protocol (known from references RFC2409, RFC2408 and RFC2407) for authenticating the communicating parties to each other, deriving a shared secret known only to the communicating parties, negotiating authentication and encryption methods to be used for the communication, and agreeing on a security parameter index (SPI) value and a set of selectors to be used for the communication.
- IKE protocol was previously known as the ISAKMP/Oakley, where the acronym ISAKMP comes from Internet Security Association Key Management Protocol. Besides said normal negotiation specified in the IKE standard, IKE supports certain mechanisms for extension.
- the Vendor ID payload known from reference RFC2408 allows communicating parties to determine whether the other party supports a particular private extension mechanism.
- the IPSEC DOI (Domain of Interpretation) known as RFC2407 reserves certain numeric values for such private extensions.
- the well-known Vendor ID payload is defined to have the format illustrated in Fig. 2a, where the column numbers co ⁇ espond to bit positions.
- the Vendor ID field 201 is the most important part of the Vendor ID payload.
- the IKE protocol determines the so-called Phase 1 of the mutual exchange of messages between the Initiator (i.e., the node first sending a packet to the other) and the Responder (i.e., the node first receiving a packet).
- Fig. 3 illustrates an exchange of first Phase 1 messages between the Initiator and the Responder.
- both devices include a certain Vendor ID Payload in a certain Phase 1 message which is most advantageously their first Phase 1 message. This payload indicates that they support the method in question.
- Fig. 3 illustrates an exchange of first Phase 1 messages between the Initiator and the Responder.
- both devices include a certain Vendor ID Payload in a certain Phase 1 message which is most advantageously their first Phase 1 message. This payload indicates that they support the method in question.
- the Vendor ID field in the Vendor ID Payload is basically an identification of that method: advantageously it is the MD5 hash of a previously known identification string, e.g. "SSH IPSEC NAT Traversal Version 1", without any trailing zeroes or newlines.
- Producing MD5 hashes of arbitrary character sequences is a technique well known in the art for example from the publication RFC 1321 mentioned in the list of references.
- the LKE protocol determines the so-called Phase 2 of the mutual exchange of messages between the Initiator and the Responder.
- the parties can determine which translations occur by including the IP addresses they see in private payloads of certain Phase 2 Quick Mode messages, which are most advantageously their first Phase 2 Quick Mode messages. Any unused number in the private payload number range can be used to signify such use of the private payload (e.g. 157, which is unused at the priority date of the present patent application).
- Field 211 contains a type code that identifies the types of the addresses that appear in fields 212 and 213.
- Field 212 contains the address of the Initiator as seen by the node sending the message, and field 213 contains the address of the Responder as seen by the node sending the message.
- Fig. 3 shows the exchange of (first) Phase 2 Quick Mode messages between the Initiator and the Responder so that the co ⁇ esponding fields 211', 212' and 213' are included in the message sent by the former and the fields 211", 212" and 213" are included in the message sent by the latter.
- the addresses of the Initiator and Responder are also included in the header of the packet that contains the payload of Fig. 2b. In the header they are susceptible to address translations and other processing whereas in the private payload they are not.
- the addresses contained in it are compared with those seen in the packet header. If they differ, then an address translation occu ⁇ ed on the packet.
- the port numbers of the received packet can also be compared against the standard IKE port number 500 to determine if port translations occu ⁇ ed.
- UDP source port of the packet can be saved for later use. It would usually be saved with the data structures for Phase 1 ISAKMP security associations, and would be used to set up compensation processing for Phase 2 IPSEC security associations.
- the hosts must modify their Phase 2 identification payloads: the payload illustrated in Fig. 2b is not known in the existing standards.
- One possibility is to restrict the payloads to the ID_IPV4_ADDR and ID -PV6 ADDR types, which would be appropriate for host-to-host operation.
- the actual data packets can be tunneled over the same connection which is used to set up the security features of the communication connection, e.g. the UDP connection used for IKE. This ensures that the actual data packets will experience the same translations as the IKE packets did when the translation was determined. Taken that the standard port number 500 has been determined for IKE, this would mean that all packets are sent with source port 500 and destination port 500, and a method is needed to distinguish the real IKE packets from those containing encapsulated data.
- IKE header used for real IKE packets contains an Initiator Cookie field: we may specify that Initiators that support this aspect of the invention never generate cookies that have all zeroes in their four first bytes. The value zero in the co ⁇ esponding four bytes is then used to recognize the packet as a tunneled data packet. In this way, tunneled data packets would have four zero bytes at the beginning of the UDP payload, whereas real IKE packets never would.
- Fig. 4 illustrates the encapsulation of actual IPSEC packets into UDP for transmission.
- a UDP header 403 and a short intermediate header 404 are inserted after the IP header 401 already in the packet (with the protocol field copied to the intermediate header).
- the IP header 401 is slightly modified to produce a modified IP header 401'.
- the IP payload 402 stays the same.
- the simple illustration of the unencapsulated IPSEC packet on the left should not be misinterpreted: this packet is not plaintext but has been processed according to AH or ESP or co ⁇ esponding other transformation protocol in the sending node before its encapsulation into UDP.
- encapsulation according to Fig. 4 is always performed by the same nodes that perform IPSEC processing (either an end node or a VPN device). It should also be noted that instead of encapsulating the IPSEC packets into UDP they could be encapsulated into TCP. This alternative would probably require using fake session starts and ends so that the first packet has the SYN bit and the last packet has the FIN bit, as specified in the TCP protocol.
- the original IP header 401 - defined in RFC791 - is modified to produce the modified IP header 401' as follows:
- Protocol field in the IP header (not separately shown) is replaced by protocol 17 for UDP in accordance with RFC768,
- an UDP header 403 - as defined in RFC768 - and an intermediate header 404 are inserted after the IP header.
- the UDP header is 8 octets and the intermediate header is 8 octets, for a total of 16 octets.
- the Source Port field 221 is set to 500 (same as IKE). If the packet goes through NAT, this may be different when the packet is received.
- the Destination Port field 222 is set to the port number from which the other end appears to be sending packets. If the packet goes through NAT, the recipient may see a different port number here.
- the UDP Length field 223 is the length of the UDP header plus the length of the UDP data field. In this case, it also includes the intermediate header. The value is computed in bytes as 16 plus the length of the original IP packet payload (not including the original LP header, which is included in the Length field in the IP header).
- the UDP Checksum field 224 is most advantageously set to 0.
- the UDP checksum is optional, and we do not wish to calculate or check it with this tunneling mechanism. Integrity of the data is assumed to be protected by an AH or ESP header within the tunneled packet.
- the Must be zero field 225 This field must contain a previously agreed fixed value, which is most advantageously all zeroes.
- the field overlaps with the first four bytes of the Initiator Cookie field in an actual IKE header. Any Initiator that supports this aspect of the invention must not use a cookie where the first four bytes are zero. These zero bytes are used to separate the tunneled packets from real ISAKMP packets. Naturally some other fixed value than "all zeroes" could be chosen, but the value must be fixed for this particular use.
- Protocol field 226 The value of this field is copied from the known Protocol field in the original IP header (not separately shown in Fig. 4).
- the sender inserts this header in any packets tunneled to a destination behind NAT.
- Information about whether NAT is used can be stored on a per SA (Security Association) basis in the policy manager.
- SA Security Association
- the encapsulation refe ⁇ ed to in Fig. 4 can be implemented either as a new transform or as part of the otherwise known AH and ESP transforms.
- the encapsulation operation makes use of the UDP port number and IP address of the remote host, which were determined during the IKE negotiation.
- the receiver decapsulates packets from this encapsulation before doing AH or ESP processing. Decapsulation removes this header and updates the Protocol, Length, and Checksum fields of the IP header. No configuration data (port number etc.) is needed for this operation.
- the decapsulation should be performed only if all of the following selectors match:
- Source port field value indicates the port with which this host has agreed to use this tunneling. (Note that there may be multiple source addresses and ports for which this tunneling is performed; each of them is treated by a separate set of selectors.)
- the source address in the received packet can be replaced by the real source address received during the IKE negotiation. This implements the compensation for AH MAC verification. The address is again changed in the post- processing phase below. Because of this compensation, the standard AH and ESP transforms can be used unmodified.
- AH/ESP processing at the sending node is schematically shown as block 301
- encapsulation of datagrams into UDP is schematically shown as block 302
- co ⁇ esponding decapsulation of datagrams from UDP is schematically shown as block 303
- AH/ESP processing at the receiving node is schematically shown as block 304.
- TCP checksum for internal hosts must be recomputed if host addresses or port numbers changed. TCP checksum computations may also be incremental, as is known from RFC 1071. Port NAT may need to be performed for the source port
- the compensation operation may or may not interact with the TCP/IP stack on the local machine to reserve UDP port numbers.
- this invention does not significantly constrain the method used to compensate for inner packets the NAT occurring for the outer header.
- the optimal method for performing such compensation may be found among the above-given alternatives by experimenting, or some other optimal method could be presented.
- Network address translators cache the information about address mapping, so that they can reverse the mapping for reply packets. If TCP is used, the address translator may look at the FIN bit of the TCP header to determine when it can drop a particular mapping. For UDP, however, there is no explicit termination indication for flows. For this reason, many NATs will time out mappings for UDP quite fast (even as fast as in 30 seconds). Thus, it becomes necessary to force the mapping to be maintained.
- a possible way of ensuring the maintaining of mappings is to send keepalive packets frequently enough that the address translation remains in the cache.
- the appropriate frequency depends on both the period the mappings are kept cached and on the packet loss probability of the network; optimal frequency values for various context may be found through experimenting.
- Keepalive packets do not need to contain any meaningful information other than the necessary headers that are equal to the data packet headers to ensure that the keepalive packets will be handled exactly in the same way as the actual data packets.
- a keepalive packet may contain an indicator that identifies it as a keepalive packet and not a data packet; however it may also be determined that all packets that do not contain meaningful payload information are interpreted to be keepalive packets.
- the transmission of keepalive packets is schematically illustrated by block 306 and the reception and discarding of them is schematically illustrated by block 307.
- keepalive packets are not needed at all if actual data packets are transmitted frequently enough and/or the connection is to remain valid only for such a short time (e.g. a few seconds) that it is improbable that any intermediate device would delete the mapping information from its cache.
- Keepalive packets need to be transmitted in one direction only, although they may be transmitted also bidirectionally; the drawback resulting from their bidirectional transmission is the resulting increase in unnecessary network traffic.
- the invention does not limit the direction(s) in which keepalive packets (if any) are transmitted.
- Fig. 5 is a simplified block diagram of a network device 500 that can act as the Initiator or the Responder according to the method of providing secure communications over network address translations in accordance with the invention.
- Network interface 501 connects the network device 500 physically to the network.
- Address management block 502 keeps track of the co ⁇ ect network addresses, port numbers and other essential public identification information of both the network device 500 itself and its peer (not shown).
- IKE block 503 is responsible for the key management process and other activities related to the exchange of secret information.
- Encryption/decryption block 504 implements the encryption and decryption of data once the secret key has been obtained by the IKE block 503.
- Compensation block 505 is used to compensate for the permissible transformations in the transmitted and/or received packets according to the invention.
- Packet assembler/disassembler block 506 is the intermediator between blocks 502 to 505 and the physical network interface 501. All blocks operate under the supervision of a control block 507 which also takes care of the routing of information between the other blocks and the rest of the network device, for example for displaying information to the user through a display unit (not shown) and obtaining commands from the user through a keyboard (not shown).
- the blocks of Fig. 5 are most advantageously implemented as pre-programmed operational procedures of a microprocessor, which implementation is known as such to the person skilled in the art. Other a ⁇ angements than that shown in Fig. 5 may as well be used to reduce the invention into practice.
- the present invention was presented in the context of IKE, and tunneling using the IKE port, it should be understood that the invention applies to also other analogous cases using different packet formatting methods, different negotiation details, a different key exchange protocol, or a different security protocol.
- the invention may also be applicable to non-IP protocols with suitable characteristics.
- the invention is equally applicable to both IPv4 and IPv6 protocols.
- the invention is also intended to apply to future revisions of the IPSEC and IKE protocols.
- Kantor Internet protocol encapsulation of AX.25 frames, RFC 1226, Internet Engineering Task Force, 1991.
- Rivest The MD5 message-digest algorithm, RFC 1321, Internet Engineering Task Force, 1992.
Abstract
Description
Claims
Priority Applications (6)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
JP2001504140A JP3793083B2 (en) | 1999-06-15 | 2000-06-15 | Method and apparatus for providing security by network address translation using tunneling and compensation |
EP00936931A EP1186146B1 (en) | 1999-06-15 | 2000-06-15 | A method and arrangement for providing security through network address translations using tunneling and compensations |
DK00936931.5T DK1186146T3 (en) | 1999-06-15 | 2000-06-15 | Method and apparatus for providing security through network address translations using tunneling and compensation |
AT00936931T ATE502468T1 (en) | 1999-06-15 | 2000-06-15 | METHOD AND ARRANGEMENT FOR ENSURE SECURITY USING NETWORK ADDRESS TRANSLATION USING TUNNELING AND BALANCE CORRECTIONS |
AU52250/00A AU5225000A (en) | 1999-06-15 | 2000-06-15 | A method and arrangement for providing security through network address translations using tunneling and compensations |
DE60045737T DE60045737D1 (en) | 1999-06-15 | 2000-06-15 | METHOD AND ARRANGEMENT FOR ENSURING SAFETY THROUGH NETWORK ADDRESS TRANSLATION USING TUNNELING AND COMPENSATION CORRECTIONS |
Applications Claiming Priority (2)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US09/333,829 | 1999-06-15 | ||
US09/333,829 US6957346B1 (en) | 1999-06-15 | 1999-06-15 | Method and arrangement for providing security through network address translations using tunneling and compensations |
Publications (1)
Publication Number | Publication Date |
---|---|
WO2000078008A1 true WO2000078008A1 (en) | 2000-12-21 |
Family
ID=23304429
Family Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
PCT/FI2000/000537 WO2000078008A1 (en) | 1999-06-15 | 2000-06-15 | A method and arrangement for providing security through network address translations using tunneling and compensations |
Country Status (10)
Country | Link |
---|---|
US (13) | US6957346B1 (en) |
EP (2) | EP2254311B1 (en) |
JP (1) | JP3793083B2 (en) |
AT (2) | ATE502468T1 (en) |
AU (1) | AU5225000A (en) |
DE (1) | DE60045737D1 (en) |
DK (2) | DK2254311T3 (en) |
ES (2) | ES2369132T3 (en) |
PT (2) | PT2254311E (en) |
WO (1) | WO2000078008A1 (en) |
Cited By (49)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
GB2367222A (en) * | 2000-05-23 | 2002-03-27 | Ibm | Network address translation integration with IP security |
WO2002052798A2 (en) * | 2000-12-22 | 2002-07-04 | Research In Motion Limited | Wireless router system and method |
WO2002078290A1 (en) * | 2001-03-22 | 2002-10-03 | Ssh Communications Security Oyj | Method for setting up communication parameters in upn using hardware token |
WO2002103981A2 (en) * | 2001-06-14 | 2002-12-27 | Nortel Networks Limited | Providing telephony services to terminals behind a firewall and/or network address translator |
WO2003007561A1 (en) * | 2001-07-13 | 2003-01-23 | Ssh Communications Security Corp | Method for forming a secured network |
WO2003021866A2 (en) * | 2001-08-31 | 2003-03-13 | The Boeing Company | Point-to-point protocol over ethernet for mobile platforms |
WO2003063443A1 (en) * | 2002-01-22 | 2003-07-31 | Intrasecure Networks Oy | Method and system for sending a message through a secure connection |
WO2004030306A1 (en) * | 2002-09-25 | 2004-04-08 | Siemens Aktiengesellschaft | Protocol selection method for transmitting data packets |
EP1435152A1 (en) * | 2001-10-09 | 2004-07-07 | Force Computers Inc. | Performance improvement for atm aal2/5 to ip packet processing |
EP1463265A2 (en) * | 2003-03-27 | 2004-09-29 | Avaya Technology Corp. | Method and apparatus for authenticating packet payloads via message authentication codes |
WO2005043848A1 (en) * | 2003-11-03 | 2005-05-12 | Immertec Co., Ltd. | Udp packet communication method and system for private ip terminals |
WO2005048553A1 (en) * | 2003-11-13 | 2005-05-26 | Zte Corporation | A METHOD ON EMBEDDING IPSec PROTOCOL STACK |
US7068655B2 (en) | 2001-06-14 | 2006-06-27 | Nortel Networks Limited | Network address and/or port translation |
US7107614B1 (en) | 1999-01-29 | 2006-09-12 | International Business Machines Corporation | System and method for network address translation integration with IP security |
WO2006104795A2 (en) * | 2005-03-30 | 2006-10-05 | Tellabs Operations, Inc. | Autonomous link discovery in a communications network |
WO2006125383A1 (en) | 2005-05-23 | 2006-11-30 | Huawei Technologies Co., Ltd. | A method for traversing the network address conversion/firewall device |
EP1871044A3 (en) * | 2001-10-03 | 2008-01-02 | QUALCOMM Incorporated | Mehtod and apparatus for data transport in a wireless communication system using an internet protocol |
US7346770B2 (en) | 2002-10-31 | 2008-03-18 | Microsoft Corporation | Method and apparatus for traversing a translation device with a security protocol |
US7386881B2 (en) | 2003-01-21 | 2008-06-10 | Swander Brian D | Method for mapping security associations to clients operating behind a network address translation device |
US7536719B2 (en) | 2003-01-07 | 2009-05-19 | Microsoft Corporation | Method and apparatus for preventing a denial of service attack during key negotiation |
US7684317B2 (en) | 2001-06-14 | 2010-03-23 | Nortel Networks Limited | Protecting a network from unauthorized access |
US7734909B1 (en) | 2003-09-29 | 2010-06-08 | Avaya Inc. | Using voice over IP or instant messaging to connect to customer products |
US8077679B2 (en) | 2001-03-28 | 2011-12-13 | Qualcomm Incorporated | Method and apparatus for providing protocol options in a wireless communication system |
US8098818B2 (en) | 2003-07-07 | 2012-01-17 | Qualcomm Incorporated | Secure registration for a multicast-broadcast-multimedia system (MBMS) |
US8121296B2 (en) | 2001-03-28 | 2012-02-21 | Qualcomm Incorporated | Method and apparatus for security in a data processing system |
US8275989B2 (en) | 2003-11-14 | 2012-09-25 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
WO2012150512A1 (en) * | 2011-05-05 | 2012-11-08 | Telefonaktiebolaget L M Ericsson (Publ) | Methods providing public reachability and related systems and devices |
US8365272B2 (en) | 2007-05-30 | 2013-01-29 | Yoggie Security Systems Ltd. | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US8381297B2 (en) | 2005-12-13 | 2013-02-19 | Yoggie Security Systems Ltd. | System and method for providing network security to mobile devices |
US8631488B2 (en) | 2008-08-04 | 2014-01-14 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US8713400B2 (en) | 2001-10-12 | 2014-04-29 | Qualcomm Incorporated | Method and system for reduction of decoding complexity in a communication system |
US8718279B2 (en) | 2003-07-08 | 2014-05-06 | Qualcomm Incorporated | Apparatus and method for a secure broadcast system |
US8724803B2 (en) | 2003-09-02 | 2014-05-13 | Qualcomm Incorporated | Method and apparatus for providing authenticated challenges for broadcast-multicast communications in a communication system |
US8789202B2 (en) | 2008-11-19 | 2014-07-22 | Cupp Computing As | Systems and methods for providing real time access monitoring of a removable media device |
US8869270B2 (en) | 2008-03-26 | 2014-10-21 | Cupp Computing As | System and method for implementing content and network security inside a chip |
US8971790B2 (en) | 2003-01-02 | 2015-03-03 | Qualcomm Incorporated | Method and apparatus for broadcast services in a communication system |
US8983065B2 (en) | 2001-10-09 | 2015-03-17 | Qualcomm Incorporated | Method and apparatus for security in a data processing system |
US9098279B2 (en) | 2010-09-14 | 2015-08-04 | Google Inc. | Methods and systems for data interchange between a network-connected thermostat and cloud-based management server |
US9100457B2 (en) | 2001-03-28 | 2015-08-04 | Qualcomm Incorporated | Method and apparatus for transmission framing in a wireless communication system |
US9258372B2 (en) | 2007-05-09 | 2016-02-09 | Blackberry Limited | Wireless router system and method |
US9615198B2 (en) | 2008-12-04 | 2017-04-04 | Nokia Technologies Oy | Proprietary extensions in user plane location protocols |
US9667594B2 (en) | 1999-06-15 | 2017-05-30 | Ssh Communications Security Oyj | Maintaining network address translations |
US9762614B2 (en) | 2014-02-13 | 2017-09-12 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
CN107579932A (en) * | 2017-10-25 | 2018-01-12 | 北京天融信网络安全技术有限公司 | A kind of data transmission method, equipment and storage medium |
EP2285072B1 (en) * | 2002-05-13 | 2018-02-28 | Sony Computer Entertainment America LLC | Peer to peer network communication with network address translation |
US9973501B2 (en) | 2012-10-09 | 2018-05-15 | Cupp Computing As | Transaction security systems and methods |
US10313368B2 (en) | 2005-12-13 | 2019-06-04 | Cupp Computing As | System and method for providing data and device security between external and host devices |
US10732651B2 (en) | 2010-11-19 | 2020-08-04 | Google Llc | Smart-home proxy devices with long-polling |
US11157976B2 (en) | 2013-07-08 | 2021-10-26 | Cupp Computing As | Systems and methods for providing digital content marketplace security |
Families Citing this family (86)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US6629163B1 (en) | 1999-12-29 | 2003-09-30 | Implicit Networks, Inc. | Method and system for demultiplexing a first sequence of packet components to identify specific components wherein subsequent components are processed without re-identifying components |
US7058973B1 (en) * | 2000-03-03 | 2006-06-06 | Symantec Corporation | Network address translation gateway for local area networks using local IP addresses and non-translatable port addresses |
US7757272B1 (en) * | 2000-06-14 | 2010-07-13 | Verizon Corporate Services Group, Inc. | Method and apparatus for dynamic mapping |
US9444785B2 (en) * | 2000-06-23 | 2016-09-13 | Cloudshield Technologies, Inc. | Transparent provisioning of network access to an application |
US7797433B2 (en) * | 2000-06-30 | 2010-09-14 | Net2Phone | System, method, and computer program product for resolving addressing in a network including a network address translator |
JP4365998B2 (en) * | 2000-07-21 | 2009-11-18 | 株式会社日立製作所 | Multicast communication method and communication apparatus |
US7139263B2 (en) * | 2001-10-19 | 2006-11-21 | Sentito Networks, Inc. | Voice over IP architecture |
US7305700B2 (en) * | 2002-01-08 | 2007-12-04 | Seven Networks, Inc. | Secure transport for mobile communication network |
US7181612B1 (en) * | 2002-01-17 | 2007-02-20 | Cisco Technology, Inc. | Facilitating IPsec communications through devices that employ address translation in a telecommunications network |
US7500102B2 (en) * | 2002-01-25 | 2009-03-03 | Microsoft Corporation | Method and apparatus for fragmenting and reassembling internet key exchange data packets |
US7558873B1 (en) | 2002-05-08 | 2009-07-07 | Nvidia Corporation | Method for compressed large send |
US7120930B2 (en) * | 2002-06-13 | 2006-10-10 | Nvidia Corporation | Method and apparatus for control of security protocol negotiation |
US7143137B2 (en) * | 2002-06-13 | 2006-11-28 | Nvidia Corporation | Method and apparatus for security protocol and address translation integration |
US7191331B2 (en) * | 2002-06-13 | 2007-03-13 | Nvidia Corporation | Detection of support for security protocol and address translation integration |
US7437548B1 (en) | 2002-07-11 | 2008-10-14 | Nvidia Corporation | Network level protocol negotiation and operation |
US7370197B2 (en) | 2002-07-12 | 2008-05-06 | Microsoft Corporation | Method and system for authenticating messages |
US7305546B1 (en) * | 2002-08-29 | 2007-12-04 | Sprint Communications Company L.P. | Splicing of TCP/UDP sessions in a firewalled network environment |
US7610487B2 (en) * | 2003-03-27 | 2009-10-27 | Microsoft Corporation | Human input security codes |
US8261062B2 (en) | 2003-03-27 | 2012-09-04 | Microsoft Corporation | Non-cryptographic addressing |
US7624264B2 (en) * | 2003-03-27 | 2009-11-24 | Microsoft Corporation | Using time to determine a hash extension |
US7409544B2 (en) * | 2003-03-27 | 2008-08-05 | Microsoft Corporation | Methods and systems for authenticating messages |
US7577837B1 (en) * | 2003-04-17 | 2009-08-18 | Cisco Technology, Inc. | Method and apparatus for encrypted unicast group communication |
US7913294B1 (en) | 2003-06-24 | 2011-03-22 | Nvidia Corporation | Network protocol processing for filtering packets |
US7620070B1 (en) | 2003-06-24 | 2009-11-17 | Nvidia Corporation | Packet processing with re-insertion into network interface circuitry |
US8015413B2 (en) * | 2003-07-03 | 2011-09-06 | Koninklijke Philips Electronics N.V. | Secure indirect addressing |
JP3783142B2 (en) * | 2003-08-08 | 2006-06-07 | ティー・ティー・ティー株式会社 | Communication system, communication device, communication method, and communication program for realizing the same |
US7441179B2 (en) * | 2003-10-23 | 2008-10-21 | Intel Corporation | Determining a checksum from packet data |
KR100597405B1 (en) * | 2004-05-28 | 2006-07-06 | 삼성전자주식회사 | System and method for relaying data by use of socket applicaton program |
US7929689B2 (en) | 2004-06-30 | 2011-04-19 | Microsoft Corporation | Call signs |
US7962623B2 (en) | 2004-06-30 | 2011-06-14 | Microsoft Corporation | Sustaining session connections |
JP4440056B2 (en) * | 2004-09-27 | 2010-03-24 | パナソニック株式会社 | Information processing apparatus, communication processing apparatus, information processing system, information processing method, and communication processing method |
JP4759382B2 (en) * | 2004-12-21 | 2011-08-31 | 株式会社リコー | COMMUNICATION DEVICE, COMMUNICATION METHOD, COMMUNICATION PROGRAM, AND RECORDING MEDIUM |
JP4826827B2 (en) * | 2005-02-28 | 2011-11-30 | 日本電気株式会社 | COMMUNICATION DEVICE, COMMUNICATION SYSTEM, COMMUNICATION METHOD, AND PROGRAM |
CN100414929C (en) * | 2005-03-15 | 2008-08-27 | 华为技术有限公司 | Text transmission method in protocal network of mobile internet |
US8529517B2 (en) * | 2005-05-02 | 2013-09-10 | Shi Zi Technology, Ltd. | Autoflush syringe |
US8936577B2 (en) | 2005-05-02 | 2015-01-20 | Shi Zi Technology, Ltd. | Methods and devices for autoflush syringes |
JP2006324783A (en) * | 2005-05-17 | 2006-11-30 | Nippon Telegr & Teleph Corp <Ntt> | Connection information exchange method and terminal device |
JP4709583B2 (en) * | 2005-05-31 | 2011-06-22 | 株式会社東芝 | Data transmission apparatus and data transmission method |
US7706371B1 (en) * | 2005-07-07 | 2010-04-27 | Cisco Technology, Inc. | Domain based routing for managing devices operating behind a network address translator |
US8731542B2 (en) | 2005-08-11 | 2014-05-20 | Seven Networks International Oy | Dynamic adjustment of keep-alive message intervals in a mobile network |
US8250229B2 (en) * | 2005-09-29 | 2012-08-21 | International Business Machines Corporation | Internet protocol security (IPSEC) packet processing for multiple clients sharing a single network address |
US7599365B1 (en) * | 2005-10-12 | 2009-10-06 | 2Wire, Inc. | System and method for detecting a network packet handling device |
JP4489008B2 (en) * | 2005-11-16 | 2010-06-23 | 株式会社東芝 | COMMUNICATION DEVICE, COMMUNICATION METHOD, AND COMMUNICATION PROGRAM |
US20070183417A1 (en) * | 2006-02-09 | 2007-08-09 | Maleport Joel J | Data traffic router |
US7962652B2 (en) * | 2006-02-14 | 2011-06-14 | International Business Machines Corporation | Detecting network topology when negotiating IPsec security associations that involve network address translation |
US8086842B2 (en) | 2006-04-21 | 2011-12-27 | Microsoft Corporation | Peer-to-peer contact exchange |
US8543808B2 (en) * | 2006-08-24 | 2013-09-24 | Microsoft Corporation | Trusted intermediary for network data processing |
US20090322874A1 (en) * | 2007-04-23 | 2009-12-31 | Mark Knutson | System and method for remote surveillance |
JP2009111437A (en) * | 2007-10-26 | 2009-05-21 | Hitachi Ltd | Network system |
US8477811B2 (en) | 2008-02-02 | 2013-07-02 | Qualcomm Incorporated | Radio access network (RAN) level keep alive signaling |
US8533465B2 (en) * | 2008-03-05 | 2013-09-10 | The Johns Hopkins University | System and method of encrypting network address for anonymity and preventing data exfiltration |
US20100058082A1 (en) * | 2008-08-27 | 2010-03-04 | Lenovo (Singapore) Ple., Ltd. | Maintaining network link during suspend state |
US8750112B2 (en) * | 2009-03-16 | 2014-06-10 | Echostar Technologies L.L.C. | Method and node for employing network connections over a connectionless transport layer protocol |
SG177771A1 (en) * | 2009-07-31 | 2012-02-28 | Ribbit Corp | Telephonic communications with intelligent protocol switching |
KR101563195B1 (en) * | 2009-08-18 | 2015-10-27 | 삼성전자주식회사 | Host device and slave device controlling method |
KR101144912B1 (en) * | 2010-08-03 | 2012-05-17 | 주식회사 네이블커뮤니케이션즈 | Traffic aware communication system and method |
TWI469570B (en) * | 2011-04-26 | 2015-01-11 | Realtek Semiconductor Corp | Remote wake mechanism for a network system and remote wake method thereof |
US8806033B1 (en) * | 2011-06-30 | 2014-08-12 | Juniper Networks, Inc. | Effective network identity pairing |
US9699274B2 (en) * | 2011-07-25 | 2017-07-04 | Alcatel Lucent | Method and apparatus for reliable session migration |
US9769116B2 (en) * | 2011-09-16 | 2017-09-19 | Wilmerding Communications Llc | Encapsulating traffic while preserving packet characteristics |
TWI484804B (en) * | 2011-11-09 | 2015-05-11 | Quanta Comp Inc | Data management methods for use in a network system and systems thereof |
US8984110B1 (en) * | 2012-02-14 | 2015-03-17 | Sonus Networks, Inc. | Secure media address learning for endpoints behind NAPT devices |
US9008093B2 (en) * | 2012-03-12 | 2015-04-14 | Comcast Cable Communications, Llc | Stateless protocol translation |
US9965972B2 (en) | 2012-04-27 | 2018-05-08 | President And Fellows Of Harvard College | Management of off-task time in a participatory environment |
CN103428690B (en) * | 2012-05-23 | 2016-09-07 | 华为技术有限公司 | The safe method for building up of WLAN and system, equipment |
US20140003322A1 (en) * | 2012-06-29 | 2014-01-02 | Alcatel-Lucent Usa Inc. | Seamless make-before-break transfer of multicast/broadcast sessions |
WO2014066252A1 (en) * | 2012-10-22 | 2014-05-01 | Huawei Technologies Co, Ltd. | Linked identifiers for multiple domains |
US9621685B2 (en) * | 2013-04-21 | 2017-04-11 | Oliver Solutions Ltd. | Architecture for an access network system management protocol control under heterogeneous network management environment |
US9661005B2 (en) | 2014-01-09 | 2017-05-23 | International Business Machines Corporation | Security level and status exchange between TCP/UDP client(s) and server(s) for secure transactions |
US11474767B1 (en) * | 2014-05-28 | 2022-10-18 | Amazon Technologies, Inc. | Print from web services platform to local printer |
US9912649B1 (en) * | 2015-01-05 | 2018-03-06 | Adtran, Inc. | Systems and methods for facilitating communication between an authentication client and an authentication server |
US10142229B2 (en) * | 2015-03-13 | 2018-11-27 | Oracle International Corporation | Concealed datagram-based tunnel for real-time communications |
US20180096938A1 (en) * | 2016-09-30 | 2018-04-05 | Advanced Micro Devices, Inc. | Circuit board with multiple density regions |
US10347825B2 (en) * | 2017-02-17 | 2019-07-09 | International Business Machines Corporation | Selective deposition and nitridization of bottom electrode metal for MRAM applications |
US20190097968A1 (en) * | 2017-09-28 | 2019-03-28 | Unisys Corporation | Scip and ipsec over nat/pat routers |
WO2019094119A1 (en) * | 2017-11-13 | 2019-05-16 | Intel Corporation | Multi-domain message routing with e2e tunnel protection |
US11095617B2 (en) | 2017-12-04 | 2021-08-17 | Nicira, Inc. | Scaling gateway to gateway traffic using flow hash |
CN108494549B (en) * | 2018-02-27 | 2020-10-02 | 北京赛博兴安科技有限公司 | Key index negotiation device, system and method based on FPGA |
CN109088878A (en) * | 2018-09-03 | 2018-12-25 | 中新网络信息安全股份有限公司 | A kind of message processing method for resisting exhausted cloud guard system |
CN109474628B (en) * | 2018-12-27 | 2021-06-08 | 奇安信科技集团股份有限公司 | Data transmission method, system, equipment and medium based on double unidirectional network gates |
US11700241B2 (en) * | 2019-02-27 | 2023-07-11 | Sevitech, Llc | Isolated data processing modules |
CN110519282A (en) * | 2019-08-30 | 2019-11-29 | 新华三信息安全技术有限公司 | A kind of method and device of Message processing |
US11902264B2 (en) * | 2020-06-22 | 2024-02-13 | Vmware, Inc. | Path selection for data packets encrypted based on an IPSEC protocol |
US11792677B2 (en) * | 2021-10-22 | 2023-10-17 | Qualcomm Incorporated | Reflective quality of service for encapsulating security payload packets |
US11863514B2 (en) | 2022-01-14 | 2024-01-02 | Vmware, Inc. | Performance improvement of IPsec traffic using SA-groups and mixed-mode SAs |
US11956213B2 (en) | 2022-05-18 | 2024-04-09 | VMware LLC | Using firewall policies to map data messages to secure tunnels |
Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
WO1998032065A2 (en) * | 1997-01-03 | 1998-07-23 | Fortress Technologies, Inc. | Improved network security device |
US5793763A (en) * | 1995-11-03 | 1998-08-11 | Cisco Technology, Inc. | Security system for network address translation systems |
WO1999035799A2 (en) * | 1997-12-31 | 1999-07-15 | Ssh Communications Security Oy | A method for packet authentication in the presence of network address translations and protocol conversions |
Family Cites Families (162)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5870474A (en) * | 1995-12-04 | 1999-02-09 | Scientific-Atlanta, Inc. | Method and apparatus for providing conditional access in connection-oriented, interactive networks with a multiplicity of service providers |
US5185860A (en) * | 1990-05-03 | 1993-02-09 | Hewlett-Packard Company | Automatic discovery of network elements |
US5251205A (en) * | 1990-09-04 | 1993-10-05 | Digital Equipment Corporation | Multiple protocol routing |
GB9100389D0 (en) * | 1991-01-09 | 1991-02-20 | Digital Equipment Corp | Method and apparatus for transparently bridging traffic across wide area networks |
JP2571655B2 (en) * | 1991-11-27 | 1997-01-16 | インターナショナル・ビジネス・マシーンズ・コーポレイション | Protocol conversion mechanism, switching network and computer system |
US6026452A (en) * | 1997-02-26 | 2000-02-15 | Pitts; William Michael | Network distributed site cache RAM claimed as up/down stream request/reply channel for storing anticipated data and meta data |
US5838894A (en) * | 1992-12-17 | 1998-11-17 | Tandem Computers Incorporated | Logical, fail-functional, dual central processor units formed from three processor units |
US5964835A (en) * | 1992-12-17 | 1999-10-12 | Tandem Computers Incorporated | Storage access validation to data messages using partial storage address data indexed entries containing permissible address range validation for message source |
US6157967A (en) * | 1992-12-17 | 2000-12-05 | Tandem Computer Incorporated | Method of data communication flow control in a data processing system using busy/ready commands |
US5506847A (en) * | 1993-04-26 | 1996-04-09 | Kabushiki Kaisha Toshiba | ATM-lan system using broadcast channel for transferring link setting and chaining requests |
US5490134A (en) * | 1993-06-29 | 1996-02-06 | Southern California Edison Company | Versatile communications controller |
US5377182A (en) * | 1993-08-18 | 1994-12-27 | The United States Of America As Represented By The Administrator Of The National Aeronautics And Space Administration | Non-blocking crossbar permutation engine with constant routing latency |
US5544222A (en) * | 1993-11-12 | 1996-08-06 | Pacific Communication Sciences, Inc. | Cellular digtial packet data mobile data base station |
US5548646A (en) * | 1994-09-15 | 1996-08-20 | Sun Microsystems, Inc. | System for signatureless transmission and reception of data packets between computer networks |
EP0792558A1 (en) * | 1994-11-17 | 1997-09-03 | Nortel Networks Corporation | Intelligent network testing |
US5550984A (en) * | 1994-12-07 | 1996-08-27 | Matsushita Electric Corporation Of America | Security system for preventing unauthorized communications between networks by translating communications received in ip protocol to non-ip protocol to remove address and routing services information |
US5636213A (en) * | 1994-12-28 | 1997-06-03 | Motorola | Method, transceiver, and system for providing wireless communication compatible with 10BASE-T Ethernet |
US5541918A (en) * | 1995-01-31 | 1996-07-30 | Fore Systems, Inc. | Method and apparatus for manipulating an ATM cell |
US5572528A (en) | 1995-03-20 | 1996-11-05 | Novell, Inc. | Mobile networking method and apparatus |
US5640446A (en) * | 1995-05-01 | 1997-06-17 | Mci Corporation | System and method of validating special service calls having different signaling protocols |
US5956342A (en) | 1995-07-19 | 1999-09-21 | Fujitsu Network Communications, Inc. | Priority arbitration for point-to-point and multipoint transmission |
WO1997004665A1 (en) | 1995-07-31 | 1997-02-13 | Alta Spinner Australia Pty. Limited | Surface moisture removal from food products |
US5757924A (en) | 1995-09-18 | 1998-05-26 | Digital Secured Networks Techolognies, Inc. | Network security device which performs MAC address translation without affecting the IP address |
US5815667A (en) * | 1995-11-28 | 1998-09-29 | Ncr Corporation | Circuits and methods for intelligent acknowledgement based flow control in a processing system network |
US8291099B2 (en) * | 1996-01-03 | 2012-10-16 | International Business Machines Corporation | Protocol conversion using facilities and utilities |
US6233623B1 (en) | 1996-01-11 | 2001-05-15 | Cabletron Systems, Inc. | Replicated resource management system for managing resources in a distributed application and maintaining a relativistic view of state |
AU1829897A (en) * | 1996-01-16 | 1997-08-11 | Raptor Systems, Inc. | Transferring encrypted packets over a public network |
JP3464358B2 (en) | 1996-01-17 | 2003-11-10 | 株式会社東芝 | Communication control method, relay device and data packet processing device |
JPH09275414A (en) | 1996-04-05 | 1997-10-21 | Hitachi Ltd | Communication network system |
US6141319A (en) * | 1996-04-10 | 2000-10-31 | Nec Usa, Inc. | Link based alternative routing scheme for network restoration under failure |
KR100317443B1 (en) | 1996-04-24 | 2002-01-16 | 블레이어 에프.모리슨 | Internet protocol filter |
US5923654A (en) * | 1996-04-25 | 1999-07-13 | Compaq Computer Corp. | Network switch that includes a plurality of shared packet buffers |
US5826023A (en) * | 1996-06-03 | 1998-10-20 | International Business Machines Corporation | Communications tunneling |
JPH1011369A (en) | 1996-06-27 | 1998-01-16 | Hitachi Ltd | Communication system and information processor with hot standby switching function |
JP3224745B2 (en) * | 1996-07-09 | 2001-11-05 | 株式会社日立製作所 | High reliability network system and server switching method |
DE19627778A1 (en) | 1996-07-10 | 1998-01-15 | Bayer Ag | Arthropod repellant |
US5940394A (en) * | 1996-08-08 | 1999-08-17 | At&T Corp | Transferring messages in networks made up of subnetworks with different namespaces |
US6023563A (en) * | 1996-08-20 | 2000-02-08 | Shani; Ron | Networking switch having the network presence of a bridge |
US6701361B1 (en) * | 1996-08-22 | 2004-03-02 | Intermec Ip Corp. | Enhanced mobility and address resolution in a wireless premises based network |
US6463477B1 (en) * | 1996-09-27 | 2002-10-08 | Mci Communications Corporation | Detection of presence of multiprotocol encapsulation in a data packet |
US6751221B1 (en) | 1996-10-04 | 2004-06-15 | Kabushiki Kaisha Toshiba | Data transmitting node and network inter-connection node suitable for home network environment |
US6690669B1 (en) * | 1996-11-01 | 2004-02-10 | Hitachi, Ltd. | Communicating method between IPv4 terminal and IPv6 terminal and IPv4-IPv6 converting apparatus |
CA2218218A1 (en) * | 1996-11-08 | 1998-05-08 | At&T Corp. | Promiscuous network monitoring utilizing multicasting within a switch |
US7274662B1 (en) * | 1998-08-04 | 2007-09-25 | At&T Corp. | Method for performing segmented resource reservation |
US6335927B1 (en) * | 1996-11-18 | 2002-01-01 | Mci Communications Corporation | System and method for providing requested quality of service in a hybrid network |
US6909708B1 (en) * | 1996-11-18 | 2005-06-21 | Mci Communications Corporation | System, method and article of manufacture for a communication system architecture including video conferencing |
US7145898B1 (en) * | 1996-11-18 | 2006-12-05 | Mci Communications Corporation | System, method and article of manufacture for selecting a gateway of a hybrid communication system architecture |
US7161937B1 (en) | 1996-12-13 | 2007-01-09 | Intel Corporation | Method and apparatus for routing encoded signals through a network |
US6304546B1 (en) * | 1996-12-19 | 2001-10-16 | Cisco Technology, Inc. | End-to-end bidirectional keep-alive using virtual circuits |
US6201789B1 (en) | 1996-12-30 | 2001-03-13 | Compaq Computer Corporation | Network switch with dynamic backpressure per port |
US6665733B1 (en) * | 1996-12-30 | 2003-12-16 | Hewlett-Packard Development Company, L.P. | Network communication device including bonded ports for increased bandwidth |
US6731625B1 (en) * | 1997-02-10 | 2004-05-04 | Mci Communications Corporation | System, method and article of manufacture for a call back architecture in a hybrid network with support for internet telephony |
US6236654B1 (en) | 1997-02-14 | 2001-05-22 | Advanced Micro Devices, Inc. | Method and apparatus for managing learning in an address table in memory |
US6178505B1 (en) | 1997-03-10 | 2001-01-23 | Internet Dynamics, Inc. | Secure delivery of information in a network |
US8914410B2 (en) | 1999-02-16 | 2014-12-16 | Sonicwall, Inc. | Query interface to policy server |
US7821926B2 (en) | 1997-03-10 | 2010-10-26 | Sonicwall, Inc. | Generalized policy server |
US6408336B1 (en) | 1997-03-10 | 2002-06-18 | David S. Schneider | Distributed administration of access to information |
US6212192B1 (en) * | 1997-03-14 | 2001-04-03 | Itxc, Inc. | Method and apparatus for synchronizing information browsing among multiple systems |
US6199096B1 (en) * | 1997-03-14 | 2001-03-06 | Efusion, Inc. | Method and apparatus for synchronizing information browsing among multiple systems |
JP3430908B2 (en) | 1997-03-27 | 2003-07-28 | 富士通株式会社 | Network connection control system and storage medium |
US6273622B1 (en) | 1997-04-15 | 2001-08-14 | Flash Networks, Ltd. | Data communication protocol for maximizing the performance of IP communication links |
US6212175B1 (en) * | 1997-04-22 | 2001-04-03 | Telxon Corporation | Method to sustain TCP connection |
US6028862A (en) * | 1997-05-08 | 2000-02-22 | 3Com Corporation | Fast path networking |
US6173399B1 (en) * | 1997-06-12 | 2001-01-09 | Vpnet Technologies, Inc. | Apparatus for implementing virtual private networks |
US6098108A (en) | 1997-07-02 | 2000-08-01 | Sitara Networks, Inc. | Distributed directory for enhanced network communication |
US6278697B1 (en) * | 1997-07-29 | 2001-08-21 | Nortel Networks Limited | Method and apparatus for processing multi-protocol communications |
US6111893A (en) * | 1997-07-31 | 2000-08-29 | Cisco Technology, Inc. | Universal protocol conversion |
US6157641A (en) * | 1997-08-22 | 2000-12-05 | Cisco Technology, Inc. | Multiprotocol packet recognition and switching |
US6324161B1 (en) * | 1997-08-27 | 2001-11-27 | Alcatel Usa Sourcing, L.P. | Multiple network configuration with local and remote network redundancy by dual media redirect |
US6006254A (en) | 1997-08-29 | 1999-12-21 | Mitsubishi Electric Information Technology Center America, Inc. | System for the reliable, fast, low-latency communication of object state updates over a computer network by combining lossy and lossless communications |
JP3641112B2 (en) | 1997-09-05 | 2005-04-20 | 株式会社東芝 | Packet relay device, mobile computer device, mobile computer management device, packet relay method, packet transmission method, and mobile computer location registration method |
US6084887A (en) * | 1997-09-10 | 2000-07-04 | Alcatel Usa Sourcing. L.P. | Signaling protocol conversion system |
US6172980B1 (en) * | 1997-09-11 | 2001-01-09 | 3Com Corporation | Multiple protocol support |
US6617879B1 (en) * | 1997-09-17 | 2003-09-09 | Sony Corporation | Transparently partitioned communication bus for multi-port bridge for a local area network |
US6816490B1 (en) * | 1997-09-17 | 2004-11-09 | Sony Corporation | Statistical learning technique in a multi-port bridge for a local area network |
US6076168A (en) * | 1997-10-03 | 2000-06-13 | International Business Machines Corporation | Simplified method of configuring internet protocol security tunnels |
US5974453A (en) * | 1997-10-08 | 1999-10-26 | Intel Corporation | Method and apparatus for translating a static identifier including a telephone number into a dynamically assigned network address |
US6226680B1 (en) * | 1997-10-14 | 2001-05-01 | Alacritech, Inc. | Intelligent network interface system method for protocol processing |
US6047325A (en) * | 1997-10-24 | 2000-04-04 | Jain; Lalit | Network device for supporting construction of virtual local area networks on arbitrary local and wide area computer networks |
US6198751B1 (en) * | 1997-11-19 | 2001-03-06 | Cabletron Systems, Inc. | Multi-protocol packet translator |
US6711166B1 (en) * | 1997-12-10 | 2004-03-23 | Radvision Ltd. | System and method for packet network trunking |
FR2772533B1 (en) * | 1997-12-15 | 2001-09-28 | Inst Nat Rech Inf Automat | DEVICE FOR INTERCONNECTING BETWEEN NETWORK SEGMENTS COMMUNICATING ACCORDING TO DIFFERENT FORMAT PROTOCOLS, AND CORRESPONDING METHOD |
US6339595B1 (en) | 1997-12-23 | 2002-01-15 | Cisco Technology, Inc. | Peer-model support for virtual private networks with potentially overlapping addresses |
US6178160B1 (en) | 1997-12-23 | 2001-01-23 | Cisco Technology, Inc. | Load balancing of client connections across a network using server based algorithms |
DE19800772C2 (en) * | 1998-01-12 | 2000-04-06 | Ericsson Telefon Ab L M | Method and device for connection to a packet exchange network |
FR2773656B1 (en) * | 1998-01-15 | 2000-02-11 | Alsthom Cge Alcatel | INTELLIGENT GATEWAY BETWEEN A SERVICE CONTROL POINT, AND A SIGNALING NETWORK |
US6535493B1 (en) * | 1998-01-15 | 2003-03-18 | Symbol Technologies, Inc. | Mobile internet communication protocol |
AU2331099A (en) * | 1998-01-22 | 1999-08-09 | Intelogis, Inc. | Method and apparatus for universal data exchange gateway |
US6079020A (en) * | 1998-01-27 | 2000-06-20 | Vpnet Technologies, Inc. | Method and apparatus for managing a virtual private network |
US6131163A (en) * | 1998-02-17 | 2000-10-10 | Cisco Technology, Inc. | Network gateway mechanism having a protocol stack proxy |
US7032242B1 (en) * | 1998-03-05 | 2006-04-18 | 3Com Corporation | Method and system for distributed network address translation with network security features |
US6055236A (en) * | 1998-03-05 | 2000-04-25 | 3Com Corporation | Method and system for locating network services with distributed network address translation |
US6353614B1 (en) * | 1998-03-05 | 2002-03-05 | 3Com Corporation | Method and protocol for distributed network address translation |
US6415329B1 (en) * | 1998-03-06 | 2002-07-02 | Massachusetts Institute Of Technology | Method and apparatus for improving efficiency of TCP/IP protocol over high delay-bandwidth network |
WO1999050974A1 (en) * | 1998-03-30 | 1999-10-07 | Motorola Inc. | Method for routing data in a communication system |
US6118785A (en) * | 1998-04-07 | 2000-09-12 | 3Com Corporation | Point-to-point protocol with a signaling channel |
US6343083B1 (en) * | 1998-04-09 | 2002-01-29 | Alcatel Usa Sourcing, L.P. | Method and apparatus for supporting a connectionless communication protocol over an ATM network |
US6226751B1 (en) | 1998-04-17 | 2001-05-01 | Vpnet Technologies, Inc. | Method and apparatus for configuring a virtual private network |
US6377571B1 (en) * | 1998-04-23 | 2002-04-23 | 3Com Corporation | Virtual modem for dialout clients in virtual private network |
US6058431A (en) * | 1998-04-23 | 2000-05-02 | Lucent Technologies Remote Access Business Unit | System and method for network address translation as an external service in the access server of a service provider |
US6154839A (en) * | 1998-04-23 | 2000-11-28 | Vpnet Technologies, Inc. | Translating packet addresses based upon a user identifier |
US7100020B1 (en) | 1998-05-08 | 2006-08-29 | Freescale Semiconductor, Inc. | Digital communications processor |
US6324178B1 (en) | 1998-05-26 | 2001-11-27 | 3Com Corporation | Method for efficient data transfers between domains of differing data formats |
US6556540B1 (en) * | 1998-05-29 | 2003-04-29 | Paradyne Corporation | System and method for non-intrusive measurement of service quality in a communications network |
JP3581251B2 (en) * | 1998-06-16 | 2004-10-27 | 株式会社東芝 | Communication system, data packet transfer method, router device, and packet relay device |
JP3946873B2 (en) | 1998-06-19 | 2007-07-18 | 株式会社日立製作所 | Disk array controller |
US6418476B1 (en) * | 1998-06-29 | 2002-07-09 | Nortel Networks, Limited | Method for synchronizing network address translator (NAT) tables using the open shortest path first opaque link state advertisement option protocol |
US6829242B2 (en) * | 1998-06-30 | 2004-12-07 | Cisco Technology, Inc. | Method and apparatus for associating PVC identifiers with domain names of home gateways |
US6377577B1 (en) * | 1998-06-30 | 2002-04-23 | Cisco Technology, Inc. | Access control list processing in hardware |
GB9814412D0 (en) * | 1998-07-03 | 1998-09-02 | Northern Telecom Ltd | Communications method and apparatus |
US6360265B1 (en) * | 1998-07-08 | 2002-03-19 | Lucent Technologies Inc. | Arrangement of delivering internet protocol datagrams for multimedia services to the same server |
US6363056B1 (en) * | 1998-07-15 | 2002-03-26 | International Business Machines Corporation | Low overhead continuous monitoring of network performance |
US6519248B1 (en) * | 1998-07-24 | 2003-02-11 | Telefonaktiebolaget Lm Ericsson (Publ) | Packet data network having distributed database |
US6282589B1 (en) | 1998-07-30 | 2001-08-28 | Micron Technology, Inc. | System for sharing data buffers from a buffer pool |
US7206397B1 (en) * | 1998-08-04 | 2007-04-17 | At&T Corp. | Method for allocating network resources |
US6757290B1 (en) * | 1998-08-04 | 2004-06-29 | At&T Corp. | Method for performing gate coordination on a per-call basis |
US6870845B1 (en) * | 1998-08-04 | 2005-03-22 | At&T Corp. | Method for providing privacy by network address translation |
US6694429B1 (en) * | 1998-08-04 | 2004-02-17 | At&T Corp. | Method for establishing call state information without maintaining state information at gate controllers |
JP2002522962A (en) | 1998-08-04 | 2002-07-23 | エイ・ティ・アンド・ティ・コーポレーション | Network resource allocation method |
US6331984B1 (en) * | 1998-08-21 | 2001-12-18 | Nortel Networks Limited | Method for synchronizing network address translator (NAT) tables using the server cache synchronization protocol |
CA2341257A1 (en) * | 1998-08-26 | 2000-03-09 | Nortel Networks Limited | Non-broadcast, multiple access inverse next hop resolution protocol (innhrp) |
US6438612B1 (en) * | 1998-09-11 | 2002-08-20 | Ssh Communications Security, Ltd. | Method and arrangement for secure tunneling of data between virtual routers |
US6230191B1 (en) | 1998-10-05 | 2001-05-08 | Alcatel Internetworking (Pe), Inc. | Method and apparatus for regulating the amount of buffer memory requested by a port in a multi-port switching device with shared buffer memory |
US6094437A (en) * | 1998-10-09 | 2000-07-25 | Asc - Advanced Switching Communications | Layer two tunneling protocol (L2TP) merging and management |
US6219706B1 (en) | 1998-10-16 | 2001-04-17 | Cisco Technology, Inc. | Access control for networks |
US6381646B2 (en) * | 1998-11-03 | 2002-04-30 | Cisco Technology, Inc. | Multiple network connections from a single PPP link with partial network address translation |
US6411986B1 (en) * | 1998-11-10 | 2002-06-25 | Netscaler, Inc. | Internet client-server multiplexer |
US6614781B1 (en) * | 1998-11-20 | 2003-09-02 | Level 3 Communications, Inc. | Voice over data telecommunications network architecture |
US6457061B1 (en) | 1998-11-24 | 2002-09-24 | Pmc-Sierra | Method and apparatus for performing internet network address translation |
US6754831B2 (en) * | 1998-12-01 | 2004-06-22 | Sun Microsystems, Inc. | Authenticated firewall tunneling framework |
US8266266B2 (en) * | 1998-12-08 | 2012-09-11 | Nomadix, Inc. | Systems and methods for providing dynamic network authorization, authentication and accounting |
US7194554B1 (en) * | 1998-12-08 | 2007-03-20 | Nomadix, Inc. | Systems and methods for providing dynamic network authorization authentication and accounting |
US6496505B2 (en) * | 1998-12-11 | 2002-12-17 | Lucent Technologies Inc. | Packet tunneling optimization to wireless devices accessing packet-based wired networks |
US6584122B1 (en) * | 1998-12-18 | 2003-06-24 | Integral Access, Inc. | Method and system for providing voice and data service |
US6327267B1 (en) | 1998-12-21 | 2001-12-04 | Ericssoninc | Systems and methods for routing a message through a signaling network associated with a public switched telephone network (PSTN), including a method for performing global title routing on an internet protocol (IP) address |
US6480891B1 (en) * | 1999-01-04 | 2002-11-12 | 3Com Corporation | Embedded code memory size reduction in asynchronous mode transfer devices |
US6724724B1 (en) * | 1999-01-21 | 2004-04-20 | Cisco Technology, Inc. | System and method for resolving an electronic address |
US6330562B1 (en) * | 1999-01-29 | 2001-12-11 | International Business Machines Corporation | System and method for managing security objects |
US6615357B1 (en) * | 1999-01-29 | 2003-09-02 | International Business Machines Corporation | System and method for network address translation integration with IP security |
FI106593B (en) | 1999-02-15 | 2001-02-28 | Valtion Teknillinen | IP multicast service without return connection |
US6507908B1 (en) | 1999-03-04 | 2003-01-14 | Sun Microsystems, Inc. | Secure communication with mobile hosts |
WO2000054470A1 (en) * | 1999-03-12 | 2000-09-14 | Lextron Systems, Inc. | System for controlling processing of data passing through network gateways between two disparate communications networks |
US6512774B1 (en) * | 1999-03-18 | 2003-01-28 | 3Com Corporation | Fail over with multiple network interface cards |
US6590861B1 (en) * | 1999-03-18 | 2003-07-08 | 3Com Corporation | Combining virtual local area networks and load balancing with fault tolerance in a high performance protocol |
US6757250B1 (en) * | 1999-04-12 | 2004-06-29 | Mindspeed Technologies, Inc. | Methods and apparatus for data communications through packet networks |
US6925076B1 (en) * | 1999-04-13 | 2005-08-02 | 3Com Corporation | Method and apparatus for providing a virtual distributed gatekeeper in an H.323 system |
US6888818B1 (en) * | 1999-04-15 | 2005-05-03 | Share Wave, Inc. | Protocol extension scheme for wireless computer networks |
US6563824B1 (en) * | 1999-04-20 | 2003-05-13 | 3Com Corporation | Apparatus and methods for determining the correct workstation within a LAN for a LAN modem to route a packet |
US6785223B1 (en) * | 1999-04-22 | 2004-08-31 | Siemens Information And Communication Networks, Inc. | System and method for restarting of signaling entities in H.323-based realtime communication networks |
US20050038911A1 (en) * | 1999-04-30 | 2005-02-17 | Yoshikuni Watanabe | Cooperative system and method therefor |
US6515997B1 (en) | 1999-05-17 | 2003-02-04 | Ericsson Inc. | Method and system for automatic configuration of a gateway translation function |
US6760343B1 (en) * | 1999-05-20 | 2004-07-06 | Nortel Networks Limited | Method and apparatus for providing a virtual SS7 link in a communications system |
US6393488B1 (en) * | 1999-05-27 | 2002-05-21 | 3Com Corporation | System and method for supporting internet protocol subnets with network address translators |
US6683881B1 (en) * | 1999-05-28 | 2004-01-27 | Ericsson Inc. | Interface between an SS7 gateway and an IP network |
US6965943B1 (en) * | 1999-06-05 | 2005-11-15 | Lucent Technologies Inc. | End-to-end internet control |
US6957346B1 (en) | 1999-06-15 | 2005-10-18 | Ssh Communications Security Ltd. | Method and arrangement for providing security through network address translations using tunneling and compensations |
US6633540B1 (en) * | 1999-07-02 | 2003-10-14 | Nokia Internet Communications, Inc. | Real-time traffic shaper with keep-alive property for best-effort traffic |
US7155740B2 (en) * | 2000-07-13 | 2006-12-26 | Lucent Technologies Inc. | Method and apparatus for robust NAT interoperation with IPSEC'S IKE and ESP tunnel mode |
US20020042875A1 (en) * | 2000-10-11 | 2002-04-11 | Jayant Shukla | Method and apparatus for end-to-end secure data communication |
US20030009561A1 (en) * | 2001-06-14 | 2003-01-09 | Sollee Patrick N. | Providing telephony services to terminals behind a firewall and /or network address translator |
US7346770B2 (en) | 2002-10-31 | 2008-03-18 | Microsoft Corporation | Method and apparatus for traversing a translation device with a security protocol |
CN101546874B (en) | 2008-03-24 | 2012-04-04 | 华为技术有限公司 | Electrical connection module, main distributing frame and a method for cutting over main distributing frame |
-
1999
- 1999-06-15 US US09/333,829 patent/US6957346B1/en not_active Expired - Lifetime
-
2000
- 2000-06-15 PT PT10176040T patent/PT2254311E/en unknown
- 2000-06-15 ES ES10176040T patent/ES2369132T3/en not_active Expired - Lifetime
- 2000-06-15 EP EP10176040A patent/EP2254311B1/en not_active Expired - Lifetime
- 2000-06-15 ES ES00936931T patent/ES2362993T3/en not_active Expired - Lifetime
- 2000-06-15 PT PT00936931T patent/PT1186146E/en unknown
- 2000-06-15 DK DK10176040.3T patent/DK2254311T3/en active
- 2000-06-15 WO PCT/FI2000/000537 patent/WO2000078008A1/en active Application Filing
- 2000-06-15 JP JP2001504140A patent/JP3793083B2/en not_active Expired - Fee Related
- 2000-06-15 AU AU52250/00A patent/AU5225000A/en not_active Abandoned
- 2000-06-15 EP EP00936931A patent/EP1186146B1/en not_active Expired - Lifetime
- 2000-06-15 AT AT00936931T patent/ATE502468T1/en active
- 2000-06-15 AT AT10176040T patent/ATE523030T1/en active
- 2000-06-15 DE DE60045737T patent/DE60045737D1/en not_active Expired - Lifetime
- 2000-06-15 DK DK00936931.5T patent/DK1186146T3/en active
-
2005
- 2005-05-12 US US11/128,933 patent/US8127348B2/en not_active Expired - Fee Related
-
2010
- 2010-01-08 US US12/684,571 patent/US8365273B2/en not_active Expired - Fee Related
- 2010-08-24 US US12/862,305 patent/US8544079B2/en not_active Expired - Fee Related
-
2011
- 2011-09-08 US US13/228,271 patent/US8245288B2/en not_active Expired - Fee Related
-
2013
- 2013-08-26 US US13/975,514 patent/US8973127B2/en not_active Expired - Fee Related
- 2013-08-26 US US13/975,451 patent/US8973126B2/en not_active Expired - Fee Related
- 2013-08-26 US US13/975,492 patent/US8914872B2/en not_active Expired - Fee Related
- 2013-08-28 US US14/012,130 patent/US8918858B2/en not_active Expired - Fee Related
- 2013-08-28 US US14/012,180 patent/US9071578B2/en not_active Expired - Fee Related
- 2013-08-28 US US14/012,074 patent/US8914873B2/en not_active Expired - Fee Related
-
2015
- 2015-05-21 US US14/719,148 patent/US20150271140A1/en not_active Abandoned
-
2016
- 2016-09-02 US US15/255,253 patent/US9667594B2/en not_active Expired - Fee Related
Patent Citations (3)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US5793763A (en) * | 1995-11-03 | 1998-08-11 | Cisco Technology, Inc. | Security system for network address translation systems |
WO1998032065A2 (en) * | 1997-01-03 | 1998-07-23 | Fortress Technologies, Inc. | Improved network security device |
WO1999035799A2 (en) * | 1997-12-31 | 1999-07-15 | Ssh Communications Security Oy | A method for packet authentication in the presence of network address translations and protocol conversions |
Non-Patent Citations (4)
Title |
---|
G. TSIRTIS, AATN COMPONENTS & MECHANISM, Retrieved from the Internet <URL:http://www.alternic.org/drafts/drafts-t-u/draft-tsirtsis-aatn-mech-00.txt> |
R.G. MOSKOWITZ, NETWORK ADDRESS TRANSLATION ISSUES WITH IPSEC, Retrieved from the Internet <URL:http://www.alternic.org/drafts/drafts-m-n/draft-moskowitz-net66-vpn-nat-OO.txt> |
R.G. MOSKOWITZ, NETWORK ADDRESS TRANSLATION ISSUES WITH IPSEC, Retrieved from the Internet <URL:http://www.alternic.org/drafts/drafts-m-n/draft-moskowitz-net66-vpn-OO.txt> |
ROLPH OPPLIGER, SECURITY AT THE INTERNET LAYER, pages 43 - 47 |
Cited By (118)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7107614B1 (en) | 1999-01-29 | 2006-09-12 | International Business Machines Corporation | System and method for network address translation integration with IP security |
US9667594B2 (en) | 1999-06-15 | 2017-05-30 | Ssh Communications Security Oyj | Maintaining network address translations |
GB2367222B (en) * | 2000-05-23 | 2004-01-14 | Ibm | System and method for network address translation integration with IP security |
GB2367222A (en) * | 2000-05-23 | 2002-03-27 | Ibm | Network address translation integration with IP security |
US8693996B2 (en) | 2000-12-22 | 2014-04-08 | Blackberry Limited | Wireless router system and method |
WO2002052798A3 (en) * | 2000-12-22 | 2003-04-10 | Research In Motion Ltd | Wireless router system and method |
WO2002052798A2 (en) * | 2000-12-22 | 2002-07-04 | Research In Motion Limited | Wireless router system and method |
WO2002078290A1 (en) * | 2001-03-22 | 2002-10-03 | Ssh Communications Security Oyj | Method for setting up communication parameters in upn using hardware token |
US8077679B2 (en) | 2001-03-28 | 2011-12-13 | Qualcomm Incorporated | Method and apparatus for providing protocol options in a wireless communication system |
US8121296B2 (en) | 2001-03-28 | 2012-02-21 | Qualcomm Incorporated | Method and apparatus for security in a data processing system |
US9100457B2 (en) | 2001-03-28 | 2015-08-04 | Qualcomm Incorporated | Method and apparatus for transmission framing in a wireless communication system |
US8108553B2 (en) | 2001-06-14 | 2012-01-31 | Rockstar Bidco, LP | Providing network address translation information |
US7940654B2 (en) | 2001-06-14 | 2011-05-10 | Genband Us Llc | Protecting a network from unauthorized access |
US8484359B2 (en) | 2001-06-14 | 2013-07-09 | Rockstar Consortium Us Lp | Providing telephony services to terminals behind a firewall and/or a network address translator |
WO2002103981A3 (en) * | 2001-06-14 | 2004-06-10 | Nortel Networks Ltd | Providing telephony services to terminals behind a firewall and/or network address translator |
US7068655B2 (en) | 2001-06-14 | 2006-06-27 | Nortel Networks Limited | Network address and/or port translation |
US8244876B2 (en) | 2001-06-14 | 2012-08-14 | Rockstar Bidco, LP | Providing telephony services to terminals behind a firewall and/or a network address translator |
WO2002103981A2 (en) * | 2001-06-14 | 2002-12-27 | Nortel Networks Limited | Providing telephony services to terminals behind a firewall and/or network address translator |
US7684317B2 (en) | 2001-06-14 | 2010-03-23 | Nortel Networks Limited | Protecting a network from unauthorized access |
US8397276B2 (en) | 2001-06-14 | 2013-03-12 | Genband Us Llc | Protecting a network from unauthorized access |
WO2003007561A1 (en) * | 2001-07-13 | 2003-01-23 | Ssh Communications Security Corp | Method for forming a secured network |
WO2003021866A3 (en) * | 2001-08-31 | 2003-10-16 | Boeing Co | Point-to-point protocol over ethernet for mobile platforms |
WO2003021866A2 (en) * | 2001-08-31 | 2003-03-13 | The Boeing Company | Point-to-point protocol over ethernet for mobile platforms |
EP1871044A3 (en) * | 2001-10-03 | 2008-01-02 | QUALCOMM Incorporated | Mehtod and apparatus for data transport in a wireless communication system using an internet protocol |
US7697523B2 (en) | 2001-10-03 | 2010-04-13 | Qualcomm Incorporated | Method and apparatus for data packet transport in a wireless communication system using an internet protocol |
EP1435152A4 (en) * | 2001-10-09 | 2007-08-22 | Force Computers Inc | Performance improvement for atm aal2/5 to ip packet processing |
US8983065B2 (en) | 2001-10-09 | 2015-03-17 | Qualcomm Incorporated | Method and apparatus for security in a data processing system |
EP1435152A1 (en) * | 2001-10-09 | 2004-07-07 | Force Computers Inc. | Performance improvement for atm aal2/5 to ip packet processing |
US8713400B2 (en) | 2001-10-12 | 2014-04-29 | Qualcomm Incorporated | Method and system for reduction of decoding complexity in a communication system |
US8730999B2 (en) | 2001-10-12 | 2014-05-20 | Qualcomm Incorporated | Method and system for reduction of decoding complexity in a communication system |
WO2003063443A1 (en) * | 2002-01-22 | 2003-07-31 | Intrasecure Networks Oy | Method and system for sending a message through a secure connection |
EP3576374A1 (en) * | 2002-01-22 | 2019-12-04 | MPH Technologies Oy | Method and system for sending a message through a secure connection |
EP2285072B1 (en) * | 2002-05-13 | 2018-02-28 | Sony Computer Entertainment America LLC | Peer to peer network communication with network address translation |
WO2004030306A1 (en) * | 2002-09-25 | 2004-04-08 | Siemens Aktiengesellschaft | Protocol selection method for transmitting data packets |
US7346770B2 (en) | 2002-10-31 | 2008-03-18 | Microsoft Corporation | Method and apparatus for traversing a translation device with a security protocol |
US8971790B2 (en) | 2003-01-02 | 2015-03-03 | Qualcomm Incorporated | Method and apparatus for broadcast services in a communication system |
US7536719B2 (en) | 2003-01-07 | 2009-05-19 | Microsoft Corporation | Method and apparatus for preventing a denial of service attack during key negotiation |
US7386881B2 (en) | 2003-01-21 | 2008-06-10 | Swander Brian D | Method for mapping security associations to clients operating behind a network address translation device |
CN1536847B (en) * | 2003-03-27 | 2010-06-23 | 阿瓦雅技术公司 | Method for authority discrimination grouping and effective loading |
US8245032B2 (en) | 2003-03-27 | 2012-08-14 | Avaya Inc. | Method to authenticate packet payloads |
EP1463265A2 (en) * | 2003-03-27 | 2004-09-29 | Avaya Technology Corp. | Method and apparatus for authenticating packet payloads via message authentication codes |
EP1463265A3 (en) * | 2003-03-27 | 2004-10-20 | Avaya Technology Corp. | Method and apparatus for authenticating packet payloads via message authentication codes |
US8098818B2 (en) | 2003-07-07 | 2012-01-17 | Qualcomm Incorporated | Secure registration for a multicast-broadcast-multimedia system (MBMS) |
US8718279B2 (en) | 2003-07-08 | 2014-05-06 | Qualcomm Incorporated | Apparatus and method for a secure broadcast system |
US8724803B2 (en) | 2003-09-02 | 2014-05-13 | Qualcomm Incorporated | Method and apparatus for providing authenticated challenges for broadcast-multicast communications in a communication system |
US7734909B1 (en) | 2003-09-29 | 2010-06-08 | Avaya Inc. | Using voice over IP or instant messaging to connect to customer products |
WO2005043848A1 (en) * | 2003-11-03 | 2005-05-12 | Immertec Co., Ltd. | Udp packet communication method and system for private ip terminals |
WO2005048553A1 (en) * | 2003-11-13 | 2005-05-26 | Zte Corporation | A METHOD ON EMBEDDING IPSec PROTOCOL STACK |
US8275989B2 (en) | 2003-11-14 | 2012-09-25 | Microsoft Corporation | Method of negotiating security parameters and authenticating users interconnected to a network |
WO2006104795A3 (en) * | 2005-03-30 | 2006-11-23 | Tellabs Operations Inc | Autonomous link discovery in a communications network |
WO2006104795A2 (en) * | 2005-03-30 | 2006-10-05 | Tellabs Operations, Inc. | Autonomous link discovery in a communications network |
WO2006125383A1 (en) | 2005-05-23 | 2006-11-30 | Huawei Technologies Co., Ltd. | A method for traversing the network address conversion/firewall device |
EP1865681A1 (en) * | 2005-05-23 | 2007-12-12 | Huawei Technologies Co., Ltd. | A method for traversing the network address conversion/firewall device |
EP1865681A4 (en) * | 2005-05-23 | 2008-12-17 | Huawei Tech Co Ltd | A method for traversing the network address conversion/firewall device |
AU2006251686B2 (en) * | 2005-05-23 | 2009-10-01 | Huawei Technologies Co., Ltd. | A method for traversing the network address conversion/firewall device |
US20150215282A1 (en) | 2005-12-13 | 2015-07-30 | Cupp Computing As | System and method for implementing content and network security inside a chip |
US9497622B2 (en) | 2005-12-13 | 2016-11-15 | Cupp Computing As | System and method for providing network security to mobile devices |
US11822653B2 (en) | 2005-12-13 | 2023-11-21 | Cupp Computing As | System and method for providing network security to mobile devices |
US10313368B2 (en) | 2005-12-13 | 2019-06-04 | Cupp Computing As | System and method for providing data and device security between external and host devices |
US11461466B2 (en) | 2005-12-13 | 2022-10-04 | Cupp Computing As | System and method for providing network security to mobile devices |
US8627452B2 (en) | 2005-12-13 | 2014-01-07 | Cupp Computing As | System and method for providing network security to mobile devices |
US9781164B2 (en) | 2005-12-13 | 2017-10-03 | Cupp Computing As | System and method for providing network security to mobile devices |
US10417421B2 (en) | 2005-12-13 | 2019-09-17 | Cupp Computing As | System and method for providing network security to mobile devices |
US10839075B2 (en) | 2005-12-13 | 2020-11-17 | Cupp Computing As | System and method for providing network security to mobile devices |
US10089462B2 (en) | 2005-12-13 | 2018-10-02 | Cupp Computing As | System and method for providing network security to mobile devices |
US10621344B2 (en) | 2005-12-13 | 2020-04-14 | Cupp Computing As | System and method for providing network security to mobile devices |
US9747444B1 (en) | 2005-12-13 | 2017-08-29 | Cupp Computing As | System and method for providing network security to mobile devices |
US10541969B2 (en) | 2005-12-13 | 2020-01-21 | Cupp Computing As | System and method for implementing content and network security inside a chip |
US8381297B2 (en) | 2005-12-13 | 2013-02-19 | Yoggie Security Systems Ltd. | System and method for providing network security to mobile devices |
US10567403B2 (en) | 2007-03-05 | 2020-02-18 | Cupp Computing As | System and method for providing data and device security between external and host devices |
US10419459B2 (en) | 2007-03-05 | 2019-09-17 | Cupp Computing As | System and method for providing data and device security between external and host devices |
US10999302B2 (en) | 2007-03-05 | 2021-05-04 | Cupp Computing As | System and method for providing data and device security between external and host devices |
US11652829B2 (en) | 2007-03-05 | 2023-05-16 | Cupp Computing As | System and method for providing data and device security between external and host devices |
US9258372B2 (en) | 2007-05-09 | 2016-02-09 | Blackberry Limited | Wireless router system and method |
US10904293B2 (en) | 2007-05-30 | 2021-01-26 | Cupp Computing As | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US9391956B2 (en) | 2007-05-30 | 2016-07-12 | Cupp Computing As | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US8365272B2 (en) | 2007-05-30 | 2013-01-29 | Yoggie Security Systems Ltd. | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US11757941B2 (en) | 2007-05-30 | 2023-09-12 | CUPP Computer AS | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US9756079B2 (en) | 2007-05-30 | 2017-09-05 | Cupp Computing As | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US10057295B2 (en) | 2007-05-30 | 2018-08-21 | Cupp Computing As | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US10284603B2 (en) | 2007-05-30 | 2019-05-07 | Cupp Computing As | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US20180302444A1 (en) | 2007-05-30 | 2018-10-18 | Cupp Computing As | System and method for providing network and computer firewall protection with dynamic address isolation to a device |
US11757835B2 (en) | 2008-03-26 | 2023-09-12 | Cupp Computing As | System and method for implementing content and network security inside a chip |
US11050712B2 (en) | 2008-03-26 | 2021-06-29 | Cupp Computing As | System and method for implementing content and network security inside a chip |
US8869270B2 (en) | 2008-03-26 | 2014-10-21 | Cupp Computing As | System and method for implementing content and network security inside a chip |
US10404722B2 (en) | 2008-08-04 | 2019-09-03 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US9106683B2 (en) | 2008-08-04 | 2015-08-11 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US10084799B2 (en) | 2008-08-04 | 2018-09-25 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US8631488B2 (en) | 2008-08-04 | 2014-01-14 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US11449613B2 (en) | 2008-08-04 | 2022-09-20 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US11775644B2 (en) | 2008-08-04 | 2023-10-03 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US11947674B2 (en) | 2008-08-04 | 2024-04-02 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US9843595B2 (en) | 2008-08-04 | 2017-12-12 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US9516040B2 (en) | 2008-08-04 | 2016-12-06 | Cupp Computing As | Systems and methods for providing security services during power management mode |
US10417400B2 (en) | 2008-11-19 | 2019-09-17 | Cupp Computing As | Systems and methods for providing real time security and access monitoring of a removable media device |
US11036836B2 (en) | 2008-11-19 | 2021-06-15 | Cupp Computing As | Systems and methods for providing real time security and access monitoring of a removable media device |
US8789202B2 (en) | 2008-11-19 | 2014-07-22 | Cupp Computing As | Systems and methods for providing real time access monitoring of a removable media device |
US11604861B2 (en) | 2008-11-19 | 2023-03-14 | Cupp Computing As | Systems and methods for providing real time security and access monitoring of a removable media device |
US9615198B2 (en) | 2008-12-04 | 2017-04-04 | Nokia Technologies Oy | Proprietary extensions in user plane location protocols |
US9846443B2 (en) | 2010-09-14 | 2017-12-19 | Google Inc. | Methods and systems for data interchange between a network-connected thermostat and cloud-based management server |
US9098279B2 (en) | 2010-09-14 | 2015-08-04 | Google Inc. | Methods and systems for data interchange between a network-connected thermostat and cloud-based management server |
US10732651B2 (en) | 2010-11-19 | 2020-08-04 | Google Llc | Smart-home proxy devices with long-polling |
US9515986B2 (en) | 2011-05-05 | 2016-12-06 | Telefonaktiebolaget Lm Ericsson (Publ) | Methods providing public reachability and related systems and devices |
WO2012150512A1 (en) * | 2011-05-05 | 2012-11-08 | Telefonaktiebolaget L M Ericsson (Publ) | Methods providing public reachability and related systems and devices |
US10129208B2 (en) | 2011-05-05 | 2018-11-13 | Telefonaktiebolaget L M Ericsson (Publ) | Methods providing public reachability and related systems and devices |
US11757885B2 (en) | 2012-10-09 | 2023-09-12 | Cupp Computing As | Transaction security systems and methods |
US9973501B2 (en) | 2012-10-09 | 2018-05-15 | Cupp Computing As | Transaction security systems and methods |
US10904254B2 (en) | 2012-10-09 | 2021-01-26 | Cupp Computing As | Transaction security systems and methods |
US10397227B2 (en) | 2012-10-09 | 2019-08-27 | Cupp Computing As | Transaction security systems and methods |
US11157976B2 (en) | 2013-07-08 | 2021-10-26 | Cupp Computing As | Systems and methods for providing digital content marketplace security |
US11316905B2 (en) | 2014-02-13 | 2022-04-26 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
US11743297B2 (en) | 2014-02-13 | 2023-08-29 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
US10666688B2 (en) | 2014-02-13 | 2020-05-26 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
US9762614B2 (en) | 2014-02-13 | 2017-09-12 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
US10291656B2 (en) | 2014-02-13 | 2019-05-14 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
US20180205760A1 (en) | 2014-02-13 | 2018-07-19 | Cupp Computing As | Systems and methods for providing network security using a secure digital device |
CN107579932A (en) * | 2017-10-25 | 2018-01-12 | 北京天融信网络安全技术有限公司 | A kind of data transmission method, equipment and storage medium |
CN107579932B (en) * | 2017-10-25 | 2020-06-16 | 北京天融信网络安全技术有限公司 | Data transmission method, equipment and storage medium |
Also Published As
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US9667594B2 (en) | Maintaining network address translations | |
US6795917B1 (en) | Method for packet authentication in the presence of network address translations and protocol conversions | |
US6055236A (en) | Method and system for locating network services with distributed network address translation | |
US7032242B1 (en) | Method and system for distributed network address translation with network security features | |
EP1872562B1 (en) | Preventing duplicate sources from clients served by a network address port translator | |
EP1159815B1 (en) | Method and system for distributed network address translation with network security features | |
Tuexen et al. | UDP encapsulation of Stream Control Transmission Protocol (SCTP) packets for end-host to end-host communication | |
CN112751816B (en) | Tunnel establishment method, device, equipment and computer readable storage medium | |
KR20030062106A (en) | Method for receiving data packet from virtual private network and apparatus thereof | |
Ye et al. | Interworking between IP security and NAT-PT under IPv4/IPv6 co-existent environments | |
Tuexen et al. | RFC 6951: UDP Encapsulation of Stream Control Transmission Protocol (SCTP) Packets for End-Host to End-Host Communication |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
AK | Designated states |
Kind code of ref document: A1 Designated state(s): AE AG AL AM AT AU AZ BA BB BG BR BY CA CH CN CR CU CZ DE DK DM DZ EE ES FI GB GD GE GH GM HR HU ID IL IN IS JP KE KG KP KR KZ LC LK LR LS LT LU LV MA MD MG MK MN MW MX MZ NO NZ PL PT RO RU SD SE SG SI SK SL TJ TM TR TT TZ UA UG US UZ VN YU ZA ZW |
|
AL | Designated countries for regional patents |
Kind code of ref document: A1 Designated state(s): GH GM KE LS MW MZ SD SL SZ TZ UG ZW AM AZ BY KG KZ MD RU TJ TM AT BE CH CY DE DK ES FI FR GB GR IE IT LU MC NL PT SE BF BJ CF CG CI CM GA GN GW ML MR NE SN TD TG |
|
121 | Ep: the epo has been informed by wipo that ep was designated in this application | ||
DFPE | Request for preliminary examination filed prior to expiration of 19th month from priority date (pct application filed before 20040101) | ||
WWE | Wipo information: entry into national phase |
Ref document number: 2000936931 Country of ref document: EP |
|
ENP | Entry into the national phase |
Ref country code: JP Ref document number: 2001 504140 Kind code of ref document: A Format of ref document f/p: F |
|
WWP | Wipo information: published in national office |
Ref document number: 2000936931 Country of ref document: EP |
|
REG | Reference to national code |
Ref country code: DE Ref legal event code: 8642 |