Understanding the GDOI Protocol

Group VPN is based on RFC 3547, The Group Domain of Interpretation (GDOI). This RFC describes the protocol between group members and a group server to establish SAs among group members. GDOI messages create, maintain, or delete SAs for a group of devices. The GDOI protocol runs on port 848.

The Internet Security Association and Key Management Protocol (ISAKMP) defines two negotiation phases to establish SAs for an AutoKey IKE IPsec tunnel. Phase 1 allows two devices to establish an ISAKMP SA. Phase 2 establishes SAs for other security protocols, such as GDOI.

With group VPN, Phase 1 ISAKMP SA negotiation is performed between a group server and a group member. The server and member must use the same ISAKMP policy. In Phase 2, GDOI exchanges between the server and member establish the SAs that are shared with other group members. A group member does not need to negotiate IPsec with other group members. GDOI exchanges in Phase 2 must be protected by ISAKMP Phase 1 SAs.

There are two types of GDOI exchanges:

• The groupkey-pull exchange allows a member to request SAs and keys shared by the group from the server.
• The groupkey-push exchange is a single rekey message that allows the server to send group SAs and keys to members before existing group SAs expire. Rekey messages are unsolicited messages sent from the server to members.

Related Topics

• JUNOS Software Feature Support Reference for SRX Series and J Series Devices
• Group VPN Overview
• Understanding IKE and IPsec Packet Processing
• Understanding Group Servers and Members
• Understanding Group Keys
• Understanding Rekey Messages
• Understanding Member Reregistration
• Understanding Key Activation