Title of invention: Method and apparatus for security encapsulating IP datagrams
Abstract: A method and corresponding apparatus are provided to security encapsulate an original IP datagram received from a network. It is first determined whether an IP payload of the original IP datagram is a TCP segment, UDP datagram or packet of another type of network protocol. Based on this determination, a portion of the IP payload is encrypted resulting in an encrypted payload. A security encapsulated IP packet is then formed with source IP address, destination IP address, and IP protocol field from the original IP datagram, and the encrypted payload. The security encapsulated IP packet is then provided to the network.
Publication number: US9294506(B2); Publication date: 2016.03.22
Application number: US201113109201; Application date: 2011.05.17
Applicant: Certes Networks, Inc.; Inventor: Swartz Troy
Classification: H04L29/06; Main classification: H04L29/06
Agency: Hamilton, Brook, Smith & Reynolds, P.C.; Agent: Hamilton, Brook, Smith & Reynolds, P.C.
Principal claim: 1. A method performed by a network security device for security encapsulating an original IP datagram received from a network, the method comprising: evaluating an IP payload of the received IP datagram to identify the IP payload as being one of (a) a TCP segment, (b) a UDP datagram or (c) a packet of another type of network; encrypting a portion of the IP payload, an initialization vector, and padding to form an encrypted payload; forming a security encapsulated IP packet with (i) a non-encrypted IP protocol field from the original IP datagram, and (ii) the encrypted payload, the forming further includes computing a TCP/UDP checksum value for the encrypted payload and replacing an original TCP/UDP checksum value of the TCP segment or UDP datagram with the computed TCP/UDP checksum value; and providing the security encapsulated IP packet to the network; in the event that the IP payload is identified as a TCP segment or UDP datagram, encrypting the portion of the IP payload includes encrypting a payload of the TCP segment or UDP datagram, the encrypted TCP or UDP payload being the encrypted payload of the security encapsulated IP packet, and passing a header of the TCP segment or UDP datagram without encrypting the header.
Address: Pittsburgh PA US