Group member recovery techniques

US9832175B2 · US · B2

Patent metadata
Publication number: US-9832175-B2
Application number: US-201615230924-A
Country: US
Kind code: B2
Filing date: Aug 8, 2016
Priority date: Apr 9, 2014
Publication date: Nov 28, 2017
Grant date: Nov 28, 2017

How to read this patent

A practical reading order for non-experts. Skip the full description unless you need deep technical detail.

  1. Title

    What the patent document calls the invention.

  2. Abstract

    A short plain-language summary of the technical disclosure.

  3. Assignees and inventors

    Who owns or filed the patent and who is credited as inventor.

  4. Key dates

    Filing, priority, publication, and grant dates set the timeline.

  5. First independent claim

    The legal scope of protection — read this for what is actually claimed.

  6. CPC / IPC classifications

    Technology tags used to group this patent with similar filings.

  7. Citations and related patents

    Prior art links and similar publications in this corpus.

Abstract

Official abstract text for this publication.

Techniques are presented for optimizing secure communications in a network. As disclosed herein, a key server is configured to provision a plurality of routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value, together with the security association, to the plurality of routers that are part of the virtual private network to enable them to exchange encrypted packets with each other in the virtual private network using the key value and the security association. The key server then increments the counter value to a value within a range of counter values capable of being predicted by the plurality of routers that received the key value.

First claim

Opening claim text (preview).

What is claimed is:

1. A method comprising: at a key server configured to provision a plurality of routers that are part of a virtual private network, selecting a counter value that is part of a security association, wherein the counter value is selected from a range of counter values and a maximum size value of the range of counter values is based on a number of bits in the counter value; determining whether the counter value is lower than the maximum size value; in response to determining that the counter value is lower than the maximum size value, determining a Security Parameter Index (“SPI”) value as a key value; sending the key value together with the security association to the plurality of routers such that the plurality of routers are able to exchange encrypted packets with each other in the virtual private network using the key value and the security association; and incrementing the counter value to a value within a range of counter values capable of being predicted by the plurality of routers that receive the key value.

2. The method of claim 1, wherein sending comprises sending the key value to one or more of the plurality of routers that is part of the virtual private network to enable at least one router that is part of the virtual private network, but that has not received the key value, to determine the key value.

3. The method of claim 1, further comprising sending an updated security association with the incremented counter value to the plurality of routers that are part of the virtual private network.

4. The method of claim 3, further comprising: receiving a request from one or more of the plurality of routers for the updated security association; and providing the updated security association to the one or more of the plurality of routers in response to the request.

5. The method of claim 1, wherein determining an SPI value further comprises selecting an SPI value that reduces the likelihood that a group member associated with the plurality of routers will detect a false-positive SPI value.

6. The method of claim 1, wherein determining an SPI value further comprises performing an encoding operation using the counter value and a fixed value that is a function of a value associated with the virtual private network.

7. The method of claim 6, wherein the encoding operation is a block cipher operation.

8. The method of claim 1, further comprising: determining whether the SPI value is greater than a predetermined number; and if it is determined that the SPI value is greater than the predetermined number, associating the SPI value with the security association.

9. The method of claim 8, further comprising: if it is determined that the SPI value is less than or equal to the predetermined number, incrementing the counter value; and determining whether the counter value is greater than the maximum size value, and if so, resetting the counter value to zero.

10. The method of claim 1, wherein sending comprises sending the key value together with the security association to the plurality of routers using an Internet Key Exchange (“IKE”) protocol.

11. An apparatus comprising: a network interface unit configured to send and receive messages in a network; and a processor coupled to the network interface unit, and configured to: select a counter value that is part of a security association, wherein the counter value is selected from a range of counter values and a maximum size value of the range of counter values is based on a number of bits in the counter value; determine whether the counter value is lower than the maximum size value; in response to determining that the counter value is lower than the maximum size value, determine a Security Parameter Index (“SPI”) value as a key value; send the key value together with the security association to a plurality of routers that are part of a virtual private network such that the plurality of routers are able to exchange encrypted packets with each other in the virtual private network using the key value and the security association; and increment the counter value to a value within a range of counter values capable of being predicted by the plurality of routers that receive the key value.

12. The apparatus of claim 11, wherein the processor is further configured to send the key value to one or more of the plurality of routers that is part of the virtual private network to enable at least one router that is part of the virtual private network, but that has not received the key value, to determine the key value.

13. The apparatus of claim 11, wherein the processor is further configured to send an updated security association with the incremented counter value to the plurality of routers that are part of the virtual private network.

14. The apparatus of claim 13, wherein the processor is further configured to: receive a request from one or more of the plurality of routers for the updated security association; and provide the updated security association to the one or more of the plurality of routers in response to the request.

15. A non-transitory processor readable medium storing instructions that, when executed by a processor, cause the processor to: select a counter value that is part of a security association, wherein the counter value is selected from a range of counter values and a maximum size value of the range of counter values is based on a number of bits in the counter value; determine whether the counter value is lower than the maximum size value; in response to determining that the counter value is lower than the maximum size value, determine a Security Parameter Index (“SPI”) value as a key value; send the key value together with the security association to a plurality of routers that are part of a virtual private network, such that the plurality of routers are able to exchange encrypted packets with each other in the virtual private network using the key value and the security association; and increment the counter value to a value within a range of counter values capable of being predicted by the routers that receive the key value.

16. The processor readable medium of claim 15, wherein the instructions are further operable to cause the processor to send the key value to one or more of the plurality of routers that is part of the virtual private network to enable at least one router that is part of the virtual private network, but that has not received the key value, to determine the key value.

17. The processor readable medium of claim 15, wherein the instructions are further operable to cause the processor to send an updated security association with the incremented counter value to the plurality of routers that are part of the virtual private network.

18. The processor readable medium of claim 17, wherein the instructions are further operable to cause the processor to: receive a request from one or more of the plurality of routers for the updated security association; and provide the updated security association to the one or more routers of the plurality of routers in response to the request.
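The claims above describe a procedure rather than code, so the following is an added worked example written for this page; it is not Cisco's implementation and not code from the patent. It models claims 1, 2, 6, 8 and 9 as a small simulation: the key server derives each SPI by applying a keyed permutation to a counter, rejects SPIs at or below a "predetermined number", advances the counter, and wraps it when the range is exhausted; a group member that missed a rekey predicts the next few SPIs from its last known counter and recognises the one the server actually issued. Everything not stated in the claims is an assumption made here: a 32-bit counter, 255 as the predetermined number (the SPI values IPsec reserves), SHA-256 over a constructed VPN identifier as the "fixed value" of claim 6, a 4-round HMAC-based Feistel permutation standing in for the block cipher of claim 7, and a prediction window of 8 counter values.

```python
"""Simulation of SPI-from-counter group key provisioning (added example, not the patent's own code)."""
import hashlib
import hmac

COUNTER_BITS = 32              # assumption: 32-bit counter; claim 1 ties the range size to the bit count
MAX_SIZE = 1 << COUNTER_BITS   # the "maximum size value" of the counter range
RESERVED_SPI_MAX = 255         # assumption for the "predetermined number" of claim 8 (IPsec reserves SPIs 0-255)
FEISTEL_ROUNDS = 4


def group_fixed_value(vpn_id: bytes) -> bytes:
    """Claim 6: a fixed value that is a function of a value associated with the VPN (hash chosen as an assumption)."""
    return hashlib.sha256(b"group-spi-fixed-value|" + vpn_id).digest()


def _round_function(key: bytes, half: int, round_no: int) -> int:
    """HMAC-SHA256 truncated to 16 bits; keyed by the group's fixed value."""
    digest = hmac.new(key, bytes([round_no]) + half.to_bytes(2, "big"), "sha256").digest()
    return int.from_bytes(digest[:2], "big")


def encode_counter(fixed: bytes, counter: int) -> int:
    """Claim 7 calls for a block cipher; this keyed 32-bit Feistel permutation stands in for it (assumption).

    Being a permutation, it maps distinct counters to distinct SPI values, which is what lets a
    member identify the counter from an observed SPI without ambiguity inside its window.
    """
    left, right = counter >> 16, counter & 0xFFFF
    for i in range(FEISTEL_ROUNDS):
        left, right = right, left ^ _round_function(fixed, right, i)
    return (left << 16) | right


class KeyServer:
    """Holds the group counter and derives the SPI sent with each security association."""

    def __init__(self, vpn_id: bytes, counter: int = 0):
        self.fixed = group_fixed_value(vpn_id)
        self.counter = counter

    def next_security_association(self) -> dict:
        """Claims 1, 8 and 9: derive an acceptable SPI, then advance the counter to the next predictable value."""
        while True:
            if not self.counter < MAX_SIZE:      # claims 1/9: counter outside the range -> reset to zero
                self.counter = 0
            spi = encode_counter(self.fixed, self.counter)
            used_counter = self.counter
            self.counter += 1                    # claim 1: members can predict this increment
            if spi > RESERVED_SPI_MAX:           # claim 8: only SPIs above the predetermined number are used
                return {"spi": spi, "counter": used_counter}
            # claim 9: SPI fell in the reserved range; loop again with the incremented counter


class GroupMember:
    """A router that may have missed a rekey; it predicts the SPIs the server could issue next (claim 2)."""

    def __init__(self, vpn_id: bytes, counter: int, window: int = 8):
        self.fixed = group_fixed_value(vpn_id)
        self.counter = counter
        self.window = window

    def predicted_spis(self) -> dict:
        """SPI -> counter for the next `window` counter values that would pass the claim 8 check."""
        table, c = {}, self.counter
        while len(table) < self.window:
            spi = encode_counter(self.fixed, c % MAX_SIZE)
            if spi > RESERVED_SPI_MAX:
                table[spi] = c % MAX_SIZE
            c += 1
        return table

    def recover(self, observed_spi: int):
        """Return the counter behind an observed SPI and resync, or None if it is outside the window.

        A small window is the claim 5 trade-off: the fewer SPIs a member will accept as "its own",
        the less likely an unrelated SPI is mistaken for a missed rekey (a false positive).
        """
        table = self.predicted_spis()
        if observed_spi not in table:
            return None
        self.counter = table[observed_spi] + 1
        return table[observed_spi]


if __name__ == "__main__":
    vpn = b"constructed-vpn-group-1"            # constructed identifier, not a real group
    server = KeyServer(vpn, counter=100)
    member = GroupMember(vpn, counter=100)
    issued = [server.next_security_association() for _ in range(3)]
    latest = issued[-1]                         # assume the member missed the two earlier rekeys
    print("member recovers counter", member.recover(latest["spi"]), "from SPI", hex(latest["spi"]))
```

Run as a script, the member that last saw counter 100 recognises the third SPI the server issued and resynchronises its counter to one past it. In a real deployment the block cipher, counter width and reserved-range threshold would be fixed by the protocol, and the window size is the parameter a defender tunes: widening it lets a member survive more missed rekeys, narrowing it reduces the false-positive acceptance that claim 5 is concerned with.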

Assignees

Cisco Tech Inc
Inventors

Classifications

  • for supporting key management in a packet data network (cryptographic mechanisms or cryptographic arrangements for key management H04L9/08) · CPC title

  • H04L63/061 (Primary): for key exchange, e.g. in peer-to-peer networks (cryptographic mechanisms or cryptographic arrangements for key agreement H04L9/0838) · CPC title

  • Virtual private networks · CPC title

  • Grouping of entities · CPC title

  • wherein the data content is protected, e.g. by encrypting or encapsulating the payload · CPC title

Patent family

Related publications grouped by family.

External sources

Frequently asked questions

Answers are generated from the same data shown on this page.

What does patent US9832175B2 cover?
Techniques are presented for optimizing secure communications in a network. As disclosed herein, a key server is configured to provision a plurality of routers that are part of a virtual private network. The key server selects a counter value that is part of a security association and calculates a key value. The key server sends the key value, together with the security association, to the plur…
Who is the assignee on this patent?
Cisco Tech Inc
What technology area does this patent fall under?
Primary CPC classification H04L63/061. Mapped technology areas include Electricity.
When was this patent published?
Publication date Nov 28, 2017 (B2). Legal status and post-grant events are not shown on this page.
What related patents are in patentsdb?
We list 1 related publication on this page (citations in our corpus or others sharing the same primary CPC).