公开(公告)号：US20030233568A1

公开(公告)日：2003-12-18

申请号：US10172683

申请日：2002-06-13

Applicant: Nvidia Corp.

Inventor： Thomas Albert Maufer ,  Sameer Nanda ,  Paul J. Sidenblad

IPC: H04L009/00

CPC classification number: H04L63/0272 ,  H04L29/12018 ,  H04L29/12216 ,  H04L29/12367 ,  H04L29/12462 ,  H04L29/1249 ,  H04L61/10 ,  H04L61/2015 ,  H04L61/2514 ,  H04L61/255 ,  H04L61/256 ,  H04L63/0428 ,  H04L63/061 ,  H04L63/164 ,  H04L69/24

Abstract: Method and apparatus for enhanced security for communication over a network, and more particularly to control of security protocol negotiation to enable multiple clients to establish a virtual private network connection with a same remote address, is described. A mapping table accessible by a gateway computer is used to form associations between a local address for the client and a destination address for a peer and a Security Parameters Index associated with IPSec-protected traffic from the peer. When a packet is received at the gateway from a client it is checked to determine if it is an Internet Key Exchange (IKE) packet, whether an IKE session has already been recorded from this client in the mapping table for the destination address in the IKE packet, whether a Security Parameters Index has been observed in the clear from a remote computer associated with the destination address.

Abstract translation: 描述了用于通过网络进行通信的增强安全性的方法和装置，更具体地涉及安全协议协商的控制，以使得多个客户端能够建立具有相同远程地址的虚拟专用网络连接。 网关计算机可访问的映射表用于形成客户端的本地地址与对等体的目的地址之间的关联以及与来自对等体的受IPSec保护的流量相关联的安全参数索引。 当从客户端在网关接收到分组时，检查它是否是因特网密钥交换（IKE）分组，在IKE中的目的地址的映射表中是否已经从该客户端记录了IKE会话 分组，是否已经从与目的地址相关联的远程计算机的清除中观察到安全参数索引。

公开(公告)号：US20030233475A1

公开(公告)日：2003-12-18

申请号：US10172046

申请日：2002-06-13

Applicant: Nvidia Corp.

Inventor： Thomas Albert Maufer ,  Sameer Nanda ,  Paul J. Sidenblad

IPC: G06F015/16

CPC classification number: H04L63/0428 ,  H04L29/06 ,  H04L29/12018 ,  H04L29/12216 ,  H04L29/12367 ,  H04L29/125 ,  H04L29/12528 ,  H04L61/10 ,  H04L61/2015 ,  H04L61/2514 ,  H04L61/2564 ,  H04L61/2575 ,  H04L63/164 ,  H04L69/24

Abstract: Method and apparatus for enhanced security for communication over a network, and more particularly to Network Address Translation (NAT) integration Internet Protocol Security (IPSec), is described. A client computer makes a second address request in order to prompt an address server to provide a public address. This address, recorded in a mapping table accessible by a gateway computer. This public address is used as a source address for packets from a client using IPSec. When the gateway computer identifies a packet's source address as one of it's public addresses, NAT is suspended for this packet, and the packet is routed without NAT. Incoming traffic is routed using the mapping table.

Abstract translation: 描述了用于通过网络进行通信的增强安全性的方法和装置，更具体地涉及网络地址转换（NAT）集成因特网协议安全（IPSec）。 客户端计算机作出第二个地址请求，以提示地址服务器提供公共地址。 该地址记录在由网关计算机访问的映射表中。 该公共地址用作来自使用IPSec的客户端的数据包的源地址。 当网关计算机将数据包的源地址标识为其公共地址之一时，该数据包将暂停NAT，并且该数据包不经过NAT路由。 使用映射表路由出站流量。

公开(公告)号：US20030233576A1

公开(公告)日：2003-12-18

申请号：US10172345

申请日：2002-06-13

Applicant: Nvidia Corp.

Inventor： Thomas Albert Maufer ,  Sameer Nanda ,  Paul J. Sidenblad

IPC: H04L009/00

CPC classification number: H04L63/0428 ,  H04L29/06 ,  H04L29/12018 ,  H04L29/12216 ,  H04L29/12301 ,  H04L29/12367 ,  H04L29/125 ,  H04L61/10 ,  H04L61/2015 ,  H04L61/2076 ,  H04L61/2514 ,  H04L61/2564 ,  H04L63/164 ,  H04L69/24

Abstract: Method and apparatus for integration of network address translation and source address security, including, but not limited to, determining whether a gateway computer is integrated for network address translation and source address security, is described. A client computer requests a first address from the gateway computer and then requests a second address from the gateway computer. The latter request is done with a different client identifier that is nearly equivalent, except for one bit, to the client identifier used for the prior address request. If the gateway computer is integrated for network address translation and source address security, in response to the latter request a public address will be provided from the gateway computer to the client computer.

Abstract translation: 描述了用于集成网络地址转换和源地址安全性的方法和装置，包括但不限于确定网关计算机是否被集成用于网络地址转换和源地址安全性。 客户端计算机从网关计算机请求第一地址，然后从网关计算机请求第二地址。 后一个请求使用与用于先前地址请求的客户端标识符几乎相同的除了一位之外的不同的客户端标识符来完成。 如果网关计算机被集成用于网络地址转换和源地址安全性，则响应于后一请求，将从网关计算机向客户端计算机提供公共地址。

公开(公告)号：US20030233452A1

公开(公告)日：2003-12-18

申请号：US10172352

申请日：2002-06-13

Applicant: Nvidia Corp.

Inventor： Thomas Albert Maufer ,  Sameer Nanda ,  Paul J. Sidenblad

IPC: G06F015/173

CPC classification number: H04L63/0428 ,  H04L29/12018 ,  H04L29/12216 ,  H04L29/12367 ,  H04L29/12462 ,  H04L29/12481 ,  H04L29/1249 ,  H04L61/10 ,  H04L61/2015 ,  H04L61/2514 ,  H04L61/255 ,  H04L61/2557 ,  H04L61/256 ,  H04L63/164 ,  H04L69/24

Abstract: Method and apparatus for Internet Protocol Security (IPSec) and Network Address Translation (NAT) integration is described. A client obtains a public address from a gateway for IPSec communication. A mapping table is used to form associations between a local address for the client and a destination address for a peer, an Internet Security Association and Key Management Protocol (ISAKMP) Initiator Cookie and a Security Parameters Index associated with communication between the client and the peer. Incoming and outgoing routing may be done at the gateway using the mapping table.

Abstract translation: 描述了用于因特网协议安全（IPSec）和网络地址转换（NAT）集成的方法和装置。 客户端从网关获取公网地址以进行IPSec通信。 映射表用于形成客户端的本地地址与对等体的目标地址，Internet安全关联和密钥管理协议（ISAKMP）启动器Cookie和与客户端和对等体之间的通信相关联的安全参数索引的关联 。 传入和传出路由可以使用映射表在网关上完成。