Title of invention: Nested independent virtual private networks with shared rekey and consistency services
Abstract: First and second nested virtual private networks share a common rekey service. A first key server generates first cryptographic keys and policies for use by gateways of the VPN to encrypt and decrypt data packets. The key server establishes a connection with a second key server to generate second cryptographic keys and policies independently of the first key server for use by encryption units of a second VPN that is nested with and operates independently of the first VPN. The first key server refreshes the first cryptographic keys in the first VPN gateways using a common rekey service, and cooperates with the second key server to refresh the second cryptographic keys in the second VPN encryption units using the common rekey service.
Publication number: US9374340(B2) Publication date: 2016.06.21
Application number: US201414257047 Filing date: 2014.04.21
Applicant: Cisco Technology, Inc. Inventors: Xu Hong; Weis Brian; Chu Jie; Rowles Sheela
Classification: G06F21/00; H04L29/06 Main classification: G06F21/00
Agency: Edell, Shapiro & Finnan, LLC Agent: Edell, Shapiro & Finnan, LLC
Independent claim: 1. A method of using a common rekey service shared between nested Virtual Private Networks (VPNs) to simplify cryptographic key management, comprising: at a first key server configured to generate first cryptographic keys and policies for gateways of a first VPN that are configured to encrypt and decrypt data packets based on the first cryptographic keys and policies: establishing a connection with a second key server configured to generate second cryptographic keys and policies independently of the first key server for encryption units of a second VPN that is nested with and operates independently of the first VPN, wherein the encryption units are configured to encrypt and decrypt data packets based on the second cryptographic keys and policies; refreshing the first cryptographic keys in the first VPN gateways by generating updated first cryptographic keys and distributing, via at least one of the second VPN encryption units, the updated first cryptographic keys to the first VPN gateways using the common rekey service; and refreshing the second cryptographic keys in the second VPN encryption units by receiving updated second cryptographic keys from the second key server and distributing, via at least one of the first VPN gateways, the updated second cryptographic keys to the second VPN encryption units using the common rekey service.
Address: San Jose CA US