GetVPN
1. Topology

2. Overview
GetVPN runs over a private IP transport, is tunnel-less, and preserves the original IP header.

3. Basic architecture
Step 1: Group Members (GMs) register via GDOI with the Key Server (KS)
•KS authenticates and authorizes the GMs
•KS pushes down a set of IPSec SAs for the GMs to use
Step 2: Data plane encryption
•GMs exchange encrypted traffic using the group keys
•Traffic is forwarded using IPSec tunnel mode with header preservation
Step 3: Periodic rekey of keys
•KS pushes out replacement IPSec keys before the current IPSec keys expire; this is called a rekey

4. GetVPN deployment
4.1 On the KS, generate the RSA key pair that is required for rekey authentication
•RSA public key distribution from KS to GM:
–The public key is sent to the GM at GDOI registration
–Rekeys are signed with the private key of the KS; the GM verifies the signature on the rekey with the public key of the KS
•Exporting the RSA key between KSs:
–One of the KSs in the redundancy group should generate the ex
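The three architecture steps and the rekey-authentication rule in 4.1 can be modelled end to end. The following is an added example written for this page; it is not Cisco code and not GDOI, but a simulation that keeps the roles the text describes: the KS generates an RSA key pair, the GM learns the public key at registration together with its first SA, and the GM installs a pushed rekey only if the signature verifies and the current SA has not already lapsed. The RSA primes, the SA dictionary (spi, key, expires_at), and the GroupMember class are constructed for illustration; the key size is a toy and must not be used for anything real.

```python
import hashlib
import json

# Toy RSA parameters (constructed for the example): two Mersenne primes give a
# ~92-bit modulus, far too small for real use but enough to show the mechanism.
P = (1 << 61) - 1
Q = (1 << 31) - 1
E = 65537


def generate_ks_keypair():
    """Step 4.1: the KS generates the RSA key pair used to sign rekeys."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)  # gcd(E, phi) == 1 for these primes
    return {"n": n, "e": E}, {"n": n, "d": d}


def _digest_as_int(payload: bytes, n: int) -> int:
    # Hash the rekey payload and reduce into the RSA group (toy padding, no PKCS#1).
    return int.from_bytes(hashlib.sha256(payload).digest(), "big") % n


def sign_rekey(ks_private: dict, rekey: dict):
    """KS side: serialise the rekey (new key material + lifetime) and sign it."""
    payload = json.dumps(rekey, sort_keys=True).encode()
    sig = pow(_digest_as_int(payload, ks_private["n"]), ks_private["d"], ks_private["n"])
    return payload, sig


def verify_rekey(ks_public: dict, payload: bytes, sig: int) -> bool:
    """GM side: check the rekey signature with the KS public key."""
    return pow(sig, ks_public["e"], ks_public["n"]) == _digest_as_int(payload, ks_public["n"])


class GroupMember:
    def __init__(self, ks_public: dict, initial_sa: dict):
        # Step 1: at GDOI registration the GM learns the KS public key and
        # receives its first IPSec SA (hypothetical dict: spi, key, expires_at).
        self.ks_public = ks_public
        self.sa = initial_sa

    def handle_rekey(self, payload: bytes, sig: int, now: int) -> str:
        """Step 3: install a pushed rekey only if it is authentic and timely."""
        if not verify_rekey(self.ks_public, payload, sig):
            return "rejected: signature does not verify against KS public key"
        if now >= self.sa["expires_at"]:
            # A real GM re-registers with the KS when its SA expires without a rekey.
            return "expired: current SA lapsed before rekey, re-registration needed"
        self.sa = json.loads(payload)
        return "installed"


def run_demo() -> dict:
    """Drive registration, a good rekey, a tampered rekey and a late rekey."""
    ks_public, ks_private = generate_ks_keypair()
    initial_sa = {"spi": 4096, "key": "00" * 16, "expires_at": 3600}  # constructed values
    gm = GroupMember(ks_public, initial_sa)

    # KS pushes a replacement SA before the current one expires (t = 3000 < 3600).
    payload, sig = sign_rekey(ks_private, {"spi": 4097, "key": "11" * 16, "expires_at": 7200})
    good = gm.handle_rekey(payload, sig, now=3000)

    # Same signature over a modified payload (e.g. corrupted in transit) must not install.
    payload2, sig2 = sign_rekey(ks_private, {"spi": 4098, "key": "22" * 16, "expires_at": 10800})
    tampered = payload2.replace(b'"spi": 4098', b'"spi": 9999')
    bad = gm.handle_rekey(tampered, sig2, now=6000)

    # A rekey that arrives at or after the current SA lifetime is too late.
    payload3, sig3 = sign_rekey(ks_private, {"spi": 4099, "key": "33" * 16, "expires_at": 14400})
    late = gm.handle_rekey(payload3, sig3, now=7200)

    return {"good": good, "tampered": bad, "late": late, "active_spi": gm.sa["spi"]}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name}: {result}")
```

The point the simulation makes is the one in 4.1: the GM never trusts a rekey because of where it came from, only because the signature verifies under the public key it received at registration, which is why that key has to exist on the KS (and be shared between redundant KSs) before the first rekey is ever sent.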