Cisco Support Community
Community Member

GETVPN and rekeying when many group members leave at the same time

It's not specified how Key Servers react when many group members leave at the same time. For example, if 3 members leave the same group, does the key manager send three keys (KEK, TEK), with only the last one available for future connections? Or does the key manager optimize the rekeying and send only one key?

Thanks

4 REPLIES
Cisco Employee


Pierre,

TEK and KEK (for the most part) do not change during their lifetime.

A change of state of a particular GM does not affect TEK used by other peers.

M.

Community Member


Thanks for your answer Marcin,

So that means if a member leaves his group, he will be able to read messages of his old group until the lifetime of the TEK expires? It's a little bit insecure, isn't it?

Pierre

Cisco Employee (Accepted Solution)


Pierre,

In itself it's not insecure. You can extract the session keys from memory (not impossible but tricky).

I guess what you're looking for is a red button to clear SAs on all devices?

In which case:

http://www.cisco.com/en/US/docs/ios-xml/ios/sec_conn_getvpn/configuration/15-2mt/sec-get-vpn.html#GUID-6267F36C-094F-483F-A1CA-735D39484364

Specifically "clear crypto gdoi ks members now"

Was there any particular risk you were thinking about?

M.
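
As an added example (not code from the thread or from Cisco's documentation): a key-server configuration fragment showing the two knobs that bound how long a departed GM's copy of the keys stays valid (the TEK lifetime set in the IPsec profile and the KEK rekey lifetime under the group), followed by the exec-mode sequence built around the "clear crypto gdoi ks members now" command from the answer. The group name, identity number, ACL, profile, transform set, RSA key label and addresses are placeholders; the commands are written from memory of IOS 15.x GETVPN syntax and should be checked against the command reference for the release in use.

```ios
! Added example, not from the original thread. All names and addresses are placeholders.
!
! TEK lifetime: after a GM leaves, the TEK it already holds is usable at most this long.
crypto ipsec transform-set GETVPN-TS esp-aes 256 esp-sha-hmac
 mode tunnel
!
crypto ipsec profile GETVPN-PROFILE
 set security-association lifetime seconds 3600
 set transform-set GETVPN-TS
!
! Traffic the group encrypts (symmetric any-to-any ACL, placeholder ranges).
ip access-list extended GETVPN-TRAFFIC
 permit ip 10.1.0.0 0.0.255.255 10.1.0.0 0.0.255.255
!
crypto gdoi group GETVPN-GRP
 identity number 1234
 server local
  ! KEK lifetime: bounds how long a departed GM can still decrypt rekey messages.
  rekey lifetime seconds 86400
  rekey algorithm aes 256
  rekey retransmit 10 number 2
  rekey authentication mypubkey rsa GETVPN-REKEY
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROFILE
   match address ipv4 GETVPN-TRAFFIC
   replay time window-size 5
  address ipv4 10.0.0.1
!
! Exec mode on the KS: the "red button" from the answer. Record who is registered,
! drop every GM from the KS database so that all of them must re-register, then
! confirm the member table is empty. Remaining GMs re-register and pick up fresh SAs.
! Router# show crypto gdoi ks members
! Router# clear crypto gdoi ks members now
! Router# show crypto gdoi ks members
```

The point of the lifetime settings is that, as the answer states, a GM's departure by itself does not change the TEK or KEK; the lifetimes are the only automatic bound on the exposure window, and the clear command is the manual one.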

Community Member


That's what I was looking for, thanks very much. I thought that all SAs were cleared by default when a GM leaves.

Thanks again, have a nice day.

Pierre
