Automatic Configuration of Complex IPsec-VPNs and Implications to Higher Layer Network Management
As the Internet emerges as not only the most important but, in many areas, the only means of efficient communication, it also becomes vital for business and government institutions to exchange data securely via this medium. This led to the development of virtual private networks (VPNs). However, security in this context does not only refer to confidentiality, integrity, authentication, and access control, but also to availability, a subgoal of increasing importance because denial-of-service (DoS) attacks are cheap and simple to execute.
In order to increase the DoS resilience of VPNs, the topology of this overlay network must react flexibly in order to circumvent affected network parts and to reintegrate systems that become available again after the DoS attack has ended or that have been moved to different address ranges. Therefore, we developed a fully distributed IPsec configuration mechanism that is able to react to failures dynamically while remaining scalable, efficient, and secure.
Nonetheless, the higher layer services that are usually required do not work in a distributed way. Thus, a failure may still cause availability issues, as services like the Domain Name System (DNS) may become inaccessible even though a network connection is still present.
This article introduces distributed VPN auto-configuration and goes into detail on distributed network services.
Keywords: Overlay Network, Network Address Translation, Transport Layer Security, Security Association, Address Range