PROACTIVE MULTICAST-BASED IPSEC DISCOVERY PROTOCOL AND MULTICAST EXTENSION

Venue: IEEE Military Communications Conference

Abstract

In a large-scale network, manually configuring IPsec tunnels and security policies is labor intensive and difficult to manage. In some cases, full-mesh IPsec tunnels are required so that all Plain Text (PT) networks behind the IPsec devices are reachable. Without an IPsec Discovery Protocol (IDP), static routes have to be configured at all PT routers connected to the IPsec devices so that a PT packet can be encrypted and sent to a remote PT network. Another disadvantage of not having an IDP is that an IPsec device has no way of knowing whether an IPsec peer is down, so its security policy (SP) cannot be updated. As a result, data sent to a 'dead' IPsec peer is dropped in the Cipher Text (CT) network until the Security Association (SA) timer expires, which can take a long time. Several IPsec Discovery Protocols with different discovery mechanisms have been designed and implemented. The two most common mechanisms are Multicast-based and Client-Server. Another mechanism is used in the Implicit Peer Enclave Prefix Discovery (IM-PEPD) protocol. While these protocols are reactive, the protocol described in this paper is proactive and well suited to dynamic networks in which IPsec devices are often unreachable and whose mobility requires IPsec tunnels and SPs to be updated dynamically. This paper presents an IDP called the Proactive Multicast-based IPsec Discovery Protocol (PMIDP) that has been designed, developed, and demonstrated in the multinational Interoperable Networks for Secure Communications (INSC) network, an IPv6 network based on the CT Core Routing Architecture. With PMIDP, at the end of the discovery process all IPsec devices in the network have full-mesh IPsec tunnels, and SPs are set up and ready for PT traffic. The paper also describes the benefits of the Proactive Discovery Mechanism, including support for security gateways, network mobility, PT-to-PT dynamic routing, dead peer detection, and PT/CT address separation. Finally, the paper presents a multicast mechanism of PMIDP that enables an IPsec device to dynamically route PT multicast IP packets across the CT network without compromising the security protection of PT prefixes and multicast addresses in the CT network.