Virtual Private Networks (VPNs) provide a partitioning mechanism for isolating data transmitted and received between customer network nodes even though a corresponding physical network supporting propagation of the data is shared by many users. The data transmitted between such network nodes may be encrypted to protect against eavesdropping and tampering by unauthorized parties. A typical VPN may include a group, composed of network nodes in several subnets.
In one conventional system, when network nodes within the same group, but in different subnets wish to communicate, the network nodes (or their respective subnet routers) establish a point-to-point secure connection by negotiating a pairwise key for the communication. However, because establishing a pairwise key can require substantial computational resources, a Dynamic Group VPN (DGVPN) may be used instead. With a DGVPN, when network nodes which are members of the same group wish to communicate, no pairwise key is required. Instead, the two network nodes use a shared group key in order to communicate encrypted data. In this approach, a shared key server provides group security policies to nodes within particular groups. When a first network node wishes to communicate with a second node, both nodes being in a shared group, each node should have the group security policy from the shared key server. The security policy includes a group ID, a set of subnet prefixes identifying members of the group, and a group key. When the first node communicates with the second node, the first node determines if the first and the second node are in a shared group, by determining if there is a group ID in its routing table corresponding to the subnet prefix of the second node. If the two nodes are in a common group, the first node encrypts communications to the second node using the group key associated with the group ID. The two nodes may then communicate using that group key. A technique similar to this latter approach is described in co-pending U.S. patent application Ser. No. 10/867,266 (Wainner, et al.), filed Jun. 14, 2004, entitled “System and method for Dynamic Secured Group Communication.”