Journal of Network and Systems Management, Volume 18, Issue 3, pp 300–326

Distributed Automatic Configuration of Complex IPsec-Infrastructures

  • Michael Rossberg
  • Guenter Schaefer
  • Thorsten Strufe
Article

DOI: 10.1007/s10922-010-9168-7

Cite this article as:
Rossberg, M., Schaefer, G. & Strufe, T. J Netw Syst Manage (2010) 18: 300. doi:10.1007/s10922-010-9168-7

Abstract

The Internet Protocol Security Architecture IPsec is hard to deploy in large, nested, or dynamic scenarios. The major reason for this is the need for manual configuration of the cryptographic tunnels, which grows quadratically with the total number of IPsec gateways. This way of configuration is error-prone, cost-intensive and rather static. When private addresses are used in the protected subnetworks, the problem becomes even worse, as the routing cannot rely on public infrastructures. In this article, we present a fully automated approach for the distributed configuration of IPsec domains. Utilizing peer-to-peer technology, our approach scales well with respect to the number of managed IPsec gateways, reacts robustly to network failures, and supports the configuration of nested networks with private address spaces. We analyze the security requirements and further desirable properties of IPsec policy negotiation, and show that the distribution of security policy configuration does not impair the security of transmitted user data in the resulting virtual private network (VPN). Results of a prototype implementation and simulation study reveal that the approach offers good characteristics, for example with respect to quick reconfiguration of all gateways after a central power failure (robustness), or after insertion of new gateways (scalability and agility).

Keywords

Computer network reliability, Computer network security, Robustness

Copyright information

© Springer Science+Business Media, LLC 2010

Authors and Affiliations

  • Michael Rossberg (1)
  • Guenter Schaefer (1)
  • Thorsten Strufe (2)
  1. Technische Universität Ilmenau, Telematics and Computer Networks Group, Ilmenau, Germany
  2. Technische Universität Darmstadt, Peer-to-Peer Networking Group, Darmstadt, Germany
