Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
789
Views
0
Helpful
4
Replies

GETVPN and rekeying when many group members leave at the same time

Go to solution
supercolver
Level 1
Level 1

‎08-06-2013 04:51 AM - edited ‎02-21-2020 07:04 PM

It's not specified how Key Servers react when many group members leave at the same time. For example, if 3 members leave a same group, did the key manager sends three keys (KEK,TEK), and only the last one will be available for future connections ? Or did the key manager optimizes the rekeying and sends only one key ?

Thanks

Labels:
0 Helpful
1 Accepted Solution

Accepted Solutions

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to supercolver

‎08-08-2013 02:59 AM

Pierre,

On itself it's not insecure. You can extract the session keys from memory (not impossible but tricky).

I guess what you're looking for is a red button to clear SAs on all devices?

In which case:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-6267F36C-094F-483F-A1CA-735D39484364

Specifically "clear crypto gdoi ks members now"

Was there any particular risk you were thinking about?

M.

View solution in original post

0 Helpful
4 Replies 4

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee

‎08-07-2013 06:58 AM

Pierre,

TEK and KEK (for the most part) do not change during their lifetime.

A change of state of a particular GM does not affect TEK used by other peers.

M.

0 Helpful

Go to solution
supercolver
Level 1
Level 1
In response to Marcin Latosiewicz

‎08-08-2013 02:16 AM

Thanks for your answer Marcin,

So, that means if a member leave his group, he will be able to read messages of his old group until the life-time of the TEK expires ? It's a little bit unsecure, isn't it?

Pierre

0 Helpful

Go to solution
Marcin Latosiewicz
Cisco Employee
Cisco Employee
In response to supercolver

‎08-08-2013 02:59 AM

Pierre,

On itself it's not insecure. You can extract the session keys from memory (not impossible but tricky).

I guess what you're looking for is a red button to clear SAs on all devices?

In which case:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-6267F36C-094F-483F-A1CA-735D39484364

Specifically "clear crypto gdoi ks members now"

Was there any particular risk you were thinking about?

M.

0 Helpful

Go to solution
supercolver
Level 1
Level 1
In response to Marcin Latosiewicz

‎08-08-2013 04:35 AM

That's what i was looking for, thanks very much. I thought that all SAs were cleared by default when a gm leave.

Thanks again, have a nice day.

Pierre

0 Helpful
Customers Also Viewed These Support Documents