Proposal for a Practical Cipher Communication Protocol That Can Coexist with NAT and Firewalls
Threats to network security have become a serious problem, and encryption of communications is an important issue today. Although the security of IPsec ESP, the typical existing cipher communication technology, is strong, it has the problems that it cannot be used in environments where it must coexist with NAT and firewalls, and that it also degrades throughput. For these reasons, ESP is used only for limited applications such as VPNs (Virtual Private Networks). In this paper, we propose a new cipher communication protocol, called PCCOM (Practical Cipher COMmunication), that can verify the identity of the corresponding counterpart and assure the integrity of packets in environments where it coexists with NAT and firewalls, without changing the format of the original packets. To confirm the effectiveness of PCCOM, we installed a trial system on FreeBSD and confirmed that it coexists with NAT and firewalls. We also measured its throughput and confirmed good performance, which is attributable to leaving the packet format unchanged.
Keywords: Port Number, Trial System, Virtual Private Network, Network Address Translator, Tunnel Mode
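The abstract's claim that ESP cannot coexist with NAT rests on a well-known interaction: a NAT rewrites the source address (and usually the source port) and must then recompute the TCP checksum, whose pseudo-header covers the IP addresses. With ESP in transport mode the TCP header is ciphertext, so the NAT cannot fix the checksum and the receiver, after decryption, sees a checksum mismatch. The Python model below is an added example written for this page, not code from the paper, and it does not implement PCCOM, whose construction the abstract does not describe. It builds a TCP segment behind a NAT, passes it through a simulated NAT in the plaintext and the ESP-protected case, and shows which one the receiver accepts. The keyed tag at the end only illustrates the design constraint that any integrity check meant to survive NAT must exclude the fields NAT rewrites; the addresses, ports, key and payload are all constructed for the example.

```python
import hashlib
import hmac
import struct


def internet_checksum(data: bytes) -> int:
    """One's-complement sum of 16-bit words, complemented (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ip_to_bytes(ip: str) -> bytes:
    return bytes(int(octet) for octet in ip.split("."))


def tcp_checksum(src_ip: str, dst_ip: str, sport: int, dport: int, payload: bytes) -> int:
    """TCP checksum over the IPv4 pseudo-header, a minimal 20-byte TCP header
    (checksum field zero) and the payload. The pseudo-header is why the
    checksum depends on the source address that a NAT rewrites."""
    tcp_len = 20 + len(payload)
    pseudo = ip_to_bytes(src_ip) + ip_to_bytes(dst_ip) + struct.pack("!BBH", 0, 6, tcp_len)
    # seq=1, ack=1, data offset 5 words, flags PSH|ACK, window 65535, cksum 0, urg 0
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return internet_checksum(pseudo + hdr + payload)


def build_packet(src_ip, dst_ip, sport, dport, payload, esp=False) -> dict:
    """Constructed packet: the TCP checksum is computed by the sender behind
    the NAT, over the sender's private address. esp=True marks the transport
    header and payload as opaque ciphertext to middleboxes."""
    return {
        "src_ip": src_ip, "dst_ip": dst_ip, "sport": sport, "dport": dport,
        "payload": payload, "esp": esp,
        "tcp_cksum": tcp_checksum(src_ip, dst_ip, sport, dport, payload),
    }


def nat_translate(pkt: dict, public_ip: str, public_port: int) -> dict:
    """Inside-to-outside NAT: rewrite the source address and, when the
    transport header is visible, the source port and TCP checksum. For an
    ESP packet only the outer IP header is readable, so nothing else changes."""
    out = dict(pkt)
    out["src_ip"] = public_ip
    if not pkt["esp"]:
        out["sport"] = public_port
        out["tcp_cksum"] = tcp_checksum(public_ip, pkt["dst_ip"], public_port,
                                        pkt["dport"], pkt["payload"])
    return out


def receiver_accepts(pkt: dict) -> bool:
    """The receiver (after ESP decryption, if any) recomputes the TCP checksum
    with the addresses it actually received the packet with."""
    expected = tcp_checksum(pkt["src_ip"], pkt["dst_ip"], pkt["sport"], pkt["dport"], pkt["payload"])
    return expected == pkt["tcp_cksum"]


def nat_invariant_tag(key: bytes, pkt: dict) -> bytes:
    """Generic illustration, not the PCCOM construction: a keyed tag that
    survives inside-to-outside NAT because it covers only fields the NAT does
    not rewrite in that direction (destination address/port and payload)."""
    msg = ip_to_bytes(pkt["dst_ip"]) + struct.pack("!H", pkt["dport"]) + pkt["payload"]
    return hmac.new(key, msg, hashlib.sha256).digest()


def demo() -> dict:
    key = b"constructed-demo-key"          # hypothetical shared key
    private_ip, nat_public_ip, server_ip = "192.168.0.10", "203.0.113.5", "198.51.100.7"
    payload = b"GET / HTTP/1.0\r\n\r\n"    # constructed sample payload

    plain = build_packet(private_ip, server_ip, 40000, 80, payload)
    protected = build_packet(private_ip, server_ip, 40000, 80, payload, esp=True)
    tag_at_sender = nat_invariant_tag(key, protected)

    plain_after_nat = nat_translate(plain, nat_public_ip, 50000)
    protected_after_nat = nat_translate(protected, nat_public_ip, 50000)

    return {
        # NAT could read and fix the checksum: accepted
        "plain_tcp_ok": receiver_accepts(plain_after_nat),
        # checksum was computed over the private address, NAT could not fix it: rejected
        "esp_tcp_ok": receiver_accepts(protected_after_nat),
        # tag over NAT-invariant fields still verifies after translation
        "invariant_tag_ok": hmac.compare_digest(tag_at_sender,
                                                nat_invariant_tag(key, protected_after_nat)),
    }


if __name__ == "__main__":
    print(demo())
```

The ESP case is the transport-mode failure the abstract refers to; tunnel mode hides the inner TCP header as well, and AH fails earlier still because its integrity check covers the outer IP header that NAT rewrites. The last result is the point that matters for a protocol like PCCOM: identity and integrity checks can only survive NAT if they are computed over fields the NAT leaves alone, in each direction of the flow.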