Secure DataPlane Bringup
Once all the Viptela devices are available and part of the overlay network, DTLS tunnels are created between all the Viptela devices, and control plane information is shared over them. For data traffic, a separate one-to-one IPsec tunnel is formed between each pair of vEdge devices, and data is sent over it encrypted.
An overview of the DTLS and IPsec tunnels is shown in the figure below.
Centralized Encryption Key Distribution
To build the secure data plane, the following key distribution takes place between the vEdge routers and the vSmart Controller:
- Each vEdge advertises its own AES256 IPSec encryption key in control plane updates
- IPSec encryption keys are distributed by the vSmart Controllers
- IPSec encryption keys are frequently rotated (default 2h)
Traffic Encryption Data Privacy
Each site's vEdge router holds the remote site's IPsec key, and as soon as the IPsec tunnel is created, data destined for that site is encrypted with the remote site's IPsec key and sent over the tunnel.
The following are used for encryption:
- Strong IPSec AES256 ESPv3 encryption
- Symmetric keys used asymmetrically
- HMAC SHA-1 hashing
Over the tunnel, liveliness messages are echoed bi-directionally. This detects loss, latency, jitter and max MTU for the IPsec tunnels between all vEdge routers, and helps make forwarding decisions based on actual underlying transport performance.
Tunnel Liveliness Detection
BFD packets are bi-directionally echoed between two vEdges.
IPsec Security Associations stay up as long as the periodic BFD messages succeed; there is no idle SA timeout.
Path Quality and Liveliness Detection
- Each vEdge router sends BFD hello packets for path quality and liveliness detection. The packets are echoed back by the remote site
- The hello interval and multiplier determine how many BFD packets need to be lost to declare the IPsec tunnel down
- The number of hello intervals that fit inside the poll interval determines the number of BFD packets considered for establishing the poll-interval average path quality
- The app-route multiplier determines the number of poll intervals used for establishing the overall average path quality
vEdge routers continuously perform path liveliness and quality measurements. On vManage, the following App-Aware Routing policy is configured and is shared with vSmart:
- App A path must have:
- Latency < 150ms
- Loss < 2%
- Jitter < 10ms
Based on the App policy, the vEdge selects the path according to the policy calculation. The measured paths are:
- Path1: 100ms, 0% loss, 5ms jitter
- Path2: 140ms, 1% loss, 10ms jitter
- Path3: 200ms, 3% loss, 10ms jitter
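The following is an added example (not Viptela code) that models the BFD and app-route calculation described above: hellos per poll interval, the tunnel-down decision from the multiplier, the per-poll and overall averages, and the SLA check applied to the three measured paths. The timer values are assumptions chosen for the example, the jitter calculation is a simplification, and the SLA comparisons are the strict "less than" comparisons the policy states, so a path measured at exactly 10 ms jitter does not meet the App A jitter threshold as written.

```python
from statistics import mean

# Timer values assumed for this example; they are not stated on the page.
HELLO_INTERVAL_MS = 1000        # one BFD hello per second per tunnel
BFD_MULTIPLIER = 7              # consecutive lost hellos before the tunnel is declared down
POLL_INTERVAL_MS = 600_000      # one app-route poll interval (10 minutes)
APP_ROUTE_MULTIPLIER = 6        # poll intervals averaged for the overall path quality

# SLA for "App A" exactly as the policy states it (strict "less than" comparisons).
APP_A_SLA = {"latency_ms": 150, "loss_pct": 2, "jitter_ms": 10}


def hellos_per_poll(hello_ms=HELLO_INTERVAL_MS, poll_ms=POLL_INTERVAL_MS):
    """Number of BFD hellos (quality samples) that fit inside one poll interval."""
    return poll_ms // hello_ms


def tunnel_down(consecutive_missed, multiplier=BFD_MULTIPLIER):
    """BFD declares the IPsec tunnel down once `multiplier` hellos in a row are lost."""
    return consecutive_missed >= multiplier


def poll_stats(echo_rtts):
    """Loss, latency and jitter over one poll interval.

    `echo_rtts` holds one entry per hello sent: the round-trip time in ms of the
    echoed packet, or None when no echo came back. Jitter is taken here as the
    mean absolute difference between consecutive RTTs (a simplification).
    """
    sent = len(echo_rtts)
    received = [r for r in echo_rtts if r is not None]
    loss_pct = 100.0 * (sent - len(received)) / sent
    if not received:
        return {"latency_ms": float("inf"), "loss_pct": loss_pct, "jitter_ms": float("inf")}
    jitter = (mean(abs(a - b) for a, b in zip(received, received[1:]))
              if len(received) > 1 else 0.0)
    return {"latency_ms": mean(received), "loss_pct": loss_pct, "jitter_ms": jitter}


def overall_quality(poll_results, multiplier=APP_ROUTE_MULTIPLIER):
    """Overall path quality: per-metric mean of the last `multiplier` poll intervals."""
    recent = poll_results[-multiplier:]
    return {k: mean(p[k] for p in recent) for k in ("latency_ms", "loss_pct", "jitter_ms")}


def meets_sla(quality, sla):
    """True when every measured metric is strictly below the SLA threshold."""
    return all(quality[k] < sla[k] for k in sla)


def select_paths(sla, paths):
    """Names of the paths that meet the SLA, lowest latency first."""
    eligible = [name for name, q in paths.items() if meets_sla(q, sla)]
    return sorted(eligible, key=lambda n: paths[n]["latency_ms"])


# The three measured paths listed above.
MEASURED_PATHS = {
    "Path1": {"latency_ms": 100, "loss_pct": 0, "jitter_ms": 5},
    "Path2": {"latency_ms": 140, "loss_pct": 1, "jitter_ms": 10},
    "Path3": {"latency_ms": 200, "loss_pct": 3, "jitter_ms": 10},
}

if __name__ == "__main__":
    print("hellos per poll interval:", hellos_per_poll())
    # Constructed sample: five hellos in one poll, one of them lost.
    print("one poll:", poll_stats([100, 110, 100, None, 100]))
    for name, q in MEASURED_PATHS.items():
        print(name, "meets App A SLA:", meets_sla(q, APP_A_SLA))
    print("preferred paths for App A:", select_paths(APP_A_SLA, MEASURED_PATHS))
```

Running the block shows why the boundary matters operationally: Path2 fails only because of the strict jitter comparison, so whether an SLA threshold is "less than" or "less than or equal" decides which tunnels carry the application.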
Anti-Replay Protection / Man-in-the-middle
Encrypted packets are assigned sequence numbers.
- Replayed packet: vEdge routers drop packets with duplicate sequence numbers
- Maliciously injected packet: vEdge routers drop packets with sequence numbers lower than the minimum of the sliding window
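An added example (not Viptela code) of the receiver-side sliding anti-replay window that implements the two drop rules above: a 64-packet window tracked as a bitmap, where a sequence number already marked in the window is dropped as a replay and a sequence number below the window minimum is dropped as stale or injected. The window size and the sample sequence are constructed for the example.

```python
class AntiReplayWindow:
    """Sliding anti-replay window over ESP-style sequence numbers (assumed to start at 1)."""

    def __init__(self, size=64):
        self.size = size
        self.highest = 0   # highest sequence number accepted so far (0 = nothing yet)
        self.bitmap = 0    # bit i set => sequence number (highest - i) was received

    def window_min(self):
        """Lowest sequence number still inside the window."""
        return max(1, self.highest - self.size + 1)

    def check_and_update(self, seq):
        """Return 'accept', 'duplicate' or 'too_old'; accepted numbers are recorded."""
        if seq > self.highest:
            # Slide the window forward; everything that falls off the far end is forgotten.
            shift = seq - self.highest
            if shift >= self.size:
                self.bitmap = 1
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & ((1 << self.size) - 1)
            self.highest = seq
            return "accept"
        offset = self.highest - seq
        if offset >= self.size:
            return "too_old"     # below the window minimum: stale or injected packet
        if self.bitmap & (1 << offset):
            return "duplicate"   # already seen: replayed packet
        self.bitmap |= 1 << offset   # late but genuine out-of-order packet
        return "accept"


def filter_sequence(seqs, size=64):
    """Run a sequence of received sequence numbers through one window; return the verdicts."""
    window = AntiReplayWindow(size)
    return [window.check_and_update(s) for s in seqs]


if __name__ == "__main__":
    # Constructed sample: in-order packets, a replay of 3, reordered 5/4, a replay of 2,
    # a jump to 100, a late 40, then 36 (outside the window) and 37 (just inside it).
    sample = [1, 2, 3, 3, 5, 4, 2, 100, 40, 36, 37]
    for seq, verdict in zip(sample, filter_sequence(sample)):
        print(f"seq {seq:3d}: {verdict}")
```

The window tolerates reordering within its width (packet 4 arriving after 5 is accepted) while still rejecting both replay cases; a larger window trades a little memory for tolerance of more reordering on high-jitter transports.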
Virtual Private Networks (VPNs)
- Isolated virtual private networks across any transport
- VPN mapping is based on physical vEdge router interface, 802.1Q VLAN tag, or a mix of both
- VPN isolation is carried over all transports
In SD-WAN, VPNs provide segmentation, and each VPN has its own forwarding table. An interface or sub-interface is explicitly configured under a single VPN and cannot be part of more than one VPN.
To identify VPN traffic, labels are carried in OMP route attributes and in the packet encapsulation. A VPN ID is a four-byte integer in the range 0 to 65530, and two VPNs are present by default on every vEdge and vSmart Controller: VPN 0 and VPN 512.
VPN 0: the transport VPN. It contains the interfaces on which the WAN transports are connected, and over it the secure DTLS tunnels are created between the vEdge and the vSmart and vBond.
Static routes or dynamic routing protocols are configured under this VPN to obtain the proper next-hop information, so that the control plane can be established and the data plane IPsec tunnels can be created between sites.
VPN 512: the management VPN, used for out-of-band management traffic to Cisco Viptela devices. This VPN is not carried across the overlay.
Other than these two, there are service VPNs, which contain the interfaces connected to the LAN and carry user traffic. Any routing protocol such as OSPF or BGP, as well as VRRP and QoS policies, can be enabled on these VPNs.
User traffic can be directed over the IPSec tunnels to other sites by redistributing OMP routes received from the vSmart controllers at the site into the service-side VPN routing protocol. In turn, routes from the local site can be advertised to other sites by advertising the service VPN routes into the OMP routing protocol, which will be sent to the vSmart controllers and redistributed to the other vEdge routers in the network.
The figure below shows the VPN 0, VPN 512 and service VPN interfaces.
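The following added example (not Viptela code) is a toy model of the VPN segmentation described in this section: one forwarding table per VPN, each interface or 802.1Q sub-interface bound to exactly one VPN, VPN IDs validated against the 0 to 65530 range, a label on decapsulated traffic selecting the VPN whose table is consulted, and only service VPNs (not VPN 0 or VPN 512) contributing routes to OMP. Interface names, prefixes, next hops and label values are constructed for the example.

```python
import ipaddress

VPN_MIN, VPN_MAX = 0, 65530          # VPN ID range stated in the text
TRANSPORT_VPN, MGMT_VPN = 0, 512     # default VPNs present on every vEdge and vSmart


def validate_vpn(vpn):
    """Reject VPN IDs outside the allowed range."""
    if not VPN_MIN <= vpn <= VPN_MAX:
        raise ValueError(f"VPN {vpn} is outside {VPN_MIN}-{VPN_MAX}")
    return vpn


class VEdgeForwarding:
    """Toy vEdge: one forwarding table per VPN, interfaces bound to a single VPN."""

    def __init__(self):
        self.vpn_of_interface = {}                        # "ge0/1" or "ge0/1.20" -> VPN
        self.tables = {TRANSPORT_VPN: [], MGMT_VPN: []}   # VPN -> [(network, next_hop)]
        self.label_to_vpn = {}                            # label in OMP/encapsulation -> VPN

    def bind_interface(self, name, vpn):
        """Map a physical interface or VLAN sub-interface to exactly one VPN."""
        validate_vpn(vpn)
        if name in self.vpn_of_interface and self.vpn_of_interface[name] != vpn:
            raise ValueError(f"{name} already belongs to VPN {self.vpn_of_interface[name]}")
        self.vpn_of_interface[name] = vpn
        self.tables.setdefault(vpn, [])

    def add_route(self, vpn, prefix, next_hop):
        validate_vpn(vpn)
        self.tables.setdefault(vpn, []).append((ipaddress.ip_network(prefix), next_hop))

    def assign_label(self, vpn, label):
        """Label carried with OMP routes and in the packet encapsulation for this VPN."""
        self.label_to_vpn[label] = validate_vpn(vpn)

    def lookup(self, vpn, dst):
        """Longest-prefix match confined to the forwarding table of one VPN."""
        addr = ipaddress.ip_address(dst)
        matches = [(net, nh) for net, nh in self.tables.get(vpn, []) if addr in net]
        if not matches:
            return None
        return max(matches, key=lambda m: m[0].prefixlen)[1]

    def forward_from_lan(self, ingress_if, dst):
        """Traffic entering a service-side interface is looked up only in that interface's VPN."""
        return self.lookup(self.vpn_of_interface[ingress_if], dst)

    def forward_from_tunnel(self, label, dst):
        """Decapsulated tunnel traffic is steered to the VPN named by its label."""
        return self.lookup(self.label_to_vpn[label], dst)

    def omp_advertised_vpns(self):
        """Service VPNs whose routes are advertised into OMP; VPN 0 and VPN 512 are not."""
        return sorted(v for v in self.tables if v not in (TRANSPORT_VPN, MGMT_VPN))


def build_sample():
    """Constructed vEdge configuration used to exercise the model."""
    v = VEdgeForwarding()
    v.bind_interface("ge0/0", TRANSPORT_VPN)   # WAN transport interface
    v.bind_interface("eth0", MGMT_VPN)         # out-of-band management interface
    v.bind_interface("ge0/1", 10)              # physical LAN interface -> VPN 10
    v.bind_interface("ge0/1.20", 20)           # 802.1Q VLAN 20 sub-interface -> VPN 20
    v.add_route(10, "10.1.0.0/16", "10.1.0.1")
    v.add_route(10, "10.1.1.0/24", "10.1.1.1")
    v.add_route(20, "10.1.1.0/24", "192.168.20.1")   # same prefix, different VPN
    v.assign_label(10, 1003)
    v.assign_label(20, 1004)
    return v


if __name__ == "__main__":
    v = build_sample()
    print("VPN 10 -> 10.1.1.5 via", v.forward_from_lan("ge0/1", "10.1.1.5"))
    print("VPN 20 -> 10.1.1.5 via", v.forward_from_lan("ge0/1.20", "10.1.1.5"))
    print("VPN 20 -> 10.1.2.5 via", v.forward_from_lan("ge0/1.20", "10.1.2.5"))
    print("VPNs advertised into OMP:", v.omp_advertised_vpns())
```

The overlapping 10.1.1.0/24 prefix in VPN 10 and VPN 20 is the point of the model: because each VPN has its own table and the lookup never crosses VPNs, the same destination resolves to different next hops per VPN, and a destination known only in VPN 10 is unreachable from VPN 20 rather than leaking across the segment boundary.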