The GDOI protocol is used for group key and group SA management. GDOI uses the Internet Security Association and Key Management Protocol (ISAKMP) to authenticate the GMs and KSs. All the standard ISAKMP authentication schemes, such as RSA signatures (certificates) and pre-shared keys, can be used for GETVPN.
All the necessary crypto policies are configured only on the KS. This includes the crypto access list, crypto policies, lifetimes, etc.
Typically the KS is installed in the data center of the customer network. The CPE routers connecting to the MPLS core are configured as GMs. The KS should be reachable from all GMs through the core or the enterprise network.
The steps below explain protocol flows that are necessary for Group Members to participate in a GETVPN group:
1. Once the GM boots up, it attempts to register with the KS using the GDOI protocol.
2. Registration goes through after successful mutual authentication.
3. After successful registration, the GM receives the KEK and TEK keys.
4. GMs can now encrypt and decrypt packets as specified by the SA.
5. The KS keeps track of the SA lifetime. It sends rekey information when the current SA is about to expire. Rekey information includes the new SA and session key details. Rekey messages are sent in advance of the SA expiration time to ensure that valid group keys are always available.
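The registration and rekey flow above, modelled as an added Python example (not Cisco's or any real GDOI implementation): ISAKMP authentication is reduced to an HMAC proof over a constructed pre-shared key, the KEK authenticates rekey messages, and the group member keeps the old TEK until it expires so that the early rekey leaves no gap in coverage. The names KeyServer, GroupMember, simulate and the constant PSK are assumptions of this example, as are the lifetime and rekey-lead values.

```python
# Toy GETVPN registration/rekey model (constructed example, not Cisco's or real GDOI code).
import hashlib, hmac, os
from collections import namedtuple
PSK = b"constructed-group-psk"                         # constructed pre-shared key
GroupSA = namedtuple("GroupSA", "spi tek expires_at")  # SPI, traffic key, expiry (seconds)
def auth_proof(psk, name):     # stand-in for ISAKMP pre-shared-key authentication of a GM
    return hmac.new(psk, name.encode(), hashlib.sha256).digest()
def rekey_tag(kek, sa):        # the KEK authenticates a rekey carrying a new TEK
    return hmac.new(kek, sa.spi.to_bytes(4, "big") + sa.tek, hashlib.sha256).digest()
class KeyServer:
    def __init__(self, psk, lifetime, rekey_lead):
        self.psk, self.lifetime, self.rekey_lead = psk, lifetime, rekey_lead
        self.kek, self.members, self.spi = os.urandom(32), [], 0
        self.sa = self._new_sa(now=0)
    def _new_sa(self, now):
        self.spi += 1
        sa = GroupSA(self.spi, os.urandom(32), now + self.lifetime)
        self.rekey_at = sa.expires_at - self.rekey_lead  # rekey is sent ahead of expiry
        return sa
    def register(self, gm, proof):       # steps 1-3: authenticate, then release KEK and TEK
        if not hmac.compare_digest(proof, auth_proof(self.psk, gm.name)):
            raise PermissionError("GM authentication failed: no keys released")
        self.members.append(gm)
        gm.kek, gm.sas = self.kek, [self.sa]
    def tick(self, now):                 # step 5: push a new SA before the current one expires
        if now >= self.rekey_at:
            self.sa = new = self._new_sa(now)
            for gm in self.members:
                gm.rekey(new, rekey_tag(self.kek, new))
class GroupMember:
    def __init__(self, name):
        self.name, self.kek, self.sas = name, None, []
    def rekey(self, sa, tag):            # accept only rekeys protected by our group KEK
        if not hmac.compare_digest(tag, rekey_tag(self.kek, sa)):
            raise ValueError("rekey not authenticated by group KEK")
        self.sas.append(sa)
    def current_sa(self, now):           # newest unexpired SA, or None if left without keys
        self.sas = [s for s in self.sas if s.expires_at > now]
        return self.sas[-1] if self.sas else None
def simulate(lifetime=3600, rekey_lead=300, duration=10000, step=60):
    ks, gm = KeyServer(PSK, lifetime, rekey_lead), GroupMember("cpe-1")
    ks.register(gm, auth_proof(PSK, gm.name))
    spis = set()                         # SPIs the GM used; None below means it went keyless
    for now in range(0, duration, step):
        ks.tick(now)
        if (sa := gm.current_sa(now)) is None:
            return None
        spis.add(sa.spi)
    return sorted(spis)
```

With the defaults the GM sees four SPIs over the run and is never without a valid TEK; a rekey that arrives only after expiry (a negative lead) makes simulate return None, and a GM presenting a proof under the wrong PSK is refused before any key is released.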