
Group Encrypted Transport VPN (GETVPN)

GETVPN (Group Encrypted Transport VPN) is a tunnel-less VPN technology meant for private networks like MPLS VPN, where we use a single SA (Security Association) for all routers in a group.

When you run IPSec on top of a hub and spoke topology like DMVPN, the hub has an IPSec SA with each and every spoke router. This limits the number of spoke routers you can have. DMVPN supports direct spoke-to-spoke traffic, but when a spoke wants to send traffic to another spoke it first has to create a new IPSec SA, which takes time and causes delay.

Another issue with traditional IPSec is that you can't encapsulate multicast traffic unless you encapsulate it first with GRE.

GETVPN solves the scalability issue by using a single IPSec SA for all routers in a group. It also supports multicast traffic without GRE.

GDOI is the protocol used to distribute the group data (keys and policy) to the group members. GDOI is a next-generation protocol derived from ISAKMP and runs over UDP port 848.

GETVPN Components

GETVPN has four main components:

· GDOI (RFC 6407)

· Key servers (KSs)

· Group Members (GMs)

· IPSec


Group Member

The GM (Group Member) is a VPN router that is a member of the group and encrypts traffic with other
GMs. All GMs have the same IPSec SA so any GM can encrypt traffic with any other GM right away.

Key Server

The KS (Key Server) is the “caretaker” of our group. The KS takes care of group registration and
authentication of GMs. Each GM that wants to join the group registers with the KS and when
authentication is successful, the KS sends the encryption keys and the policy that we use for the group.

When a GM tries to register with the KS, the KS checks a group ID and IKE credentials. When this checks
out, the KS sends the following items to the GM:

· The security policy that we use for the group.

· Two keys:

1. KEK (Key Encryption Key): this is used to encrypt rekey messages. GMs use this key to decrypt
rekey messages from the KS.

2. TEK (Traffic Encryption Key): this becomes the IPSec SA that all GMs use to encrypt traffic
between each other.

The KS sends rekey messages when the current IPSec SA is about to expire or when the security policy is
changed. Rekeying can be done through unicast or multicast. With unicast, each GM sends an
acknowledgment to the KS when it receives the new key. When the KS doesn’t receive an
acknowledgment after 3 transmissions, it deletes the GM. Multicast is a more scalable method for
rekeying but it doesn’t support acknowledgments.

The KS takes care of registration, authentication, the security policy, and the keys, but it's not a GM. The KS does not become part of the group: it does not install or use the IPSec SA.

GDOI

GDOI is the protocol we use between the KS and GMs. It is protected with ISAKMP phase 1, the same ISAKMP we use for regular IPSec, so you can use all ISAKMP authentication options, like a pre-shared key or certificates. In phase 2, the KS sends the two keys (KEK and TEK) and the security policy. The KS keeps track of the SA lifetime and sends a rekey with a new SA when the current one is about to expire. The rekey messages are signed with the private key of the KS, since otherwise anyone could pretend to be the KS.

GETVPN does not support volume-based SA expiry, only time-based SA expiry. Volume-based is not
practical since many GMs use the same SA.
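The registration and rekey behaviour described in the Key Server and GDOI sections above, as an added Python model (this is not Cisco's implementation or code from the original page). It assumes a constructed group ID and pre-shared key, stands in for AES with a toy XOR stream cipher, and stands in for the KS's RSA signature with an HMAC whose key the GM receives at registration; the acknowledgment is modelled as the return value of the GM's receive function.

```python
"""Added model of GETVPN key distribution: a key server (KS) registering group
members (GMs), handing out the KEK and TEK, and rekeying over unicast with
acknowledgments. Constructed illustration, not Cisco's implementation."""
import hashlib
import hmac
import secrets
import struct

SIG_LEN = 32    # length of the HMAC-SHA256 tag that stands in for the KS signature
NONCE_LEN = 16


def toy_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy stream cipher (XOR with a SHA-256 keystream) standing in for AES.
    Symmetric, so the same call decrypts. Illustration only, never use for real."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hashlib.sha256(key + nonce + struct.pack("!I", i // 32)).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


class KeyServer:
    REKEY_TRANSMISSIONS = 3  # a GM that never acknowledges is deleted after 3 tries

    def __init__(self, group_id: int, psk: bytes, policy: dict, tek_lifetime: int, now: int):
        self.group_id, self.psk, self.policy = group_id, psk, policy
        self.tek_lifetime = tek_lifetime          # time-based expiry only
        # Stand-in for the KS's RSA signing key. Real GETVPN gives GMs the public
        # half; in this model GMs receive the HMAC key at registration instead.
        self.sign_key = secrets.token_bytes(32)
        self.kek = secrets.token_bytes(32)        # Key Encryption Key: protects rekeys
        self.tek = secrets.token_bytes(32)        # Traffic Encryption Key: the shared SA
        self.tek_expiry = now + tek_lifetime
        self.members: set = set()                 # registered GM identifiers

    def register(self, gm_id: str, group_id: int, psk: bytes) -> dict:
        """Registration happens inside an IKE-protected session; the KS checks the
        group ID and the credential before releasing policy and keys."""
        if group_id != self.group_id or not hmac.compare_digest(psk, self.psk):
            raise PermissionError(f"registration of {gm_id} refused")
        self.members.add(gm_id)
        return {"policy": self.policy, "kek": self.kek, "tek": self.tek,
                "tek_expiry": self.tek_expiry, "verify_key": self.sign_key}

    def build_rekey(self, now: int) -> bytes:
        """Generate a new TEK, encrypt it under the KEK and sign the result so that
        nobody else can pose as the KS."""
        self.tek = secrets.token_bytes(32)
        self.tek_expiry = now + self.tek_lifetime
        nonce = secrets.token_bytes(NONCE_LEN)
        plaintext = self.tek + struct.pack("!Q", self.tek_expiry)
        body = nonce + toy_encrypt(self.kek, nonce, plaintext)
        return body + hmac.new(self.sign_key, body, "sha256").digest()

    def unicast_rekey(self, gms: dict, now: int) -> list:
        """Unicast rekey: send to every registered GM, retransmit up to
        REKEY_TRANSMISSIONS times, delete GMs that never acknowledge."""
        msg = self.build_rekey(now)
        dropped = []
        for gm_id in sorted(self.members):
            gm = gms.get(gm_id)
            acked = any(gm is not None and gm.receive_rekey(msg)
                        for _ in range(self.REKEY_TRANSMISSIONS))
            if not acked:
                self.members.discard(gm_id)
                dropped.append(gm_id)
        return dropped


class GroupMember:
    def __init__(self, gm_id: str, group_id: int, psk: bytes, online: bool = True):
        self.gm_id, self.group_id, self.psk, self.online = gm_id, group_id, psk, online
        self.state = None  # policy and keys received from the KS

    def join(self, ks: KeyServer) -> None:
        self.state = ks.register(self.gm_id, self.group_id, self.psk)

    def receive_rekey(self, msg: bytes) -> bool:
        """Verify the KS signature, decrypt with the KEK, install the new TEK.
        Returns True to model the acknowledgment sent back to the KS."""
        if not self.online:
            return False                           # no ack reaches the KS
        body, sig = msg[:-SIG_LEN], msg[-SIG_LEN:]
        expected = hmac.new(self.state["verify_key"], body, "sha256").digest()
        if not hmac.compare_digest(expected, sig):
            return False                           # not from the KS: ignore it
        nonce, ciphertext = body[:NONCE_LEN], body[NONCE_LEN:]
        plaintext = toy_encrypt(self.state["kek"], nonce, ciphertext)
        self.state["tek"] = plaintext[:32]
        self.state["tek_expiry"] = struct.unpack("!Q", plaintext[32:40])[0]
        return True

    def sa_valid(self, now: int) -> bool:
        """Time-based expiry is the only kind GETVPN supports."""
        return now < self.state["tek_expiry"]
```

Registering two GMs against one KS leaves both holding the identical TEK, which is the "single SA for the whole group" property; a GM that goes silent during a unicast rekey is removed from the KS's member list after the third unanswered transmission, and a message whose signature does not verify is neither installed nor acknowledged.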

IPSec

GETVPN uses ESP (Encapsulating Security Payload), the same as traditional IPSec VPNs. It only supports tunnel mode, which encapsulates the entire IP packet and adds a new IP header. There is a twist, however: GETVPN uses tunnel mode with address preservation. This means it copies the inner IP header to the outer IP header without any changes.
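Tunnel mode with address preservation, as an added Python illustration (not code from the original page or from Cisco). It builds a constructed inner IPv4 packet, wraps it in ESP tunnel mode and compares the GETVPN outer header with the one a classic site-to-site tunnel would produce. The ESP body is left unencrypted and the ICV length is an assumed 16 bytes, because only the header handling is being shown.

```python
"""Added illustration of ESP tunnel mode with address preservation: the outer
IP header of a GETVPN packet carries the inner packet's own source and
destination addresses. Constructed example, not Cisco code; the ESP body is
left unencrypted because only the header handling is shown."""
import ipaddress
import struct

ESP_PROTO = 50
ESP_HEADER_LEN = 8        # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER_LEN = 2 + 16  # pad length + next header, plus an assumed 16-byte ICV
IPV4_FMT = "!BBHHHBBH4s4s"


def ipv4_checksum(header: bytes) -> int:
    """One's-complement checksum over an IPv4 header whose checksum field is zero."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload_len: int, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) with a valid checksum."""
    hdr = struct.pack(IPV4_FMT, 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def parse_ipv4(pkt: bytes) -> dict:
    """Decode the fields this example cares about and verify the header checksum."""
    ver_ihl, _tos, total_len, _id, _ff, ttl, proto, csum, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    zeroed = pkt[:10] + b"\x00\x00" + pkt[12:ihl]
    return {"ihl": ihl, "total_len": total_len, "ttl": ttl, "proto": proto,
            "src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "checksum_ok": ipv4_checksum(zeroed) == csum}


def esp_tunnel_encapsulate(inner_pkt: bytes, spi: int, seq: int,
                           outer_src: str = None, outer_dst: str = None) -> bytes:
    """Wrap a complete IP packet in ESP tunnel mode and prepend a new IP header.
    With outer_src/outer_dst omitted the outer addresses are copied unchanged from
    the inner header, which is GETVPN's address preservation; pass tunnel
    endpoint addresses instead to model a classic site-to-site IPsec tunnel."""
    inner = parse_ipv4(inner_pkt)
    esp = struct.pack("!II", spi, seq) + inner_pkt + bytes(ESP_TRAILER_LEN)
    return build_ipv4(outer_src or inner["src"], outer_dst or inner["dst"], ESP_PROTO, len(esp)) + esp


def esp_tunnel_decapsulate(pkt: bytes) -> bytes:
    """Strip the outer header, ESP header and trailer, returning the inner packet."""
    outer = parse_ipv4(pkt)
    if outer["proto"] != ESP_PROTO:
        raise ValueError("not an ESP packet")
    start = outer["ihl"] + ESP_HEADER_LEN
    return pkt[start:outer["total_len"] - ESP_TRAILER_LEN]


def address_preserved(pkt: bytes) -> bool:
    """True when the outer header carries the same addresses as the inner one,
    i.e. the private network can route the packet exactly like the original."""
    outer, inner = parse_ipv4(pkt), parse_ipv4(esp_tunnel_decapsulate(pkt))
    return (outer["src"], outer["dst"]) == (inner["src"], inner["dst"])


# Constructed sample: a UDP packet between two sites, as a GM would see it.
INNER_PACKET = build_ipv4("192.168.1.10", "192.168.2.20", 17, 100) + bytes(100)
GETVPN_PACKET = esp_tunnel_encapsulate(INNER_PACKET, spi=0x1000, seq=1)
CLASSIC_PACKET = esp_tunnel_encapsulate(INNER_PACKET, spi=0x1000, seq=1,
                                        outer_src="10.0.0.1", outer_dst="10.0.0.2")
```

The point the comparison makes is that the GETVPN packet is still addressed from 192.168.1.10 to 192.168.2.20 after encapsulation, so the MPLS VPN forwards it exactly as it forwarded the original, whereas the classic tunnel packet is addressed between the two tunnel endpoints and hides the real endpoints from the transport network.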


GETVPN is meant for private networks, like MPLS VPN where you have full reachability between all sites.
