Cisco IOS Software Release 12.4(4)T Aggregated Data
Product Bulletin
© 2009 Cisco Systems, Inc. All rights reserved. This document is Cisco Public Information.
Page 20 of 299
3.1.5) Time-Based Anti-Replay on The VPN Services Adapter (VSA)
This feature enables Time-Based Anti-Replay (TBAR) support on the VPN Services Adapter (VSA)
of the 7200 NPE-G2 platform. TBAR is used in the Group Encrypted Transport VPN (GETVPN)
solution to detect replay attacks since standard sequence-based anti-replay attack detection is not
supported. This feature prevents ‘man in the middle’ attacks.
The Cisco GETVPN solution allows organizations to have branch-to-branch secure connectivity
without having to incur the cost of establishing and maintaining full-mesh connections.
Benefits
● Supports anti-replay in the Cisco GET VPN solution
● Allows protection against ‘man in the middle’ attacks, bolstering overall GET VPN security
Hardware
Routers
● Cisco 7200 with Network Processing Engine (NPE) G2
Additional Information:
Product Management Contact:
3.1.6) Group Encrypted Transport VPN (GET VPN) Enhancements
Several new GET VPN feature enhancements are introduced in Release 12.4(22)T:
● Passive Security Association (SA)
This feature enables a new mode of IPSec Security Association (SA) with GET VPN. In this
mode, the SA accepts both unencrypted and encrypted traffic on the inbound side, while it
always encrypts traffic on the outbound side. Passive SA mode is configured on the Group
Member (GM) and is persistent over router restarts; this allows the Group Member to
modify the SAs downloaded from the Key Server (KS). Passive SA can be used in the same
way as the receive-only SA to ease transitions in large-scale deployments.
● Fail-Close
This feature enables GET VPN traffic forwarding to follow the “fail-close” model, wherein an
unregistered Group Member (GM) stops forwarding data packets rather than send them out
unencrypted.
The fail-close command sets up an implicit “permit ip any any” at the end of the crypto map
during the pre-registration phase. After successful GDOI registration, the “permit ip any any”
is removed from the crypto map.
You can specify exceptions that need to be forwarded in the clear through a deny entry in
the ACL. This is useful for allowing routing packets and management packets from a particular
host to get through. However, note that the deny ACL in the GDOI crypto map still takes
precedence. After the registration is successful, the deny entry in the ACL is removed, while
the deny entry in the GDOI crypto map is persistent.
Once the GM is successfully registered to all its groups, the policies downloaded from the
KS take over, governing the GM's behavior, and the fail-close ACL and implicit “permit ip any
any” are taken out. GMs keep the policies downloaded from the KS even if the
re-registration fails and the IPSec SA has expired.
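The fail-close forwarding rules above, modelled as a small decision function (an added example, not Cisco code; the ACL syntax is simplified and the `GroupMember`, `Ace` and `Packet` names are assumptions). It shows the three states the bulletin describes: fail-open before registration, fail-close before registration with clear-text exceptions, and KS policy after registration with the crypto-map deny entries persisting.

```python
# Constructed model of the fail-close behaviour described above; not IOS code.
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    proto: str   # "tcp", "udp", "ospf", ...
    src: str
    dst: str

@dataclass(frozen=True)
class Ace:
    """One simplified access-list entry; "ip" and "any" are wildcards."""
    action: str  # "permit" or "deny"
    proto: str
    src: str
    dst: str
    def matches(self, pkt: Packet) -> bool:
        return (self.proto in ("ip", pkt.proto)
                and self.src in ("any", pkt.src)
                and self.dst in ("any", pkt.dst))

def first_match(acl, pkt):
    """Action of the first matching entry, or None (implicit deny)."""
    for ace in acl:
        if ace.matches(pkt):
            return ace.action
    return None

@dataclass
class GroupMember:
    fail_close: bool
    registered: bool = False
    # fail-close ACL deny entries: sent in the clear before registration only
    fail_close_acl: list = field(default_factory=list)
    # deny entries in the GDOI crypto map itself: persistent, take precedence
    local_deny_acl: list = field(default_factory=list)
    ks_policy: list = field(default_factory=list)  # downloaded from the KS

    def forward(self, pkt: Packet) -> str:
        """Decide 'clear', 'encrypt' or 'drop' for one outbound packet."""
        if first_match(self.local_deny_acl, pkt) == "deny":
            return "clear"
        if not self.registered:
            if not self.fail_close:
                return "clear"   # fail-open: the exposure fail-close removes
            # Fail-close: an ACL deny is an exception sent in the clear; all
            # else hits the implicit "permit ip any any" and, with no SA, drops.
            return "clear" if first_match(self.fail_close_acl, pkt) == "deny" else "drop"
        # Registered: KS policy governs; fail-close ACL and implicit permit are gone.
        return "encrypt" if first_match(self.ks_policy, pkt) == "permit" else "clear"
```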
When fail-close is activated, unencrypted packets are prevented prior to and during
registration. Once the GM is successfully registered to all its groups however, the policies