Re: VPN security vs SD-WAN security

Stewart Bryant <> Wed, 25 July 2018 09:55 UTC

Subject: Re: VPN security vs SD-WAN security
To: Robert Raszuk <>
Cc: "" <>
References: <>
From: Stewart Bryant <>
Message-ID: <>
Date: Wed, 25 Jul 2018 10:55:03 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <>
Content-Type: multipart/alternative; boundary="------------35C44D9DC1CC73CB7FCC3C9A"
Content-Language: en-GB
Archived-At: <>
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Routing Area Working Group <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Wed, 25 Jul 2018 09:55:12 -0000

On 25/07/2018 10:40, Robert Raszuk wrote:
> /* Adjusting the subject ... */
> Hello Stewart,
> You have made the below comment in the other thread we are having:
>     Indeed, I would have expected this to be on a secure network of
>     some sort, either purely private or some form of VPN. However, I am
>     sure I read in your text that you were considering using the Public
>     Internet much in the way of SD-WAN.
> Would you mind expanding, as extensively as you can, on the above statement?
> Specifically, on what basis do you treat, say, L2VPN or L3VPN of naked
> unencrypted packets, often traveling on the very same links as this
> "bad" Internet traffic, to be even slightly more secure than IPSEC or
> DTLS encrypted SD-WAN carried data with endpoints being terminated in
> private systems?
> Thx,
> Robert

Robert, I think that you have to take it as read that an air traffic 
control SoF system is encrypting its packets. If it is not, then it is 
clearly not fit for purpose.

What concerns me is that an air traffic system is one of the most, if 
not the most, high profile targets in civil society. You get reminded of 
this each time you travel to IETF.

The thing about safety of flight traffic is that a sustained and 
effective DDoS attack has global impact in a way that few other such 
attacks have.

A VPN system ought to sustain resistance to such an attack better than 
the proposed system which treats the SoF traffic the same as regular 

- Stewart