In virtualized computing systems, host machines generally host a plurality of virtual machines. In hosting virtual machines, a host machine may provide a virtual switch that connects virtual machines running on the host to communicate with other virtual machines hosted on the same host machine as well as virtual machines hosted on other hosts. For example, the virtual machines may be interconnected as part of a logical overlay network. Logical overlay networks may be implemented by the host by encapsulating egress packets from the virtual machines and decapsulating ingress packets. For example, Virtual Extensible Local Area Network (VXLAN) tunnel endpoint (VTEP) services for encapsulating packets may be implemented at each host or at a gateway. Edge VTEPs or hypervisor-based VTEPs are generally connected to virtual switches implemented by the hypervisor for virtual machines on the same physical host. While the term “VTEP” refers to “VXLAN” tunneling protocol, it is now often used regardless of the tunneling protocol. The host may refer to internally-maintained forwarding tables that are populated by a control plane for determining whether to encapsulate packets and the targets of the encapsulation header based on the destination address of the original packet's header.
For example, a source virtual machine may generate an IP/MAC packet with the address of the source virtual machine set as the source address and the address of the destination virtual machine on a different host set as the destination address. The source virtual machine may send the packet to a virtual switch implemented on the same physical host as the source virtual machine. The virtual switch may, in accordance with forwarding tables associated with the virtual switch, be connected to a VTEP, which encapsulates the packet received from the source virtual machine to generate an encapsulated packet. The original packet may be referred to as an inner packet, and the encapsulated packet may be referred to as an outer packet. Further, a header of the inner packet including the address of the source virtual machine set as the source address and the address of the destination virtual machine set as the destination address may be referred to as an inner header. The VTEP may further include an outer header as part of the outer packet. The outer header may include a source address of the VTEP (e.g., source VTEP) generating and transmitting the encapsulated packet, and further may include a destination address of a VTEP (e.g., destination VTEP) associated with the destination virtual machine. Accordingly, in the overlay network, the outer header is used to forward the encapsulated packet through the overlay network from the source VTEP to the destination VTEP. The destination VTEP may then extract the inner packet and forward the original packet to a virtual switch connected to the destination VTEP, which forwards the original packet to the destination virtual machine based on the inner header of the decapsulated original packet.
However, in some cases, the packet that the source virtual machine generates may be an unknown unicast packet. In such cases, the host machine running the source virtual machine may send the unknown unicast packet to another host machine that replicates the unknown unicast packet and sends each replicated unknown unicast packet to other host machines within a logical overlay network or a logical layer-2 network/broadcast domain within the logical overlay network. In some cases, it may be desirable to secure the transmission of unknown unicast packets between the host machines using the IP security (IPsec) protocol, and more specifically, using distributed network encryption (DNE), which is a functionality created within a virtualized network environment to simplify key management associated with IPsec. Certain aspects of DNE are described in U.S. Pat. No. 9,613,218, which is hereby expressly incorporated by reference in its entirety.