Saturday, April 3, 2021

Juniper/128 Technology's SD-WAN technology

Here is a summary of Secure Vector Routing (SVR), the core technology of 128 Technology (128T), an SD-WAN company that Juniper acquired last year.

* Related news: Juniper acquires 128 Technology to swiftly differentiate its SD-WAN portfolio

SVR, the core technology, is a tunnel-free method rather than the IPsec tunnel approach used by the existing SD-WAN vendors. 128T claims that its per-packet overhead is about 30% smaller than that of the tunnel method, which saves bandwidth.

PacketPushers explains how the 128T technology works:
Packet Walking Through A 128 Technology Network

<Session-Aware Data Plane>

For a more detailed explanation of the SVR protocol, see the Tech Field Day recorded video below.

128 Technology Routing Protocols: SVR

To summarize a few points:
▶ The 128T Session Smart Router (SSR) integrates several middlebox functions (security, routing, firewall, VPN, and load balancing).
▶ At its core, it builds metadata from the 5-tuple (original source and destination IP addresses, original source and destination ports, and IP protocol).
▶ By default it provides encryption (AES-256) and authentication (HMAC-SHA256-128).
▶ The session table is maintained like a stateful firewall's.
▶ Connection and path attributes between router hops (which SVR calls waypoints) are checked with the BFD (Bidirectional Forwarding Detection) protocol.
▶ It performs double NAT (source and destination IP addresses and ports) by default before sending packets out the public interface, and additionally supports session-based source and destination NAT (NAT44, NAT64, NAT46).
▶ DoS and DDoS protection applies to every session passing through a 128T router.

The 128T technical white paper below also explains how SVR works:
Session Smart Routing: How it Works (PDF)
<Session-based First Packet Processing>

When the first packet corresponding to a new TCP or UDP session arrives at an SVR-based router, it determines the appropriate route corresponding to the session. If a route is found:

✓ The SVR-based router translates the source address of the packet to its own egress waypoint IP address. The destination address of the packet is translated to the waypoint address of the destination SVR-based router.
✓ The SVR router adds metadata to the packet. This metadata includes the original source and the destination addresses of the packet, along with other policy and control parameters. The metadata is then signed and optionally encrypted based on
✓ The packet is then forwarded to the waypoint address of the next secure vector router.
✓ At the last hop SVR-based router, once authenticated and authorized, the original packet contents are restored, and it's forwarded to the final destination.
✓ Subsequent packets from the same session are automatically recognized and forwarded in the same way, but without "first packet processing."
✓ Similar to above processing, SVR adds metadata to the first reverse packet, which follows the same path as the first forward packet. Now, complete path symmetry is
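The following Python model is an added illustration of the first-packet procedure quoted above and of the summary list (double NAT to waypoint addresses, signed metadata carrying the original 5-tuple, a stateful session table, and a signed first reverse packet). It is not 128 Technology's code, and its metadata layout is not the real SVR wire format. Assumptions, all constructed for the example: metadata is a JSON body holding the original 5-tuple, authenticated with HMAC-SHA256 truncated to 128 bits (the "HMAC-SHA256-128" named above); the shared key, waypoint addresses, prefixes and the SVR listening port are made-up values; the optional encryption step is left out.

```python
"""Toy model of SVR-style first-packet processing (added example, not 128T code)."""
import hashlib
import hmac
import json
from dataclasses import asdict, dataclass
from typing import Optional

TAG_LEN = 16  # 128-bit truncation of HMAC-SHA256


@dataclass(frozen=True)
class FiveTuple:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: str

    def reverse(self):
        return FiveTuple(self.dst_ip, self.src_ip, self.dst_port, self.src_port, self.proto)


@dataclass
class Packet:
    hdr: FiveTuple
    payload: bytes
    metadata: Optional[bytes] = None  # JSON body + tag, only on a session's first packet


def sign(key, body):
    return hmac.new(key, body, hashlib.sha256).digest()[:TAG_LEN]


class Waypoint:
    """One SVR-style router.  routes: destination prefix -> peer waypoint IP (constructed)."""

    def __init__(self, name, ip, key, routes, svr_port=16384):
        self.name, self.ip, self.key, self.routes = name, ip, key, routes
        self.svr_port = svr_port   # assumed port peers listen on for SVR traffic
        self.next_port = 40000     # translated source ports, one per session
        self.fwd = {}              # original tuple -> translated tuple (sessions we originate)
        self.rev = {}              # translated tuple -> original tuple (sessions we terminate)
        self.pending = {}          # reverse tuples whose first reverse packet still needs metadata

    def _route(self, dst_ip):
        for prefix, peer in self.routes.items():
            if dst_ip.startswith(prefix):
                return peer
        return None

    def ingress(self, pkt):
        """Packet from a local host: NAT to waypoint addresses, sign metadata on first packets."""
        if pkt.hdr in self.fwd:                      # known session: translate only
            return Packet(self.fwd[pkt.hdr], pkt.payload)
        if pkt.hdr in self.pending:                  # first reverse packet: reuse the forward path
            translated = self.pending.pop(pkt.hdr)
        else:                                        # first forward packet: route lookup + double NAT
            peer = self._route(pkt.hdr.dst_ip)
            if peer is None:
                return None                          # no route: drop
            translated = FiveTuple(self.ip, peer, self.next_port, self.svr_port, pkt.hdr.proto)
            self.next_port += 1
        self.fwd[pkt.hdr] = translated
        self.rev[translated.reverse()] = pkt.hdr.reverse()
        body = json.dumps(asdict(pkt.hdr), sort_keys=True).encode()
        return Packet(translated, pkt.payload, body + sign(self.key, body))

    def egress(self, pkt):
        """Packet from a peer waypoint: authenticate metadata, or match the session table."""
        if pkt.metadata is not None:
            body, tag = pkt.metadata[:-TAG_LEN], pkt.metadata[-TAG_LEN:]
            if not hmac.compare_digest(tag, sign(self.key, body)):
                return None                          # forged or corrupted metadata: drop
            original = FiveTuple(**json.loads(body))
            self.rev[pkt.hdr] = original             # restore original header from now on
            if original.reverse() not in self.fwd:
                self.pending[original.reverse()] = pkt.hdr.reverse()
            return Packet(original, pkt.payload)
        if pkt.hdr in self.rev:                      # later packet of a known session
            return Packet(self.rev[pkt.hdr], pkt.payload)
        return None                                  # unknown session without metadata: drop


def walk(src, dst, pkt):
    """Carry a packet from waypoint src to waypoint dst; returns what the far host receives."""
    on_wire = src.ingress(pkt)
    return None if on_wire is None else dst.egress(on_wire)


def make_pair(key=b"constructed-pairwise-key"):
    a = Waypoint("A", "203.0.113.1", key, {"10.2.": "203.0.113.2"})
    b = Waypoint("B", "203.0.113.2", key, {"10.1.": "203.0.113.1"})
    return a, b


def demo():
    """First forward packet, a later packet, and the first reverse packet of one session."""
    a, b = make_pair()
    c2s = FiveTuple("10.1.0.5", "10.2.0.9", 51515, 443, "tcp")
    first = walk(a, b, Packet(c2s, b"ClientHello"))
    later = walk(a, b, Packet(c2s, b"data"))
    reply = walk(b, a, Packet(c2s.reverse(), b"ServerHello"))
    return first, later, reply, a.fwd[c2s]


def tamper_check():
    """A flipped tag bit, a metadata-less stray packet and a missing route are all dropped."""
    a, b = make_pair()
    wire = a.ingress(Packet(FiveTuple("10.1.0.6", "10.2.0.9", 1000, 80, "tcp"), b"x"))
    bad = wire.metadata[:-1] + bytes([wire.metadata[-1] ^ 0x01])
    forged = b.egress(Packet(wire.hdr, wire.payload, bad))
    stray = b.egress(Packet(wire.hdr, wire.payload))
    unrouted = a.ingress(Packet(FiveTuple("10.1.0.6", "192.0.2.7", 1000, 80, "tcp"), b"x"))
    return forged, stray, unrouted
```

Running `demo()` shows the server receiving the original client header while waypoint A's table holds the translated 203.0.113.1:40000 to 203.0.113.2:16384 tuple; the reply travels the same waypoint pair in reverse, which is the path symmetry the white paper describes. `tamper_check()` shows the defender-relevant property: without a valid tag the last hop has nothing to trust, so a packet with modified metadata, or a packet for a session it never learned, is dropped just as a stateful firewall would drop it.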
