GETVPN and rekeying when many group members leave at the same time

supercolver (Level 1)

It's not specified how Key Servers react when many group members leave at the same time. For example, if 3 members leave the same group, does the key manager send three keys (KEK, TEK), with only the last one available for future connections? Or does the key manager optimize the rekeying and send only one key?

Thanks


4 Replies

Marcin Latosiewicz (Cisco Employee)

Pierre,

TEK and KEK (for the most part) do not change during their lifetime.

A change of state of a particular GM does not affect TEK used by other peers.

M.

Thanks for your answer Marcin,

So, that means if a member leaves his group, he will be able to read messages of his old group until the lifetime of the TEK expires? It's a little bit insecure, isn't it?

Pierre

Pierre,

In itself it's not insecure. You can extract the session keys from memory (not impossible but tricky).

I guess what you're looking for is a red button to clear SAs on all devices?

In which case:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-6267F36C-094F-483F-A1CA-735D39484364

Specifically "clear crypto gdoi ks members now"

Was there any particular risk you were thinking about?

M.
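The behaviour the replies above describe, written out as a small simulation. This is an added example, not part of the original thread and not Cisco's GDOI implementation: it models only the claims made here (a GM leaving, alone or in a batch, does not change the TEK other GMs use; the departed GM keeps a usable key until the TEK lifetime runs out or the operator forces a rekey, the model's stand-in for `clear crypto gdoi ks members now`). All class and function names are hypothetical, and the cipher is an HMAC-SHA256 keystream plus tag standing in for ESP's AES so that "cannot decrypt" is observable rather than just a comment.

```python
"""Toy model of GETVPN key handling as the replies above describe it.

Added example: not Cisco code and not the IOS GDOI implementation. A GM
leaving (alone or in a batch) does not change the TEK other GMs use, so the
departed GM keeps a working key until the TEK lifetime runs out or an operator
forces a rekey (the stand-in here for "clear crypto gdoi ks members now").
All names are hypothetical; the cipher is an HMAC-SHA256 keystream plus tag,
a stand-in for ESP's AES so that "cannot decrypt" is observable.
"""
import hashlib
import hmac
import os
import struct
from dataclasses import dataclass, field
from typing import Dict, Optional


def _keystream_xor(tek: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream (symmetric, toy)."""
    out = bytearray()
    for block, off in enumerate(range(0, len(data), 32)):
        ks = hmac.new(tek, b"ks" + nonce + struct.pack(">I", block), hashlib.sha256).digest()
        out.extend(x ^ k for x, k in zip(data[off:off + 32], ks))
    return bytes(out)


def seal(tek: bytes, plaintext: bytes) -> bytes:
    """nonce(8) | ciphertext | tag(16); the tag is keyed by the TEK."""
    nonce = os.urandom(8)
    ct = _keystream_xor(tek, nonce, plaintext)
    tag = hmac.new(tek, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def unseal(tek: bytes, blob: bytes) -> bytes:
    """Raise ValueError when blob was not sealed under this TEK."""
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expect = hmac.new(tek, b"tag" + nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expect):
        raise ValueError("integrity check failed: wrong TEK")
    return _keystream_xor(tek, nonce, ct)


@dataclass
class GroupMember:
    name: str
    tek: Optional[bytes] = None   # whatever the GM last received; kept after leaving

    def send(self, plaintext: bytes) -> bytes:
        return seal(self.tek, plaintext)

    def receive(self, blob: bytes) -> bytes:
        return unseal(self.tek, blob)


@dataclass
class KeyServer:
    tek_lifetime: int                      # seconds, like the IPsec SA lifetime
    members: Dict[str, GroupMember] = field(default_factory=dict)
    tek: bytes = field(default_factory=lambda: os.urandom(32))
    tek_installed_at: int = 0
    rekeys_sent: int = 0

    def register(self, gm: GroupMember) -> None:
        gm.tek = self.tek                  # registration hands out the current TEK
        self.members[gm.name] = gm

    def leave(self, name: str) -> None:
        # Nothing cryptographic happens: the KS just stops sending this GM rekeys.
        del self.members[name]

    def _rekey(self, now: int) -> None:
        self.tek = os.urandom(32)
        self.tek_installed_at = now
        self.rekeys_sent += 1              # one rekey, however many GMs have left
        for gm in self.members.values():   # departed GMs are no longer listed
            gm.tek = self.tek

    def refresh(self, now: int) -> bool:
        """Scheduled rekey: fires only once the TEK lifetime has run out."""
        if now - self.tek_installed_at >= self.tek_lifetime:
            self._rekey(now)
            return True
        return False

    def force_rekey(self, now: int) -> None:
        """Operator 'red button', the analogue of clear crypto gdoi ks members now."""
        self._rekey(now)


def run_scenario() -> dict:
    """Four GMs register, two leave at once, traffic flows before and after a
    forced rekey. Returns what each party could read and how many rekeys went out."""
    ks = KeyServer(tek_lifetime=3600)
    a, b, c, d = (GroupMember(n) for n in "abcd")
    for gm in (a, b, c, d):
        ks.register(gm)
    tek_at_start = ks.tek
    ks.leave("c")
    ks.leave("d")                          # two departures at the same moment
    r = {"rekeys_after_leaves": ks.rekeys_sent, "tek_unchanged": ks.tek == tek_at_start}
    r["scheduled_rekey_before_lifetime"] = ks.refresh(now=1800)
    msg = a.send(b"still the old TEK")
    r["departed_gm_reads_pre_rekey_traffic"] = c.receive(msg) == b"still the old TEK"
    ks.force_rekey(now=1800)
    r["rekeys_after_force"] = ks.rekeys_sent
    msg = a.send(b"fresh TEK")
    r["remaining_gm_reads_post_rekey_traffic"] = b.receive(msg) == b"fresh TEK"
    try:
        c.receive(msg)
        r["departed_gm_reads_post_rekey_traffic"] = True
    except ValueError:
        r["departed_gm_reads_post_rekey_traffic"] = False
    r["scheduled_rekey_at_lifetime"] = ks.refresh(now=1800 + 3600)
    return r
```

Run `run_scenario()` and note two things the model makes concrete: the departures generate zero rekey messages (so the original question of three rekeys versus one does not arise in this model), and a single forced rekey at a moment of the operator's choosing cuts off every departed GM at once. The practical knobs are therefore the TEK lifetime, which bounds how long a departed GM can keep reading, and the forced rekey, which ends it immediately.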

That's what I was looking for, thanks very much. I thought that all SAs were cleared by default when a GM leaves.

Thanks again, have a nice day.

Pierre
