Re: VPN security vs SD-WAN security

Robert Raszuk <robert@raszuk.net> Wed, 25 July 2018 12:24 UTC

In-Reply-To: <5D10C0C4-B93D-463F-A071-EEA6F35506CD@cisco.com>
References: <CA+b+ERmfOaFMURD2eNPScs2SZ88rOEfGXZZJsqGDWX3M6bTY-g@mail.gmail.com> <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com> <5D10C0C4-B93D-463F-A071-EEA6F35506CD@cisco.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 25 Jul 2018 14:24:24 +0200
Message-ID: <CA+b+ERkqrr4Wr+Wy9q81SpyWi7H1s=z_RAvbc3Rbddvpgb7Xpg@mail.gmail.com>
Subject: Re: VPN security vs SD-WAN security
To: "Acee Lindem (acee)" <acee@cisco.com>
Cc: Stewart Bryant <stewart.bryant@gmail.com>, "rtgwg@ietf.org" <rtgwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/S32gM7QdEySj5xai0koSFdo3xHU>
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>

True network slicing for IP networks means either a waste of resources or
very strict multi-level queuing at each hop and 100% ingress traffic
policing. Yet while this has a chance to work during normal operation, at
the time of even regular failures this all pretty much melts like cheese on
a good sandwich.

It is going to be very interesting to compare how a single complex sliced
network compares, for any end-to-end robust transport, with N normal simple
IP backbones and end-to-end SLA-based millisecond switchover between one
and another on a per-flow basis. Also let's note that while the former is
still, to the best of my knowledge, a draft, the latter is already deployed
globally in 100s of networks.

Best,
R.


On Wed, Jul 25, 2018 at 1:21 PM, Acee Lindem (acee) <acee@cisco.com> wrote:

> *From: *rtgwg <rtgwg-bounces@ietf.org> on behalf of Stewart Bryant <stewart.bryant@gmail.com>
> *Date: *Wednesday, July 25, 2018 at 5:55 AM
> *To: *Robert Raszuk <robert@raszuk.net>
> *Cc: *Routing WG <rtgwg@ietf.org>
> *Subject: *Re: VPN security vs SD-WAN security
>
> On 25/07/2018 10:40, Robert Raszuk wrote:
>
> /* Adjusting the subject ... */
>
> Hello Stewart,
>
> You have made the below comment in the other thread we are having:
>
> Indeed, I would have expected this to be on a secure network of some sort
> either purely private or some form of VPN. However, I am sure I read in
> your text that you were considering using the Public Internet much in the
> way of SD-WAN.
>
> Would you mind as extensively as you can expand on the above statement?
>
> Specifically, on what basis do you treat say L2VPN or L3VPN of naked
> unencrypted packets often traveling on the very same links as this "bad"
> Internet traffic to be even slightly more secure than IPsec or DTLS
> encrypted SD-WAN carried data with endpoints being terminated in private
> systems?
>
> Thx,
> Robert
>
> Robert, I think that you have to take it as read that an air traffic
> control SoF system is encrypting its packets. If it is not, then it is
> clearly not fit for purpose.
>
> What concerns me is that an air traffic system is one of the most, if not
> the most, high profile targets in civil society. You get reminded of this
> each time you travel to IETF.
>
> The thing about safety of flight traffic is that a sustained and effective
> DDoS attack has global impact in a way that few other such attacks have.
>
> A VPN system ought to sustain resistance to such an attack better than the
> proposed system which treats the SoF traffic the same as regular traffic.
>
> I guess you are making a case for your network slicing work 😉
>
> Acee
>
> - Stewart
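An added example, not code from Robert, Stewart, Acee, or any product or draft mentioned in the thread, of the second alternative Robert describes: several plain IP backbones, each probed independently, with an individual flow moved to another backbone as soon as its own SLA is breached. The backbone names (A, B, C), the SLA thresholds, the probe results and the hysteresis rule (two consecutive breaches before a move, no automatic move back when the old path recovers) are all constructed for this illustration; "sof" stands in for a safety-of-flight flow only because that is the example Stewart raises.

```python
"""Per-flow, SLA-driven switchover across N plain IP backbones.

Added illustration for the thread above; it is not code from any
participant or product. Path names, SLA numbers and probe results are
constructed.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class SLA:
    max_latency_ms: float
    max_loss_pct: float


@dataclass(frozen=True)
class Probe:
    """One measurement round for one path (values below are constructed)."""
    latency_ms: float
    loss_pct: float

    def meets(self, sla: SLA) -> bool:
        return (self.latency_ms <= sla.max_latency_ms
                and self.loss_pct <= sla.max_loss_pct)


@dataclass
class FlowState:
    sla: SLA
    path: Optional[str] = None   # current backbone, None if none is usable
    breaches: int = 0            # consecutive rounds the current path missed SLA
    switches: int = 0            # how many times this flow has been moved


class PathSelector:
    """Assigns each flow to a backbone and re-evaluates on every probe round.

    breach_rounds > 1 gives hysteresis: one noisy probe does not move a
    flow, and a flow never moves back just because its old path recovered.
    """

    def __init__(self, paths: List[str], breach_rounds: int = 2):
        self.paths = list(paths)
        self.breach_rounds = breach_rounds
        self.flows: Dict[str, FlowState] = {}

    def add_flow(self, flow_id: str, sla: SLA) -> None:
        self.flows[flow_id] = FlowState(sla=sla)

    def _best(self, sla: SLA, probes: Dict[str, Probe],
              exclude: Optional[str] = None) -> Optional[str]:
        ok = [p for p in self.paths
              if p != exclude and p in probes and probes[p].meets(sla)]
        if not ok:
            return None
        # among compliant paths prefer the lowest latency, then the lowest loss
        return min(ok, key=lambda p: (probes[p].latency_ms, probes[p].loss_pct))

    def update(self, probes: Dict[str, Probe]) -> Dict[str, Optional[str]]:
        """Apply one probe round; return the path chosen for every flow."""
        decisions: Dict[str, Optional[str]] = {}
        for fid, st in self.flows.items():
            cur = st.path
            if cur is None or cur not in probes:
                # unplaced flow, or its path stopped reporting: place it now
                st.path = self._best(st.sla, probes)
                st.breaches = 0
                if cur is not None and st.path != cur:
                    st.switches += 1
            elif probes[cur].meets(st.sla):
                st.breaches = 0
            else:
                st.breaches += 1
                if st.breaches >= self.breach_rounds:
                    alt = self._best(st.sla, probes, exclude=cur)
                    if alt is not None:
                        st.path, st.breaches, st.switches = alt, 0, st.switches + 1
                    # no compliant alternative: stay put rather than flap
            decisions[fid] = st.path
        return decisions


def run_demo() -> List[Dict[str, Optional[str]]]:
    """Constructed scenario: backbone A degrades for two rounds, then heals."""
    sel = PathSelector(["A", "B", "C"])
    sel.add_flow("sof", SLA(max_latency_ms=50, max_loss_pct=0.5))
    sel.add_flow("bulk", SLA(max_latency_ms=200, max_loss_pct=2.0))
    rounds = [
        {"A": Probe(20, 0.0), "B": Probe(35, 0.0), "C": Probe(60, 0.1)},
        {"A": Probe(21, 0.0), "B": Probe(34, 0.0), "C": Probe(61, 0.1)},
        {"A": Probe(80, 1.0), "B": Probe(35, 0.0), "C": Probe(60, 0.1)},  # A breaches sof SLA
        {"A": Probe(90, 1.5), "B": Probe(36, 0.0), "C": Probe(60, 0.1)},  # second breach: sof moves
        {"A": Probe(20, 0.0), "B": Probe(35, 0.0), "C": Probe(60, 0.1)},  # A heals; sof stays on B
    ]
    return [sel.update(r) for r in rounds]


if __name__ == "__main__":
    for i, d in enumerate(run_demo(), 1):
        print(f"round {i}: {d}")
```

Two points of the design are worth noting. The "bulk" flow never moves, because its looser SLA is still met by the degraded path; only the flow whose own SLA is breached is switched, which is what makes the scheme per-flow rather than per-link. And when no compliant alternative exists the flow stays where it is instead of being dropped, so an attacker who can degrade every backbone at once still does not get the selector to black-hole traffic by itself.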