Cisco has announced a brand new "tunnel-less" VPN technology, which it will tout as a long-term replacement for conventional IPSec VPNs.
Called GET-VPN (Group Encrypted Transport VPN), the system can be added to the company’s 800, 1800, 2800 and 3800 series ISR (integrated service routers) routers as a software module upgrade. In reality, the arguments in favour of the new design are complex but probably compelling in the long term - at least for companies already using Cisco gear.
Being a point-to-point tunnelling design, IPSec creates overlay routing complexity, the so-called "N squared mesh" problem, whereby every point must be prepared to communicate directly with every other IPSec destination via an encrypted channel. This causes problems when attempting to enforce quality of service (QoS) using native routing schemes such as MPLS (multi-protocol label switching).
GET-VPN, by contrast, abandons this scheme in favour of building an abstraction layer into each router, a sort of routing "cloud". An application or device requiring a secure connection to another point can do so simply by sending data across this cloud in a way that preserves the IP source and destination address as only the data payload is actually encrypted. Hence, layer 3 routing is maintained, and no special tunnels need be set up.
Apart from removing the need for complicated IPSec VPNs, the upside is that quality of service can be set up using the same set of MPLS policies as it would were the communication between two points on the same LAN, great for video and Voice. The catch - if it’s fair to call it that - is that each router must be part of the same trusted zone, and that means that, for now, they must all have a Cisco badge on them.
The short-term impact of the new system is likely to be small as few companies that have invested time setting up IPSec communications will be willing to rip it all down to migrate to a totally new approach. However, as QoS-sensitive applications such as video and voice spread, GET-VPN will start to gain momentum.
"There is pent up demand from enterprises for a solution which allows them to encrypt traffic running over multi-protocol label switching VPNs in order to meet the pressures of regulatory compliance. Existing tunnel based encryption techniques make this difficult to do without sacrificing the quality of service (QoS) and meshing capabilities of these services," Cisco quoted Neil Rickard of Gartner as saying of the technology.
Although Cisco-only for now, A Cisco UK spokesman confirmed that the standard has been submitted to the IETF in the hope that it will become adopted industry-wide, at which point IPSec’s days will be numbered.
The Cisco GET VPN solution is available from this month as part of Cisco IOS 12.4(11)T on Cisco ISRs, as well as Cisco 7301 and Cisco 7200 series units. Further information on the ISR range can be found on Cisco’s website.