Group Encrypted Transport - VPN Service Without Tunnels
Cisco Group Encrypted Transport is a revolutionary WAN security technology that defines a new category of VPN, one that does not use tunnels. For the first time, Group Encrypted Transport VPN eliminates the need to make the compromise between network intelligence and data privacy.
This security model introduces the concept of "trusted" group member routers that use a common security methodology that is independent of any point-to-point relationship. By eliminating point-to-point tunnels, Cisco Group Encrypted Transport VPNs can scale higher while accommodating multicast applications and instantaneous branch-to-branch transactions.
MPLS VPNs that use this encryption technology are able to maintain their scalable, any-to-any connectivity and meet government-mandated encryption requirements. The flexible nature of Group Encrypted Transport allows security-conscious enterprises to manage their own network security over a service provider WAN service or to offload encryption services to managed services providers.
This encryption model is based on the existing routing infrastructure and relies on two technologies: Group Domain of Interpretation (GDOI) and IP Security (IPsec).
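To make the GDOI/IPsec split concrete, here is an added, minimal IOS configuration for one key server and one group member; it is an illustrative example written for this page, not Cisco's reference configuration, and the group name, identity number, RSA key label, ACL name and the 10.0.0.0/8 addresses are all assumed placeholders.

```cisco
! ===== Key server (assumed address 10.0.0.1) =====
! IKE phase 1 is still needed so group members can register with the key server.
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key GM-REG-KEY address 10.0.0.2
! Transform set in tunnel mode; GET VPN preserves the original IP header in the outer header.
crypto ipsec transform-set GETVPN-TS esp-aes esp-sha-hmac
 mode tunnel
crypto ipsec profile GETVPN-PROF
 set transform-set GETVPN-TS
! The GDOI group: one shared SA distributed to every member instead of pairwise tunnels.
crypto gdoi group GETVPN
 identity number 1234
 server local
  ! Rekey messages are signed with a locally generated RSA key (label assumed).
  rekey authentication mypubkey rsa GETVPN-KEYS
  rekey transport unicast
  sa ipsec 1
   profile GETVPN-PROF
   match address ipv4 GETVPN-ACL
   ! Time-based anti-replay (seconds) replaces per-peer sequence-number windows.
   replay time window-size 5
  address ipv4 10.0.0.1
! Traffic that the group SA protects: here, all site-to-site traffic inside 10.0.0.0/8.
ip access-list extended GETVPN-ACL
 permit ip 10.0.0.0 0.255.255.255 10.0.0.0 0.255.255.255

! ===== Group member (assumed address 10.0.0.2) =====
crypto isakmp policy 10
 encryption aes
 authentication pre-share
 group 14
crypto isakmp key GM-REG-KEY address 10.0.0.1
crypto gdoi group GETVPN
 identity number 1234
 server address ipv4 10.0.0.1
! A GDOI crypto map carries no peer statement: the member learns policy and keys from the server.
crypto map GETVPN-MAP 10 gdoi
 set group GETVPN
interface Serial0/0
 crypto map GETVPN-MAP
```

Because every member holds the same group SA and the outer header keeps the original source and destination, any member can decrypt traffic from any other member without a per-peer negotiation; the key server, its registration ISAKMP policy and the rekey RSA key therefore become the assets to protect and monitor.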
Breaking Standards
Cisco is breaking from standards, inserting proprietary "shims" to make this work since they break anti-replay mechanisms. They are also breaking IP frag/reassembly rules here by re-using the originating IP headers. The fact is that this technology is not really "tunneless". What they do is reuse the 'inside' IP addresses in the 'outside' header. This has several benefits, but also breaks down in the presence of fragmentation between crypto peers. You have to pay really close attention to flows and re-assembler performance with this one.