[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

ISAKMP control messages



Hi!
This is the first time that I'm posting a message to this list, so excuse me
if these issues have already been commented here.
I've been working on an implementation of VPN based on IPsec (OpenBSD) for
my Masters degree. I tried to resolve scaling problem in big IPsec VPNs, and
to enable remote monitoring (for example, getting the status of all IPsec or
IKE security associations on one remote VPN gateway), management (restart,
stop or start key exchange on any VLL on remote VPN gateway, or some other
control functions, like new quick mode exchange) and configuration of VPN
gateways, from one, central server.
My idea is to extend ISAKMP in such a way to make it a full signaling
protocol (like other telecommunication signaling protocols) for IPsec
security associations.
Remote configuration exchange is done as in 'The ISAKMP Configuration
Method' draft. I used something similar for the exchange of monitoring and
management messages (new, Control Payload).
Finally, my VPN prototype is configured and controlled from one place
(central server). Addition or removal of one VPN gateway can be easily done,
by changing only central server configuration. All VLLs between all VPN
gateways are configured, monitored and controlled from one central server in
a secure manner, since ISAKMP security associations are used for this
traffic. Central server does not know IPsec session keys between two VPN
gateways (they use DH algorithm), so eventual breaking into it, does not
reveal traffic between these VPN gateways. This works fine, but I would like
to know if there are some hidden security flaws in this design, that I
omitted.
Anyway, I think that this kind of ISAKMP extension, that makes it a full
signaling protocol is worth examining. I am interested if someone has used
this approach before (please send me then some pointers), and I'd like to
hear pros and cons for it.

Thanks in advance,
Pavle Vuletic
Belgrade University Computer Centre
BEGIN:VCARD
VERSION:2.1
N:Vuletic;Pavle
FN:Pavle Vuletic
ORG:RCUB
TITLE:B.Sc.E.E.
TEL;WORK;VOICE:+381-11-434-596, +381-11-321-840H
TEL;HOME;VOICE:+381-11-136-069
TEL;CELL;VOICE:+381-63-237-359
ADR;WORK:;;Kumanovska bb;Belgrade;Serbia;11000;Yugoslavia
LABEL;WORK;ENCODING=QUOTED-PRINTABLE:Kumanovska bb=0D=0ABelgrade, Serbia 11000=0D=0AYugoslavia
ADR;HOME:;;Bulevar Mihajla Pupina 13/12;Belgrade;Serbia;11070
LABEL;HOME;ENCODING=QUOTED-PRINTABLE:Bulevar Mihajla Pupina 13/12=0D=0ABelgrade, Serbia 11070
EMAIL;PREF;INTERNET:vpavle@rcub.bg.ac.yu
REV:20001213T102425Z
END:VCARD