Dynamic Group Virtual Private Networks (DGVPNs) provide a highly scalable method for Customer Edge-to-Customer Edge (CE-CE) encryption across a Virtual Private Network (VPN) environment in which all of the devices are confined to a single Internet Protocol (IP) routing domain under a single management/security authority. For example, a DGVPN is typically deployed in a Multi-Protocol Label Switching (MPLS) VPN network where the VPN is limited to a single service provider network.
In a multi-domain network where DGVPNs are utilized and devices are deployed that involve multiple providers, each set of devices must be segregated into provider-specific DGVPN groups. However, in such an instance, inter-domain security is an issue to be addressed. A conventional approach for providing security between disparate domains can involve bridging the two domains with a pair-wise encrypted link or tunnel. For example, when an Autonomous System Border Router (ASBR) associated with domain a (ASBRa) needs to route a packet to an ASBR associated with domain b (ASBRb) (e.g., routed from Provider Edge a (PEa) to Provider Edge b (PEb)), ASBRa decrypts the packet using keys that are a part of DGVPNa and re-encrypts the packet under pair-wise keys shared with ASBRb. Correspondingly, ASBRb decrypts the packet and re-encrypts it using DGVPNb keys before forwarding it.
This inter-domain bridging method can create certain problems. For example, the ASBRs are forced to perform two sets of crypto operations (a decryption and a re-encryption) on every packet flowing through them. Further, the domain owning the prefixes (i.e., the domain receiving the packets) has no visibility into the protection applied to the packets in the other domain, or indeed into whether the packets were protected in the other domain at all. Moreover, in some cases the two DGVPN groups do not belong to the same enterprise, and the bridge exists only to share packets between a subset of customer prefixes; yet neither DGVPN has any protection when unauthorized data packets are accidentally sent across the inter-domain link.
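The following is an added model of the conventional pair-wise bridge described above; it is illustrative code written for this text, not part of the patent or of any vendor implementation. It uses a toy authenticated-encryption construction (an HMAC-SHA256 keystream plus an HMAC tag) in place of the real DGVPN and pair-wise ciphers, and invents the key identifiers DGVPNa, PAIR-ab and DGVPNb and the sample prefix 10.1.0.0/16. Running it shows three of the points made above: each ASBR performs two crypto operations per packet, PEb can observe only the key identifier of its own domain (not how, or whether, the packet was protected in domain a), and the bridge carries any destination prefix unless the ASBR applies an explicit prefix allow-list.

```python
"""Model of conventional inter-domain DGVPN bridging (added example).

Toy AEAD: keystream = HMAC-SHA256(key, nonce || counter), tag = HMAC-SHA256
over header + ciphertext. Not a production cipher; it only makes the key
hand-offs and operation counts visible.
"""
import hashlib
import hmac
import ipaddress
import os

KEY_ID_LEN = 8      # key identifier field in the packet header
NONCE_LEN = 12
HEADER_LEN = KEY_ID_LEN + NONCE_LEN
TAG_LEN = 32


def _keystream(key, nonce, length):
    out = b""
    ctr = 0
    while len(out) < length:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:length]


def seal(key_id, key, plaintext):
    """Encrypt and tag plaintext under (key_id, key); header carries the key id."""
    nonce = os.urandom(NONCE_LEN)
    ks = _keystream(key, nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    header = key_id.encode().ljust(KEY_ID_LEN, b"\0") + nonce
    tag = hmac.new(key, header + ct, hashlib.sha256).digest()
    return header + ct + tag


def open_(key_id, key, packet):
    """Verify the tag for key_id and return the plaintext, or raise ValueError."""
    header, body, tag = packet[:HEADER_LEN], packet[HEADER_LEN:-TAG_LEN], packet[-TAG_LEN:]
    if header[:KEY_ID_LEN].rstrip(b"\0").decode() != key_id:
        raise ValueError("packet was not sealed under key id %s" % key_id)
    expected = hmac.new(key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("bad tag")
    ks = _keystream(key, header[KEY_ID_LEN:], len(body))
    return bytes(a ^ b for a, b in zip(body, ks))


class Node:
    """A PE or ASBR holding some keys; counts the crypto operations it performs."""

    def __init__(self, name, keys):
        self.name = name
        self.keys = keys          # key_id -> key material held by this node
        self.crypto_ops = 0

    def decrypt(self, key_id, pkt):
        self.crypto_ops += 1
        return open_(key_id, self.keys[key_id], pkt)

    def encrypt(self, key_id, pt):
        self.crypto_ops += 1
        return seal(key_id, self.keys[key_id], pt)


def bridge_path(plaintext):
    """Carry one packet PEa -> ASBRa -> ASBRb -> PEb over the pair-wise bridge."""
    ka, kab, kb = os.urandom(32), os.urandom(32), os.urandom(32)   # constructed keys
    pea = Node("PEa", {"DGVPNa": ka})
    asbra = Node("ASBRa", {"DGVPNa": ka, "PAIR-ab": kab})
    asbrb = Node("ASBRb", {"PAIR-ab": kab, "DGVPNb": kb})
    peb = Node("PEb", {"DGVPNb": kb})

    pkt = pea.encrypt("DGVPNa", plaintext)                          # protected inside domain a
    pkt = asbra.encrypt("PAIR-ab", asbra.decrypt("DGVPNa", pkt))   # re-keyed for the inter-domain link
    pkt = asbrb.encrypt("DGVPNb", asbrb.decrypt("PAIR-ab", pkt))   # re-keyed for domain b
    # All PEb can see about the packet's protection is the key id in the header it receives.
    observed_key_id = pkt[:KEY_ID_LEN].rstrip(b"\0").decode()
    recovered = peb.decrypt("DGVPNb", pkt)
    return {
        "recovered": recovered,
        "observed_by_PEb": observed_key_id,
        "ops": {n.name: n.crypto_ops for n in (pea, asbra, asbrb, peb)},
    }


# Constructed: the only customer prefixes the bridge is meant to carry.
SHARED_PREFIXES = [ipaddress.ip_network("10.1.0.0/16")]


def bridge_admits(dst_ip, allow_list=None):
    """Conventional bridge (allow_list=None): every packet crosses. With an
    allow-list the ASBR drops packets for prefixes outside the shared subset
    before re-encrypting them for the other domain."""
    if allow_list is None:
        return True
    addr = ipaddress.ip_address(dst_ip)
    return any(addr in net for net in allow_list)


if __name__ == "__main__":
    print(bridge_path(b"customer payload"))
    print(bridge_admits("192.168.5.5"), bridge_admits("192.168.5.5", SHARED_PREFIXES))
```

The operation counts returned by `bridge_path` make the cost concrete: the PEs each do one operation while each ASBR does two, and the `observed_by_PEb` field is always the domain-b key identifier, regardless of what happened in domain a. `bridge_admits` is the allow-list check a practitioner would add at the ASBR to stop packets for non-shared prefixes from accidentally crossing the link; the conventional bridge in the text has no such check.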
Service/content providers desire the ability to provide intra-domain security for VPNs that are bounded by their domain and inter-domain security for VPNs that extend beyond the boundaries of their domain.