
Distributed Automatic Configuration of Complex IPsec-Infrastructures

Journal of Network and Systems Management

Abstract

The Internet Protocol Security Architecture (IPsec) is hard to deploy in large, nested, or dynamic scenarios. The major reason is the need for manual configuration of the cryptographic tunnels, whose number grows quadratically with the number of IPsec gateways. This way of configuring is error-prone, cost-intensive and rather static. When private addresses are used in the protected subnetworks, the problem becomes even worse, as routing cannot rely on public infrastructure. In this article, we present a fully automated approach for the distributed configuration of IPsec domains. Utilizing peer-to-peer technology, our approach scales well with the number of managed IPsec gateways, reacts robustly to network failures, and supports the configuration of nested networks with private address spaces. We analyze the security requirements and further desirable properties of IPsec policy negotiation, and show that distributing the security policy configuration does not impair the security of user data transmitted in the resulting virtual private network (VPN). Results of a prototype implementation and a simulation study show that the approach performs well, for example with respect to quick reconfiguration of all gateways after a central power failure (robustness) or after insertion of new gateways (scalability and agility).
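The following is an added illustration of the cost argument in the abstract; it is not code from the article and does not reproduce the authors' protocol. It models a manually configured full mesh, where every gateway carries a policy entry for every other gateway, against a lookup service into which each gateway publishes a single record and from which peers are resolved on demand. The Registry class, the sample topology (five sites with one gateway and a private /16 each), the public addresses and all function names are assumptions made for the example.

```python
"""
Added illustration, not code from the article: a toy model of why manually
configured IPsec tunnels grow as n(n-1)/2, and how an on-demand lookup of the
responsible gateway keeps per-gateway state linear.  The Registry class is an
in-memory dictionary standing in for the peer-to-peer lookup the abstract
refers to; the article's actual protocol is not reproduced here.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Gateway:
    name: str
    public_addr: str   # outer address the tunnel is built to
    protected: str     # inner prefix behind this gateway (CIDR)


# Constructed sample topology (assumption, not from the article):
# five sites, each with one gateway and its own private /16.
SAMPLE_GATEWAYS: List[Gateway] = [
    Gateway(f"gw{i}", f"203.0.113.{i}", f"10.{i}.0.0/16") for i in range(1, 6)
]


def static_full_mesh(gateways: List[Gateway]) -> Dict[str, List[Tuple[str, str]]]:
    """Manual configuration: each gateway carries a (remote prefix, remote
    endpoint) policy entry for every other gateway."""
    return {
        g.name: [(o.protected, o.public_addr) for o in gateways if o is not g]
        for g in gateways
    }


def count_static_tunnels(n: int) -> int:
    """Distinct tunnels in a full mesh of n gateways: n(n-1)/2."""
    return n * (n - 1) // 2


def changes_on_join(n: int) -> Tuple[int, int]:
    """Configuration changes when a gateway joins n existing ones:
    static mesh -> n entries on the newcomer plus one on each existing
    gateway (2n, touching n+1 devices); lookup service -> one publish."""
    return 2 * n, 1


class Registry:
    """Stand-in for a distributed lookup service (assumption: a plain dict).
    Each gateway publishes one record: protected prefix -> public address."""

    def __init__(self) -> None:
        self._records: Dict[ipaddress.IPv4Network, str] = {}

    def publish(self, g: Gateway) -> None:
        self._records[ipaddress.ip_network(g.protected)] = g.public_addr

    def resolve(self, dst: str) -> Optional[str]:
        """Longest-prefix match over published prefixes: returns the public
        address of the gateway responsible for dst, or None if nobody
        published a covering prefix (traffic must not be tunnelled blindly)."""
        addr = ipaddress.ip_address(dst)
        best: Optional[Tuple[ipaddress.IPv4Network, str]] = None
        for net, gw in self._records.items():
            if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
                best = (net, gw)
        return best[1] if best else None


def build_registry(gateways: List[Gateway]) -> Registry:
    """Every gateway publishes exactly one record, regardless of n."""
    reg = Registry()
    for g in gateways:
        reg.publish(g)
    return reg


if __name__ == "__main__":
    n = len(SAMPLE_GATEWAYS)
    print("static tunnels:", count_static_tunnels(n))          # 10
    print("changes on join (static, lookup):", changes_on_join(n))
    reg = build_registry(SAMPLE_GATEWAYS)
    print("10.3.7.9 ->", reg.resolve("10.3.7.9"))               # 203.0.113.3
    print("192.168.1.1 ->", reg.resolve("192.168.1.1"))         # None
```

The dictionary is only a placeholder for the distributed lookup; in a real deployment the resolution step is itself an attack surface, since a record injected by an adversary would redirect a site's traffic to a gateway of the adversary's choosing. That is why the security requirements of the policy negotiation, which the abstract says the article analyzes, matter as much as the scaling argument.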



Author information

Correspondence to Michael Rossberg.

Cite this article

Rossberg, M., Schaefer, G. & Strufe, T. Distributed Automatic Configuration of Complex IPsec-Infrastructures. J Netw Syst Manage 18, 300–326 (2010). https://doi.org/10.1007/s10922-010-9168-7
