Re: VPN security vs SD-WAN security

Stewart Bryant <stewart.bryant@gmail.com> Mon, 30 July 2018 10:07 UTC

Return-Path: <stewart.bryant@gmail.com>
X-Original-To: rtgwg@ietfa.amsl.com
Delivered-To: rtgwg@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 192C9130FF0 for <rtgwg@ietfa.amsl.com>; Mon, 30 Jul 2018 03:07:53 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (2048-bit key) header.d=gmail.com
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id fQJsPLG6PVee for <rtgwg@ietfa.amsl.com>; Mon, 30 Jul 2018 03:07:49 -0700 (PDT)
Received: from mail-wm0-x236.google.com (mail-wm0-x236.google.com [IPv6:2a00:1450:400c:c09::236]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 87839130E84 for <rtgwg@ietf.org>; Mon, 30 Jul 2018 03:07:48 -0700 (PDT)
Received: by mail-wm0-x236.google.com with SMTP id o11-v6so12439351wmh.2 for <rtgwg@ietf.org>; Mon, 30 Jul 2018 03:07:48 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language; bh=6/bnQVIu+iCXsgl8bU2p4AAudqAZh2BB72jd+umhul8=; b=pWvRndh8+6kEk3EM7hDMR5KWX7Ep+xa0BrUEFx1dzEue5yYA8gi3Gvl0y8SOB9JRBC 816lRCJgz+1HA8LFJzd8SArq5579o4/d99vKFtP6FNd5j0QbhU+JA5BcjXOw1CnysdRe QxSLDUc535dDH0AUcEEvCMj4F3tRECQQM1Ol8Uit1+662KOKK9oLKIcWEWK3NgQAw2c+ b9JY4ZSOPiet3hYmlivv01co8nDl+xi2His9AZaJAik7FtP2wo0tRJ72joa0KLR5zUM2 QxcFkegN3CE/s3nFG5DHeO3Py3nybqiIYDAknBw/TSmB16Dsv4BGmAi0Owgl7kXGQVN7 PHnA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language; bh=6/bnQVIu+iCXsgl8bU2p4AAudqAZh2BB72jd+umhul8=; b=WcBqf+OFgucXly6TLrFGB4X3M198MGntN7FhdRdfx4SvsLRfiGW3RcVNdEudlgLRH9 fJ1JK8AA8QMFhDKo/unRCkpGK9NPclmsHCUgzGsw65wFtWKLgJs8UHKfH7TzrNDAryMZ kAyMZnMbezMNwvdF/ahlcM3qHwTSgVx8n17WPY5kAJJ4qdMFZIO6oh8MnkWVTUjqMOeT WW9y61A2PLylCY3asHwGN6LWMjR2LQYz3ALJ89mmiqhp5el71UdsINgRwDBPvTKVivCM rtFmnAQ8+kFbZGEhIjTqZ4JFvDII65s1yebGTpiy1UHWaOMZ6/a6n6K5DWg6LsWfPmCV +dXA==
X-Gm-Message-State: AOUpUlEmX1jY4gQ9o4zXYmNF2xoy2oJxOkc5YnXxKSjn5ASjBsgDsdKb 33pQsPNeYNHkLFvVZy3du5Lr0CFxf9A=
X-Google-Smtp-Source: AAOMgpfFAMvgu2w9KyAPsNOFAzUSsxDauOO4Mh0xKKi/qEHUO+HgQ/yNBpLBGrI+vH1F89OejwPuaw==
X-Received: by 2002:a1c:9e89:: with SMTP id h131-v6mr14350136wme.13.1532945266753; Mon, 30 Jul 2018 03:07:46 -0700 (PDT)
Received: from [192.168.2.105] (host213-123-124-182.in-addr.btopenworld.com. [213.123.124.182]) by smtp.gmail.com with ESMTPSA id e12-v6sm12959913wrt.29.2018.07.30.03.07.45 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 30 Jul 2018 03:07:46 -0700 (PDT)
Subject: Re: VPN security vs SD-WAN security
To: "Dongjie (Jimmy)" <jie.dong@huawei.com>, Robert Raszuk <robert@raszuk.net>, "Acee Lindem (acee)" <acee@cisco.com>
Cc: "rtgwg@ietf.org" <rtgwg@ietf.org>
References: <CA+b+ERmfOaFMURD2eNPScs2SZ88rOEfGXZZJsqGDWX3M6bTY-g@mail.gmail.com> <0cb8f15b-7538-500c-dda3-915bf9814f94@gmail.com> <5D10C0C4-B93D-463F-A071-EEA6F35506CD@cisco.com> <CA+b+ERkqrr4Wr+Wy9q81SpyWi7H1s=z_RAvbc3Rbddvpgb7Xpg@mail.gmail.com> <76CD132C3ADEF848BD84D028D243C927A71506F6@NKGEML515-MBS.china.huawei.com>
From: Stewart Bryant <stewart.bryant@gmail.com>
Message-ID: <edc1f10b-d932-877a-1c57-97792cc82dfb@gmail.com>
Date: Mon, 30 Jul 2018 11:07:44 +0100
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1
MIME-Version: 1.0
In-Reply-To: <76CD132C3ADEF848BD84D028D243C927A71506F6@NKGEML515-MBS.china.huawei.com>
Content-Type: multipart/alternative; boundary="------------D686AA454C0436F8E89D865D"
Content-Language: en-GB
Archived-At: <https://mailarchive.ietf.org/arch/msg/rtgwg/n6-pPAGvQBTJn-PN3A9c_qF2kNw>
X-BeenThere: rtgwg@ietf.org
X-Mailman-Version: 2.1.27
Precedence: list
List-Id: Routing Area Working Group <rtgwg.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/rtgwg/>
List-Post: <mailto:rtgwg@ietf.org>
List-Help: <mailto:rtgwg-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/rtgwg>, <mailto:rtgwg-request@ietf.org?subject=subscribe>
X-List-Received-Date: Mon, 30 Jul 2018 10:07:53 -0000

Hi Robert

I think that summarises the situation well.

Ultimately the market will decide how much it is prepared to pay for the 
guarantee, and that will be based on a risk benefit analysis. That in 
turn will determine the viability of the market as a whole.

I think that there are certain types of network that may be more 
attracted to an NS system, for example safety of life services, or 
services that need real-time low latency such as a distributed recording 
studio, or services that fail safe but have wide impact such as a rail 
network controller are more likely to want this. On the other hand, the 
back end systems of Acme corp will largely be fine with parallel best 
effort mitigated across multiple providers.

- Stewart


On 28/07/2018 08:51, Dongjie (Jimmy) wrote:
>
> Hi Robert,
>
> IMO the two approaches are targeting at different use cases and 
> customers.
>
> The former (network slicing) is to provide the demanding services with 
> guaranteed performance in a converged network, while the latter 
> (switching between multiple paralleled networks) provides the customer 
> with the best performance that is available among those candidates. To 
> me the latter is still some kind of best effort, and as Toerless said, 
> it depends on the diversity you can have in the multiple networks.
>
> And I agree with Stewart on “you always pay a price for better than 
> best effort.”
>
> Best regards,
>
> Jie
>
> *From:*rtgwg [mailto:rtgwg-bounces@ietf.org] *On Behalf Of *Robert Raszuk
> *Sent:* Wednesday, July 25, 2018 8:24 PM
> *To:* Acee Lindem (acee) <acee@cisco.com>;
> *Cc:* rtgwg@ietf.org
> *Subject:* Re: VPN security vs SD-WAN security
>
> True network slicing for IP networks means either waist of resources 
> or very strict multi-level queuing at each hop and 100% ingress 
> traffic policing. Yet while this has a chance to work during normal 
> operation at the time of even regular failures this all pretty much 
> melts like cheese on a good sandwich.
>
> It is going to be very interesting to compare how single complex 
> sliced network compares for any end to end robust transport from N 
> normal simple IP backbones and end to end SLA based millisecond switch 
> over between one and another on a per flow basis. Also let's note then 
> while the former is still to the best of my knowledge a draft the 
> latter is already deployed globally in 100s of networks.
>
> Best,
> R.
>
> On Wed, Jul 25, 2018 at 1:21 PM, Acee Lindem (acee) <acee@cisco.com 
> <mailto:acee@cisco.com>> wrote:
>
>     *From: *rtgwg <rtgwg-bounces@ietf.org
>     <mailto:rtgwg-bounces@ietf.org>> on behalf of Stewart Bryant
>     <stewart.bryant@gmail.com <mailto:stewart.bryant@gmail.com>>
>     *Date: *Wednesday, July 25, 2018 at 5:55 AM
>     *To: *Robert Raszuk <robert@raszuk.net <mailto:robert@raszuk.net>>
>     *Cc: *Routing WG <rtgwg@ietf.org <mailto:rtgwg@ietf.org>>
>     *Subject: *Re: VPN security vs SD-WAN security
>
>     On 25/07/2018 10:40, Robert Raszuk wrote:
>
>         /* Adjusting the subject ... */
>
>         ​Hello ​
>
>         Stewart,
>
>         ​You have made the below comment in the other thread we are
>         having: ​
>
>             Indeed, I would have expected this to be on a secure
>             network of some sort either purely
>             private or some form of VPN. However, I am sure I read in
>             your text that you were
>             considering using the Public Internet much in the way of
>             SD-WAN.
>
>         ​Would you mind as extensively as you can expand on the above
>         statement ?
>
>         Specifically on what basis do you treat say L2VPN or L3VPN of
>         naked unencrypted packets often traveling on the very same
>         links as this "bad" Internet traffic to be even slightly more
>         secure then IPSEC or DTLS encrypted SD-WAN carried data with
>         endpoints being terminated in private systems ?
>
>         Thx,
>
>         Robert
>
>
>     Robert, I think that you have to take it as read that an air
>     traffic control SoF system is encrypting its packets. If it is
>     not, then it is clearly not fit for purpose.
>
>     What concerns me is that an air traffic system is one of the most,
>     if not the most, high profile targets in civil society. You get
>     reminded of this each time you travel to IETF.
>
>     The thing about safety of flight traffic is that a sustained and
>     effective DDoS attack has global impact in a way that few other
>     such attacks have.
>
>     A VPN system ought to sustain resistance to such an attack better
>     than the proposed system which treats the SoF traffic the same as
>     regular traffic.
>
>     I guess you are making a case for your network slicing work 😉
>
>     Acee
>
>
>
>     - Stewart
>
>
>
> _______________________________________________
> rtgwg mailing list
> rtgwg@ietf.org
> https://www.ietf.org/mailman/listinfo/rtgwg