Title :
Experience with prefix discovery servers and IPSec VPN gateways
Author :
Sax, William ; Jillson, Carleton ; Wollman, William ; Jegers, Harry
Author_Institution :
MITRE Corp., McLean, VA
Abstract :
The use of IPSec encryption via virtual private network (VPN) gateways is expected to increase within tactical networks. Robust tactical networks that leverage VPN gateways require the ability to map remote IPSec protected plain text (PT) networks to their VPN gateway's cipher text (CT) network address. Security associations between VPN gateways must allow for refresh and change based upon network connectivity and performance over time. A VPN-based prefix discovery server (PDS) can be implemented to help enable these network mappings and allow performance monitoring and network connection change. The discovery of new VPN gateways can be enabled through a registration process. Optional information for registration can include a VPN gateway's ability to support different types of traffic or gateway preference. Following registration, the VPN gateway can be configured to distribute learned prefixes into the directly attached enclave's interior routing protocol and provide updates to remote PDS(s) as network changes occur. To help analyze the challenges associated with the deployment of tactical network architectures that leverage a PDS, we have developed an open-source based VPN gateway and PDS. The purpose of this paper is to provide an overview of our PDS design, capabilities, lessons learned and recommendations for future architectures.
Keywords :
IP networks; cryptography; internetworking; military communication; network servers; routing protocols; telecommunication security; virtual private networks; IPSec encryption; VPN gateways; cipher text network; interior routing protocol; plain text networks; prefix discovery servers; tactical networks; virtual private network; Cryptography; Data security; IP networks; Information security; Monitoring; Network servers; Robustness; Routing; Telecommunication traffic; Virtual private networks;
Conference_Title :
Military Communications Conference, 2005. MILCOM 2005. IEEE
Conference_Location :
Atlantic City, NJ
Print_ISBN :
0-7803-9393-7
DOI :
10.1109/MILCOM.2005.1605768