VPN security vs SD-WAN security

Robert Raszuk <robert@raszuk.net> Wed, 25 July 2018 09:40 UTC

From: Robert Raszuk <robert@raszuk.net>
Date: Wed, 25 Jul 2018 11:40:49 +0200
Message-ID: <CA+b+ERmfOaFMURD2eNPScs2SZ88rOEfGXZZJsqGDWX3M6bTY-g@mail.gmail.com>
Subject: VPN security vs SD-WAN security
To: Stewart Bryant <stewart.bryant@gmail.com>
Cc: "rtgwg@ietf.org" <rtgwg@ietf.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/frRiRLDgr4m9JHYB4gg8e5APdTc>
List-Id: Routing Area Working Group <rtgwg.ietf.org>

/* Adjusting the subject ... */

Hello Stewart,

You have made the below comment in the other thread we are having:

> Indeed, I would have expected this to be on a secure network of some sort
> either purely private or some form of VPN. However, I am sure I read in
> your text that you were considering using the Public Internet much in the
> way of SD-WAN.

Would you mind, as extensively as you can, expanding on the above statement?

Specifically, on what basis do you treat, say, L2VPN or L3VPN of naked
unencrypted packets, often traveling on the very same links as this "bad"
Internet traffic, to be even slightly more secure than IPsec- or
DTLS-encrypted SD-WAN carried data with endpoints being terminated in private
systems?

Thx,
Robert
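
To make the comparison in the question above concrete, here is an added Go example (written for this page; it is not code from the original message, from Robert, or from any rtgwg draft). It builds one customer IPv4/UDP datagram and puts it on the wire twice: once as an RFC 4364 L3VPN packet, where a single MPLS label sits in front of the unencrypted datagram, and once in ESP tunnel mode with AES-GCM as an IPsec-based SD-WAN overlay would carry it (the DTLS variant is not shown). A passive on-path observer then parses both. From the L3VPN packet it reads the VPN label, the customer addresses and the complete application payload; from the ESP packet it gets only the tunnel endpoints, SPI and sequence number, and the endpoint holding the SA key rejects any packet altered in transit. The addresses, label, SPI, key, salt, IV, ports and SIP payload are constructed sample values; the packet layouts follow RFC 3032, RFC 4303 and RFC 4106, except that ESP alignment padding and IP/UDP checksums are omitted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"net"
)

type Observation struct { // what a passive tap on a shared core link recovers from one packet
	Encapsulation string // "ip", "mpls" or "esp"
	Src, Dst      string // addresses in the clear: customer hosts for MPLS, tunnel endpoints for ESP
	Label, SPI    uint32
	Payload       string // application data the tap can read; empty when it is encrypted
}

// ipv4Header builds a minimal 20-byte IPv4 header (IHL 5, TTL 64, no options; checksum left zero).
func ipv4Header(src, dst net.IP, proto byte, payloadLen int) []byte {
	h := []byte{0x45, 0, byte((20 + payloadLen) >> 8), byte(20 + payloadLen), 0, 0, 0, 0, 64, proto, 0, 0}
	return append(append(h, src.To4()...), dst.To4()...)
}

// buildInnerUDP builds the customer's IPv4/UDP datagram (constructed sample ports 40000 -> 5060, checksum 0).
func buildInnerUDP(src, dst net.IP, payload []byte) []byte {
	l := 8 + len(payload)
	udp := append([]byte{0x9c, 0x40, 0x13, 0xc4, byte(l >> 8), byte(l), 0, 0}, payload...)
	return append(ipv4Header(src, dst, 17, l), udp...)
}

// buildL3VPNPacket prepends one MPLS shim (VPN label, S=1, TTL 64), which is all an RFC 4364 L3VPN
// adds between PE routers: the customer datagram crosses the core unencrypted and unauthenticated.
func buildL3VPNPacket(label uint32, inner []byte) []byte {
	shim := make([]byte, 4)
	binary.BigEndian.PutUint32(shim, label<<12|1<<8|64)
	return append(shim, inner...)
}

func newGCM(key []byte) cipher.AEAD { // AES-GCM as RFC 4106 uses it: nonce = salt(4) || IV(8), 16-byte ICV
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // constructed example: the SA key is always 32 bytes (AES-256)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// buildESPPacket carries the same datagram in ESP tunnel mode: SPI, sequence, IV, ciphertext, ICV, with
// SPI/sequence as authenticated additional data and the ESP trailer (pad length 0, next header 4 = IPv4)
// encrypted together with the datagram. Alignment padding is omitted for brevity.
func buildESPPacket(key, salt []byte, spi, seq uint32, iv [8]byte, outerSrc, outerDst net.IP, inner []byte) []byte {
	hdr := []byte{byte(spi >> 24), byte(spi >> 16), byte(spi >> 8), byte(spi), byte(seq >> 24), byte(seq >> 16), byte(seq >> 8), byte(seq)}
	plain := append(append([]byte{}, inner...), 0, 4)
	ct := newGCM(key).Seal(nil, append(append([]byte{}, salt...), iv[:]...), plain, hdr)
	esp := append(append(hdr, iv[:]...), ct...)
	return append(ipv4Header(outerSrc, outerDst, 50, len(esp)), esp...)
}

// Observe is the passive on-path attacker: it parses only what each wire format leaves in the clear.
func Observe(etherType uint16, pkt []byte) Observation {
	obs := Observation{Encapsulation: "ip"}
	for bos := etherType != 0x8847; !bos && len(pkt) >= 4; pkt = pkt[4:] { // MPLS: walk labels to bottom of stack
		obs.Encapsulation, obs.Label, bos = "mpls", binary.BigEndian.Uint32(pkt[:4])>>12, pkt[2]&1 == 1
	}
	if len(pkt) < 20 || pkt[0]>>4 != 4 || len(pkt) < int(pkt[0]&0x0f)*4+8 {
		return obs // not IPv4, or no room for a UDP header / ESP SPI+sequence after the IP header
	}
	ihl := int(pkt[0]&0x0f) * 4
	obs.Src, obs.Dst = net.IP(pkt[12:16]).String(), net.IP(pkt[16:20]).String()
	switch pkt[9] {
	case 17: // UDP in the clear: the application payload is readable
		obs.Payload = string(pkt[ihl+8:])
	case 50: // ESP: only SPI and sequence number are visible; the rest is ciphertext
		obs.Encapsulation, obs.SPI = "esp", binary.BigEndian.Uint32(pkt[ihl:ihl+4])
	}
	return obs
}

// decryptESP is the tunnel endpoint holding the SA key; anything altered in transit fails the ICV check.
func decryptESP(key, salt, pkt []byte) ([]byte, error) {
	if len(pkt) < 20 || pkt[9] != 50 || len(pkt) < int(pkt[0]&0x0f)*4+34 {
		return nil, errors.New("not a well-formed ESP packet")
	}
	esp := pkt[int(pkt[0]&0x0f)*4:] // SPI(4) seq(4) IV(8) ciphertext ICV(16)
	pt, err := newGCM(key).Open(nil, append(append([]byte{}, salt...), esp[8:16]...), esp[16:], esp[:8])
	if err != nil {
		return nil, fmt.Errorf("ESP integrity check failed: %w", err)
	}
	if padLen := int(pt[len(pt)-2]); padLen+2 <= len(pt) {
		return pt[:len(pt)-2-padLen], nil // strip trailer and padding, leaving the inner datagram
	}
	return nil, errors.New("bad ESP trailer")
}

func main() {
	inner := buildInnerUDP(net.IPv4(10, 1, 1, 10), net.IPv4(10, 2, 2, 20), []byte("INVITE sip:bob@example.com SIP/2.0"))
	esp := buildESPPacket([]byte("0123456789abcdef0123456789abcdef"), []byte{1, 2, 3, 4}, 0x1000, 1, [8]byte{7}, net.IPv4(192, 0, 2, 1), net.IPv4(198, 51, 100, 1), inner)
	fmt.Printf("L3VPN tap sees %+v\nESP tap sees   %+v\n", Observe(0x8847, buildL3VPNPacket(100, inner)), Observe(0x0800, esp))
}
```

Running it prints the two observations; the difference is in the Payload field, which holds the full SIP message for the L3VPN packet and is empty for the ESP packet, whose customer addresses are also hidden inside the ciphertext. Note what the ESP case still exposes: tunnel endpoint addresses, SPI, packet sizes and timing, which is exactly the material traffic analysis works on, so "encrypted" does not mean "invisible".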