
Automatic Configuration of Complex IPsec-VPNs and Implications to Higher Layer Network Management

  • Michael Rossberg
  • Günter Schäfer
  • Kai Martius

Abstract

As the Internet emerges as not only the most important, but in many areas the only, means of efficient communication, it also becomes vital for business and government institutions to exchange data securely via this medium. This led to the development of virtual private networks (VPNs). However, security in this context does not only refer to confidentiality, integrity, authentication, and access control, but also to availability, a subgoal of increasing importance due to the cheap and simple execution of denial-of-service (DoS) attacks.

In order to increase the DoS resilience of VPNs, the topology of this overlay network must react flexibly to circumvent affected network parts and to reintegrate systems that become available again after the DoS attack has ended or that have been moved to different address ranges. Therefore, we developed a fully distributed IPsec configuration mechanism, which is able to react to failures dynamically and is yet scalable, efficient, and secure.

Nonetheless, the higher layer services that are usually required do not work in a distributed way. Thus, a failure may still cause availability issues, as services like the Domain Name System (DNS) may become inaccessible even though a network connection is still present.

This article introduces distributed VPN auto-configuration and goes into detail on distributed network services.

Keywords

Overlay Network, Network Address Translation, Transport Layer Security, Security Association, Address Range



Copyright information

© Vieweg+Teubner Verlag | Springer Fachmedien Wiesbaden GmbH 2011

Authors and Affiliations

  • Michael Rossberg (1)
  • Günter Schäfer (1)
  • Kai Martius (2)
  1. Telematics/Computer Networks Research Group, Ilmenau University of Technology, Ilmenau
  2. Secunet Security Networks AG, Berlin
