Computer virtualization is a technique that involves encapsulating a physical computing machine platform into virtual machine(s) executing under control of virtualization software on a hardware computing platform or “host.” A virtual machine provides virtual hardware abstractions for processor, memory, storage, and the like to a guest operating system. The virtualization software, also referred to as a “hypervisor,” includes one or more virtual machine monitors (VMMs) to manage the virtual machine(s). Each virtual machine supports the execution of a guest operating system (OS) and software on top of the guest OS.
Computer virtualization is used within data centers to provide software-defined compute resources. Other infrastructure that is typically implemented in dedicated hardware, including networking infrastructure, can also be virtualized in a data center. Network virtualization encapsulates physical network hardware into virtualized networks controlled by virtualization software on a hardware computing platform. A virtualized network provides software containers that implement logical network components, such as switches, routers, firewalls, load balancers, virtual private networks (VPNs), and the like. Virtualized networks can employ distributed network encryption (DNE) to encrypt network traffic between distributed logical network components. A DNE service can be implemented using VPNs.
VPNs are often used to securely share data between network nodes over a public network, such as the Internet. VPNs encapsulate data communications, such as Internet Protocol (IP) packets, between nodes via the public network. A traditional VPN employs a point-to-point key negotiation between a pair of nodes to establish a tunnel (referred to herein as a “session”). For each session, the two nodes establish a security association (SA) that defines the authentication and encryption algorithms, the key exchange mechanism, and the rules for secure communication over that session. However, key management for traditional VPNs is not scalable: because each SA is negotiated per pair of nodes, the number of SAs that must be established and maintained grows with the number of node pairs and becomes burdensome in large networks. Virtualized networks can include a large number of logical network components, making the implementation of DNE services using traditional VPNs too complex and burdensome.