New Mechanisms for End-to-End Security Using IPSec in NAT-Based Private Networks

While the transition from IPv4 to IPv6 has been considered to extend the IP address space, the NAT protocol is widely used as an interim solution. Using the NAT protocol with the end-to-end IPSec resulting a conflict due to the address transition operation of the NAT. In this paper, we design two mechanisms which provide the end-to-end security service even if a NAT is used for private networks. The first proposed mechanism defines a notification message to deliver the address translation information in advance. This mechanism uses already defined protocols and does not need additional protocol modification. The second proposed mechanism uses SSL and IPSec to protect user data and IP header. Although this mechanism needs chip redundancy on packet length, it can save duplicated encryptions caused by SSL and IPSec encryptions. Procedures and parameters to support the mechanisms are designed in this paper.