28-3
User Guide for Cisco Security Manager 4.4
OL-28826-01
Chapter 28 Group Encrypted Transport (GET) VPNs
Understanding Group Encrypted Transport (GET) VPNs
Key servers—The routers that act as key servers are the gatekeepers to the topology. The group member must successfully register with a key server before becoming an active member of the VPN. The key servers control the shared service policy, and generate and transmit keys to group members. Key servers cannot be group members themselves, but a single key server can service more than one topology. For more information, see Understanding the GET VPN Registration Process, page 28-4.
The Group Domain of Interpretation (GDOI) group key management protocol is used to provide a set of cryptographic keys and policies to a group of devices. In a GET VPN network, GDOI is used to distribute common IPsec keys to a group of enterprise VPN gateways (group members) that must communicate securely. Devices designated as key servers periodically refresh and send out the updated keys to the group members using a process called “rekeying.”
The GDOI protocol uses the Phase 1 Internet Key Exchange (IKE) SA. All participating VPN gateways authenticate themselves to the device providing keys using IKE. All IKE authentication methods, for example, pre-shared keys (PSKs) and public key infrastructure (PKI), are supported for initial authentication. After the VPN gateways are authenticated and provided with the appropriate security keys using the IKE SA, the IKE SA expires and GDOI is used to update the group members in a more scalable and efficient manner. For more information about GDOI, refer to RFC 3547.
Address preservation—IPsec-protected data packets carry the original source and destination in the outer IP header rather than replacing them with tunnel endpoint addresses. Address preservation allows GET VPN to use the routing functionality present within the core network. Address preservation allows routing to deliver the packets to any customer-edge (CE) device in the network that advertises a route to the destination address. Any source and destination matching the policy for the group will be treated in a similar manner. In the situation where a link between IPsec peers is not available, address preservation also helps combat traffic “black-hole” situations.
Header preservation also maintains routing continuity throughout the enterprise address space and in the WAN. As a result, end host addresses of the campus are exposed in the WAN (for MPLS, this applies to the edge of the WAN). For this reason, GET VPN is applicable only when the WAN network acts as a “private” network (for example, in an MPLS network).
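As an added illustration of address preservation (example code written for this page, not part of the Cisco guide), the following Python builds a minimal IPv4/ESP encapsulation both ways: classic point-to-point tunnel mode, where the outer header carries the gateway addresses, and the GET VPN form, where the outer header copies the original source and destination. The ESP payload is left as opaque bytes rather than encrypted, because the point is what a core or WAN router sees in the outer header; all addresses, SPI and sequence values are constructed sample data.

```python
import ipaddress
import struct

ESP_PROTO = 50   # IP protocol number for ESP
TCP_PROTO = 6

def ones_complement_sum(data: bytes) -> int:
    """Fold the 16-bit words of data into a 16-bit ones'-complement sum."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid header checksum."""
    fields = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                         ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    csum = (~ones_complement_sum(fields)) & 0xFFFF
    return fields[:10] + struct.pack("!H", csum) + fields[12:]

def parse_ipv4(pkt: bytes):
    """(src, dst, proto) of the outermost header: exactly what a WAN router routes on."""
    proto = pkt[9]
    return (str(ipaddress.IPv4Address(pkt[12:16])), str(ipaddress.IPv4Address(pkt[16:20])), proto)

def esp_encapsulate(inner: bytes, outer_src: str, outer_dst: str, spi: int, seq: int) -> bytes:
    """Tunnel-mode ESP framing: outer IP + ESP(SPI, sequence) + whole inner packet as payload.
    The payload is left in the clear here; real ESP encrypts and authenticates it."""
    esp = struct.pack("!II", spi, seq) + inner
    return ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp

def classic_tunnel(inner: bytes, gw_src: str, gw_dst: str, spi: int, seq: int) -> bytes:
    """Point-to-point IPsec: the WAN sees only the two gateway addresses."""
    return esp_encapsulate(inner, gw_src, gw_dst, spi, seq)

def get_vpn_tunnel(inner: bytes, spi: int, seq: int) -> bytes:
    """GET VPN address preservation: the outer header reuses the inner src/dst, so the
    core can route to any CE advertising the destination, but those end-host
    addresses are now visible to every hop in the WAN (hence the private-WAN requirement)."""
    src, dst, _ = parse_ipv4(inner)
    return esp_encapsulate(inner, src, dst, spi, seq)

if __name__ == "__main__":
    # Constructed sample: a campus host talking to a host behind another CE.
    inner = ipv4_header("10.1.1.5", "10.2.2.7", TCP_PROTO, 0)
    print("classic tunnel, WAN sees:", parse_ipv4(classic_tunnel(inner, "192.0.2.1", "198.51.100.1", 0x100, 1)))
    print("GET VPN, WAN sees:      ", parse_ipv4(get_vpn_tunnel(inner, 0x100, 1)))
```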
The following figure shows the general operation of a GET VPN topology.
Figure 28-1 General GET VPN Operation
1. Group members register with the key server using the Group Domain of Interpretation (GDOI) protocol. The key server authenticates and authorizes the group members and downloads the IPsec policy and keys that are necessary for them to encrypt and decrypt IP multicast and unicast packets. The registration process can use unicast or multicast communications.