Abstract

Virtual private networks (VPNs) are used by enterprises to secure sensitive traffic that crosses public network infrastructure such as the Internet. In VPNs, geographically separated networks belonging to the same community of interest (COI) are connected through virtual links (security associations) between VPN gateways. VPN gateways authenticate traffic, encrypt packets, and decrypt packets so that only encrypted packets from VPN customers travel over the public network infrastructure. Each encrypted packet carries the entire original IP packet in encrypted form and has a new IP header added to route the packet from the source gateway to the destination gateway. This implies that the source gateway must map the destination network prefix to the plain text and cipher text addresses of the destination gateway. This mapping is used to create a security association between VPN gateways when the first packet destined for that network prefix arrives at the source gateway. In currently deployed VPNs, each VPN gateway is configured manually with a table mapping each network prefix to the IP address(es) of the VPN gateway that fronts that prefix. This manual configuration process cannot scale to VPNs with a large number of plain text (trusted) networks and cannot handle situations where entire (trusted) networks move frequently and attach to different VPN gateways. In particular, the Global Information Grid (GIG) vision of the future network for DoD communities indicates the need for VPNs with several tens of thousands to a million gateways and a similar number of trusted networks. For such networks, we need a discovery mechanism by which a VPN gateway can automatically find out which peer VPN gateway currently fronts a given network (prefix), so that a security association can be established for transmitting encrypted packets to that prefix.
We would like this discovery mechanism to require minimal information transfer from the plain text (PT) side to the cipher text (CT) side. Several discovery approaches have been proposed and investigated. In this paper, we discuss the key elements and organization of a new discovery mechanism that uses a system of servers. The server organization is based on partitioning the space of prefixes and is designed to allow scalability and mobility support while keeping communication between these servers simple. We describe the key ideas and key information exchanges, and show how the solution scales to millions of prefixes. We also discuss how these ideas can be extended to add hierarchies and to take advantage of sub-communities of interest. Hierarchies may also be useful in dealing with multiple levels of cipher text networks separated by CT-PT-CT gateways.
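As an added illustration that is not part of the paper, the following sketch shows the two ideas the abstract combines: a prefix-to-gateway table (plain text and cipher text address) consulted by longest-prefix match, and a set of discovery servers that each own one slice of the prefix space. The slicing on the first k address bits, the handling of prefixes shorter than k bits, and the gateway addresses are constructed assumptions, not the paper's design.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# A gateway is identified by its (plain-text address, cipher-text address) pair.
Gateway = Tuple[str, str]


class PrefixServer:
    """One discovery server: holds prefix -> gateway mappings for its slice of prefix space."""

    def __init__(self) -> None:
        self.table: Dict[ipaddress.IPv4Network, Gateway] = {}

    def register(self, prefix: ipaddress.IPv4Network, gw: Gateway) -> None:
        # A trusted network that moves simply re-registers; the old gateway entry is overwritten.
        self.table[prefix] = gw

    def lookup(self, dst: ipaddress.IPv4Address) -> Optional[Gateway]:
        # Longest-prefix match: the most specific registered prefix containing dst wins.
        best: Optional[Tuple[ipaddress.IPv4Network, Gateway]] = None
        for prefix, gw in self.table.items():
            if dst in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, gw)
        return best[1] if best else None


class PartitionedDiscovery:
    """Prefix space is split on the first k address bits (assumed scheme); one server per slice."""

    def __init__(self, k: int = 4) -> None:
        self.k = k
        self.servers = [PrefixServer() for _ in range(1 << k)]

    def _partitions(self, prefix: ipaddress.IPv4Network) -> List[int]:
        shift = 32 - self.k
        first = int(prefix.network_address) >> shift
        if prefix.prefixlen >= self.k:
            return [first]  # the whole prefix lies inside a single slice
        # A prefix shorter than k bits spans several slices: register it in each one it covers,
        # so that a lookup keyed on the destination address alone still finds it.
        last = int(prefix.broadcast_address) >> shift
        return list(range(first, last + 1))

    def register(self, cidr: str, gw: Gateway) -> None:
        prefix = ipaddress.ip_network(cidr)
        for p in self._partitions(prefix):
            self.servers[p].register(prefix, gw)

    def lookup(self, ip: str) -> Optional[Gateway]:
        # The source gateway asks exactly one server: the one owning the destination's top k bits.
        dst = ipaddress.ip_address(ip)
        return self.servers[int(dst) >> (32 - self.k)].lookup(dst)
```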
