论文信息 - GDS-B: A protocol to support HAIPE® peer discovery server communication

GDS-B: A protocol to support HAIPE® peer discovery server communication

HAIPE® devices provide encrypted tunneling and transporting services for Internet Protocol (IP) datagrams through an unsecured network on behalf of secure Plain Text (PT) enclaves. Traditionally, secure tunnels were established by manually configuring the local HAIPE with information for peer enclaves. When a large number of enclaves are involved, automation of this configuration process improves administrative efficiency and reduces errors. Such automation is known as HAIPE Peer Discovery, or HPD. With the support of the HAIPE Interoperability Specification (HAIPE IS) Generic Discovery Client (GDC) Extension, HAIPEs can communicate with a generic discovery server (GDS) that implements a server-based HPD service. The HAIPE IS GDC Extension specifies only how a HAIPE communicates with a GDS. It does not specify a mechanism for exchanging HAIPE peer information between GDSes. In this paper we describe a protocol mechanism for exchanging discovery information among GDSes. This protocol, which we refer to as the GDS-B protocol, reuses Border Gateway Protocol (BGP) Virtual Private Network (VPN) and Tunnel mechanisms to encode and disseminate HAIPE and enclave routing information among servers. Servers implementing the GDS-B protocol, known as GDS-B Servers, obtain and provide this information to client HAIPEs via the HAIPE IS GDC Extension. We describe the design and implementation of a GDS-B Server using open-source routing software and present the status of this implementation when used in large-scale scenarios.

[1] Gary Scott Malkin,et al. RIP Version 2 , 1998, RFC.

[2] Eric C. Rosen,et al. BGP IPsec Tunnel Encapsulation Attribute , 2009, RFC.

[3] Dave Katz,et al. Multiprotocol Extensions for BGP-4 , 1998, RFC.

[4] Gary Scott Malkin,et al. RIPng for IPv6 , 1997, RFC.

[5] Luyuan Fang,et al. Constrained Route Distribution for Border Gateway Protocol/MultiProtocol Label Switching (BGP/MPLS) Internet Protocol (IP) Virtual Private Networks (VPNs) , 2006, RFC.

[6] Enke Chen,et al. Outbound Route Filtering Capability for BGP-4 , 2008, RFC.

[7] Yakov Rekhter,et al. BGP/MPLS IP Virtual Private Networks (VPNs) , 2006, RFC.

[8] Eric C. Rosen,et al. The BGP Encapsulation Subsequent Address Family Identifier (SAFI) and the BGP Tunnel Encapsulation Attribute", RFC 5512 , 2009 .

[9] Pratik Bose. Secure Layer 3 Virtual Private Networks , 2006 .

[10] Marco Carugi,et al. BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 VPN , 2006, RFC.

[11] Enke Chen,et al. BGP Route Reflection: An Alternative to Full Mesh Internal BGP (IBGP) , 2006, RFC.

[12] Yakov Rekhter,et al. A Border Gateway Protocol 4 (BGP-4) , 1994, RFC.