Professional Documents
Culture Documents
GET VPN Overview
GET VPN Overview
Transport VPN
Technical Overview
December 2006
Presentation_ID
Cisco Confidential
Agenda
Problem Statement
Solution: Group Encrypted Transport
Technology Components
Feature Overview
Provisioning and Management
Presentation_ID
Cisco Confidential
Problem Statement
Todays Enterprise WAN technologies force a trade-off
between QoS-enabled branch interconnectivity and transport
security
Networked applications such as voice, video and web-based
applications drive the need for instantaneous, branch interconnected,
QoS-enabled WANs
Distributed nature of network applications result in increased demands
for scalable branch to branch interconnectivity
Increased network security risks and regulatory compliance have
driven the need for WAN transport security
Need for balanced control of security management between
enterprises and service providers
Cisco Confidential
CE 3
CE1
10/2
10/4
(10.1.1.1, 10.2.1.1)
(10.4.1.1, 10.3.1.1)
(10.3.1.1, 10.3.1.1)
IP VPN
(10.1.1.1, 10.2.1.1)
(10.3.1.1, 232.0.0.1)
(10.1.1.1, 10.2.1.1)
CE 4
CE 2
Key
Server
(10.4.1.1, 10.3.1.1)
Branch
Encrypted Any-Any
connectivity
Enterprise Core
Any-to-Any Connectivity
Hierarchical Routing
(without tunnels)
Redundancy Established
by Core Routers
Native Multicast
Encryption
Presentation_ID
10/1
(10.3.1.1, 232.0.0.1)
10/3
Cisco Confidential
10/5
Branch
Transparent Service
Integration (e.g.,MPLS)
Integration with DMVPN
Highly Scalable Full Meshes
Monitoring/Management:
centralized policy
distribution CLI/GUI
4
Multicast traffic encryption through Encryption supported for Native Multicast and
IPsec tunnels:
Unicast traffic with GDOI
Not scalable
Allows higher scalability
Difficult to troubleshoot
Simplifies Troubleshooting
Extensible standards-based framework
Overlay VPN Network
Overlay Routing
Sub-optimal Multicast
replication
Lack of Advanced QoS
No Overlay
Leverages Core network for Multicast
replication via IP Header preservation
Optimal Routing introduced in VPN
Advanced QoS for encrypted traffic
Presentation_ID
Cisco Confidential
Multicast Source
VPN A
VPN A
VPN A
VPN B
VPN A
VPN A
VPN B
VPN A
VPN A
VPN A
MPLS VPN Network
VPN B
VPN B
VPN B
GRE Tunnels
CE-CE
VPN B
VPN A
Multicast VRF
VPN B
VPN A
Multicast
Source
VPN B
Multicast Source
VPN B
Overlay Routing
No Overlay Routing
Presentation_ID
Cisco Confidential
Additional
Value
Presentation_ID
Cisco Confidential
GET VPN
DMVPN
IPSec (P2P/GRE)
Alternative/Backup WAN
Replacement
for/Existing Traditional
FR/ATM WAN
Replacement
for/Existing Traditional
FR/ATM WAN
Alternative/Backup
WAN
Alternative/Backup
WAN
Encryption of pipe
Simplifies configuration
for hub & spoke VPNs
What it
Does?
Enables participation of
smaller routers in large
meshed networks
Native
Multicast
Yes
Dynamic
Routing
No not supported
Failover
Method
Routing based
Routing based
Stateful Failover
Stateful Failover
QoS
Yes
Yes
Yes
Yes
Keys
Presentation_ID
Group-based
2006 Cisco Systems, Inc. All rights reserved.
Peer-based
Peer-based
Peer-based
Scale
Cisco Confidential
Technology
Components
Presentation_ID
Cisco Confidential
Data Protection
Secure
Multicast
Routing Continuity
No overlay Routing
Key Distribution
Group Domain
Of Interpretation
Routing
IP Header
Preservation
Presentation_ID
Cisco Confidential
Data Protection
Secure
Unicast
10
Group
Member
GDOI--Key distribution
mechanism
Reke
y SA
Subnet
RFC 3547
Subnet
Subnet
IPSe
c
SAs
Group
Memb
er
Private
WAN
IPSe
c
Reke
y SA SAs
Reke
y SA
Subnet
4
2
IPSe
c
Reke
y SA SAs
Group Keys
Unicast/Multicast Key
distribution
Cooperative Key Server for
High Availability
IPSe
c
SAs
Keys
and
RekeyPolicy
and
Policy
Group
Member
Key
Server
GSA*
GDOI
* GSA = Group Security Association
Presentation_ID
Cisco Confidential
11
Routing Continuity:
IPsec Tunnel Mode with IP Header Preservation
Original IP Packet
IP header
IP Payload
IP Header Preservation
GET
VPN
Original header
preserved
ESP header
IP
IP Payload
Cisco Confidential
12
Secure Multicast
Data Protection
Multicast
Receiver
Key Server
Multicast
Sender
GM
IP
Internet
GM
GM
Multicast
Receiver
Cisco Confidential
13
Secure Unicast
Data Protection
Multicast
Host
Key Server
Multicast
Host
!!
IP
GM
!!
!!
GM
Multicast
Host
GM
GM
Group member assumes that legitimate group members obtain Traffic Encryption
Key from key server for the group
Group members can authenticate the group membership
Group member Encrypts Unicast with Group SA
Presentation_ID
Cisco Confidential
14
Detailed Feature
Overview
Presentation_ID
Cisco Confidential
15
Policy Management
Centralized Policy Distribution from PRIMARY Group Controller Key
Server
Group Member Policy Exception (e.g. local deny)
Group Member Policy Merge (concatenate KS policy with GM
policy)
Cisco Confidential
16
GDOI Registration
Key Distribution
Key Server
IPSec
SAs
Rekey
SA
IPSec
SAs
Rekey
SA
IP
10.0.1.0/24
IPSec
SAs
Rekey
SA
Group Member
Group Member
IPSec
SAs
Rekey
Group Member
SA
10.0.2.0/24
Cisco Confidential
17
GDOI Rekey
Key Distribution
Key Server
IPSec
SAs
IPSec
SAs
IP
10.0.1.0/24
IPSec
SAs
Group Member
Group Member
Group Member
IPSec
10.0.2.0/24
SAs
The key server generates and pushes new IPsec keys and policy
to the routers when necessary
Re-key messages can also cause group members to be ejected
from the group
Presentation_ID
Cisco Confidential
18
KEK = 235687404
Multicast
enabled
WAN
KEK = 235687404
IP
Presentation_ID
Cisco Confidential
19
Protect: (*,232.0.0.0/8)
Group Member = 192.168.3.4
Group Member = 192.168.3.2
Group Member = 192.168.3.3
Secondary KS
Key Server
KEK = 235687404
Secondary KS
IP
10.0.1.0/24
Presentation_ID
Cisco Confidential
10.0.2.0/24
20
Policy Management
Local Policy Configured by Group Member
Global Policy Configured and Distributed by Key Server
Global Policy Appended to Local Policy
Key Server
Permit: Any-Any
GM
10.0.3.0/24
10.0.1.0/24
IP
GM
GM
Deny: Link Local
Presentation_ID
Cisco Confidential
10.0.2.0/24
GM
21
Pseudo-Synchronous Anti-Replay
Example
Replay Based on
Synchronization of Pseudotime Across Group Members
Key Server Manages Relative
Clock Time (not Universal
Clock Time)
Group Members Periodically
Re-sync Pseudo-time with
every Rekey
No Existing Fields in IPSec
Header are Viable for Pseudotime (while maintaining IPSec
compliance)
Presentation_ID
Cisco Confidential
Reject
Initial
pseudotime
Accept
PTr - W
PTr
Reject
PTr + W
Anti-replay window
22
Design
Scenarios
Presentation_ID
Cisco Confidential
23
Any-to-any requirements?
Yes, any-to-any traffic
Additional Enterprise
Security Requirements?
Group Authentication
User Authentication
Addressing of remote
routers?
Static IP addresses or dynamic
Scalability?
10s, 100s, or 1000s of branches
QoS requirements?
LLQ, Traffic Shaping, interface
level, per-VPN tunnel
IP Multicast applications?
Traffic Mix?
pps, bps and packet size
Cisco Confidential
24
Hub Site
Number of
Routing Peers
WAN
Router
Number of
Branches
Other services
provided by
hub (e.g. FW,
IPS, QoS)
Key
Server
Service Provider(s)
Multicast enabled
network
Number of
Concurrent
IKE registrations
WAN
Aggregation
Circuit Speed
Group
Member
Anticipated
Utilization
Branch
Access Speeds
Cisco Confidential
25
Member
Subnet 1
Private
Network
IPSec
SAs
Rekey
SA
Subnet 4
Rekey
SA
Rekey
Keys and
Policy
Rekey
SA
Rekey
Keys
and
Policy
Key Server
IPSec
static map
static
p2p GRE
with NHRP
Group
Member
IPsec
Keys
and
Policy
Key
Server
Corp A
Site 2
IP/MPLS
Network
EIGRP
Corp A
Site 1
Corp B
Site 2
NHRP
DMVPN DMVPN
EIGRP
tunnel
protection
Subnet
4
Subnet
2
IPSec
SAs
Group
Member
IPSec
SAs
Rekey
SA
Group
Membe
r
Subnet 2
IPsec
Keys and
Policy
Rekey
SA
Rekey
SA
Rekey
SA
Group
Member
IPSec
SAs
WAN
IPSec
SAs
IPSec
SAs
IPSec
SAs
Subnet
3
Subnet
1
IPSec
SAs
Rekey
SA
Group
Member
Group
Member
Subnet 3
NHRP
Corp B
Site 3
Corp B
Site 1
CPE-CPE
CPE-CPE Encryption
Encryption w/o
w/o Tunnels
Tunnels
Group-SA
Cisco Confidential
26
Provisioning and
Management
Presentation_ID
Cisco Confidential
27
Presentation_ID
Cisco Confidential
28
Fault Isolation
Show and Debugging capabilities for Key server
show crypto gdoi ks, debug crypto gdoi ks
Presentation_ID
Cisco Confidential
29
WLAN/TKIP
2. Management server
authenticates remote router
using certificate authority
and AAA servers
3. Management server pushes
policy including new
certificate
1. Call Home
ISP
5. Secondary Tunnel
4. Data Tunnel
3.
Data
VPN
Gateway 2
Policy Push
Data
VPN
Gateway 1
Management
VPN Gateway
Access to
Corporate
Resources
ISC, IE2100
Certificate
Authority,
AAA
Presentation_ID
Internal
Network
2. Authenticate
Cisco Confidential
SDP:
Secure Device Provisioning
30
Summary
Enterprise WAN technologies previously forced a
trade-off between QoS-enabled branch interconnectivity and
security
Cisco introduces Group Encrypted Transport (GET) VPN, a
next-generation WAN security technology:
Easy-to-manage, high-scale, any-to-any encrypted communications
Secured packets use existing WAN-agnostic routing infrastructure without
tunnels
Networkwide QoS and Multicast capabilities preserved; improves application
performance
Offers flexible span of control among subscribers and providers
Cisco Confidential
31
Presentation_ID
Cisco Confidential
32