Re: VPN security vs SD-WAN security

Robert Raszuk <robert@raszuk.net> Wed, 25 July 2018 10:32 UTC

Return-Path: <rraszuk@gmail.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 227F5126DBF for <rtgwg@ietfa.amsl.com>; Wed, 25 Jul 2018 03:32:33 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.4
X-Spam-Level:
X-Spam-Status: No, score=-1.4 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, FREEMAIL_FORGED_FROMDOMAIN=0.249, FREEMAIL_FROM=0.001, HEADER_FROM_DIFFERENT_DOMAINS=0.25, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001] autolearn=no autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id H8EymHdjTEbK for <rtgwg@ietfa.amsl.com>; Wed, 25 Jul 2018 03:32:31 -0700 (PDT)
Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 6439212DD85 for <rtgwg@ietf.org>; Wed, 25 Jul 2018 03:32:30 -0700 (PDT)
Received: by mail-pf1-x42b.google.com with SMTP id l9-v6so1645582pff.9 for <rtgwg@ietf.org>; Wed, 25 Jul 2018 03:32:30 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:sender:in-reply-to:references:from:date:message-id :subject:to:cc; bh=iAf/i4yvzsb+hFPoYe+7NDt7KJzKPuXStoCYIQhY6rg=; b=i32pP3j/CWqvYk1c19PduAvaq1az/7KOzw3kHlTgl1V5eZaFaFB0iqfnybVEBhAeFm klRBoaN9flQ7JeBQUoHtP6sFad8TQkppOsby513L6FGbE+GUMgiyLFwiLokwnKEFn57E X4/HvZYxCoSPve9hxM5D+cqUjGWw57vzlGDFFO59Fftf+9MAVznkzCL9kvpjoHsoN/08 uNjh844UO3DRHd3KSDfZUvTHLIIVLSr8znsgRUiKd4bSoZcyk7kbvSlXfjf2n9LzLe+1 vtdebLyc/mW0XLVCU68XMNxI1/AzwksyWnnN9WW9MMWyMpmKcY2LjX7FXmEME5KWuvEU larQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:sender:in-reply-to:references:from :date:message-id:subject:to:cc; bh=iAf/i4yvzsb+hFPoYe+7NDt7KJzKPuXStoCYIQhY6rg=; b=mCRYHdyRm0T37E2NsesIQs4zFsULNjIpopiuDnaJrVlHNTd/b/3gm73BSOj74gGfug 5zWYDIVynMk+3R7022L8Dei79DxT4ObSFcUFPJRFPwsMgjKTi47Kkzrw+sUmezwV5qWG c4hEQojgG0RJEZ0P8FoSHAdM2KbjekhKtl/USD/fTzg/qxln3/OIviUHdOIl6DECXKFn CyF72RK1CWKZLqIADMz1/AMeDm0wKEvBAn8CZXIxPjzjaF7f3MW2dWqGnMeuRcsNAnT/ pQoW4msLSEUV3QJX6iDpFIv5NIZYwcCuevliP4T3YnZ/pChUjoFHdZ4yCS9uxerohzti KyOg==
X-Gm-Message-State: AOUpUlHclOcFOaYnYqtJMQixJQLpX3Yod+4AC4jkEAZHED/N4Z1x6icj 9axQP1GDlrp2DpBY/A50TdWN5V492wXOa4HU6uM=
X-Google-Smtp-Source: AAOMgpf4OA3tVL5h55ooBzPZjxXNwNvE27c1oLB7f6P9sBPpjmHTZnu+G4VwggfKgz7yzuQ6szDLrDFhP2QkvYPkNII=
X-Received: by 2002:a62:4704:: with SMTP id u4-v6mr21480746pfa.76.1532514749703; Wed, 25 Jul 2018 03:32:29 -0700 (PDT)
MIME-Version: 1.0
Sender: rraszuk@gmail.com
Received: by 2002:a17:90a:228e:0:0:0:0 with HTTP; Wed, 25 Jul 2018 03:32:29 -0700 (PDT)
In-Reply-To: <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com>
References: <CA+b+ERmfOaFMURD2eNPScs2SZ88rOEfGXZZJsqGDWX3M6bTY-g@mail.gmail.com> <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com>
From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 25 Jul 2018 12:32:29 +0200
X-Google-Sender-Auth: lGcsHN3LkuLsPIPky-a4ULftGxM
Message-ID: <CA+b+ERkST3-eN=XEXFmrD_+5umyLpUTyYv=+-nu7gmcUhAu0mA@mail.gmail.com>
Subject: Re: VPN security vs SD-WAN security
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: "rtgwg@ietf.org" <rtgwg@ietf.org>
Content-Type: multipart/alternative; boundary="00000000000044ec6f0571d06520"
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/YLHVZdanWF8YPE2pA3B9h4zRGQk>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 25 Jul 2018 10:32:33 -0000

Hi,

> A VPN system ought to sustain resistance to such an attack better than
the proposed system which treats the SoF traffic the same as regular
traffic.

In purely technical terms what makes a VPN system less likely to suffer
from DDoS then wisely used Internet system as transport ?

Note that key here is *wisely used* meaning that you are relaying on
dynamic selection of your IP transport among N number of alternative paths
(in many cases could be only 1 AS hop away from your other peer).

Experience actually indicates that number of carries are offering "emulated
L2 VPN circuits" today over their IP Internet backbones and effects of this
in terms or resistance from attacks are purely imaginary at best.

Cheers,
R.


On Wed, Jul 25, 2018 at 11:55 AM, Stewart Bryant <stewart.bryant@gmail.com>;
wrote:

>
>
> On 25/07/2018 10:40, Robert Raszuk wrote:
>
> /* Adjusting the subject ... */
>
> ​Hello ​
> Stewart,
>
> ​You have made the below comment in the other thread we are having: ​
>
> Indeed, I would have expected this to be on a secure network of some sort
>> either purely
>> private or some form of VPN. However, I am sure I read in your text that
>> you were
>> considering using the Public Internet much in the way of SD-WAN.
>
>
> ​Would you mind as extensively as you can expand on the above statement ?
>
> Specifically on what basis do you treat say L2VPN or L3VPN of naked
> unencrypted packets often traveling on the very same links as this "bad"
> Internet traffic to be even slightly more secure then IPSEC or DTLS
> encrypted SD-WAN carried data with endpoints being terminated in private
> systems ?
>
> Thx,
> Robert
>
>
> Robert, I think that you have to take it as read that an air traffic
> control SoF system is encrypting its packets. If it is not, then it is
> clearly not fit for purpose.
>
> What concerns me is that an air traffic system is one of the most, if not
> the most, high profile targets in civil society. You get reminded of this
> each time you travel to IETF.
>
> The thing about safety of flight traffic is that a sustained and effective
> DDoS attack has global impact in a way that few other such attacks have.
>
> A VPN system ought to sustain resistance to such an attack better than the
> proposed system which treats the SoF traffic the same as regular traffic.
>
> - Stewart
>
>