In the area of secure group communications over the Internet, a problem exists in interconnecting network devices that are situated behind network address translators (NATs) distributed across several Internet Service Provider (ISP) networks. Several devices can be served by a single NAT, or a NAT may serve only one device. It is also possible for some devices to be connected directly to the Internet without a NAT. Each NAT can also be located in a different ISP network, including those of cellular operators.
Regardless of the NAT configuration, devices connected to the Internet often wish to set up secure channels between them. The Internet-standard IPsec protocol is used to set up secure IP communications between devices. IPsec is described in the following publication, which is hereby fully incorporated by reference: S. Kent: “Security Architecture for the Internet Protocol”, IETF RFC 2401, November 1998. IPsec requires each device to be accessible through its known IP address. However, in the case of NATs, the IP address used by the device is translated by the NAT to another IP address in order to increase the number of devices that can be served by a single IP address. This issue poses an even bigger problem when several devices are served by a single NAT and are scattered across different IP domains that may themselves also be served by NATs. The use of double or triple NATs limits the ability of such devices to securely connect to each other for the purpose of sharing resources.
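The following added example (not part of the original text) models why address translation breaks IPsec in the way described above: the IPsec Authentication Header computes its integrity check value over the IP source and destination addresses, so a NAT that rewrites the source address invalidates the check at the receiver. The packet structure, key and addresses are constructed for illustration and simplify the real AH wire format.

```python
"""Simplified model of the IPsec AH integrity check under source NAT.

Constructed example: the Packet type, key and addresses below are illustrative,
not the real AH encoding. AH covers fields that must not change in transit,
including the source and destination IP addresses, with a keyed MAC (the ICV).
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    payload: bytes
    icv: bytes = b""


def _covered_bytes(pkt: Packet) -> bytes:
    # Immutable fields protected by AH: addresses plus the payload.
    # (Mutable fields such as TTL are zeroed before hashing in real AH.)
    src = ipaddress.ip_address(pkt.src).packed
    dst = ipaddress.ip_address(pkt.dst).packed
    return src + dst + pkt.payload


def ah_protect(pkt: Packet, key: bytes) -> Packet:
    # Sender: compute the ICV over the covered fields and attach it.
    icv = hmac.new(key, _covered_bytes(pkt), hashlib.sha256).digest()[:12]
    return replace(pkt, icv=icv)


def ah_verify(pkt: Packet, key: bytes) -> bool:
    # Receiver: recompute the ICV over the packet as actually received.
    expected = hmac.new(key, _covered_bytes(pkt), hashlib.sha256).digest()[:12]
    return hmac.compare_digest(expected, pkt.icv)


def nat_translate(pkt: Packet, public_ip: str) -> Packet:
    # Source NAT rewrites the private source address to the NAT's public one.
    return replace(pkt, src=public_ip)


def demo() -> tuple:
    key = b"constructed-shared-key"
    original = Packet("10.0.0.5", "198.51.100.20", b"hello")
    protected = ah_protect(original, key)
    direct_ok = ah_verify(protected, key)          # no NAT on the path
    natted = nat_translate(protected, "203.0.113.7")
    natted_ok = ah_verify(natted, key)             # NAT rewrote the source
    return direct_ok, natted_ok
```

Running `demo()` returns `(True, False)`: the packet verifies when delivered unchanged but fails once a NAT has rewritten its source address, which is why devices behind NATs cannot simply address each other with plain IPsec.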
A Virtual Private Network (VPN) is a security solution to connect several devices over the Internet to another network, usually a Local Area Network (LAN). It can also be used to secure communications between two individual devices. VPNs are usually implemented using the IPsec protocol together with some security mechanism to authenticate the users. A VPN server authenticates the devices using a scheme such as SecurID tokens providing one-time passwords. After authentication, devices join the other network using some IP tunnelling mechanism. A new IP address is generally assigned by the VPN server so that remote devices have IP addresses compatible with the network they are joining. Generally, VPNs connect individual devices that might be located behind NATs into a larger network that is owned by a company or an organisation. No specific group structure exists in standard VPNs. Generally, all employees of a particular organisation access the corporate LAN via VPN servers. Current VPN technologies do not support ad-hoc group formation or the security mechanisms used in such groups. No mechanism exists to interconnect different VPN servers in different ISP networks. Current VPN technologies do not provide any mechanism to locate members of a group over the Internet and initiate secure communications between them. Traditional use of a VPN is initiated by the devices that wish to connect to the network that the VPN serves.