This invention relates generally to network communication and, more particularly, to the communication between a computer on an intranet with another computer on an external network through a network access point of the intranet.
Computers in an organization are often linked together to form a private network so that the computers can communicate with each other and share resources. Such an internal computer network within the control of an organization is commonly referred to as an xe2x80x9cintranet.xe2x80x9d Many intranets are composed of local area networks, although the intranets of some large organizations have grown very large and require the level of sophistication found in the Internet.
For security reasons, an intranet is typically connected to an external network, such as the Internet, through one or more network access points. A network access point (NAP) is generally a server that exerts access control over the incoming communication flow from the external network. To that end, communication packets from a host on the external network for a host on the intranet are routed to go through the NAP, which then decides whether to forward the packets to their intended recipient, i.e., the host on the intranet. There are different ways a NAP can exercise access control. For example, a NAP may be a firewall that decides whether to forward the packets based on a pre-set packet filtering rules or functions as a proxy to apply application-level session-based access control.
One of the tasks often performed by a NAP is address translation. Many intranets have their own private addressing spaces, and the intranet addresses of the hosts on an intranet are often not usable by routers on the external network for routing packets. As a result, the private intranet address cannot be used as a destination address for sending communication packets from an external host across the external network. For this reason, the communication packets have to be sent to the NAP sitting at the border of the private intranet and the external network. The NAP then performs address translation on the packets to provide the intranet address of the receiving host so that the packets can be properly forwarded.
The address translation by a NAP can cause problems when the incoming packets are encrypted. To maintain the confidentiality of communication, many hosts encrypt the data in the communication packets. In order to prevent malicious security attacks by decrypting and modifying the data, many network protocols use an encryption and cryptographic checksum mechanism to guarantee the integrity of the data. While the specifics of the security check differ for each protocol, most protocols require the calculation of a cryptographic hash value using the source address, destination address, and data of the packet as input of the hash function. The inclusion of the destination address in the calculation of the hash value enables the detection of a security attack that alters the destination address. The communication data and the hash value are then encrypted and put in the packet together with the source and destination addresses for the packet.
When the NAP receives such an encrypted packet intended for a host on its intranet, it cannot perform the address translation by simply replacing the original destination address with the intranet address of the receiving host. This is because the original destination address is used to generate the hash value in the packet. When the receiving host receives the modified packet, it decrypts the encrypted portion and authenticates the packet by calculating another hash value based on the addresses and data in the received packet, and comparing this hash value with the hash value included in the packet. Because the destination address of the received packet has been modified by the NAP, the two hash values will not match, and the receiving host will discard the packets as being invalid.
To prevent the packets from failing the authentication check, the NAP has to be able to modify the hash value in the packet to reflect the change to the destination address. This approach, however, presents other problems. First of all, the hash value in the packet is encrypted, and the NAP simply may not know how to undo the encryption of the packet and therefore cannot modify the hash value. Moreover, even if the NAP somehow knows how to decrypt the packet, the modification of the packet is very time consuming. To modify the packet, the NAP has to decrypt the packet, change the destination address, calculate the new hash value based on the modified destination address, and then re-encrypt the data and the new hash value. This process is very calculation-intensive. As a result, the speed at which encrypted packets can pass through the NAP can be prohibitively slow for many types of communications. For example, sending live video signals through the Internet requires the transmission of a data stream at a relatively high rate. Performing the xe2x80x9caddress translationxe2x80x9d on encrypted packets as described above can cause unacceptable delay of data transmission for such video applications.
In view of the foregoing, the present invention provides a method and system for efficiently transmitting encrypted packets between a sending host on an external network and a receiving host on an intranet through a network access point (NAP) of the intranet. An encrypted packet to be sent by the sending host on the external network is formed with the external network address of the NAP as the destination address of the packet. The intranet address of the receiving host is also included in the packet in the non-encrypted form. The intranet address of the receiving host is also used in places where the packet destination address would normally be used for security checking purposes, such as generating a cryptographic hash, under the network protocol used. The packet is then routed to the NAP through the external network.
When the NAP receives the encrypted packet, it strips the field containing the intranet address of the receiving host and substitutes the original destination address in the packet with the intranet address of the receiving host. The NAP then forwards the modified packet to the receiving host. Because the NAP does not have to decrypt the packet, encrypted packets can go through the NAP at a high rate. When the receiving host receives the modified packet, it decrypts the packet and authenticates it. Because the destination address in the modified packet is the same intranet address of the receiving host used in calculating the cryptographic hash or the like, the packet should pass the security check by the receiving host.
Additional features and advantages of the invention will be made apparent from the following detailed description of illustrative embodiments which proceeds with reference to the accompanying figures.