Understanding Rekey Messages

If the group is configured for server-member communications (see Understanding Server-Member Communication ), the server periodically sends SA and key refreshes to group members with rekey (GDOI groupkey-push) messages. Rekey messages are sent before SAs expire; this ensures that valid keys are available for encrypting traffic between group members.

The server also sends rekey messages to provide new keys to members when there is a change in group membership or the group SA has changed (for example, a group policy is added or deleted).

Server-member communications options must be configured on the server to allow the server to send rekey messages to group members. These options specify the type of message and the intervals at which the messages are sent, as explained in the following sections:

• Types of Rekey Messages
• Rekey Intervals

Types of Rekey Messages

There are two types of rekey messages:

• Unicast rekey messages—The group server sends one copy of the rekey message to each group member. Upon receipt of the rekey message, members must send an acknowledgment (ACK) to the server. If the server does not receive an ACK from a member (including retransmission of rekey messages), the server considers the member to be inactive and removes it from the membership list. The server stops sending rekey messages to the member.

  The number-of-retransmission and retransmission-period configuration statements for server-member communications control the resending of rekey messages by the server when no ACK is received from a member.

• Multicast rekey messages—The group server sends one copy of the rekey message from the specified outgoing interface to the configured multicast group address. Members do not send acknowledgment of receipt of multicast rekey messages. The registered membership list does not necessarily represent active members because members might drop out after initial registration. All members of the group must be configured to support multicast messages.

  Note: IP multicast protocols must be configured to allow delivery of multicast traffic in the network. For detailed information about configuring multicast protocols on Juniper Networks devices, see the Junos Multicast Protocols Configuration Guide.

Rekey Intervals

The interval at which the server sends rekey messages is calculated based on the values of the lifetime-seconds and activation-time-delay configuration statements at the [edit security group-vpn server group] hierarchy. The interval is calculated as lifetime-seconds minus 4*(activation-time-delay).

The lifetime-seconds for the KEK is configured as part of the server-member communications; the default is 3600 seconds. The lifetime-seconds for the TEK is configured for the IPsec proposal; the default is 3600 seconds. The activation-time-delay is configured for the group on the server; the default is 15 seconds. Using the default values for lifetime-seconds and activation-time-delay, the interval at which the server sends rekey messages is 3600 minus 4*15, or 3540 seconds.

Related Topics

• Junos OS Feature Support Reference for SRX Series and J Series Devices
• Understanding the GDOI Protocol
• Understanding Group Servers and Members
• Understanding Group Keys
• Understanding Key Activation
• Understanding Member Reregistration
• Group VPN Configuration Overview