-> GETVPN is a tunnel-less VPN mainly used in MPLS and multicast deployments.
-> GETVPN stands for Group Encrypted Transport VPN.
-> GETVPN has three main components:
i) GM (Group Member)
ii) KS (Key Server)
iii) GDOI (Group Domain of Interpretation)
-> Each GM registers with the Key Server by providing its Group ID; the Key Server then provides the IPsec SA so that the GM can encrypt/decrypt data before sending it.
-> The Key Server is responsible for providing security policies and keys to the Group Members so that they can encrypt/decrypt data before sending it.
-> When a GM registers with the Key Server, the Key Server verifies the group ID number of the GM. If this ID number is valid and the GM has provided valid Internet Key Exchange (IKE) credentials, the Key Server sends the SA policy and the keys to the Group Member.
-> A router can be either a Key Server or a Group Member; both cannot be configured on the same router.
-> Each GM receives two types of keys from the Key Server:
i) Key Encryption Key (KEK) -- used to encrypt control traffic (between KS and Group Member).
ii) Traffic Encryption Key (TEK) -- used to encrypt data traffic (between Group Member and Group Member).
-> The KEK secures the rekey process; the TEK is used in the IPsec SA.
-> The Key Server sends a rekey (refreshed key) to the GMs before the SA policy expires or when the SA policy changes.
-> The rekey can be sent in two modes:
i) unicast -- requires acknowledgment by the GM.
ii) multicast -- does not require acknowledgment.
-> The GDOI protocol is used for group key and group SA management.
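As an added example (not configuration from the original post), the following minimal Cisco IOS configuration shows how the pieces above fit together: one Key Server that holds the group policy and pushes the TEK/KEK to members, and one Group Member that only states its Group ID and the KS address. The addresses (10.0.0.1, 10.0.0.2), the group name and number, the ACL, the RSA key label and the pre-shared key are made-up placeholders; replace them for a real deployment.

```cisco
! Added example, not from the post. All addresses, names, the group
! number and the pre-shared key are placeholders.
!
! ===== Key Server (10.0.0.1) =====
! ISAKMP policy: GDOI relies on ISAKMP to authenticate GMs at registration
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
! Pre-shared key for the Group Member at 10.0.0.2 (placeholder value)
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 10.0.0.2
! RSA key pair the KS uses to sign rekey messages; GMs verify the signature
! (generated once from configuration mode, not stored in the running-config)
crypto key generate rsa label GETVPN-REKEY modulus 2048
! IPsec policy that is distributed to GMs together with the TEK
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha256-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROFILE
 set transform-set GETVPN-TS
! Group-wide traffic policy: which traffic every GM must encrypt
ip access-list extended GETVPN-TRAFFIC
 permit ip 192.168.0.0 0.0.255.255 192.168.0.0 0.0.255.255
! GDOI group; "identity number" is the Group ID a GM presents when registering
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server local
  rekey authentication mypubkey rsa GETVPN-REKEY
  ! unicast rekey: each GM must acknowledge; multicast would need no ack
  rekey transport unicast
  rekey lifetime seconds 86400
  rekey retransmit 10 number 2
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   replay time window-size 5
  address ipv4 10.0.0.1
!
! ===== Group Member (10.0.0.2) =====
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
crypto isakmp key EXAMPLE-PSK-REPLACE-ME address 10.0.0.1
! The GM carries no IPsec policy of its own: it names the group and the KS,
! and receives the SA policy, TEK and KEK from the KS after registering
crypto gdoi group GETVPN-GROUP
 identity number 1234
 server address ipv4 10.0.0.1
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN-GROUP
interface GigabitEthernet0/0
 ip address 10.0.0.2 255.255.255.0
 crypto map GETVPN-MAP
```

Once the GM has registered, `show crypto gdoi` on the GM displays the group, the KS address and the remaining KEK and TEK lifetimes, and `show crypto gdoi ks members` on the KS lists the registered members; a GM that never appears there has failed either the Group ID check or the ISAKMP authentication. Because the example selects `rekey transport unicast`, the KS retransmits an unacknowledged rekey and eventually drops members that do not acknowledge, which is the behaviour to watch for when a site loses its TEK after a rekey.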
-> GDOI uses the Internet Security Association and Key Management Protocol (ISAKMP) for authenticating the GMs and KSs.
-> All the standard ISAKMP authentication schemes, such as RSA signatures (certificates) and pre-shared keys, can be used for GETVPN.
Md.Kareemoddin
CCIE # 54759