1. Field of the Invention
The present invention relates generally to networks and, more particularly, to the operation of end-to-end secure networks.
2. Description of the Background Art
The High Assurance Internet Protocol Encryption (“HAIPE”) is the primary encryption device used to provide end-to-end security for the Global Information Grid (“GIG”) environment. A HAIPE device operates at the IP layer of the TCP/IP protocol stack and represents a boundary between a common encrypted IP “black core” (e.g., the general Internet) and protected “red enclaves” at the perimeter.
This HAIPE device breaks the normal routing function such that traffic generated in one red enclave cannot be directly routed to other red enclaves. To support end-to-end traffic forwarding, a HAIPE device must be able to discover the “cipher-text” (“CT”) address of the HAIPE fronting the destination red enclave, this CT address corresponding to the address of the fronting HAIPE as seen from the black network. Once the CT address is known, the source HAIPE can establish a secure communication channel with the destination HAIPE, and end-to-end secure traffic between a source red enclave and a destination red enclave may be transmitted.
One approach to HAIPE peer discovery is “Routing Based Peer HAIPE Discovery” (“RBD”), which uses the Border Gateway Protocol (“BGP”) to distribute plain-text-to-cipher-text (“PT-to-CT”) mapping information to other enclaves. The fronting HAIPE of the source red enclave is operable to discover the “plain-text” (“PT”) addresses of networked systems within the red enclave using an intra-enclave routing protocol, a PT address being the address of a system as seen from within the red enclave. The fronting HAIPE is also able to obtain its own CT address and, from this information, to create PT-to-CT address mappings, which it then provides to a discovery server. The discovery server is itself protected by a HAIPE, but does not necessarily reside in the source red enclave. The discovery server is operable to exchange PT-to-CT mapping information with other discovery servers using BGP and thereby to further populate its own mapping table. Accordingly, when a first workstation located in a first enclave wants to establish communications with a second workstation in a second enclave, and the first workstation knows the PT address of the second workstation, this mapping can be used to determine the CT address of the fronting HAIPE that must be contacted in order to establish the communications channel.
By its nature, peer discovery of IP crypto is uni-directional. When a first workstation located in a first enclave wants to establish communications with a second workstation in a second enclave, the first workstation expects the second workstation to provide a reply. For the second workstation to reply, its fronting HAIPE must discover the fronting HAIPE of the first enclave. The peer discovery process at the fronting HAIPE of the second enclave adds latency to communication between the first and second workstation. We name this problem the “double discovery issue.”
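The following Python model is an added example and is not part of the patent text. It simulates the RBD arrangement described above: each fronting HAIPE publishes its enclave's PT prefix together with its own CT address to a discovery server, the discovery servers merge their tables (a plain dictionary merge stands in for the BGP exchange), and a HAIPE resolves a destination PT address to the peer's CT address by longest-prefix match. Counting the lookups for one request and its reply makes the double discovery issue concrete: two separate discoveries are needed before the reply can be forwarded. All addresses, enclave names and the class/function names are constructed for this example.

```python
import ipaddress


class DiscoveryServer:
    """PT-prefix -> CT-address mapping store. `exchange` is a simplified
    stand-in for the BGP advertisement between discovery servers."""

    def __init__(self, name):
        self.name = name
        self.mappings = {}  # ipaddress.IPv4Network (PT prefix) -> CT address (str)

    def register(self, pt_prefix, ct_address):
        """Accept a PT-to-CT mapping from a fronting HAIPE."""
        self.mappings[ipaddress.ip_network(pt_prefix)] = ct_address

    def exchange(self, other):
        """Merge mapping tables in both directions (models BGP peering)."""
        merged = {**self.mappings, **other.mappings}
        self.mappings = dict(merged)
        other.mappings = dict(merged)

    def lookup(self, pt_address):
        """Longest-prefix match: PT address -> CT address of the fronting HAIPE."""
        addr = ipaddress.ip_address(pt_address)
        best = None
        for prefix, ct in self.mappings.items():
            if addr in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
                best = (prefix, ct)
        if best is None:
            raise LookupError(f"no PT-to-CT mapping covers {pt_address}")
        return best[1]


class Haipe:
    """Fronting HAIPE: knows its enclave's PT prefix and its own CT address,
    publishes the mapping, and performs peer discovery before a channel is set up."""

    def __init__(self, name, pt_prefix, ct_address, discovery):
        self.name = name
        self.pt_prefix = ipaddress.ip_network(pt_prefix)
        self.ct_address = ct_address
        self.discovery = discovery
        self.discovery_lookups = 0   # number of discovery queries this HAIPE issued
        self.channels = set()        # peer CT addresses with an established channel
        discovery.register(pt_prefix, ct_address)

    def peer_for(self, dest_pt):
        """Discover the peer HAIPE fronting dest_pt; counted so the double lookup is visible."""
        self.discovery_lookups += 1
        peer_ct = self.discovery.lookup(dest_pt)
        self.channels.add(peer_ct)
        return peer_ct


def request_and_reply(src_haipe, src_pt, dst_haipe, dst_pt):
    """Forward a request from src_pt to dst_pt and then the reply back.
    Returns (request_peer_ct, reply_peer_ct, total_discovery_lookups)."""
    request_peer = src_haipe.peer_for(dst_pt)   # first discovery, at the source HAIPE
    reply_peer = dst_haipe.peer_for(src_pt)     # second discovery, at the destination HAIPE
    total = src_haipe.discovery_lookups + dst_haipe.discovery_lookups
    return request_peer, reply_peer, total


def build_topology():
    """Two enclaves (constructed addresses), each with its own discovery server;
    the servers then exchange their tables."""
    ds1 = DiscoveryServer("ds-enclave-1")
    ds2 = DiscoveryServer("ds-enclave-2")
    haipe1 = Haipe("haipe-1", "10.1.0.0/16", "203.0.113.1", ds1)
    haipe2 = Haipe("haipe-2", "10.2.0.0/16", "203.0.113.2", ds2)
    ds1.exchange(ds2)
    return haipe1, haipe2


if __name__ == "__main__":
    h1, h2 = build_topology()
    print(request_and_reply(h1, "10.1.0.10", h2, "10.2.0.20"))
```

The third element of the returned tuple is the point of the model: even though the destination HAIPE has just received a packet from the source HAIPE, it still issues its own discovery query before it can forward the reply, and that query is the added latency the text calls the double discovery issue.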
Accordingly, what is desired is a means of optimizing HAIPE peer discovery for reply communications.