A traffic encryption key (TEK) is used to encrypt data between Group Encrypted Transport (GET) virtual private network (VPN) group members. GET VPN is a connectionless, nontunneling VPN technology based on the Group Domain of Interpretation (GDOI) standard proposed in Request for Comments (RFC) 3547.
Nontunneling VPNs such as GET VPN can be used on a variety of networks, including IP, Frame Relay, Multiprotocol Label Switching (MPLS), and Asynchronous Transfer Mode (ATM) networks. Although GET VPN does not use tunneling, it does rely upon Internet Key Exchange (IKE) and IP Security (IPSec) security associations (SAs).
GET VPN requires a key server. The key server maintains the policy, creates and maintains group keys, and services registration requests. When a group member registers with the key server, the group member downloads the IPSec policy and encryption keys from the key server. If a group member fails to register with a key server, all traffic is sent unencrypted through the group member unless the FailClose feature is activated.
A key encryption key (KEK) is used to encrypt data between the key server and group members. Periodically, the key server will send rekey messages to group members in order to refresh the IPSec SA before it expires. The KEK protects the rekey message, which contains new encryption keys that the group members should use, thereby securing the control plane.
Synchronous Antireplay (SAR) provides antireplay protection for GET VPN group members. The key server keeps track of time by maintaining a pseudotime clock.
Group members regularly synchronize to the pseudotime on the key server. If an intercepted message is replayed, the replayed message will likely fall outside the pseudotime window. A group member will detect the pseudotime discrepancy and will therefore reject the replayed message.
A transmission security key (TSK) is used by directsequence spread spectrum (DSSS) or frequencyhopping radios. TSKs are not used by GET VPN group members.