
GETVPN and rekeying when many group members leave at the same time

Answered Question
Aug 6th, 2013

It's not specified how Key Servers react when many group members leave at the same time. For example, if 3 members leave the same group, does the key manager send three keys (KEK, TEK), and only the last one will be available for future connections? Or does the key manager optimize the rekeying and send only one key?


Thanks

Marcin Latosiewicz Wed, 08/07/2013 - 06:58
User Badges:
  • Cisco Employee,

Pierre,


TEK and KEK (for the most part) do not change during their lifetime.

A change of state of a particular GM does not affect TEK used by other peers.


M.

supercolver Thu, 08/08/2013 - 02:16

Thanks for your answer Marcin,


So, that means if a member leaves his group, he will be able to read messages of his old group until the lifetime of the TEK expires? It's a little bit insecure, isn't it?


Pierre

Correct Answer
Marcin Latosiewicz Thu, 08/08/2013 - 02:59
User Badges:
  • Cisco Employee,

Pierre,


In itself it's not insecure. You can extract the session keys from memory (not impossible but tricky).


I guess what you're looking for is a red button to clear SAs on all devices?

In which case:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-6267F36C-094F-483F-A1CA-735D39484364


Specifically "clear crypto gdoi ks members now"


Was there any particular risk you were thinking about?



M.
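
Marcin's two points, as an added Python example that is not Cisco code or anything posted in the thread: a GM that leaves keeps a usable TEK until that TEK's lifetime ends, while the forced rekey is modelled (an assumption about what "clear crypto gdoi ks members now" does, simplified) as dropping every GM and generating a fresh TEK. KeyServer, Tek and their methods are constructed names; times are integer seconds.

```python
import secrets
from dataclasses import dataclass


@dataclass
class Tek:
    key: bytes
    issued_at: int
    lifetime: int  # seconds; valid for [issued_at, issued_at + lifetime)

    def valid_at(self, now: int) -> bool:
        return self.issued_at <= now < self.issued_at + self.lifetime


class KeyServer:
    def __init__(self, tek_lifetime: int) -> None:
        self.tek_lifetime = tek_lifetime
        self.now = 0  # integer seconds
        self.members: set[str] = set()
        self.delivered: dict[str, list[Tek]] = {}  # gm -> every TEK pushed to it
        self.tek = self._fresh_tek()

    def _fresh_tek(self) -> Tek:
        return Tek(secrets.token_bytes(16), self.now, self.tek_lifetime)

    def register(self, gm: str) -> None:  # a registering GM gets the current TEK
        self.members.add(gm)
        self.delivered.setdefault(gm, []).append(self.tek)

    def leave(self, gm: str) -> None:
        # The thread's point: leaving triggers no rekey; the GM keeps its TEK copy.
        self.members.discard(gm)

    def tick(self, seconds: int) -> None:
        # After the TEK lifetime, a new TEK goes only to GMs the KS still knows (toy rekey).
        self.now += seconds
        if not self.tek.valid_at(self.now):
            self._rekey()

    def clear_members_now(self) -> None:
        # Assumed model of "clear crypto gdoi ks members now": drop all GMs, issue a fresh TEK.
        self.members.clear()
        self._rekey()

    def _rekey(self) -> None:
        self.tek = self._fresh_tek()
        for gm in self.members:
            self.delivered[gm].append(self.tek)

    def can_decrypt(self, gm: str) -> bool:  # does gm hold the group's current TEK?
        return any(t.key == self.tek.key for t in self.delivered.get(gm, []))
```

A departed GM in this model stays able to decrypt until the periodic rekey or a forced one, which is the exposure window the thread is about.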

supercolver Thu, 08/08/2013 - 04:35

That's what I was looking for, thanks very much. I thought that all SAs were cleared by default when a GM leaves.

Thanks again, have a nice day.


Pierre
