Deploying GET to Secure VPNs



2 Deploying GET to Secure VPNs
Scott Wainner, Distinguished Systems Engineer

3 Session Objectives and Prerequisites
Session objectives:
- Identify VPN environments where GET is applicable
- Understand how GET can secure a VPN
- Understand how GET functions
- Understand how to deploy GET
- Understand the strategic directions for GET
Prerequisites:
- Knowledge of IPsec protocols
- Knowledge of IP VPN technologies

4 Agenda
- Overview
- A Group Paradigm for Security
- VPN Environments
- GET Components and Functions
- GET Deployment Methods
- Strategic Directions for GET

5 A Group Paradigm for Security

6 Key Messages
- Security paradigms: point-to-point security paradigm; group security paradigm
- Security policies
- Conditions for group security
- Challenges for group security

7 Point-to-Point Security Paradigm
- Routing connectivity between two crypto end-points
- Tunneling between two crypto end-points
- Routing through the crypto tunnel
(Diagram: IP core with a core routing adjacency, an overlay routing adjacency and a crypto session between the two end-points)

8 Group Security Paradigm
- Routing between any network entity
- Securing traffic between a set of network entities
- Preserving the routing context between all network entities
(Diagram: IP VPN group with core routing adjacencies and crypto sessions between all entities)

9 Secure Multicast Data Plane Model
Premise: the sender does not know the potential recipients.
(Diagram: a sending GM and three other GMs)

10 Secure Multicast Data Plane Model
Premise: the sender does not know the potential recipients.
- Sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
(Diagram: KS and four GMs)

11 Secure Multicast Data Plane Model
Premise: the sender does not know the potential recipients.
- Sender assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
- Encrypt multicast with IP address preservation
- Replication in the core based on the original (S,G)
(Diagram: KS and four GMs, with the encrypted multicast replicated in the core)

12 Corollary: Secure Unicast Data Plane
Premise: the receiver advertises the destination prefix but does not know the potential encryption sources.
(Diagram: a receiving GM and three other GMs)

13 Corollary: Secure Unicast Data Plane
Premise: the receiver advertises the destination prefix but does not know the potential encryption sources.
- Receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
(Diagram: KS and four GMs)

14 Corollary: Secure Unicast Data Plane
Premise: the receiver advertises the destination prefix but does not know the potential encryption sources.
- Receiver assumes that legitimate group members obtain the Traffic Encryption Key from the key server for the group
- Receiver can authenticate the group membership
(Diagram: KS and four GMs)

15 Group Encrypted Transport Data Plane Format
- Preservation of the original IP addresses and DSCP in the encapsulating IP packet
- Encapsulating Security Payload (ESP) with an irrelevant sequence number
- OPTIONAL: time-based anti-replay in lieu of the sequence number
- IPsec next header identified as IANA private encryption (protocol = 99)
- Cisco Meta Data (99) carries the pseudo time stamp for receiver verification
Packet layout (outer to inner):
- IP Header (Outer): preserved IP addresses from the inner IP header
- ESP header: Security Parameter Index (SPI); Sequence Number (ignored by the receiver for group encryption)
- Cisco Meta Data (MD 99): Next Header = IP; Length (0x2); Version (0x1); Reserved; Len (0x1); Type 5 = Time-based Anti-Replay; Reserved; Pseudo Time Stamp (time-based anti-replay)
- IP Header (Inner)
- Original IP Payload
- ESP trailer: IPsec Padding; Pad Length; Next Header (MD 99)
- Authentication Tag
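The slide says the ESP sequence number is ignored and a pseudo time stamp is checked instead. The following added example (not Cisco code and not from the deck) shows why: a conventional per-sender sequence window drops a second sender's packets when both share one group TEK, while a pseudotime window accepts them. The 100-second window and the 64-packet sliding window are illustrative values assumed here, not taken from the slide.

```python
"""Why GET ignores the ESP sequence number and uses time-based anti-replay (TBAR).

Added example; not Cisco code. The receiver keeps a pseudotime clock set by the
key server and checks each packet's pseudo time stamp (from the Cisco Meta Data
header) against it. The window size (100 s) and the 64-packet sliding window
used for comparison are assumptions for this example.
"""


class SequenceWindow:
    """Conventional point-to-point ESP anti-replay: a single sender counter."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0
        self.seen = set()

    def check(self, seq):
        """Accept a sequence number once, and only if it is inside the window."""
        if seq > self.highest:
            self.highest = seq
            self.seen = {s for s in self.seen if s > seq - self.size}
            self.seen.add(seq)
            return True
        if seq <= self.highest - self.size or seq in self.seen:
            return False
        self.seen.add(seq)
        return True


class TbarReceiver:
    """Group-member receiver with a pseudotime clock synchronised by the key server."""

    def __init__(self, window_seconds=100.0):
        self.window = window_seconds
        self.offset = 0.0  # pseudotime minus local clock, learned at registration/rekey

    def sync_pseudotime(self, ks_pseudotime, local_now):
        """Registration or rekey: adopt the key server's pseudotime (PST)."""
        self.offset = ks_pseudotime - local_now

    def pseudotime(self, local_now):
        return local_now + self.offset

    def check(self, packet_pst, local_now, esp_sequence=None):
        """Accept if the packet's stamp is within +/- window of our pseudotime.

        esp_sequence is accepted and deliberately unused: with many senders
        sharing one TEK there is no single counter to compare it against.
        """
        skew = packet_pst - self.pseudotime(local_now)
        if abs(skew) > self.window:
            return False, f"outside TBAR window (skew {skew:+.0f}s)"
        return True, "accepted"


def two_sender_demo(packets_per_sender=100):
    """Constructed traffic: two group members each start their own ESP counter at 1.

    Returns (accepted by sequence window, accepted by TBAR) out of
    2 * packets_per_sender packets.
    """
    seqwin, tbar = SequenceWindow(), TbarReceiver()
    tbar.sync_pseudotime(ks_pseudotime=5000.0, local_now=0.0)
    seq_ok = tbar_ok = 0
    for _sender in ("gm1", "gm2"):
        for i in range(1, packets_per_sender + 1):
            now = float(i)                 # one packet per second from each sender
            if seqwin.check(i):            # gm2's counter collides with gm1's
                seq_ok += 1
            if tbar.check(5000.0 + now, local_now=now)[0]:
                tbar_ok += 1
    return seq_ok, tbar_ok
```

Note that TBAR bounds how stale a replayed packet may be (the window), which is why the deck keeps the window small and resynchronises pseudotime at rekey.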

16 VPN Environments

17 Key Messages
- What constitutes a VPN?
- Tools to create a VPN: FR, ATM, MPLS, VPLS, GRE, and IPSec
- Tools to secure a VPN: IPSec and GET (and other?)
- GET uses an existing VPN; IPSec creates a VPN
- IPSec often creates an overlay VPN
- Decoupling the routing plane and the crypto plane
- Distinguishing VPN topology from security perimeter
  Topology: point-to-point versus multi-point
  Security perimeter: point-to-point versus all-points
Table (security perimeter versus topology): a point-to-point topology uses IPSec; a multi-point topology uses group security (1).
(1) Shared crypto group for all links advised.

18 Core VPN Infrastructure
FR/ATM hub-and-spoke VPN:
- Hub CE transit for all spokes
- Security perimeter: per link
- IPSec crypto creates an overlay VPN
MPLS/VPLS any-to-any VPN:
- Direct flows between all CEs
- Security perimeter: all sites
- GET crypto leverages the existing VPN
(Diagram: CE, SW and PE topologies for FR/ATM/TDM and MPLS VPN, contrasting IPSec point-to-point connections with group security flows and their security perimeters)

19 VPN Access Infrastructure
Securing the VPN access:
- GET secures a core VPN
- IPSec creates a VPN and secures it over the Internet
- IPSec applied to a core VPN would create an overlay VPN
Redundant core VPN access:
- Dual-homed CE site
- Dual-VPN CE site
- Redundant CE site
- Hybrid dual-VPN CE site
(Diagram: CE sites attached to MPLS VPN 1, MPLS VPN 2 and the Internet in dual-homed, dual-VPN, redundant-CE and hybrid dual-VPN arrangements, with GET on the VPN links)

20 Infrastructure and Access Agnostic Security
Routing provides IP paths:
- Provides the path for crypto flows
- Independent of crypto state
GET secures IP flows:
- Independent of the network path
- Independent of routing state
(Diagram: group security spanning MPLS VPN, FR / ATM and backup access (L2TP, DSL, IPSec, ...))

21 Crypto Policy Goals
Secure:
- Ensure we encrypt traffic that MUST be encrypted
- Ensure we do not encrypt traffic that MUST be clear-text
Simplify provisioning:
- Consistency through policy templates
- Smart address management (management plane, control plane, data plane)
Policy symmetry:
- Minimize the number of policy permutations
- Point-to-point policies should use IPSEC
- GET is best used with aggregate symmetric IP address ranges
Reliability:
- Redundant paths for control plane and data plane

22 Policy Permutations: Point-to-Point IPSec Associations
Site-specific policy: A = ; B = ; C =
                    Site 1          Site 2                    Site 3
                    A1     B1       A2     B2     C           A3     B3
  Site 1   A1       -      -        A1-A2  A1-B2  A1-C        A1-A3  A1-B3
           B1       -      -        B1-A2  B1-B2  B1-C        B1-A3  B1-B3
  Site 2   A2       A2-A1  A2-B                               A2-A3  A2-B3
           B2       B2-A1  B2-B                               B2-A3  B2-B3
           C        C-A1   C-B                                C-A3   C-B3
  Site 3   A3       A3-A1  A3-B1    A3-A2  A3-B2  A3-C        -      -
           B3       B3-A1  B3-B1    B3-A2  B3-B2  B3-C        -      -
Policy statements on Site 1: 10; on Site 2: 12; on Site 3: 10. Total network policy statements: 32.

23 Policy Permutations: Asymmetric Group Disaggregate
Association table: the same 32 address pairs as the point-to-point table on slide 22, now held as one global list.
Policy statements on Site 1: 32; on Site 2: 32; on Site 3: 32. Total network policy statements: 32.
Global policy distributed to all sites.

24 Policy Permutations: Group Asymmetric Aggregates
                    Site 1          Site 2                    Site 3
                    A1     B1       A2     B2     C           A3     B3
  Site 1   A1       -      -        A-A    A-B    A-C         A-A    A-B
           B1       -      -        B-A    B-B    B-C         B-A    B-B
  Site 2   A2       A-A    A-B                                A-A    A-B
           B2       B-A    B-B                                B-A    B-B
           C        C-A    C-B                                C-A    C-B
  Site 3   A3       A-A    A-B      A-A    A-B    A-C         -      -
           B3       B-A    B-B      B-A    B-B    B-C         -      -
Policy statements on Site 1: 8; on Site 2: 8; on Site 3: 8. Total network policy statements: 8.
Global policy (aggregates) distributed to all sites, including unused policy.

25 Policy Permutations: Group Asymmetric Aggregates (without C)
                    Site 1          Site 2            Site 3
                    A1     B1       A2     B2     -   A3     B3
  Site 1   A1       -      -        A-A    A-B    -   A-A    A-B
           B1       -      -        B-A    B-B    -   B-A    B-B
  Site 2   A2       A-A    A-B                        A-A    A-B
           B2       B-A    B-B                        B-A    B-B
  Site 3   A3       A-A    A-B      A-A    A-B
           B3       B-A    B-B      B-A    B-B
Policy statements on Site 1: 4; on Site 2: 4; on Site 3: 4. Total network policy statements: 4.
Global policy (aggregates) distributed to all sites, including unused policy.

26 Policy Permutations: Group Symmetric Aggregate
Every cell of the association table becomes "any, any": each site's own addresses are "-", and every other cell (Site 1 to Site 2 and Site 3, Site 2 to Site 1 and Site 3, Site 3 to Site 1 and Site 2) reads any, any.
Policy statements on Site 1: 1; on Site 2: 1; on Site 3: 1. Total network policy statements: 1.
Global universal policy (aggregate): <permit ip any any>
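The five permutation slides count the same three-site layout five ways. The following added example (not from the deck) derives those counts from the slides' own layout (Site 1 = A1, B1; Site 2 = A2, B2, C; Site 3 = A3, B3) and shows why the aggregate step yields 8 rather than 9 statements.

```python
"""Policy-statement counts for the three-site example on the permutation slides.

Added illustration; not from the original deck. The layout is the slides' own,
where the letter of an address names the aggregate it belongs to.
"""
from itertools import product

# Constructed from the slide tables: site -> addresses at that site.
SITES = {
    "Site 1": ["A1", "B1"],
    "Site 2": ["A2", "B2", "C"],
    "Site 3": ["A3", "B3"],
}


def aggregate_of(address):
    """Aggregate class of an address: its leading letter (A1 -> A, C -> C)."""
    return address[0]


def remote_addresses(sites, site):
    """All addresses that are not at `site`."""
    return [a for other, addrs in sites.items() if other != site for a in addrs]


def p2p_policy_counts(sites):
    """Point-to-point IPsec: each site carries one statement per
    (local address, remote address) pair; nothing is shared between sites."""
    counts = {site: len(local) * len(remote_addresses(sites, site))
              for site, local in sites.items()}
    counts["Total"] = sum(counts.values())
    return counts


def disaggregate_group_counts(sites):
    """Asymmetric group policy, disaggregate: the key server pushes the complete
    global list (all point-to-point pairs) to every site, so each site holds the total."""
    total = p2p_policy_counts(sites)["Total"]
    return {**{site: total for site in sites}, "Total": total}


def aggregate_group_policy(sites):
    """Asymmetric aggregates: one statement per ordered pair of aggregates that
    occurs between two different sites. C-C never occurs because C exists at one
    site only, which is why the slide counts 8 rather than 9."""
    pairs = set()
    for site, local in sites.items():
        for src, dst in product(local, remote_addresses(sites, site)):
            pairs.add((aggregate_of(src), aggregate_of(dst)))
    return sorted(pairs)


def aggregate_policy_lines(sites):
    """Render the aggregate policy in the deck's 'permit ip <src> <dst>' form."""
    return [f"permit ip <{src}> <{dst}>" for src, dst in aggregate_group_policy(sites)]


def symmetric_group_policy():
    """Symmetric aggregate: the universal policy, one statement for the whole VPN."""
    return ["permit ip any any"]


def without_aggregate(sites, letter):
    """Drop every address of one aggregate (the slides' step from 8 to 4 removes C)."""
    return {site: [a for a in addrs if aggregate_of(a) != letter]
            for site, addrs in sites.items()}
```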

27 GET Components and Functions

28 Key Messages
Group Member:
- Point of traffic encryption implementation
- Group IPSec: method of security
- Group IPSec: method of resiliency
Key Server:
- Point of control (policy, keys, membership)
- GDOI: method of policy and key deployment
- COOP: method for control plane resiliency (synchronization)
Performance, scalability, and reliability:
- Scale: KS operations
- Performance: GM operations
- Reliability: synchronization

29 Group Member: Membership Management
Group member join (registration):
- Immediately upon boot
- Immediately upon applying the crypto map
- Protected by the IKE SA (pre-shared keys or X.509 certificate)
Group member maintenance (rekey):
- Periodic update
- Protected by the Rekey SA (the IKE SA expires)
- New policies, time sync, or new keys (TEK or KEK)
- Acknowledged with unicast rekey
- Unacknowledged with multicast rekey

30 Group Member States
- Uninitialized: router reboot, mis-configured, cleared
- Fail-Closed: blocking / dropping (1)
- Fail-Open: forwarding (2)
- Registration: authenticating group member
- Group Member: forwarding / encrypting, receiving rekeys
- Expired, retry: expiring TEK
State diagram: Uninitialized -> Initialize -> Fail-Closed -> Authentication -> Registration -> Authorization -> Group Member; Fail-Open follows the same Authentication -> Registration -> Authorization path; from Group Member: Rekey, Retry, Reset.
(1) Fail-Closed is a feature; it is also a crypto state.
(2) Fail-Open is NOT a feature; it is a crypto state.

31 Group Member Procedures
RFC 3547 (Group Domain of Interpretation) definitions:
- Initiator = Group Member (GM)
- Receiver = Key Server (KS)
- Groupkey-Pull = Registration
- Groupkey-Push = Rekey
Registration (protection: IKE SA):
- IKE Phase I between GM and KS
- GM -> KS: GROUP-ID
- KS -> GM: SA-POLICY
- GM -> KS: SA-POLICY ACK
- KS -> GM: POLICY & KEYS
- GM authenticates with the KS; KS provides policies and keys
Rekey (protection: KEK):
- KS periodically refreshes keys (KEK, TEK, PST)
- KS -> GM: REKEY messages

32 Group Member Perimeter
Interfaces:
- Crypto map applied
- Crypto exceptions: control plane, management
- Registration interfaces: accessible via any interface; always routable to the KS

Secured group member interface (fail-closed policy; <ce> and <pe> are address placeholders):
  interface Serial0/0
   ip address <ce_address>
   crypto map svn                             <- WAN ENCRYPTION
   ip access-group fail-closed out            <- BLOCK EVERYTHING BUT CONTROL
  ip access-list extended fail-closed
   permit esp any any                         <- ALLOW ENCRYPTED
   permit ip host <ce> host <pe>              <- ALLOW ROUTE ADJACENCY
   permit tcp host <ce> eq ssh any            <- ALLOW SECURE SHELL

Crypto map association to group security:
  crypto map svn 10 gdoi                      <- GROUP CRYPTO MAP ENTRY
   set group secure-wan                       <- GROUP MEMBERSHIP
   match address control_plane                <- EXCLUDE ENCRYPTION

Group member policy exceptions:
  ip access-list extended control_plane       <- CONTROL PLANE PROTOCOLS
   deny ip host <ce> host <pe>                <- PE-CE LINK (BGP, ICMP)
   deny tcp host <ce> eq ssh any              <- MANAGEMENT SECURE SHELL

Group member association:
  crypto gdoi group secure-wan                <- GROUP ENCRYPTION
   identity number 3333                       <- MEMBER'S GROUP IDENTITY
   server address ipv4 <ks1_address>          <- KS ADDRESS TO REGISTER
   server address ipv4 <ks2_address>          <- ALTERNATE KS REGISTRATION

33 Key Server: Group Management Functions
Manage group policy and keys:
- Create policy
- Create keys
- Synchronize policy and keys
Manage group membership:
- Registration of group members
- Synchronization of group membership
Roles:
- Primary: create keys, register GM, distribute keys, notify secondary KS
- Secondary: register GM, monitor primary, update primary
(Diagram: primary KS and two secondary KSs exchanging COOP; GDOI between each KS and its group members over the GET VPN)

34 Key Server States
- Unknown: reboot, mis-configured, cleared
- Secondary: monitor primary KS announcements; accept GM registrations; update the primary KS of GM
- Primary: announce GM, policy, and keys; create policy and keys; execute rekey; accept GM registrations
State diagram: Unknown -> Initialize -> Secondary; Secondary -> (evaluate & election, promotion) -> Primary; Primary -> (evaluate & announce) -> Primary; Primary -> (demote) -> Secondary; Reset from either role returns to Unknown.

35 Cooperative Key Server Protocol
COOP key server insertion process:
- ISAKMP Phase 1 authentication: pre-shared key or certificate
- Keep-alive: persistent
- COOP processing: announcement messages; election processes; policy and key control; group membership
Exchange (diagram): the primary KS (priority 100) holds the GM database and the policy and keys; an unknown KS (priority 50) initializes IKE and completes IKE Phase I with it; the primary announces (100) and the new KS announces (50); after the election the new KS is a secondary KS (priority 50) and both continue to announce.

36 Cooperative Key Server Protocol
COOP key server promotion process:
- Periodic announcement: primary at a 20-second interval
- Missed announcement request: secondary at 30 seconds
- Dead hold-time: secondary at 60 seconds
- Election initiation: secondary at 65 seconds
- Synchronize GM database; primary announce; secondary announce
Exchange (diagram): the primary KS (priority 100) announces periodically; when it is partitioned (or the secondary reboots) the secondary KS (priority 50) misses an announcement, sends an announcement request and gets no reply, reaches the dead-KS hold-time, runs the election and becomes primary KS with its own GM database and policy and keys.

37 Cooperative Key Server Protocol
COOP key server merge process:
- Peer establishment: ISAKMP Phase 1; COOP exchange
- Election initiation and synchronization: evaluation of peer priority; election executed; database exchange
- Independent rekey: primary periodic announcement; deprecation of the oldest key
Exchange (diagram): two primary KSs, KS-1 (priority 100) and KS-2 (priority 50), each holding a GM database and policy and keys and each rekeying its own GMs; after IKE Phase I, evaluation and announcements (100 and 50), KS-2 is demoted to secondary KS, the databases are updated in both directions, and the GMs roll over to the surviving key at the next rekey.
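The promotion and merge slides above describe the secondary's timers and the priority-based election in prose. The following added example (not Cisco's implementation) runs those timers over a constructed partition and heal, using the slide's values (20 s announce, 30 s missed-announcement request, 60 s dead hold-time, 65 s election); the tie-break on equal priority and the set-union "database exchange" are assumptions of the example.

```python
"""COOP key-server timers and priority election from the promotion and merge slides.

Added example; not Cisco's implementation. Timer values are the slide's; the
tie-break on equal priority and the trivial database merge are assumptions.
"""
from dataclasses import dataclass, field

ANNOUNCE_INTERVAL = 20     # primary KS periodic announcement
MISSED_REQUEST_AT = 30     # secondary asks for the announcement it missed
DEAD_HOLD_TIME = 60        # secondary declares the primary dead
ELECTION_AT = 65           # secondary initiates an election


@dataclass
class KeyServer:
    name: str
    priority: int
    gm_database: set = field(default_factory=set)   # group members it registered


def elect_primary(candidates):
    """Highest COOP priority wins; name breaks ties (assumption for the example)."""
    return max(candidates, key=lambda ks: (ks.priority, ks.name))


@dataclass
class CoopPeerView:
    """One key server's view of its COOP peers (full mesh, IKE Phase 1 already up)."""
    me: KeyServer
    peers: dict                    # name -> KeyServer
    role: str = "secondary"
    primary_name: str = ""
    last_announce: float = 0.0     # time of the last announcement from the primary
    request_sent: bool = False
    events: list = field(default_factory=list)

    def on_announce(self, now, sender):
        """Announcement received from a peer carrying its priority and GM database."""
        self.peers[sender.name] = sender
        self.request_sent = False
        if self.role == "primary" and sender.priority > self.me.priority:
            # Merge: a higher-priority primary is reachable again, so this KS is
            # demoted and the two GM databases are exchanged.
            self.role, self.primary_name = "secondary", sender.name
            self.me.gm_database |= sender.gm_database
            sender.gm_database |= self.me.gm_database
            self.events.append(f"{now}: demoted, {sender.name} is primary")
        if self.role == "secondary":
            self.primary_name = sender.name
            self.last_announce = now

    def tick(self, now):
        """Evaluate the secondary's timers at `now`; return the current state."""
        if self.role == "primary":
            return "primary"
        silence = now - self.last_announce
        if silence < MISSED_REQUEST_AT:
            return "monitoring"
        if silence < DEAD_HOLD_TIME:
            if not self.request_sent:
                self.request_sent = True
                self.events.append(f"{now}: announcement missed, request sent")
            return "missed-announcement"
        if silence < ELECTION_AT:
            return "primary-dead"
        alive = [p for n, p in self.peers.items() if n != self.primary_name]
        winner = elect_primary([self.me] + alive)
        self.events.append(f"{now}: election, {winner.name} wins")
        if winner is self.me:
            self.role = "primary"
            return "primary"
        self.primary_name = winner.name
        return f"secondary ({winner.name} primary)"


def partition_scenario():
    """Constructed run: the primary (100) goes silent at t=0; secondaries 50 and 40 remain.

    Returns the secondary's state at t=20, 31, 61, 66, then its role and merged
    GM database after the old primary's announcement returns at t=90.
    """
    ks1 = KeyServer("ks1", 100, {"gm-a", "gm-b"})
    ks2 = KeyServer("ks2", 50, {"gm-c"})
    ks3 = KeyServer("ks3", 40)
    view = CoopPeerView(me=ks2, peers={"ks1": ks1, "ks3": ks3})
    view.on_announce(0, ks1)                      # last announcement heard
    states = {t: view.tick(t) for t in (20, 31, 61, 66)}
    view.on_announce(90, ks1)                     # partition heals: merge process
    return states, view.role, sorted(view.me.gm_database)
```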

38 Key Server Configuration
- Crypto group established
- Policy established
- Control plane attributes: authorized GM (GDOI); remote peer KS (COOP)
- Peer authentication, GM and KS: traditional ISAKMP; pre-shared keys; certificates

  crypto gdoi group secure-wan
   identity number 3333                       <- GROUP ID
   server local                               <- KEY SERVER
    rekey address ipv4 102                    <- REKEY ADDRESSES
    rekey retransmit 40 number 3              <- REKEY RETRANSMITS
    rekey authentication mypubkey rsa my_rsa  <- KS MSG AUTHENTICATION
    authorization address ipv4 member-list    <- GROUP MEMBER AUTHORIZATION
    sa ipsec 1                                <- SECURITY ASSOCIATION
     profile gdoi-p                           <- CRYPTO ATTRIBUTES SELECTION
     match address ipv4 lans-only             <- ENCRYPTION POLICY LAN-to-LAN
     no replay                                <- NO ANTI-REPLAY
    address ipv4 <ks_address>                 <- KS ADDRESS
    redundancy                                <- ENABLING COOP
     peer address ipv4 <peer_ks_address>      <- REMOTE KS
     local priority 100                       <- LOCAL KS PRIORITY

Rekey profile (needed for multicast rekey only):
  access-list 102 permit any host             <- REKEY SOURCE / DESTINATION

Group member authorization list (optional):
  ip access-list extended member-list         <- GM AUTH LIST
   permit <gm_ou>                             <- GM CERTIFICATE
   permit <gm_address>                        <- GM IP ADDRESS

Encryption IPsec proxy (mandatory):
  ip access-list extended lans-only           <- ENCRYPTION POLICY
   deny udp any eq 848 any eq 848             <- ALLOW GDOI
   permit ip                                  <- UNICAST
   permit ip                                  <- MULTICAST

39 Resilient Key Server Functions
Principles:
- Network resiliency: COOP associated with a loopback interface on the KS (always up/up); physically diverse paths (active/active) for the COOP protocol
- Key server processes: preemptive rekey of new keys and/or policy; iterative rekey attempts
- Group member processes: preemptive re-registration after a failed rekey; iterative re-registration attempts

40 Resilient Key Server Functions
Network resiliency for key servers (key server architecture):
- Full mesh peering
- Geographically dispersed KS
- Diverse control plane paths
- Dynamic election of the primary KS
- Priority bias of primary KS selection
- Maximum of eight KS per group
- Recommend two KS per group
(Diagram: primary KS (priority 50) and secondary KSs (priorities 40 and 30) peered over the GET VPN and out-of-band; the COOP protocol runs over diverse physical paths)

41 Resilient Key Server Functions
Key server processes (Retry = 1, Interval = 60 sec):
- Rekey: the KS prepositions the next TEK
- Iteratively pushes the key to each group member
- Rekeyed in batches of 50 GM
- Rekey interval (M) in seconds; rekey retry attempts (N)
Timeline (diagram): marks at t-420, t-360, t-180, t-30 and t0; the KS starts at 10% + interval and retries at 10%, the GM re-registers at 5%
Model:
  t0 = (M interval seconds) x (N retries + 1) + max(10% of TEK lifetime seconds, 90 seconds)
Example:
  t0 = (60 interval seconds) x (0 retries + 1) + max(10% of 3600 seconds, 90 seconds)
  t0 = 60 seconds + 360 seconds = 420 seconds

42 Resilient Key Server Functions
Group member processes:
- All GM are eligible to register to any KS serving their group
- Each GM will iteratively attempt to register to each KS
- Each GM will attempt to register to alternate KS iteratively
- Each GM will repeat the registration process indefinitely until policy and keys are retrieved
(Diagram: primary KS (priority 50) and secondary KSs (priorities 40 and 30) with members registering over GET)

43 Resilient Key Server Functions
Group member processes, GM registration:
- Invoked at boot, crypto configuration, or missed rekey
- Any eligible KS serving the group
- GM-configured order of KS alternates
- Priority and status of KS irrelevant
(Diagram: primary KS (priority 50) and secondary KSs (priorities 40 and 30) with members registering over GET)

44 Resilient Key Server Functions
Group member processes:
- GM recognizes the lack of policy or current keys
- GM attempts registration to the preferred KS (four ISAKMP attempts = 40 seconds)
- GM attempts registration to the alternate KS (four ISAKMP attempts = 40 seconds)
- GM repeats the KS registration attempts (KS1, KS2, KS3, ...) until successful
Timeline (diagram): old SA -> re-register window -> key roll-over -> new SA, with T_reg = max(5% TEK, 60 sec)
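The KS model on slide 41 and the GM re-register window on slide 44 can be carried through together. The following added example (not Cisco code) computes both with the deck's symbols and checks that every KS push lands before the GM's re-registration point; reading "four ISAKMP attempts = 40 seconds" as 10 seconds per attempt is the example's assumption.

```python
"""Rekey and re-registration timing from the resilient key server slides.

Added example, not Cisco code. It carries the slide's model through:
  t0 = (M interval seconds) x (N retries + 1) + max(10% of TEK lifetime, 90 s)
for the key server and T_reg = max(5% of TEK lifetime, 60 s) for the group
member, plus the four ISAKMP attempts (40 s) per key server in the GM's
registration loop. Treating each ISAKMP attempt as 10 s is an assumption.
"""


def ks_rekey_lead_time(tek_lifetime, interval=60, retries=0):
    """Seconds before TEK expiry at which the KS starts pushing the new TEK (t0)."""
    return interval * (retries + 1) + max(0.10 * tek_lifetime, 90)


def gm_reregister_window(tek_lifetime):
    """Seconds before TEK expiry at which a GM without the new key re-registers (T_reg)."""
    return max(0.05 * tek_lifetime, 60)


def rekey_timeline(tek_lifetime, interval=60, retries=0):
    """Events relative to TEK expiry (negative = seconds before expiry).

    Returns the KS push times (initial push plus each retry), the GM
    re-registration point, and whether every KS push precedes the GM window.
    """
    lead = ks_rekey_lead_time(tek_lifetime, interval, retries)
    pushes = [-lead + k * interval for k in range(retries + 1)]
    reregister = -gm_reregister_window(tek_lifetime)
    return {
        "ks_pushes": pushes,
        "gm_reregister": reregister,
        "pushes_before_reregister": all(p < reregister for p in pushes),
    }


def registration_attempts(key_servers, max_rounds=2, attempts=4, attempt_seconds=10):
    """GM registration loop: four ISAKMP attempts per KS, then the next KS, repeating.

    Returns (attempt start time, ks) pairs; the slide repeats indefinitely, so the
    number of rounds is capped here only for illustration.
    """
    schedule, t = [], 0
    for _ in range(max_rounds):
        for ks in key_servers:
            for _ in range(attempts):
                schedule.append((t, ks))
                t += attempt_seconds
    return schedule
```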

45 Key Server Scalability
Key server choice: based on the maximum number of GM per group (chart of platform, PSK or PKI, versus number of GM per group: ASR1K, 3945E and the other platforms below)
Peak registration rate:
- ASR1006 PSK/PKI capability: > 85 reg/sec
- 3945E and 3925 PSK/PKI capability: > 80 reg/sec
- 3945 PSK/PKI capability: > 90 reg/sec
- 2951 PSK/PKI capability: = 63 reg/sec
- 2925E PSK/PKI capability: > 75 reg/sec
- 2921 PSK/PKI capability: > 17 reg/sec
- 2911 PSK/PKI capability: = 17 reg/sec

46 Group Member Performance
(Chart: IMIX throughput at 70% max CPU, in gigabits per second up to 16 Gbps, for ASR1000 ESP100, ESP40, ESP20, ASR1002-X, ESP10, ESP5 (with CEF load-balancing), 3945E, 3925 and 2925E)

47 GET Deployment Methods

48 Key Messages
Transition methods:
- GET methods: receive-only and passive-mode
- Access methods: physical and logical migrations
Enhanced VPN protection:
- Customer group protection models
- Service group protection models
- Segmentation encryption methods
- Hierarchical protection models
Network considerations:
- MTU, NAT, route/crypto state synchronization, policy modifications

49 Transitioning to GET-protected VPNs

50 Methods for Transition
Clear-text:
- Transition environment using no encryption on the private WAN
- GET VPN conditional encryption
- Site-by-site transition with a single policy!!!
IPsec:
- Transition environment with point-to-point IPSec deployed
- GET VPN is the encryption of last resort
- Site-by-site migration
VTI / GRE-IPSec:
- Transition environment using an encrypted tunnel overlay
- GET VPN encryption of non-tunneled packets
- Site-by-site migration

51 Clear-Text Transition: Passive Mode Policy Migration
Receive-only mode:
- Forwards packets in clear-text that match the permit policy
- Allows decryption of packets that match the permit policy
Passive mode:
- Applies encryption to packets that match the permit policy
- Accepts both cipher-text and clear-text packets that match the permit policy
(Diagram: a GM in receive-only mode sends clear-text and receives clear-text; a GM in passive mode sends cipher-text and receives clear-text or cipher-text)

52 Passive Mode Policy Migration
Migration sequence (passive mode):
- Used for clear-text to cipher-text network transitions
- Applies encryption to packets that match the permit policy
- Allows receipt of encrypted and clear-text packets that match the permit policy
Crypto states of group members during each step:
- Step 1: Enable receive-only on all GM (RO, CT, RO, CT, RO)
- Step 2: Enable passive mode on all GM (PM, RO, PM, RO, PM)
- Step 3: Remove receive-only from the KS (PM, PE, PM, PE, PE)
- Step 4: Remove passive mode on the GMs (NM, NM, NM)
Legend: CT = clear-text; RO = receive-only; PM = passive mode; PE = normal mode, passive exception; NM = normal mode

53 Incrementally Enabling GET VPN
Communication between group member modes:
                     GM without GET   GM Receive Only   GM Passive   GM Normal
  GM without GET     Successful       Successful        Fail         Fail
  GM Receive Only    Successful       Successful        Successful   Fail
  GM Passive         Fail             Successful        Successful   Successful
  GM Normal          Fail             Fail              Successful   Successful
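The matrix above follows from the mode definitions on the two preceding slides. The following added example (not from the deck) encodes what each mode sends and accepts, derives the matrix from that, and checks that each step of the four-step migration leaves every pair of modes able to communicate; treating "normal mode, passive exception" as normal mode is the example's assumption.

```python
"""Which group-member modes can talk to each other during a clear-text to GET migration.

Added example; not from the deck. It encodes the slides' mode definitions (what
each mode sends, what it accepts) and derives the communication matrix and the
safety of each migration step from them. PE (normal mode, passive exception) is
treated as normal mode, an assumption here.
"""

# From the passive-mode slides: receive-only forwards clear-text but can decrypt;
# passive mode encrypts but accepts both; normal mode encrypts and accepts cipher-text only.
MODES = {
    "without GET": {"sends": "clear", "accepts": {"clear"}},
    "receive-only": {"sends": "clear", "accepts": {"clear", "cipher"}},
    "passive": {"sends": "cipher", "accepts": {"clear", "cipher"}},
    "normal": {"sends": "cipher", "accepts": {"cipher"}},
}
ORDER = list(MODES)


def one_way(src, dst):
    """True if packets from a GM in mode src are accepted by a GM in mode dst."""
    return MODES[src]["sends"] in MODES[dst]["accepts"]


def communicates(a, b):
    """Communication is successful only if both directions are accepted."""
    return one_way(a, b) and one_way(b, a)


def communication_matrix():
    """The 4x4 table from the 'Incrementally Enabling GET VPN' slide, derived."""
    return {a: {b: communicates(a, b) for b in ORDER} for a in ORDER}


def step_is_safe(modes_present):
    """A migration step is safe if every pair of modes present still communicates,
    including two GMs in the same mode."""
    present = list(modes_present)
    return all(communicates(a, b) for a in present for b in present)


def migration_plan_safety(plan):
    """Evaluate each step's mix of modes; the slide's four-step plan is all True."""
    return [step_is_safe(step) for step in plan]


# Constructed from the migration-sequence slide: modes present while each step rolls out.
SLIDE_PLAN = [
    {"without GET", "receive-only"},   # step 1: receive-only being enabled on all GM
    {"receive-only", "passive"},       # step 2: passive mode being enabled on all GM
    {"passive", "normal"},             # step 3: receive-only removed from the KS (PE = normal)
    {"normal"},                        # step 4: passive mode removed from the GMs
]
```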

54 Receive-only Mode: Key Server Config
- All sites capable of receiving and decrypting
- All sites default to forwarding in clear-text
- Specific sites configured to forward in cipher-text

  crypto gdoi group customer-vpn
   identity number 3333                       <- GROUP ID
   server local                               <- KEY SERVER
    rekey transport unicast                   <- REKEY
    rekey retransmit 40 number 3              <- REKEY RETRANSMITS
    rekey authentication mypubkey rsa my_rsa  <- KS MSG AUTHENTICATION
    sa receive-only                           <- RECEIVE-ONLY
    sa ipsec 1                                <- SECURITY ASSOCIATION
     profile gdoi-p                           <- CRYPTO ATTRIBUTES SELECTION
     match address ipv4 everything            <- ENCRYPTION POLICY EVERYTHING
    address ipv4 <ks_address>                 <- KS ADDRESS
  !
  ip access-list extended everything          <- POLICY
   deny udp any eq 848 any eq 848             <- ALLOW GDOI
   permit ip any any                          <- ENCRYPT ALL

55 Passive Mode: Group Member Config
- All sites capable of receiving and decrypting
- Any site capable of forwarding in clear-text
- Specific sites configured to forward in cipher-text

  crypto gdoi group customer-vpn
   identity number 3333
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
   passive
  !
  crypto map get-customer-vpn 10 gdoi
   set group customer-vpn
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial0/0
   ip address <ce_address>
   crypto map get-customer-vpn

56 IPsec Transitions: Crypto Map Order of Priority
Goal: transition a network using point-to-point IPsec to GET VPN
Method:
- Deploy the KS with an SA using a global (permit ip any any) scope of encryption
- Incrementally add CEs to the GET network
- Incrementally remove point-to-point IPsec
Assessment:
- Pro: easy transition of individual CEs to GET VPN
- Pro: incremental deployment of the GET infrastructure
- Con: GET can't be leveraged until the point-to-point SAs are removed
- Con: GET must be the default encryption paradigm

57 IPsec Transition
- Traditional hub-and-spoke IPsec VPN established using point-to-point IPsec security associations
- Key server introduced to the IP VPN environment
(Diagram: hub, primary key server and three spokes, each with a /24 site prefix, attached to the IP VPN)

58 IPsec Transition
- Each site configured to support GET as the default protection mechanism (last entry on the crypto map list)
- Point-to-point IPsec connections remain the preferred protection mechanism
(Diagram: primary KS, the hub as a group member and the spokes as group members, with GET available across the IP VPN)

59 IPsec Transition
- Each site configured to support GET as the last-resort protection mechanism (last entry on the crypto map list)
- Point-to-point IPsec connections remain the preferred protection mechanism
(Diagram: primary KS and four group members with GET across the IP VPN)

60 IPsec Transition
Hub (point-to-point entries first, GDOI entry last; addresses are placeholders):
  crypto map svn 5 ipsec-isakmp
   set peer <spoke2_address>
   set transform-set ipsec
   match address p2p-gm2
  crypto map svn 7 ipsec-isakmp
   set peer <spoke3_address>
   set transform-set ipsec
   match address p2p-gm3
  crypto map svn 10 gdoi
   set group get_vpn
  ip access-list extended p2p-gm2
   permit ip any <spoke2_prefix/24>
  ip access-list extended p2p-gm3
   permit ip any <spoke3_prefix/24>

Spoke 2:
  crypto map svn 5 ipsec-isakmp
   set peer <hub_address>
   set transform-set ipsec
   match address hub
  crypto map svn 10 gdoi
   set group get_vpn
  ip access-list extended hub
   permit ip any <hub_prefix/24>

Spoke 3:
  crypto map svn 7 ipsec-isakmp
   set peer <hub_address>
   set transform-set ipsec
   match address hub
  crypto map svn 10 gdoi
   set group get_vpn
  ip access-list extended hub
   permit ip any <hub_prefix/24>

61 Virtual Interface (VTI or GRE)
Goal: transition an encrypted multi-point tunnel overlay network to GET VPN
Method:
- Deploy the KS with an SA using a global (any any) scope of encryption
- Exclude encryption of pre-encrypted ESP traffic
- Advertise CE routes to the core at the hub (modified metric)
- Incrementally deploy crypto on the CE
- Advertise transitioning CE routes to the core
- Recycle transitioning CE routes into the tunnel overlay at the hub
Assessment:
- Pro: incremental deployment of crypto on CEs
- Pro: independent transition of CEs to GET VPN
- Con: route metric management required

62 Virtual Interface Transition
- Hub-and-spoke tunnels (VTI / GRE) established with IPsec protection
- Tunnel protection applied to the tunnel interface
- Crypto map applied to the physical interface
- Key server introduced to the IP VPN
(Diagram: hub, key server and three spokes with /24 site and tunnel prefixes over the IP VPN)

63 Virtual Interface Transition
- Individual sites transitioned to GET VPN
- GRE tunnel protection: the GDOI crypto map excludes ESP traffic (i.e. GRE+IPsec)
- Crypto map protection of GRE: GDOI is the last entry on the crypto map list
- Routes diverted from tunnels
- Modified spoke tunnel routing metrics
(Diagram: the first spoke's routes carried in the core VPN and protected by GET; the remaining spokes still tunneled to the hub)

64 Virtual Interface Transition
- Individual sites transitioned to GET VPN
- GRE tunnel protection: the GDOI crypto map excludes ESP traffic (i.e. GRE+IPsec)
- Crypto map protection of GRE: GDOI is the last entry on the crypto map list
- More routes diverted from tunnels
- Modified spoke tunnel routing metrics
(Diagram: more spoke routes carried in the core VPN and protected by GET; the remaining spokes still tunneled to the hub)

65 Virtual Interface Transition
- Individual sites transitioned to GET VPN
- GRE tunnel protection: the GDOI crypto map excludes ESP traffic (i.e. GRE+IPsec)
- Crypto map protection of GRE: GDOI is the last entry on the crypto map list
- All routes diverted from tunnels
- Modified spoke tunnel routing metrics
(Diagram: all spoke routes carried in the core VPN and protected by GET)

66 Group Service Models

67 Enhanced VPN Deployment Models
- Multi-group management (common VPN)
- Multi-customer group management (segregated VPN)
- Multi-service group management (common or segregated VPN)

68 Multi-Group Management: Service Groups
Shared KS infrastructure:
- Distinct group per protocol
- Shared cooperative KS
Model:
- Customer uses a shared dual-stack VPN
- Only sites capable of routing IPv6 join the GET IPv6 group
- All sites join the IPv4 GET group
- All control plane (COOP and GDOI) must use IPv4
Service IPv6 policy (grp1): permit ipv6 <any> <any>
Service IPv4 policy (grp2): permit ip <any> <any>
(Diagram: KS; dual-stack GMs with IPv4 /24 and IPv6 ::/64 site prefixes joining both groups; an IPv4-only single-stack GM joining only the IPv4 group)

69 Key Servers: Dual-Group (IPv4 and IPv6) Common VPN
Your goal is to define a distinct SERVICE GROUP for each protocol:

  crypto gdoi group v4vpn
   identity number 4444
   server local
    sa ipsec 1
     match address ipv4 ipv4-crypto
  crypto gdoi group ipv6 v6vpn
   identity number 6666
   server local
    sa ipsec 1
     match address ipv6 ipv6-crypto
  ip access-list extended ipv4-crypto
   permit ip any any
  ipv6 access-list ipv6-crypto
   ! Ensure link-local adjacency processes are not encrypted
   deny icmp fe80::/10 any
   deny icmp any fe80::/10
   permit ipv6 any any

70 Group Members: Dual-Stack (IPv4 and IPv6) Common VPN
Both SERVICE GROUPS rely on IPv4 as the control plane (GDOI) protocol:

  interface loopback0
   ip address <v4-address>
  crypto gdoi group v4vpn
   identity number 4444
   server address ipv4 <ks-address>
   client registration interface loopback0
  crypto gdoi group ipv6 v6vpn
   identity number 6666
   server address ipv4 <ks-address>
   client registration interface loopback0

71 Group Members: Dual-Stack (IPv4 and IPv6) Common VPN
Both SERVICE GROUPS applied to the interface to the common VPN:

  interface g0/0
   ip address <v4-address>
   ipv6 address <v6-address>
   crypto map v4vpn
   ipv6 crypto map v6vpn
  crypto map v4vpn 10 gdoi
   set group v4vpn
   match address ipv4 ipv4-crypto
  crypto map v6vpn 10 gdoi
   set group v6vpn
   match address ipv6 ipv6-crypto
  ip access-list extended ipv4-crypto
   deny ip <ipv4-address> <ipv4-address>
  ipv6 access-list ipv6-crypto
   deny ipv6 <ipv6-address> <ipv6-address>

72 Cloud-based Customer Groups: GET Group per VPN
Shared KS infrastructure:
- Group per customer
- Shared cooperative KS
Model:
- Service granted access to each customer VPN
- Customer's private IP address space may be NATed to service addresses (i.e. NAT private addresses on the GM to the service address assigned to the GM)
- Service gateway connected to each customer VPN
Customer X policy (grp1): permit ip <x*> <s>; permit ip <s> <x*>
Customer Y policy (grp2): permit ip <y*> <s>; permit ip <s> <y*>
(Diagram: KS; service gateway GM fronting the server; customer X GMs on subnet X (/8) and customer Y GMs on subnet Y (/8), each with /24 site prefixes)

73 Cloud-based Customer Groups: GET Group per VPN
Your goal is to use a CUSTOMER ACL for group policy defined as follows:

  ip access-list extended services
   ! access for a specific customer X to service-alpha
   permit ip <service-alpha-address> <customer_x>
   permit ip <customer_x> <service-alpha-address>
   ! access for another customer Y to service-alpha
   permit ip <service-alpha-address> <customer_y>
   permit ip <customer_y> <service-alpha-address>

74 Cloud-based Customer Groups
Customer GM joins the customer group (customer X, GM N; addresses are placeholders):
  crypto gdoi group cust-x
   identity number 3333
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
  !
  crypto map get-cust-x 10 gdoi
   set group cust-x
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial0/0
   ip address <ce_address>
   crypto map get-cust-x

Service GM joins each customer group (service GM):
  crypto gdoi group cust-y
   identity number 2222
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
  !
  crypto gdoi group cust-x
   identity number 3333
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
  !
  crypto map get-customers 10 gdoi
   set group cust-y
   match address no-encryption
  !
  crypto map get-customers 20 gdoi
   set group cust-x
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial1/1
   ip address <service_gm_address>
   crypto map get-customers

75 Multi-Group Management: GET Group per Service
Shared KS infrastructure:
- Group per service
- Shared cooperative KS
Model:
- Customers granted access to the service VPN
- Customer's private IP address space may be NATed to service addresses (i.e. NAT private addresses on the GM to the service address assigned to the GM)
Service A policy: permit ip <any> <A>; permit ip <A> <any>
Service B policy: permit ip <any> <B>; permit ip <B> <any>
(Diagram: KS; service gateway with service A and service B; customer GMs on subnet X (/8) and subnet Y (/8) with /24 site prefixes joining grp1 and grp2)

76 Cloud-based Service Groups: GET Group per Service
Your goal is to use a SERVICE ACL for group policy defined as follows:

  ip access-list extended services
   ! access for any customer to service-alpha
   permit ip <service-alpha-address> any
   permit ip any <service-alpha-address>
   ! access for any customer to service-beta
   permit ip <service-beta-address> any
   permit ip any <service-beta-address>

77 Service Group Policy Convergence
Customer GM joins one or more service groups (GM X N: purchased service A; addresses are placeholders):
  crypto gdoi group service-a
   identity number 4444
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
  !
  crypto map get-services 10 gdoi
   set group service-a
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial0/0
   ip address <ce_address>
   crypto map get-services

Service GM joins every service group (GM Service):
  crypto gdoi group service-a
   identity number 4444
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
  !
  crypto gdoi group service-b
   identity number 5555
   server address ipv4 <ks1_address>
   server address ipv4 <ks2_address>
  !
  crypto map get-services 10 gdoi
   set group service-a
   match address no-encryption
  crypto map get-services 20 gdoi
   set group service-b
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial1/1
   ip address <service_gm_address>
   crypto map get-services

78 Hierarchical Group Service Models

79 Hierarchical Group Management: Service Groups

Shared KS infrastructure, one group per VPN, shared cooperative KS.

Model:
  Regional VPNs, each protected by a distinct group
  Regional VPNs route through the Core VPN for inter-region flows
  Decryption and encryption executed on the Regional Gateway

Segment policies (core and each region):
  permit ip <any> <any>

[Figure: KS serving grp1 and grp2, Regional Gateway joined to both groups, regional GMs in grp2 on four /24 subnets]

80 Hierarchical Service Groups

Best practice for large-scale VPN (> 4,000 GM per group): use a SERVICE GROUP for each VPN segment:
  group 1111 => CORE
  group 2222 => REGION-1
  group 3333 => REGION-2

  crypto gdoi group get-core
   identity number 1111
   server local
    sa ipsec 1
     match address ipv4 core-policy

  crypto gdoi group region-1
   identity number 2222
   server local
    sa ipsec 1
     match address ipv4 region-1

  crypto gdoi group region-2
   identity number 3333
   server local
    sa ipsec 1
     match address ipv4 region-2

  ip access-list extended core-policy
   permit ip any any
  ip access-list extended region-1
   permit ip any any
  ip access-list extended region-2
   permit ip any any

81 Hierarchical Group Management

Regional GM joins one service group:

  crypto gdoi group region-1
   identity number 2222
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto map get-region-1 10 gdoi
   set group region-1
  !
  ...
  interface serial0/0
   ip address <ce> <mask>
   crypto map get-region-1

Regional Gateway GM joins the core and regional groups:

  crypto gdoi group core
   identity number 1111
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto map get-core 10 gdoi
   set group core
  !
  interface serial0/1
   ip address <core-link> <mask>
   crypto map get-core
  ...
  !
  crypto gdoi group region-1
   identity number 2222
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto map get-region-1 10 gdoi
   set group region-1
  !
  interface serial0/2
   ip address <region-link> <mask>
   crypto map get-region-1

82 Multi-Group Management: NOC VPN Route Management via MPLS VPN Route-Targets

  Existing NOC management VPN
  Distinct customer VPNs
  Leveraging MPLS VPN route-target exchange
  Non-overlapping IP addresses for management and GM identity
  Route exchange using route-targets

[Figure: KS pair holding the management group and each customer group (one crypto policy per group), attached to the provider edge management-vrf; customer-vrf-purple and customer-vrf-blue GMs, each carrying a crypto map with its own customer policy plus the management policy]

83 Multi-Group Management: Customer VPN Route Management via MPLS VPN and VLAN Segmentation

  Instantiation of a management VPN
  Extension of distinct customer VPNs
  Leveraging distinct routed KS interfaces
  Non-overlapping IP addresses for management and GM identity
  Only management routes exchanged; route segmentation using route-targets

[Figure: KS with one routed interface per group (a crypto policy each), provider edge with customer-purple and customer-blue, GMs with crypto maps carrying their customer crypto policy]

84 Multi-Group Management: KS Configuration

Group membership:
  mgmt: gm1, gm2, gm3, gm4
  grp1: gm1, gm2
  grp2: gm3, gm4

  crypto gdoi group mgmt
   identity number 1111
   server local
    authorization address ipv4 mgmt-list
    sa ipsec 1
     profile gdoi-p
     match address ipv4 noc-hosts

  ip access-list standard mgmt-list
   permit <gm1-ip>
   permit <gm2-ip>
   permit <gm3-ip>
   permit <gm4-ip>
  ip access-list extended noc-hosts
   permit ip host <mgmt> any
   permit ip any host <mgmt>

  ip access-list extended everything
   deny ip <control> <control>
   permit ip any any

  crypto gdoi group purple
   identity number 3333
   server local
    authorization address ipv4 purple-list
    sa ipsec 1
     profile gdoi-p
     match address ipv4 everything
  ip access-list standard purple-list
   permit <gm1-ip>
   permit <gm2-ip>

  crypto gdoi group blue
   identity number 2222
   server local
    authorization address ipv4 blue-list
    sa ipsec 1
     profile gdoi-p
     match address ipv4 everything
  ip access-list standard blue-list
   permit <gm3-ip>
   permit <gm4-ip>

The authorization address list restricts which GM identities may register to each group, so a GM of one customer cannot obtain another customer's keys even if it knows that group's identity number.

85 Multi-Group Management: GM Configuration

Customer GM joins the management group and its customer group; the NOC group member joins the management group.

Customer Purple GM:

  crypto gdoi group purple
   identity number 3333
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto gdoi group mgmt
   identity number 1111
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto map get-purple 5 gdoi
   set group mgmt
  crypto map get-purple 10 gdoi
   set group purple
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial0/0
   ip address <ce> <mask>
   crypto map get-purple

Customer Blue GM:

  crypto gdoi group blue
   identity number 2222
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto gdoi group mgmt
   identity number 1111
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto map get-blue 5 gdoi
   set group mgmt
  crypto map get-blue 10 gdoi
   set group blue
   match address no-encryption
  !
  ip access-list extended no-encryption
   deny ip host <ce> host <pe>
   deny tcp host <ce> eq ssh any
   ...
  interface serial1/1
   ip address <ce> <mask>
   crypto map get-blue
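In the multi-group designs on the preceding slides (customer groups, service groups, the management plus customer group pairing) every GM must point each crypto map entry at a group it actually defines, and a given group name must carry the same identity number on every GM and on the KS. The script below is an added example, not code from the deck or from Cisco: it parses only the handful of IOS lines used on these slides (crypto gdoi group, identity number, crypto map ... gdoi, set group) and reports those two classes of mismatch across a set of device configs. The two sample configs are constructed and deliberately contain both errors; the <ks1> placeholder stands in for a real key server address.

```python
"""Cross-device consistency check for GET VPN group definitions.

Added example; not Cisco's code. It parses the minimal subset of IOS
syntax used on the slides ('crypto gdoi group', 'identity number',
'crypto map ... gdoi', 'set group') and flags two misconfigurations:
a crypto map entry that references a group the device never defines,
and a group name whose identity number differs between devices.
"""
import re
from collections import defaultdict

# Constructed sample configs; <ks1> is a placeholder, not a real address.
SAMPLE_CONFIGS = {
    "customer-gm": """
crypto gdoi group service-a
 identity number 5555
 server address ipv4 <ks1>
!
crypto map get-services 10 gdoi
 set group service-a
 match address no-encryption
""",
    "service-gm": """
crypto gdoi group service-a
 identity number 4444
 server address ipv4 <ks1>
!
crypto gdoi group service-b
 identity number 5555
 server address ipv4 <ks1>
!
crypto map get-services 10 gdoi
 set group service-a
crypto map get-services 20 gdoi
 set group purple
""",
}

GROUP_RE = re.compile(r"^crypto gdoi group (\S+)\s*$")
IDENT_RE = re.compile(r"^\s+identity number (\d+)\s*$")
MAP_RE = re.compile(r"^crypto map (\S+) (\d+) gdoi\s*$")
SETGRP_RE = re.compile(r"^\s+set group (\S+)\s*$")


def parse_device(config):
    """Return ({group_name: identity}, [(map_name, seq, group_ref), ...])."""
    groups, map_refs = {}, []
    current_group = current_map = None
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            current_group, current_map = m.group(1), None
            groups.setdefault(current_group, None)
            continue
        m = IDENT_RE.match(line)
        if m and current_group:
            groups[current_group] = int(m.group(1))
            continue
        m = MAP_RE.match(line)
        if m:
            current_map, current_group = (m.group(1), int(m.group(2))), None
            continue
        m = SETGRP_RE.match(line)
        if m and current_map:
            map_refs.append((current_map[0], current_map[1], m.group(1)))
    return groups, map_refs


def check_configs(configs):
    """Return a sorted list of human-readable findings across all devices."""
    findings = []
    identities = defaultdict(dict)   # group name -> {device: identity number}
    for device, text in configs.items():
        groups, map_refs = parse_device(text)
        for name, ident in groups.items():
            if ident is None:
                findings.append(f"{device}: group {name} has no identity number")
            else:
                identities[name][device] = ident
        for map_name, seq, ref in map_refs:
            if ref not in groups:
                findings.append(f"{device}: crypto map {map_name} {seq} references undefined group {ref}")
    for name, per_device in identities.items():
        if len(set(per_device.values())) > 1:
            detail = ", ".join(f"{d}={i}" for d, i in sorted(per_device.items()))
            findings.append(f"group {name}: identity number differs across devices ({detail})")
    return sorted(findings)


if __name__ == "__main__":
    for finding in check_configs(SAMPLE_CONFIGS):
        print(finding)
```

Run against real configs by loading each device's running-config text into the dictionary in place of the samples; the KS's own "crypto gdoi group" blocks can be included as one more device so its identity numbers are compared too.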

86 Data Plane Resiliency Methods

87 Group Member Access Architecture

Single provider / VPN
Single provider with bypass
Dual-homed via alternate aggregation network

Aggregation methods:
  L2TP/PPP (LAC / LNS)
  ISDN
  3G (HWIC, Enterprise HA)
  Nested IPsec (separate hardware today)
  Nested IPsec (combined hardware, future)

[Figure: data center PE/CE/GM with VPN and IP backup paths, backup aggregator, backup CE/GM at the branch]

88 Group Member Access Architecture: Dual Provider

Single CE, inter-provider VPN (Inter-AS): shared policy across both providers
Single CE, dual provider: discrete policy per provider

[Figure: PE pair per provider connected to one CE/GM, inter-provider link between the PEs]

89 Group Member Access Architecture: Dual CE, Dual Provider

Dual CE, dual provider, dual-homed: CEF balanced, discrete policy
Dual CE, dual provider with discrete segments and policy (aggregation switch behind the CEs)

[Figure: PE pairs, CE/GM pairs, AGG]

90 GM Redundancy and Load Balancing

Identity availability:
  Loopback identity is always up/up and advertised via multiple paths

Link redundancy:
  Diverse paths for identity and protected prefix
  Stateful crypto policy on both links
  Stateful crypto policy on both CEs

  crypto gdoi group getvpn
   identity number 2222
   server address ipv4 <ks1>
   server address ipv4 <ks2>
  !
  crypto map getvpn local-address loopback0
  crypto map getvpn 10 gdoi
   set group getvpn
   match address ipv4 no-encryption-acl
  !
  ip access-list extended no-encryption-acl
   deny udp any eq 848 any eq 848
   deny ip host <ce> host <pe>
  !
  interface Loopback0
   ip address <loopback> 255.255.255.255
  interface Serial0/0
   ip address <ce> <mask>
   crypto map getvpn
  interface FastEthernet0
   ip address <lan> <mask>

The local-address statement sources the GM's identity and registration from the loopback so either physical link can carry it; denying UDP 848 keeps GDOI registration and rekey traffic out of the group SA.

[Figure: KS, PE pair, two CEs on /30 links, /32 loopback identity]

91 GM Redundancy and Load Balancing: Encryption

  CEF load balancing across front-end aggregation routers
  Group member bank
  Back-end aggregation switches
  Distributed group security association: common crypto state, N-for-1 redundancy

[Figure: IGP/CEF front-end AGG, GET VPN GM bank, IGP/CEF back-end SWITCH]

92 Network Deployment Caveats

93 Fragmentation

Objective: fragment IP before encryption
  Decrypt IP fragments (no reassembly required on the GET VPN device)
  Forward IP fragments to the host for reassembly

Post-encryption fragmentation implications:
  Reassembly of ESP fragments is required, and the GET VPN device is the only entity capable of it

Fragmentation avoidance methods:
  IP MTU (Maximum Transmission Unit)
  TCP Maximum Segment Size (MSS)

  interface Serial0/0
   ip address <ce> <mask>
   ip mtu 1400
   crypto map get-vpn
  interface FastEthernet0
   ip address <lan> <mask>
   ip tcp adjust-mss 1380

[Figure: original packets H1->H2 and H1->H3 fragmented before encryption versus ESP packets fragmented after encryption]
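The slide lowers the interface IP MTU so that fragmentation, when it happens, happens to cleartext IP before encryption and never to ESP. Picking the number requires the ESP tunnel-mode overhead for the transform set in use. The script below is an added example, not from the deck or from Cisco IOS: it applies the RFC 4303 ESP layout with GET VPN's preserved 20-byte IPv4 outer header and assumed AES-CBC with HMAC-SHA1-96 parameters (16-byte block and IV, 12-byte ICV), then reports whether a given ip mtu keeps encrypted packets inside the physical MTU and what TCP MSS keeps a full segment inside that ip mtu.

```python
"""ESP tunnel-mode size budget for GET VPN fragmentation planning.

Added example, not from the deck or Cisco IOS. Applies the ESP packet
layout of RFC 4303 with an IPv4 outer header (GET VPN copies the original
header, so the outer header is the same 20 bytes) to answer two questions:
how big a cleartext packet becomes once encrypted, and which interface
'ip mtu' and TCP MSS keep the encrypted packet inside the physical MTU so
the core never has to fragment ESP. Cipher parameters are assumed values
for AES-CBC with HMAC-SHA1-96; adjust them for the transform set in use.
"""

OUTER_IP = 20          # preserved IPv4 header in front of ESP
ESP_HEADER = 8         # SPI + sequence number
ESP_TRAILER = 2        # pad length + next header
IP_TCP_HEADERS = 40    # minimum IPv4 + TCP headers of a segment


def esp_packet_size(inner_len, block=16, iv_len=16, icv_len=12):
    """Bytes on the wire for a tunnel-mode ESP packet carrying inner_len bytes.
    Padding brings (inner + trailer) up to a multiple of the cipher block."""
    body = inner_len + ESP_TRAILER
    pad = (-body) % block
    return OUTER_IP + ESP_HEADER + iv_len + body + pad + icv_len


def max_inner_for_mtu(phys_mtu, block=16, iv_len=16, icv_len=12):
    """Largest cleartext packet whose encrypted form still fits phys_mtu."""
    inner = phys_mtu - OUTER_IP - ESP_HEADER - iv_len - icv_len - ESP_TRAILER
    while esp_packet_size(inner, block, iv_len, icv_len) > phys_mtu:
        inner -= 1
    return inner


def mss_for_ip_mtu(ip_mtu):
    """TCP MSS that keeps a full segment within the interface 'ip mtu'."""
    return ip_mtu - IP_TCP_HEADERS


def plan(phys_mtu, ip_mtu, **cipher):
    """Summarise whether 'ip mtu' on the crypto interface avoids ESP fragmentation.

    Returns the encrypted size of an ip_mtu-sized packet, whether that fits the
    physical MTU, the largest 'ip mtu' that would fit, and the matching MSS."""
    biggest = esp_packet_size(ip_mtu, **cipher)
    return {
        "esp_size_of_max_packet": biggest,
        "fits_without_esp_fragmentation": biggest <= phys_mtu,
        "max_ip_mtu": max_inner_for_mtu(phys_mtu, **cipher),
        "mss": mss_for_ip_mtu(ip_mtu),
    }


if __name__ == "__main__":
    # 'ip mtu 1400' on a 1500-byte link, AES-CBC/SHA1 assumed.
    for key, value in plan(1500, 1400).items():
        print(f"{key}: {value}")
```

For an AES-GCM transform pass block=4, iv_len=8 and icv_len=16 (GCM pads only to 4-byte alignment); any ip mtu at or below max_ip_mtu avoids post-encryption fragmentation, and the MSS value is what ip tcp adjust-mss on the LAN-facing interface rewrites into transiting SYNs.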

94 NAT Traversal

Intervening NAT:
  NAT between two GMs is not supported: the encrypting GM copies the original header to the outer header, so a NAT device in the path rewrites only that copy. The receiving GM forwards the untouched inner packet, and the return traffic carries the original address, which the NAT cannot map back.

Pre- or post-NAT processing:
  NAT performed before the GET encryption device or after the GET decryption device will function
  GET proxy identities (the group policy) must include the NAT'd address

NAT on the GET VPN device:
  Encryption occurs after NAT on egress
  Decryption occurs before NAT on ingress

[Figure: H1, H2, H3; NAT ALLOWED at the edges, NO NAT ALLOWED between the GMs]
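The slide's placement rules follow from header preservation, and a small model makes the failure visible. The code below is an added example, not from the deck or from Cisco: it models a GM as "copy the inner header onto the outer header and freeze the inner one", a static one-to-one NAT that can only translate the header it sees, and a group policy simplified to a list of permitted (source network, destination network) pairs. The addresses 10.1.1.1, 192.0.2.1 and 10.3.3.3 are constructed. It shows the reply dying at a NAT placed between two GMs, and the same exchange succeeding when the NAT runs before encryption, but only once the policy covers the NAT'd address.

```python
"""Why NAT cannot sit between two GET VPN group members.

Added example, not code from the deck or from Cisco. GET VPN preserves the
original IP header: the encrypting GM copies the inner source and
destination onto the outer header, so a NAT device in the core can only
rewrite that outer copy. The receiving GM decrypts and forwards the inner
packet untouched, so the reply is addressed to the original (pre-NAT)
address and never matches the NAT binding on the way back. No real ESP is
involved; addresses, the static NAT and the simplified policy (permitted
src/dst network pairs) are all constructed for the example.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    payload: str
    esp: Optional[dict] = None   # set once encrypted: the frozen inner header and payload


class GroupMember:
    """Encrypts with header preservation; decrypts by restoring the inner header."""

    def __init__(self, policy):
        # policy: [(src_net, dst_net), ...] standing in for the KS-distributed ACL
        self.policy = [(ipaddress.ip_network(s), ipaddress.ip_network(d)) for s, d in policy]

    def matches(self, pkt):
        src, dst = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
        return any(src in s and dst in d for s, d in self.policy)

    def encrypt(self, pkt):
        if not self.matches(pkt):
            return pkt                      # outside the group policy: forwarded in the clear
        inner = {"src": pkt.src, "dst": pkt.dst, "payload": pkt.payload}
        return Packet(pkt.src, pkt.dst, "<esp>", esp=inner)   # outer header copied from inner

    def decrypt(self, pkt):
        if pkt.esp is None:
            return pkt
        return Packet(pkt.esp["src"], pkt.esp["dst"], pkt.esp["payload"])


class Nat:
    """Static one-to-one NAT that can only translate the header it sees: the outer one."""

    def __init__(self, inside, outside):
        self.inside, self.outside = inside, outside

    def outbound(self, pkt):
        if pkt.src == self.inside:
            return Packet(self.outside, pkt.dst, pkt.payload, pkt.esp)
        return pkt

    def inbound(self, pkt):
        """None when no binding matches: the inside address is not reachable from outside."""
        if pkt.dst == self.outside:
            return Packet(pkt.src, self.inside, pkt.payload, pkt.esp)
        return None


H1, H1_NAT, H3 = "10.1.1.1", "192.0.2.1", "10.3.3.3"
PRIVATE_ONLY = [("10.0.0.0/8", "10.0.0.0/8")]
WITH_NAT_ADDRESSES = PRIVATE_ONLY + [("192.0.2.0/24", "10.0.0.0/8"), ("10.0.0.0/8", "192.0.2.0/24")]


def nat_between_gms(policy):
    """Forbidden placement: GM1 -> NAT in the core -> GM3. True if H1 receives the reply."""
    gm1, gm3, nat = GroupMember(policy), GroupMember(policy), Nat(H1, H1_NAT)
    at_h3 = gm3.decrypt(nat.outbound(gm1.encrypt(Packet(H1, H3, "req"))))
    reply = Packet(at_h3.dst, at_h3.src, "reply")       # H3 answers the address it saw: 10.1.1.1
    return nat.inbound(gm3.encrypt(reply)) is not None   # outer dst is 10.1.1.1: no binding


def nat_before_gm(policy):
    """Allowed placement: H1 -> NAT -> GM1 ... GM3 -> H3.
    True only if both directions were encrypted and H1 receives the reply."""
    gm1, gm3, nat = GroupMember(policy), GroupMember(policy), Nat(H1, H1_NAT)
    outbound = gm1.encrypt(nat.outbound(Packet(H1, H3, "req")))
    if outbound.esp is None:
        return False                                     # policy lacks the NAT'd address: sent in the clear
    at_h3 = gm3.decrypt(outbound)
    encrypted_reply = gm3.encrypt(Packet(at_h3.dst, at_h3.src, "reply"))
    if encrypted_reply.esp is None:
        return False
    delivered = nat.inbound(gm1.decrypt(encrypted_reply))
    return delivered is not None and delivered.dst == H1


if __name__ == "__main__":
    print("NAT between GMs:", nat_between_gms(PRIVATE_ONLY))
    print("NAT before GM, private-only policy:", nat_before_gm(PRIVATE_ONLY))
    print("NAT before GM, policy includes NAT'd addresses:", nat_before_gm(WITH_NAT_ADDRESSES))
```

The second scenario is the one the slide calls out: with NAT in front of the GM the data path works, but the KS policy has to list the post-NAT addresses or the GM forwards that traffic in the clear.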

95 Strategic Directions for GET

96 Recent Releases

Feature | T-Train CCO | T-Train Date | XE Train CCO | XE Train Date

  GM Removal & Policy Trigger: 15.2(1)T 7/29/ /30/12
  GDOI MIB: 15.2(1)T 7/29/ /30/12
  GET IPv6 Data Plane: 15.2(3)T 3/30/ /30/12
  GET VPN Key Server Initial Release: December /29/13
  GET VPN with TrustSec: 15.3(2)T 3/29/ /29/13
  GET VPN Control Enhancements Phase I: 15.3(2)T 3/29/ /29/13
    Long Lifetime Security Association
    Periodic Reminder and Sync-up Rekeys
    Pre-Position Rekey
    TBAR Error Monitoring and Recovery
    GM Error Recovery

97 Recent Releases (continued)

Feature | T-Train CCO | T-Train Date | XE Train CCO | XE Train Date

  GET VPN Traceability and Debugging Enhancements: 15.3(2)T 3/29/ /29/13
  GET VPN Suite B Algorithms: 15.3(2)T 3/29/ /29/13

Legend: Released / Execute Committed / Planning

98 Roadmap

Feature | T-Train CCO | T-Train Date | XE Train CCO | XE Train Date

  GET VPN Certificate Revocation List Checking: 15.2(4)M 7/25/ /31/13
  GET VPN Control Enhancements Phase II: 15.2(4)M 7/25/ /31/13
  GDOI / IKE Separation (1): (1)T 11/30/ /27/13
  VRF Aware GM: 15.0(1)M 10/30/ /28/14
  Announcement Message Optimization (~ 8,000 GM per group) (2): 15.4(2)T 3/30/ /28/14
  GM Routing Awareness (2): 15.4(2)T 3/30/ /28/14

Legend: Released / Execute Committed / Planning
(1) Required for introduction of IKEv2
(2) Tentative dates pending execute commit

99 Complete Your Online Session Evaluation Give us your feedback and you could win fabulous prizes. Winners announced daily. Receive 20 Cisco Daily Challenge points for each session evaluation you complete. Complete your session evaluation online now through either the mobile app or internet kiosk stations. Maximize your Cisco Live experience with your free Cisco Live 365 account. Download session PDFs, view sessions on-demand and participate in live activities throughout the year. Click the Enter Cisco Live 365 button in your Cisco Live portal to log in. 99



IPsec NAT Transparency

IPsec NAT Transparency The feature introduces support for IP Security (IPsec) traffic to travel through Network Address Translation (NAT) or Port Address Translation (PAT) points in the network by addressing many known incompatibilities

More information

Router 6000 R17 Training Programs. Catalog of Course Descriptions

Router 6000 R17 Training Programs. Catalog of Course Descriptions Router 6000 R7 Training Programs Catalog of Course Descriptions Catalog of Course Descriptions INTRODUCTION... 3 IP NETWORKING... 4 IP OVERVIEW & FUNDAMENTALS... 8 IP ROUTING OVERVIEW & FUNDAMENTALS...0

More information

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.)

Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) Volume: 217 Questions Question: 1 Which three parameters must match to establish OSPF neighbor adjacency? (Choose three.) A. the process ID B. the hello interval C. the subnet mask D. authentication E.

More information

IP Security. Have a range of application specific security mechanisms

IP Security. Have a range of application specific security mechanisms IP Security IP Security Have a range of application specific security mechanisms eg. S/MIME, PGP, Kerberos, SSL/HTTPS However there are security concerns that cut across protocol layers Would like security

More information

Configuring Virtual Private LAN Service (VPLS) and VPLS BGP-Based Autodiscovery

Configuring Virtual Private LAN Service (VPLS) and VPLS BGP-Based Autodiscovery Configuring Virtual Private LAN Service (VPLS) and VPLS BGP-Based Autodiscovery Finding Feature Information, page 1 Configuring VPLS, page 1 Configuring VPLS BGP-based Autodiscovery, page 17 Finding Feature

More information

Virtual Private Network

Virtual Private Network VPN and IPsec Virtual Private Network Creates a secure tunnel over a public network Client to firewall Router to router Firewall to firewall Uses the Internet as the public backbone to access a secure

More information

EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example

EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the IP[v6] Unnumbered Command Configuration Example EIGRP on SVTI, DVTI, and IKEv2 FlexVPN with the "IP[v6] Unnumbered" Command Configuration Example Document ID: 116346 Contributed by Michal Garcarz and Olivier Pelerin, Cisco TAC Engineers. Sep 18, 2013

More information

Intelligent WAN Deployment Guide

Intelligent WAN Deployment Guide Cisco Validated design Intelligent WAN Deployment Guide September 2017 Table of Contents Table of Contents Deploying the Cisco Intelligent WAN... 1 Deployment Details...1 Configuring DMVPN Hub Router...2

More information

Identity Firewall. About the Identity Firewall

Identity Firewall. About the Identity Firewall This chapter describes how to configure the ASA for the. About the, on page 1 Guidelines for the, on page 7 Prerequisites for the, on page 9 Configure the, on page 10 Monitoring the, on page 16 History

More information

MPLS VPN--Inter-AS Option AB

MPLS VPN--Inter-AS Option AB The feature combines the best functionality of an Inter-AS Option (10) A and Inter-AS Option (10) B network to allow a Multiprotocol Label Switching (MPLS) Virtual Private Network (VPN) service provider

More information

An Overview of Site-to- Site VPN Technologies Nisha Kuruvilla Technical Leader, Services Hector Mendoza Jr. Technical Leader, Services BRKSEC-1050

An Overview of Site-to- Site VPN Technologies Nisha Kuruvilla Technical Leader, Services Hector Mendoza Jr. Technical Leader, Services BRKSEC-1050 An Overview of Site-to- Site VPN Technologies Nisha Kuruvilla Technical Leader, Services Hector Mendoza Jr. Technical Leader, Services BRKSEC-1050 Agenda VPN Technology Positioning SVTI, DVTI, DMVPN, GETVPN,

More information

BGP-MVPN SAFI 129 IPv6

BGP-MVPN SAFI 129 IPv6 Subsequent Address Family Identifier (SAFI) 129, known as VPN Multicast SAFI, provides the capability to support multicast routing in the service provider's core IPv6 network. Border Gateway Protocol (BGP)

More information

Locator ID Separation Protocol (LISP) Overview

Locator ID Separation Protocol (LISP) Overview Locator ID Separation Protocol (LISP) is a network architecture and protocol that implements the use of two namespaces instead of a single IP address: Endpoint identifiers (EIDs) assigned to end hosts.

More information

Virtual Tunnel Interface

Virtual Tunnel Interface This chapter describes how to configure a VTI tunnel. About s, on page 1 Guidelines for s, on page 1 Create a VTI Tunnel, on page 2 About s The ASA supports a logical interface called (VTI). As an alternative

More information

Scalability Considerations

Scalability Considerations 3 CHAPTER This chapter presents the following steps to selecting Cisco products for a VPN solution: Sizing the headend Choosing Cisco products that can be deployed for headend devices Product sizing and

More information

Advanced Concepts of DMVPN (Dynamic Multipoint VPN)

Advanced Concepts of DMVPN (Dynamic Multipoint VPN) Advanced Concepts of DMVPN (Dynamic Multipoint VPN) Mike Sullenberger Distinguished Engineer Agenda DMVPN Design Overview DMVPN General IWAN Specific NHRP Details NHRP Overview NHRP Registrations/Resolutions/Redirects

More information

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP If you are using the Amazon Virtual Private Cloud, you can transparently extend your local network to the cloud by connecting both networks

More information

Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS

Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS CHAPTER 43 Configuring MPLS, MPLS VPN, MPLS OAM, and EoMPLS This chapter describes how to configure multiprotocol label switching (MPLS) and Ethernet over MPLS (EoMPLS) on the Cisco ME 3800X and ME 3600X

More information

Table of Contents 1 IKE 1-1

Table of Contents 1 IKE 1-1 Table of Contents 1 IKE 1-1 IKE Overview 1-1 Security Mechanism of IKE 1-1 Operation of IKE 1-1 Functions of IKE in IPsec 1-2 Relationship Between IKE and IPsec 1-3 Protocols 1-3 Configuring IKE 1-3 Configuration

More information

IPv6 Switching: Provider Edge Router over MPLS

IPv6 Switching: Provider Edge Router over MPLS Multiprotocol Label Switching (MPLS) is deployed by many service providers in their IPv4 networks. Service providers want to introduce IPv6 services to their customers, but changes to their existing IPv4

More information

Customer IPv6 Delivery

Customer IPv6 Delivery Customer IPv6 Delivery The Nextgen Experience Chris Chaundy, Nextgen Networks October 2011 Agenda Nextgen Network s strategy Just get a prefix and turn it on!?!? Scope of the project Hardware considerations

More information

Google Cloud VPN Interop Guide

Google Cloud VPN Interop Guide Google Cloud VPN Interop Guide Using Cloud VPN With Cisco ASA Courtesy of Cisco Systems, Inc. Unauthorized use not permitted. Cisco is a registered trademark or trademark of Cisco Systems, Inc. and/or

More information

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson

HIP Host Identity Protocol. October 2007 Patrik Salmela Ericsson HIP Host Identity Protocol October 2007 Patrik Salmela Ericsson Agenda What is the Host Identity Protocol (HIP) What does HIP try to solve HIP basics Architecture The HIP base exchange HIP basic features

More information

CSCE 715: Network Systems Security

CSCE 715: Network Systems Security CSCE 715: Network Systems Security Chin-Tser Huang huangct@cse.sc.edu University of South Carolina Security in Network Layer Implementing security in application layer provides flexibility in security

More information

Contents. Configuring EVI 1

Contents. Configuring EVI 1 Contents Configuring EVI 1 Overview 1 Layer 2 connectivity extension issues 1 Network topologies 2 Terminology 3 Working mechanism 4 Placement of Layer 3 gateways 6 ARP flood suppression 7 Selective flood

More information