GDS-B: A protocol to support HAIPE® peer discovery server communication

HAIPE® devices provide encrypted tunneling and transporting services for Internet Protocol (IP) datagrams through an unsecured network on behalf of secure Plain Text (PT) enclaves. Traditionally, secure tunnels were established by manually configuring the local HAIPE with information for peer enclaves. When a large number of enclaves are involved, automation of this configuration process improves administrative efficiency and reduces errors. Such automation is known as HAIPE Peer Discovery, or HPD. With the support of the HAIPE Interoperability Specification (HAIPE IS) Generic Discovery Client (GDC) Extension, HAIPEs can communicate with a generic discovery server (GDS) that implements a server-based HPD service. The HAIPE IS GDC Extension specifies only how a HAIPE communicates with a GDS. It does not specify a mechanism for exchanging HAIPE peer information between GDSes. In this paper we describe a protocol mechanism for exchanging discovery information among GDSes. This protocol, which we refer to as the GDS-B protocol, reuses Border Gateway Protocol (BGP) Virtual Private Network (VPN) and Tunnel mechanisms to encode and disseminate HAIPE and enclave routing information among servers. Servers implementing the GDS-B protocol, known as GDS-B Servers, obtain and provide this information to client HAIPEs via the HAIPE IS GDC Extension. We describe the design and implementation of a GDS-B Server using open-source routing software and present the status of this implementation when used in large-scale scenarios.
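As an added illustration (not code from the paper or from any GDS-B implementation) of the BGP VPN mechanism the abstract says GDS-B reuses: in BGP/MPLS VPNs (RFC 4364) a prefix is advertised as a VPNv4 NLRI consisting of a label, an 8-byte Route Distinguisher (RD) and the prefix, and its distribution is scoped by Route Target extended communities (RFC 4360). The RD is what lets two enclaves advertise the same Plain Text prefix without the routes colliding. The mapping assumed below, one RD per enclave and one label per advertising HAIPE, is an assumption made for this example; the page does not state how GDS-B actually assigns these fields, and the sample enclave table and ASN 65000 are constructed.

```python
"""Added example: VPNv4 NLRI and Route Target encoding as used by BGP/MPLS VPNs.
Assumption for illustration only: one RD per enclave, one label per HAIPE."""
import ipaddress
import struct


def encode_rd(asn: int, assigned: int) -> bytes:
    """Type 0 Route Distinguisher: 2-byte type (0), 2-byte ASN, 4-byte assigned number."""
    return struct.pack("!HHI", 0, asn, assigned)


def encode_route_target(asn: int, assigned: int) -> bytes:
    """Two-octet-AS-specific Route Target extended community:
    type 0x00, sub-type 0x02, then ASN and a 4-byte assigned number."""
    return struct.pack("!BBHI", 0x00, 0x02, asn, assigned)


def encode_vpnv4_nlri(rd: bytes, label: int, prefix: str) -> bytes:
    """One VPNv4 NLRI as carried in MP_REACH_NLRI (RFC 4364 section 4.3.4):
    length-in-bits | 3-byte label field (20-bit label, bottom-of-stack bit) | RD | prefix."""
    net = ipaddress.IPv4Network(prefix, strict=True)
    nbytes = (net.prefixlen + 7) // 8          # prefix is carried in whole octets
    length_bits = 24 + 64 + net.prefixlen      # label + RD + prefix
    label_field = struct.pack("!I", (label << 4) | 0x1)[1:]   # low 3 bytes of the 32-bit pack
    return bytes([length_bits]) + label_field + rd + net.network_address.packed[:nbytes]


def decode_vpnv4_nlri(data: bytes, offset: int = 0) -> tuple:
    """Decode one VPNv4 NLRI starting at offset; return (fields, next offset)."""
    length_bits = data[offset]
    if length_bits < 88:
        raise ValueError("NLRI too short to hold a label and an RD")
    label = int.from_bytes(data[offset + 1:offset + 4], "big") >> 4
    rd_type, rd_asn, rd_num = struct.unpack("!HHI", data[offset + 4:offset + 12])
    prefixlen = length_bits - 88
    nbytes = (prefixlen + 7) // 8
    raw = data[offset + 12:offset + 12 + nbytes]
    if len(raw) != nbytes:
        raise ValueError("truncated NLRI")
    addr = ipaddress.IPv4Address(raw.ljust(4, b"\x00"))   # pad omitted trailing octets
    fields = {
        "label": label,
        "rd": (rd_type, rd_asn, rd_num),
        "prefix": str(ipaddress.IPv4Network(f"{addr}/{prefixlen}")),
    }
    return fields, offset + 12 + nbytes


def build_enclave_routes(enclaves) -> bytes:
    """Encode an (assumed) enclave table of (rd_asn, rd_num, label, prefix) tuples.
    Two enclaves may use the same PT prefix; the RD keeps their routes distinct."""
    return b"".join(encode_vpnv4_nlri(encode_rd(a, n), lbl, p) for a, n, lbl, p in enclaves)


def decode_all(data: bytes) -> list:
    """Decode a concatenation of VPNv4 NLRIs back into a list of field dicts."""
    out, off = [], 0
    while off < len(data):
        fields, off = decode_vpnv4_nlri(data, off)
        out.append(fields)
    return out


# Constructed sample: private ASN 65000; enclaves 1 and 2 overlap in PT address space.
SAMPLE_ENCLAVES = [
    (65000, 1, 16, "10.1.0.0/16"),
    (65000, 2, 17, "10.1.0.0/16"),
    (65000, 3, 18, "192.168.8.0/22"),
]

if __name__ == "__main__":
    for f in decode_all(build_enclave_routes(SAMPLE_ENCLAVES)):
        print(f)
```

The decoder returns the next offset so a run of NLRIs from one UPDATE can be walked in sequence, and it rejects a length byte that cannot hold the label and RD, or a prefix that was cut short, rather than silently producing a bogus route.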