AES-256-GCM has built-in integrity verification (the GCM authentication tag), so no separate hash is needed
Anti-replay protection is enabled
Key negotiation
No ISAKMP
Each WAN Edge generates an AES-256 key per transport and advertises it to vSmart across its control-plane (DTLS/TLS) tunnel
Keys are regenerated every 24 hours; the rekey timer can be tuned
Symmetric keys used in an asymmetric fashion
Example: data going from cEdge1 to cEdge2. cEdge1 learns cEdge2's key via OMP and uses it to encrypt; cEdge2 then uses its own key to decrypt.
Pairwise keys
Additional security, since the same key isn't used across all devices for encryption/decryption
Each WAN Edge generates a key per transport and per peer and advertises it to vSmart
Example: cEdge1 sending data to cEdge2 would use the cEdge1-2 key; cEdge3->cEdge2 would use the cEdge3-2 key
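The two keying models above (one key per transport, then pairwise keys per transport and per peer), together with the AES-256-GCM integrity check and the anti-replay check from the top of the notes, as an added simulation in Go. This is illustrative code written for these notes, not Cisco's implementation and not any real OMP or IPsec packet format: the KeyStore, Edge and Packet types, the "owner|transport|peer" key naming, the decimal sequence number used as GCM additional data, and the single-counter "highest sequence seen" replay check (a real data plane uses per-tunnel counters and a sliding window) are all constructed here. The pairwise lookup assumes the "cEdge1-2 key" of the notes is the key cEdge2 generated for traffic arriving from cEdge1, and that a sender falls back to the receiver's global per-transport key when no pairwise key has been advertised.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for vSmart (every key the edges have advertised) and, per edge,
// for the keys that edge generated itself. peer == "" marks the owner's global
// per-transport key; any other peer marks a pairwise key. Constructed for this example.
type KeyStore struct{ keys map[string][]byte }

func NewKeyStore() *KeyStore { return &KeyStore{keys: map[string][]byte{}} }

func keyID(owner, transport, peer string) string { return owner + "|" + transport + "|" + peer }
func (s *KeyStore) Put(owner, transport, peer string, key []byte) { s.keys[keyID(owner, transport, peer)] = key }

// Lookup returns the key a peer must use toward owner on transport.
func (s *KeyStore) Lookup(owner, transport, peer string) ([]byte, error) {
	for _, p := range []string{peer, ""} { // pairwise key first, then the global one
		if k, ok := s.keys[keyID(owner, transport, p)]; ok {
			return k, nil
		}
	}
	return nil, fmt.Errorf("no key from %s on transport %s", owner, transport)
}

type Edge struct {
	Name    string
	own     *KeyStore         // keys this edge generated; used only to decrypt
	seq     uint64            // outgoing counter (simplified: one per edge, not per tunnel)
	highest map[string]uint64 // anti-replay: last accepted sequence number per sender
}

func NewEdge(name string) *Edge { return &Edge{Name: name, own: NewKeyStore(), highest: map[string]uint64{}} }

// GenerateKey makes a fresh AES-256 key for transport (for one peer if peer != ""), keeps it locally and advertises it to vsmart.
func (e *Edge) GenerateKey(vsmart *KeyStore, transport, peer string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	e.own.Put(e.Name, transport, peer, key)
	vsmart.Put(e.Name, transport, peer, key)
	return nil
}

type Packet struct {
	Transport, Sender string
	Seq               uint64 // sent in clear, but bound into the GCM tag as additional data
	Nonce, Body       []byte // Body = ciphertext || 16-byte GCM tag
}

func aeadFor(s *KeyStore, owner, transport, peer string) (cipher.AEAD, error) {
	key, err := s.Lookup(owner, transport, peer)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Send encrypts toward receiver with the RECEIVER's key as learned from vsmart.
func (e *Edge) Send(vsmart *KeyStore, receiver, transport string, plaintext []byte) (*Packet, error) {
	aead, err := aeadFor(vsmart, receiver, transport, e.Name)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	e.seq++
	body := aead.Seal(nil, nonce, plaintext, []byte(fmt.Sprint(e.seq)))
	return &Packet{Transport: transport, Sender: e.Name, Seq: e.seq, Nonce: nonce, Body: body}, nil
}

// Receive decrypts with the edge's OWN key and drops replays; the replay record only advances after the tag verifies.
func (e *Edge) Receive(p *Packet) ([]byte, error) {
	if p.Seq <= e.highest[p.Sender] {
		return nil, fmt.Errorf("anti-replay: seq %d from %s already accepted", p.Seq, p.Sender)
	}
	aead, err := aeadFor(e.own, e.Name, p.Transport, p.Sender)
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, p.Nonce, p.Body, []byte(fmt.Sprint(p.Seq)))
	if err != nil {
		return nil, fmt.Errorf("integrity check failed: %w", err)
	}
	e.highest[p.Sender] = p.Seq
	return plain, nil
}
```

Because the sender always fetches the receiver's key from vSmart and the receiver only ever opens packets with keys it generated itself, a packet keyed for cEdge2 fails the GCM tag check on any other edge, and a captured packet re-delivered to cEdge2 is refused by the sequence check before decryption is attempted. Advertising a pairwise key for cEdge1 changes what cEdge1 encrypts with without touching what cEdge3 uses.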