Method and system for distributed network address translation with network security features

Assignee

• 3Com Corporation · US

Inventors

• David Grabelsky · Skokie, US
• Michael Borella · Naperville, US
• Ikhlaq S. Sidhu · Vernon Hills, US
• Danny M. Nessett · Fremont, US

Key dates

Classification

• Technology area (CPC H)Electricity
• CPC primaryH04L63/0428
• WIPO fieldDigital communication
• WIPO sectorElectrical engineering

Abstract

A method and system for distributed network address translation with security features. The method and system allow Internet Protocol security protocol (“IPsec”) to be used with distributed network address translation. The distributed network address translation is accomplished with IPsec by mapping a local Internet Protocol (“IP”) address of a given local network device and a IPsec Security Parameter Index (“SPI”) associated with an inbound IPsec Security Association (“SA”) that terminates at the local network device. A router allocates locally unique security values that are used as the IPsec SPIs. A router used for distributed network address translation is used as a local certificate authority that may vouch for identities of local network devices, allowing local network devices to bind a public key to a security name space that combines a global IP address for the router with a set of locally unique port numbers used for distributed network address translation. The router issues security certificates and may itself be authenticated by a higher certificate authority. Using a security certificate, a local network device may initiate and be a termination point of an IPsec securit…