A typical VPN (Virtual Private Network) is a network of point-to-point tunnels, where each tunnel is a security association (SA) between two security devices. A security key for the SA is negotiated between the two tunnel end devices. Tunnel encapsulation adds an outer header that hides the original source and destination IP addresses. Multicast traffic is replicated and encapsulated before entering the tunnels and is treated like unicast traffic within the core network. This overlay architecture is not optimal for multicast or routing traffic, and it does not scale to large deployments.
Group VPNs have been developed that extend the current Internet Protocol Security (IPsec) architecture to support group-shared SAs. The center of a group VPN includes a group server, which can be a cluster of servers.