A Virtual Private Network (VPN) is a logical network that uses insecure public telecommunications infrastructure, such as the Internet, to provide secure communications to the members of the VPN. A VPN seeks to provide the security associated with dedicated communication lines without requiring the dedicated hardware, and at a fraction of the cost typically associated with such lines.
A VPN works by using shared public infrastructure while maintaining privacy through agreed-upon security procedures and protocols. Essentially, a VPN encrypts the messages communicated over it. The encryption and decryption of those messages rely upon keys that are securely held by the participants of the VPN.
Dynamic Group VPN (DGVPN) is an enhancement of the virtual private network configuration process of conventional network routers. DGVPN removes the need for pre-configured (static) IPsec peers in the network. IPsec (IP security) is a standard for securing Internet Protocol (IP) communications by encrypting and/or authenticating all IP packets communicated among the network peers; it provides security at the network layer. The DGVPN functionality of conventional network routers allows greater scalability than previous IPsec configurations. All traffic between protected areas is encrypted by a secure gateway as it leaves one secure area and decrypted by another secure gateway as it enters the next. This eliminates the need for a hub to route data between secure gateway networks, as was common in a non-fully-meshed frame relay topology.
In DGVPN, network traffic can travel from one secure gateway to another. In order for the various secure gateways to encrypt and decrypt this traffic, a centralized key server generates the IPsec keys and distributes them to the secure gateways. Because all secure gateways hold the same keys, this eliminates the overhead of establishing individual links between each pair of secure gateways.
Unfortunately, because the key server distributes the same keys to all secure gateways, data packets sent to a secure gateway group can be accessed and deciphered by any secure gateway in the group. In many circumstances it is desirable to maintain point-to-point privacy and not allow all members of a group to access the data packets, yet it is also desirable not to incur the overhead of establishing individual links between each pair of secure gateways. Conventional VPN solutions have not been able to provide such privacy in an encrypted group network configuration.
Thus, a system and method for ensuring privacy in point-to-point encrypted group network communication is needed.
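As an added illustration of the trade-off described in the preceding paragraphs (this is constructed example code, not part of the original text, and its cipher is a toy stand-in built from HMAC-SHA256 rather than any real IPsec implementation), the following Python model has a key server hand out either one group key or one key per gateway pair, and then checks which gateways can decrypt a packet sent from one gateway to another. The gateway names, payloads and helper names are made up for the example.

```python
"""Toy model of group-key versus pairwise-key distribution.

Constructed example. The 'cipher' is an HMAC-SHA256 keystream with an
HMAC tag, standing in for IPsec ESP; it is not a real IPsec implementation.
"""
import hashlib
import hmac
import secrets
from itertools import combinations

NONCE_LEN = 12
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Derive `length` bytes of keystream from (key, nonce, counter).
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(NONCE_LEN)
    body = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def open_packet(key: bytes, packet: bytes):
    """Return the plaintext, or None if the tag does not verify under `key`."""
    if len(packet) < NONCE_LEN + TAG_LEN:
        return None
    nonce, body, tag = packet[:NONCE_LEN], packet[NONCE_LEN:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(key, nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(body, _keystream(key, nonce, len(body))))


def distribute_group_key(gateways):
    """Key-server behaviour from the text: the same key goes to every gateway.
    Returns (per-gateway key stores, number of keys generated)."""
    group_key = secrets.token_bytes(32)
    return {gw: {"group": group_key} for gw in gateways}, 1


def distribute_pairwise_keys(gateways):
    """Alternative: one distinct key (one 'link') per pair of gateways.
    Returns (per-gateway key stores, number of keys generated), i.e. n(n-1)/2 keys."""
    stores = {gw: {} for gw in gateways}
    count = 0
    for a, b in combinations(gateways, 2):
        k = secrets.token_bytes(32)
        stores[a][b] = stores[b][a] = k
        count += 1
    return stores, count


def pairwise_link_count(n: int) -> int:
    """Number of pairwise links a full mesh of n gateways needs."""
    return n * (n - 1) // 2


def readers_of(stores, packet) -> set:
    """Which gateways can decrypt `packet` using only the keys they hold."""
    return {gw for gw, keys in stores.items()
            if any(open_packet(k, packet) is not None for k in keys.values())}


if __name__ == "__main__":
    gws = ["gw-A", "gw-B", "gw-C", "gw-D"]  # constructed gateway names
    group_stores, n_group = distribute_group_key(gws)
    pkt = seal(group_stores["gw-A"]["group"], b"A->B payload")
    print("group key:", n_group, "key; readable by", sorted(readers_of(group_stores, pkt)))
    pair_stores, n_pair = distribute_pairwise_keys(gws)
    pkt = seal(pair_stores["gw-A"]["gw-B"], b"A->B payload")
    print("pairwise:", n_pair, "keys; readable by", sorted(readers_of(pair_stores, pkt)))
```

Under the group key every member of the group recovers the packet, which is the privacy gap the text identifies; under pairwise keys only the two endpoints can, at the cost of n(n-1)/2 keys and links rather than one.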