1. Field of the Invention
The present invention relates to the field of network security and more particularly to automated Internet Protocol security (IPsec) security association (SA) recovery.
2. Description of the Related Art
Internet security has increasingly become the focus of information technologists who participate in globally accessible computer networks. In particular, with the availability and affordability of broadband Internet access, even within the small enterprise, many computers and small computer networks enjoy continuous access to the Internet. Notwithstanding, continuous, high-speed access is not without its price. Specifically, those computers and computer networks which heretofore had remained disconnected from the security risks of the Internet now have become the primary target of malicious Internet crackers and script kiddies, collectively referred to as “malicious intruders”.
To address the vulnerability of computing devices exposed to the global Internet, information technologists have deployed network address translation (NAT) and network port address translation (NAPT) technologies as a firewall. NAT technologies map a publicly known network address to a privately known address within a private network. In this way, external intruders cannot directly access private network devices, as the private network address can be shielded from the external intruder through the proxy action of NAT. The use of NAT, however, requires a one-to-one correspondence between private and public addresses. To economize on the cost of a single public network address (which can be expensive), a NAPT configured firewall can act similarly to NAT excepting that a single public address can map to multiple private devices which can be distinguished by unique port assignments behind the firewall.
While NAPT and NAT enable security for devices behind the firewall, NAPT and NAT can do little to secure data in transit between source and destination nodes in the Internet. To provide true, end-to-end security for data in the Internet, secure communications must be employed. The Internet Security Protocol, known in the art as “IPsec”, represents a common form of secure communications for use over the Internet. In IPsec, communications between source and destination nodes in the Internet can be administered in accordance with a security association (SA). An SA can include one or more rules that define the IPsec processing that is applied to the communication. IPsec is defined in the Request for Comment (RFC) 2401, superseded by RFC 4301, among other RFCs.
In IPsec, whether the transmission of a packet is denied or permitted, with or without IPsec processing, is determined by matching the attributes of a packet against the security rules in a security policy database (SPD). To make this determination, both the static rules of a security policy and the dynamic rules negotiated as part of an Internet Key Exchange (IKE), each of which refers to an SA as described in RFC 2401, can be subjected to a filtered search in the order of most specific to least specific attributes for both outgoing and incoming packets. The filtering of the attributes of a packet within the security rules can be based upon the source and destination addresses for the paired nodes engaging in secured communications.
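As an added illustration of the ordered SPD search just described (not part of the patent text), the following Python models a policy database whose static and IKE-negotiated rules are consulted from most specific to least specific selector; the rule set, addresses and action names are constructed for the example.

```python
# Added illustration (not from the patent): a minimal SPD lookup that
# consults rules from most specific to least specific selector. The
# sample rules and addresses below are constructed, not taken from any product.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Selector:
    """Traffic selector: address prefixes, protocol and port (None = any)."""
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: Optional[int] = None
    dport: Optional[int] = None

    def matches(self, pkt: dict) -> bool:
        return (ip_address(pkt["src"]) in ip_network(self.src)
                and ip_address(pkt["dst"]) in ip_network(self.dst)
                and self.proto in (None, pkt["proto"])
                and self.dport in (None, pkt.get("dport")))

    def specificity(self) -> tuple:
        """Larger tuple = more specific: longer prefixes, pinned proto/port."""
        return (ip_network(self.src).prefixlen + ip_network(self.dst).prefixlen,
                self.proto is not None, self.dport is not None)


@dataclass
class Rule:
    selector: Selector
    action: str            # "PROTECT", "BYPASS" or "DISCARD" (RFC 4301 terms)
    dynamic: bool = False  # True for a rule negotiated by IKE, False if static


class SecurityPolicyDatabase:
    def __init__(self, rules):
        # Ordered search: the most specific selectors are consulted first.
        self.rules = sorted(rules, key=lambda r: r.selector.specificity(), reverse=True)

    def lookup(self, pkt: dict) -> str:
        for rule in self.rules:
            if rule.selector.matches(pkt):
                return rule.action
        return "DISCARD"  # no matching entry: default-deny


# Constructed policy: bypass intranet traffic, but protect SSH to one host
# (an IKE-negotiated rule), protect traffic to a partner prefix, discard the rest.
SPD = SecurityPolicyDatabase([
    Rule(Selector(), "DISCARD"),
    Rule(Selector(src="10.0.0.0/8", dst="10.0.0.0/8"), "BYPASS"),
    Rule(Selector(dst="192.0.2.0/24"), "PROTECT"),
    Rule(Selector(dst="10.9.9.9/32", proto=6, dport=22), "PROTECT", dynamic=True),
])
```

Because the host-specific SSH rule sorts ahead of the broader intranet BYPASS rule, the same intranet source is bypassed for ordinary traffic but protected when it reaches that host on port 22.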
IPsec SA endpoints typically are disposed within a security enforcement point such as a virtual private network (VPN)/firewall. Security enforcement points generally are no different than any other computing device excepting that the computing device supporting a security enforcement point hosts logic including program code enabled to support security services such as IPsec SA endpoint management. Like other computing devices, then, IPsec SA endpoints are susceptible to power outages, network communications faults, hardware failures and disabling crashes of the operating system for the computing device (collectively referred to as “outages”).
To account for outages in a security enforcement point supporting an IPsec SA endpoint, two important technologies have been deployed: dead peer detection (DPD) as described in RFC 3706 and failure recovery of network secure communications as described in U.S. Patent Publication No. 20020095496 by Mark L. Antes, James R. Godwin, David A. Herr, Linwood H. Overby, Jr. and David J. Wierbowski. When combined, these technologies can detect an outage, identify all established SAs for the security enforcement point, and re-establish every one of the SAs. It will be noted by the skilled artisan, however, that when an IPsec security enforcement point recovers large quantities of IPsec SAs during recovery, undesirable processing overhead and network latencies can arise.