Another huge scalability issue with the traditional, point-to-point approach for “any to any” VPNs is key management. The GET VPN features simplified security policy and key distribution thanks to the Group Key Distribution Model. This model uses Group Domain of Interpretation (GDOI) as specified in RFC 3547.
The Group Key Distribution Model features a Key Server (a Cisco router) that authenticates group members, and handles the distribution of security policies and any required keys. In the interests of further scaling this already scalable solution, as well as improving availability, Cooperative Key Servers can be used across wide geographic distributions.
The GET VPN solution, a major facet of this exciting technology is the Group Domain of Interpretation (GDOI) as outlined in RFC 3547. This technology is such a pivotal component of GET VPN because it serves as the mechanisms to provide the cryptographic keys to a group of VPN gateways.
GDOI relies on none other than Internet Key Exchange (IKE) Phase 1 to protect the distribution of the keys. Just as with “traditional” IPSec VPNs, you can utilize such methods as Pre-shared Keys (PSK) or thePublic Key Infrastructure (PKI) for authentication with IKE Phase 1.
GDOI actually implements two different encryption keys. The Key Encryption Key (KEK) is used to secure the control plane, while the key used for data encryption is the Traffic Encryption Key (TEK).
Another critical element for the GET VPN is the Key Server (KS). This is the IOS device responsible for creating the GET VPN control plane. The KS is where you actually define the encryption policy (interesting traffic, encryption protocol, etc.) that is pushed to all group members.
Group members in GET VPN are the IOS routers responsible for the actual encryption and decryption of data traffic.
Another excellent aspect of GET VPN is the rekey process built into GDOI. GDOI periodically refreshes cryptographic keying information and distributes it to group members. GDIO has the ability to send rekey messages as unicast or multicast in the network infrastructure.
Obviously, if the Key Server fails, the GET VPN implementation is in big trouble. To help ensure availability of the solution, cooperative Key Servers (COOP KSs) provide redundancy. Under COOP, one of your KSs serves as the primary Key Server, while other KSs are the secondary devices. Messaging between the KSs ensure a failover election occurs if a downing of the primary device is detected through the lack of primary device messages.
No comments:
Post a Comment