IPsec gateways that maintain security associations (SAs) with a large number of remote-access clients may take an unacceptably long time to recover from a gateway or network failure if every client has to run a full IKEv2 exchange to re-establish its SAs. This project systematically studies and evaluates an IPsec session resumption solution that supports such failover.
Recovering from the failure of an IPsec gateway that maintains a large number of SAs may take several minutes if the SAs have to be re-established by re-running the key management protocol, IKEv2. A similar problem arises when a network outage takes down several gateways and servers at once. The latency of this approach is significant, so a faster, yet still secure, failover solution is needed.
The industry offers a number of proprietary solutions for parts of this problem, but they do not interoperate. Applications that need IPsec failover capability, such as Mobile IPv6, have interoperable Home Agent (HA) failover solutions under development. Without interoperable (client-to-server and server-to-server) IPsec failover capability, those Home Agent failover solutions remain incomplete. There is therefore a need for an interoperable means of uploading and retrieving SA state, so that IPsec redundancy can be implemented in an interoperable fashion.
This project studies the problem and explores the design, implementation and evaluation aspects of an IPsec/IKEv2 gateway failover approach.
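To make the resumption idea concrete, the following is an added example (not code from this project or its publications) of the ticket-based approach later standardized as RFC 5723: after a full IKEv2 exchange the gateway seals the IKE SA state into an opaque ticket that the client stores; after a failure, any gateway holding the ticket-protection key can unseal the ticket and revive the SA without repeating the Diffie-Hellman and certificate-based authentication steps. Everything here is assumed for illustration: the cluster-wide key CLUSTER_KEY shared by all gateways of a failover cluster, the JSON layout of the SA state, and the stdlib-only encrypt-then-MAC construction (HMAC-SHA256 in counter mode) that stands in for the AEAD a production gateway would use. The checks in resume_from_ticket (integrity first, then expiry, then binding to the claimed peer identity) are the ones a security analysis of such a scheme would require.

```python
"""Toy model of ticket-based IKEv2 session resumption across a gateway cluster.
Added example; all keys, formats and identities are constructed for illustration."""
import hashlib
import hmac
import json
import os
import struct

# Constructed cluster-wide ticket-protection key (assumption: shared by all
# gateways in the failover cluster and distributed out of band).
CLUSTER_KEY = hashlib.sha256(b"constructed example cluster key").digest()
NONCE_LEN = 16
TAG_LEN = 32


class TicketError(Exception):
    """Ticket rejected; the client must fall back to a full IKEv2 exchange."""


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC keys derived from the one cluster key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode used as a PRF-based stream cipher.
    blocks = [hmac.new(key, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def issue_ticket(cluster_key: bytes, sa_state: dict, lifetime_s: int, now: int) -> bytes:
    """Gateway side: seal the IKE SA state into an opaque ticket.
    The client stores it; the gateway keeps no per-client state, which is
    what lets another gateway in the cluster take over after a failure."""
    body = json.dumps({"sa": sa_state, "exp": now + lifetime_s}, sort_keys=True).encode()
    nonce = os.urandom(NONCE_LEN)
    ct = _xor(body, _keystream(_subkey(cluster_key, b"ticket-enc"), nonce, len(body)))
    tag = hmac.new(_subkey(cluster_key, b"ticket-mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def resume_from_ticket(cluster_key: bytes, ticket: bytes, peer_id: str, now: int) -> dict:
    """Failover gateway side: verify integrity (constant-time compare) before
    touching the plaintext, then reject stale tickets and tickets that are
    not bound to the identity the client claims."""
    if len(ticket) < NONCE_LEN + TAG_LEN + 1:
        raise TicketError("ticket truncated")
    nonce, ct, tag = ticket[:NONCE_LEN], ticket[NONCE_LEN:-TAG_LEN], ticket[-TAG_LEN:]
    expected = hmac.new(_subkey(cluster_key, b"ticket-mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise TicketError("ticket failed integrity check")
    body = json.loads(_xor(ct, _keystream(_subkey(cluster_key, b"ticket-enc"), nonce, len(ct))))
    if now >= body["exp"]:
        raise TicketError("ticket expired")
    if body["sa"]["peer_id"] != peer_id:
        raise TicketError("ticket not bound to this peer")
    return body["sa"]


def demo() -> dict:
    """Client finishes IKEv2 with gateway A and receives a ticket; after A
    fails it presents the ticket to gateway B, which shares CLUSTER_KEY."""
    sa_state = {  # constructed SA state as gateway A would capture it
        "peer_id": "client@example.org",
        "sk_d": hashlib.sha256(b"constructed SK_d").hexdigest(),
        "ike_spi_i": "0123456789abcdef",
        "auth_method": "rsa-sig",
    }
    t0 = 1_000_000
    ticket = issue_ticket(CLUSTER_KEY, sa_state, lifetime_s=3600, now=t0)
    results = {"resumed_on_b": resume_from_ticket(CLUSTER_KEY, ticket, "client@example.org", t0 + 60) == sa_state}
    rejected = {
        "tampered": (CLUSTER_KEY, ticket[:-1] + bytes([ticket[-1] ^ 1]), "client@example.org", t0 + 60),
        "wrong_peer": (CLUSTER_KEY, ticket, "attacker@example.org", t0 + 60),
        "expired": (CLUSTER_KEY, ticket, "client@example.org", t0 + 3600),
        "foreign_cluster": (b"\x00" * 32, ticket, "client@example.org", t0 + 60),
    }
    for label, args in rejected.items():
        try:
            resume_from_ticket(*args)
            results[label] = "accepted"
        except TicketError as e:
            results[label] = str(e)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The design point worth noting is that the ticket, not the gateway, carries the state: the "SA upload and retrieval" needed for interoperable failover reduces to all cluster members sharing the ticket key and agreeing on the ticket format, and a client whose ticket is rejected for any reason simply runs the full IKEv2 exchange it would have run anyway.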
Publications of this project:
Disclaimer:
These papers are made available as a means to ensure timely dissemination of scholarly and technical work on a non-commercial basis. Copyright and all rights therein are maintained by the authors or by other copyright holders, notwithstanding that they have offered their works here electronically. It is understood that all persons copying this information will adhere to the terms and constraints invoked by each author's copyright. These works may not be reposted without the explicit permission of the copyright holder.
2009
Florian Tegeler: Security Analysis of IKEv2 Session Resumption. Technical Report No. IFI-TB-2009-01, Institute of Computer Science, University of Goettingen, ISSN 1611-1044, June 2009.
Florian Tegeler: Security Analysis, Prototype Implementation and Performance Evaluation of a New IPSec Session Resumption Method. Master's Thesis No. ZFI-BM-2008-01, Zentrum fuer Informatik, Universitaet Goettingen, ISSN 1612-6793, January 2008.