Re: VPN security vs SD-WAN security

"Acee Lindem (acee)" <acee@cisco.com> Wed, 25 July 2018 11:21 UTC

Return-Path: <acee@cisco.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AD471130F83 for <rtgwg@ietfa.amsl.com>; Wed, 25 Jul 2018 04:21:30 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -14.51
X-Spam-Level:
X-Spam-Status: No, score=-14.51 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_HI=-5, SPF_PASS=-0.001, T_DKIMWL_WL_MED=-0.01, USER_IN_DEF_DKIM_WL=-7.5] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=cisco.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id q1lkt5c2E9IN for <rtgwg@ietfa.amsl.com>; Wed, 25 Jul 2018 04:21:28 -0700 (PDT)
Received: from rcdn-iport-8.cisco.com (rcdn-iport-8.cisco.com [173.37.86.79]) (using TLSv1.2 with cipher DHE-RSA-SEED-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 46F7D12F295 for <rtgwg@ietf.org>; Wed, 25 Jul 2018 04:21:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=cisco.com; i=@cisco.com; l=14606; q=dns/txt; s=iport; t=1532517688; x=1533727288; h=from:to:cc:subject:date:message-id:references: in-reply-to:mime-version; bh=H13YhSuY09uC49eh/6PqgBmK4qJeUwx9mnCxweBTKPw=; b=nFJwpelnrI5emY0nlw7jLVQ8goV03vKi/5GT8jqj+qVrz5MDPeTk3Ack qyVxYSEkiBV3Xk+8R34xGGE6j9jZn5psNtpjsG8MmWzePd/tSyL9nzHZX u4yPEeoW/CTplQYJgtsPKffc2TECLnNbTzthIVWb3vqHJ5UdVrK97z1zX s=;
X-IronPort-Anti-Spam-Filtered: true
X-IronPort-Anti-Spam-Result: =?us-ascii?q?A0CgAQCyW1hb/4ENJK1cGQEBAQEBAQE?= =?us-ascii?q?BAQEBAQcBAQEBAYJXdmN/KAqDdJRDggyIP4d1hw8LhGwCF4JLITcVAQIBAQI?= =?us-ascii?q?BAQJtKIU2AQEBBCNEEhACAQYCEQMBAisCAgIfER0IAgQBDQWDIAGBG0wDFZQ?= =?us-ascii?q?gm0eBLoRdgjgNgzOGPoEfgQgdF4IAgREnH4JMglaCPgmCYTGCJAKIWpBwKwk?= =?us-ascii?q?CjCeDDIFGhwmFMIschmoCERSBJDMigVJwFWUBgj4JgiESjhdvjVeBGwEB?=
X-IronPort-AV: E=Sophos;i="5.51,401,1526342400"; d="scan'208,217";a="426646948"
Received: from alln-core-9.cisco.com ([173.36.13.129]) by rcdn-iport-8.cisco.com with ESMTP/TLS/DHE-RSA-AES256-GCM-SHA384; 25 Jul 2018 11:21:27 +0000
Received: from XCH-RTP-013.cisco.com (xch-rtp-013.cisco.com [64.101.220.153]) by alln-core-9.cisco.com (8.15.2/8.15.2) with ESMTPS id w6PBLQRa006448 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=FAIL); Wed, 25 Jul 2018 11:21:27 GMT
Received: from xch-rtp-015.cisco.com (64.101.220.155) by XCH-RTP-013.cisco.com (64.101.220.153) with Microsoft SMTP Server (TLS) id 15.0.1320.4; Wed, 25 Jul 2018 07:21:26 -0400
Received: from xch-rtp-015.cisco.com ([64.101.220.155]) by XCH-RTP-015.cisco.com ([64.101.220.155]) with mapi id 15.00.1320.000; Wed, 25 Jul 2018 07:21:26 -0400
From: "Acee Lindem (acee)" <acee@cisco.com>
To: Stewart Bryant <stewart.bryant@gmail.com>, Robert Raszuk <robert@raszuk.net>
CC: "rtgwg@ietf.org" <rtgwg@ietf.org>
Subject: Re: VPN security vs SD-WAN security
Thread-Topic: VPN security vs SD-WAN security
Thread-Index: AQHUI/ub6BVsNGuaiEG6J+Uqxv16j6Sf9jSA///VE4A=
Date: Wed, 25 Jul 2018 11:21:26 +0000
Message-ID: <5D10C0C4-B93D-463F-A071-EEA6F35506CD@cisco.com>
References: <CA+b+ERmfOaFMURD2eNPScs2SZ88rOEfGXZZJsqGDWX3M6bTY-g@mail.gmail.com> <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com>
In-Reply-To: <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator:
x-ms-exchange-messagesentrepresentingtype: 1
x-ms-exchange-transport-fromentityheader: Hosted
x-originating-ip: [10.116.152.201]
Content-Type: multipart/alternative; boundary="_000_5D10C0C4B93D463FA071EEA6F35506CDciscocom_"
MIME-Version: 1.0
X-Outbound-SMTP-Client: 64.101.220.153, xch-rtp-013.cisco.com
X-Outbound-Node: alln-core-9.cisco.com
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/XbtWMn8dbw_RSLx_PzUu-Jq1v-8>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 11:21:31 -0000


From: rtgwg <rtgwg-bounces@ietf.org>; on behalf of Stewart Bryant <stewart.bryant@gmail.com>;
Date: Wednesday, July 25, 2018 at 5:55 AM
To: Robert Raszuk <robert@raszuk.net>;
Cc: Routing WG <rtgwg@ietf.org>;
Subject: Re: VPN security vs SD-WAN security




On 25/07/2018 10:40, Robert Raszuk wrote:
/* Adjusting the subject ... */

​Hello ​
Stewart,

​You have made the below comment in the other thread we are having: ​

Indeed, I would have expected this to be on a secure network of some sort either purely
private or some form of VPN. However, I am sure I read in your text that you were
considering using the Public Internet much in the way of SD-WAN.

​Would you mind as extensively as you can expand on the above statement ?

Specifically on what basis do you treat say L2VPN or L3VPN of naked unencrypted packets often traveling on the very same links as this "bad" Internet traffic to be even slightly more secure then IPSEC or DTLS encrypted SD-WAN carried data with endpoints being terminated in private systems ?

Thx,
Robert

Robert, I think that you have to take it as read that an air traffic control SoF system is encrypting its packets. If it is not, then it is clearly not fit for purpose.

What concerns me is that an air traffic system is one of the most, if not the most, high profile targets in civil society. You get reminded of this each time you travel to IETF.

The thing about safety of flight traffic is that a sustained and effective DDoS attack has global impact in a way that few other such attacks have.

A VPN system ought to sustain resistance to such an attack better than the proposed system which treats the SoF traffic the same as regular traffic.

I guess you are making a case for your network slicing work 😉

Acee


- Stewart