The Group Encrypted Transport Virtual Private Network (GETVPN) solution introduces technologies that make use of the capabilities of the underlying Multi Protocol Label Switching (MPLS) or shared IP network. It brings in the concept of a trusted group, which removes the need for overlay routing and point-to-point tunnels. Traffic encrypted by one group member can be decrypted by any other group member.
In GET VPN a single security association is shared among all group members; it is called the group security association. Group members do not need to negotiate point-to-point IPsec tunnels among themselves. The Group Domain of Interpretation (GDOI) is used to distribute the shared IPsec keys to the group of enterprise VPN gateways that take part in the secured communication. These keys are updated and refreshed periodically through a "re-key" process that is carried out on all of the VPN gateways: new keys are sent out when the current keys are close to expiry. The most important entity in a GET VPN network is the Key Server (KS), which also maintains the control plane. GDOI rekey uses two transport methods, unicast and multicast. Unicast rekey is used when the WAN infrastructure does not carry multicast. Re-registration with the key server is initiated by the Group Member (GM).
When designing a GET VPN network, the platform is selected first, and then the Cisco IOS release for the group members is chosen. The key server is selected mainly on the basis of network scalability, while a group member is selected on the basis of its packet forwarding rate. New IPsec security associations (SAs) are established before the current SAs expire. AIM/SSL cards are recommended for ISR routers, but they are not used on all ISR models.
In GET VPN, the Group Domain of Interpretation is implemented by Cisco. Junos OS, by contrast, implements group VPN, which covers both security devices and routers in the network environment, and members of either type can interoperate with a Cisco GETVPN server. When a group VPN includes security devices, re-key should not be enabled on the server, in order to avoid traffic disruption. For unicast re-key messages, a group member that does not respond is removed from the group and no longer receives re-keys. By default, the Cisco server uses time-based anti-replay.
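The control-plane behaviour described in the two paragraphs above (one group security association shared by every member, a re-key issued before the current keys expire, a member that does not acknowledge a unicast re-key being dropped from the group, and re-registration by the group member) can be modelled in a few dozen lines. The following is an added illustration written for this article, not Cisco or Juniper code: the `KeyServer`, `GroupMember` and `GroupSA` classes, the `REKEY_LEAD` threshold and the one-hour lifetime are all assumptions made to keep the example self-contained, and the TEK is simply a random 32-byte string rather than a real GDOI key payload.

```python
"""Toy model of GET VPN key-server rekeying (added example, not Cisco or Juniper code)."""
import secrets
from dataclasses import dataclass
from typing import Dict, List, Optional

REKEY_LEAD = 30  # hypothetical: seconds before TEK expiry at which the KS pushes a re-key


@dataclass
class GroupSA:
    """The single security association that every group member shares."""
    tek: bytes        # traffic encryption key handed out by the KS
    issued_at: int
    lifetime: int

    def expires_at(self) -> int:
        return self.issued_at + self.lifetime


@dataclass
class GroupMember:
    name: str
    responsive: bool = True          # False models a GM the KS cannot reach over the WAN
    sa: Optional[GroupSA] = None

    def receive_rekey(self, sa: GroupSA) -> bool:
        """Install the new SA and acknowledge the unicast re-key; an unreachable GM never answers."""
        if not self.responsive:
            return False
        self.sa = sa
        return True


class KeyServer:
    """Holds the group SA, registers members and re-keys them before the TEK expires."""

    def __init__(self, lifetime: int, now: int = 0):
        self.lifetime = lifetime
        self.members: Dict[str, GroupMember] = {}
        self.sa = self._new_sa(now)

    def _new_sa(self, now: int) -> GroupSA:
        return GroupSA(tek=secrets.token_bytes(32), issued_at=now, lifetime=self.lifetime)

    def register(self, gm: GroupMember, now: int) -> None:
        """GDOI registration: the GM (re-)joins and pulls the current group SA from the KS."""
        self.members[gm.name] = gm
        gm.sa = self.sa

    def tick(self, now: int) -> Optional[List[str]]:
        """Periodic check. Returns None if no re-key was needed, otherwise the list of
        members dropped because they did not acknowledge the unicast re-key."""
        if now < self.sa.expires_at() - REKEY_LEAD:
            return None
        self.sa = self._new_sa(now)          # new keys go out while the old ones are still valid
        dropped = []
        for name, gm in list(self.members.items()):
            if not gm.receive_rekey(self.sa):  # no response to the unicast re-key: remove from group
                dropped.append(name)
                del self.members[name]
        return dropped


def run_scenario() -> dict:
    """Constructed scenario: three GMs, one of which becomes unreachable before the re-key."""
    ks = KeyServer(lifetime=3600, now=0)              # hypothetical one-hour TEK lifetime
    gm1, gm2, gm3 = GroupMember("gm1"), GroupMember("gm2"), GroupMember("gm3")
    for gm in (gm1, gm2, gm3):
        ks.register(gm, now=0)
    first_tek = ks.sa.tek
    early = ks.tick(now=100)                          # far from expiry: nothing happens
    gm3.responsive = False                            # gm3 loses WAN connectivity
    dropped = ks.tick(now=3600 - REKEY_LEAD)          # re-key point reached
    gm3_stale = gm3.sa.tek == first_tek               # gm3 still holds the expiring TEK
    gm3.responsive = True
    ks.register(gm3, now=3600)                        # GM initiates re-registration with the KS
    return {
        "early_rekey": early,
        "dropped": dropped,
        "tek_rotated": ks.sa.tek != first_tek,
        "keys_match": gm1.sa.tek == gm2.sa.tek == ks.sa.tek,
        "gm3_held_stale_tek": gm3_stale,
        "gm3_after_rereg": gm3.sa.tek == ks.sa.tek and "gm3" in ks.members,
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point of the model is the ordering: the KS rotates the TEK while the old one is still valid, every reachable member ends up with the same key without any pairwise negotiation, and a member that misses the unicast re-key falls out of the group and has to re-register to get the current SA.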
A centralized key server makes membership control straightforward. Transport authentication and data security are provided. Encrypting all WAN traffic satisfies internal regulations and security compliance requirements. Large-scale network meshes are made possible. Network intelligence is preserved, including full-mesh connectivity, quality of service and the natural routing path of Multi Protocol Label Switching (MPLS) networks. The traffic load on customer premises equipment (CPE) is reduced. The IP source and destination addresses are preserved during IPsec encryption and encapsulation. GET VPN integrates very effectively with the traffic engineering and quality of service features of the network.
GET VPN enables encryption of native multicast packets when multicast rekeying is used, and unicast rekeying is used over a private network. The GET VPN concept is built around three main parts and their relationships: Data Protection, Routing and Key Distribution, which together cover Secure Unicast, Secure Multicast, IP Header Preservation and the Group Domain of Interpretation.
Secure Data Plane Multicast
The multicast sender uses the traffic encryption key (TEK) provided by the Key Server. The multicast data packet is encrypted with header preservation before it is switched out.
Multicast re-keys are delivered efficiently: a single multicast re-key is sent out to all registered group members. The lifetime configured on the key server determines when the multicast rekeys are sent.
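The data-plane properties described above (the sender encrypting with the group TEK, header preservation so that the outer packet keeps the original source and destination, any group member being able to decrypt any other member's traffic, and the time-based anti-replay mentioned earlier) are illustrated by the following added example. It is written for this article and is not Cisco or Juniper code: the `Packet` type, the `ANTI_REPLAY_WINDOW` value and the IP addresses are constructed assumptions, and the cipher is an HMAC-SHA256 counter-mode keystream used only as a stand-in for ESP's AES so that the example runs with the standard library alone.

```python
"""Toy model of the GET VPN data plane: one group TEK, IP header preservation and
time-based anti-replay. Added example, not Cisco or Juniper code. The cipher is an
HMAC-SHA256 counter-mode stand-in for ESP's AES and is not for real traffic."""
import hashlib
import hmac
import secrets
import struct
from dataclasses import dataclass
from typing import Optional

ANTI_REPLAY_WINDOW = 5   # hypothetical: accepted pseudotime skew, in seconds
NONCE_LEN, TAG_LEN = 12, 32


@dataclass(frozen=True)
class Packet:
    src: str        # IP source, kept on the wire by header preservation
    dst: str        # IP destination (unicast host or multicast group), also kept
    payload: bytes


def _keystream(tek: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(tek, nonce || counter) blocks, truncated to length."""
    blocks = [hmac.new(tek, nonce + struct.pack(">I", ctr), hashlib.sha256).digest()
              for ctr in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def _tag(tek: bytes, src: str, dst: str, body: bytes) -> bytes:
    """Integrity tag over the preserved header fields and the encrypted body."""
    return hmac.new(tek, f"{src}>{dst}".encode() + body, hashlib.sha256).digest()


def group_encrypt(tek: bytes, pkt: Packet, pseudotime: int) -> Packet:
    """Encrypt with the group TEK; the outer header copies the inner src/dst unchanged."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(a ^ b for a, b in zip(pkt.payload, _keystream(tek, nonce, len(pkt.payload))))
    body = struct.pack(">Q", pseudotime) + nonce + ciphertext   # sender's pseudotime travels with the packet
    return Packet(pkt.src, pkt.dst, body + _tag(tek, pkt.src, pkt.dst, body))


def group_decrypt(tek: bytes, outer: Packet, receiver_pseudotime: int) -> Optional[Packet]:
    """Return the inner packet, or None if the tag fails or the pseudotime is outside the window."""
    if len(outer.payload) < 8 + NONCE_LEN + TAG_LEN:
        return None
    body, tag = outer.payload[:-TAG_LEN], outer.payload[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(tek, outer.src, outer.dst, body)):
        return None                     # wrong TEK (e.g. stale after a re-key) or tampering
    (pseudotime,) = struct.unpack(">Q", body[:8])
    if abs(pseudotime - receiver_pseudotime) > ANTI_REPLAY_WINDOW:
        return None                     # time-based anti-replay: packet too old (or from the future)
    nonce, ciphertext = body[8:8 + NONCE_LEN], body[8 + NONCE_LEN:]
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(tek, nonce, len(ciphertext))))
    return Packet(outer.src, outer.dst, plaintext)


def demo() -> dict:
    """Constructed scenario: GM1 sends to a multicast group; GM2 and GM3 hold the same TEK."""
    tek = secrets.token_bytes(32)                                   # TEK as handed out by the KS
    inner = Packet("10.1.1.10", "239.1.1.1", b"multicast app data")   # constructed addresses
    outer = group_encrypt(tek, inner, pseudotime=1000)              # GM1 encrypts at pseudotime 1000
    gm2 = group_decrypt(tek, outer, receiver_pseudotime=1002)
    gm3 = group_decrypt(tek, outer, receiver_pseudotime=1003)
    replayed = group_decrypt(tek, outer, receiver_pseudotime=1000 + ANTI_REPLAY_WINDOW + 20)
    stale = group_decrypt(secrets.token_bytes(32), outer, receiver_pseudotime=1002)
    return {
        "header_preserved": (outer.src, outer.dst) == (inner.src, inner.dst),
        "payload_hidden": inner.payload not in outer.payload,
        "gm2_decrypts": gm2 == inner,
        "gm3_decrypts": gm3 == inner,
        "replay_rejected": replayed is None,
        "stale_tek_rejected": stale is None,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the outer packet carries the original source and multicast destination, the MPLS or IP core forwards it exactly as it would the cleartext packet, which is what lets GET VPN keep native multicast replication and the natural routing path while still hiding the payload from anything outside the group.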
In private WAN environments, the trade-off between data privacy and network intelligence is removed. A new category of VPN is introduced that does not use tunnels. The service provider can offer managed encryption, and VPN provisioning and management are simplified. GET VPN combines the Group Domain of Interpretation keying protocol with IPsec encryption to give the user an efficient way of securing IP multicast or unicast traffic. The router applies encryption to non-tunneled IP multicast and unicast packets, which removes the need to configure tunnels in order to protect multicast and unicast traffic.
In the end, we promise our readers a quick guide on how to configure and establish a GETVPN between peers and get it up and running.
- GET VPN – Design and Implementation Guide
- JUNOS Group VPN Feature Guide for Security Devices
- CISCO Group Encrypted Transport VPN Configuration Guide