IPsec scalability : network design -

Abstract

IPsec is a point-to-point protocol that provides security between IP nodes and solves many network security problems by providing authentication, integrity and confidentiality. However, the point-to-point nature of IPsec does not allow the formation of a scalable IPsec network. Our aim is to design and implement an algorithm, k-Constrained Connected Dominating Set (k-CCDS), that constructs a scalable IPsec network, by creating a backbone which reduces the total number of Security Associations (SAs) needed to maintain a secure network, while satisfying the following three constraints: k-connected dominating set providing alternate disjoint paths, degree-constrained paths by limiting the number simultaneous SAs allowed on each node, and a shortest path by upper-bounding the cost of a path between two nodes (number of SAs a packet has to travel). The algorithm will form a backbone of IPsec gateways, where an SA exists between any two gate- ways that are directly connected and are part of the shortest path. When a node wants to communicate with another node (backbone or non-backbone), rather than forming an SA with the target node it will form an SA with the backbone IPsec gateway it is connected to which in turn will forward the packets securely through the backbone. Furthermore, k-CCDS can be used not only to form IPsec scalable networks, but also to construct any network architecture that requires the satisfaction of the provided three constraints. Our experimental results have shown that k-CCDS reduces the number of SAs required to construct scalable IPsec networks and the number of links needed to efficiently route packets in general scalable networks by 67percent to 99.8percent depending on the size of the network. Additionally, the proposed algorithm is proven to find a relaxed solution when a solution with the provided constraints does not exist.