Linda,

If you want to securely encrypt traffic between endpoints, then you are going to need to build point-to-point encrypted tunnels between these endpoints. This is the main reason that SD-WAN implementations use either a full mesh or a dynamic mesh of point-to-point tunnels. If you rely on a multi-point connection model, then you end up using a group-key encryption model, which is less secure (many customers will not accept using group keys).
Mike.

Mike Sullenberger, CCIE-2902
Distinguished Engineer, Engineering Product Development, Cisco Systems, Inc.
Tel: +1 408 527 8702

From: IPsec [mailto:[email protected]] On Behalf Of Linda Dunbar
Sent: Friday, September 08, 2017 9:07 AM
To: Yoav Nir <[email protected]>
Cc: [email protected]; IPsecME WG <[email protected]>
Subject: Re: [IPsec] your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

Yoav,

Not having an interoperable solution for SD-WAN is a huge issue for enterprises. That is one of the main reasons that SD-WAN deployment has been slow since its inception in 2012. In ONUG (Open Network User Group), where the majority of participants are enterprises, the need for interoperable SD-WAN solutions was overwhelmingly voted for. As a result, ONUG started an SD-WAN Exchange WG. However, ONUG is not a standards organization; its main goal is to identify use cases, requirements, etc.

Well, SD-WAN has other issues. For example, an SD-WAN solution builds point-to-point overlay paths between two end-points (or branch offices) as alternative paths. However, most enterprises need multi-point interconnection among multiple locations, as done by MPLS L2/L3-VPN.
Using SD-WAN overlay paths to achieve any-to-any mesh interconnection among all branches not only requires all branches' CPEs to be upgraded, but also requires the CPEs to manage routing among the CPEs located at other locations, which dramatically increases the complexity of the CPEs. It is almost like going back to the complexity of frame relay, where each CPE needs to maintain mesh routing for all destinations.

Linda

From: Yoav Nir [mailto:[email protected]]
Sent: Friday, September 08, 2017 12:36 AM
To: Linda Dunbar <[email protected]>
Cc: [email protected]; IPsecME WG <[email protected]>
Subject: Re: your example (like Gap) about IPSec VPN gateway deployed in shopping mall not aware of where the controller is.

Hi, Linda

The reason I brought up the Gap was because they described their network in a Packet Pushers episode ([1]). And the solution for them was some vendor's SD-WAN solution. As far as I can tell, each vendor's SD-WAN solution is proprietary and non-interoperable with other vendors' SD-WAN solutions. That vendor (Viptela, since then merged with Cisco) uses BGP on a large scale to pass configuration information between CPE devices and data center devices, and an SD-WAN controller to manage it all. Other vendors use other technology to learn protected domains, and as I mentioned, there was an attempt to standardize something in IPsecME a few years ago, but that failed. The draft we were discussing has no way to transfer domain information from the CPEs to the controller or to other CPEs, so I assume that it does not fit this use case. At least not in its current form.
Yoav

[1] http://packetpushers.net/podcast/podcasts/show-274-packet-pushers-live-viptela-three-real-world-sd-wan-deployments-sponsored/

On 7 Sep 2017, at 22:33, Linda Dunbar <[email protected]> wrote:

Yoav,

At yesterday's I2NSF Interim meeting, you described an example of Gap having thousands of locations, most of them in a mall where a public network is available. You said that typically the VPN gateway placed in the store has no knowledge of the global network topology, nor does it know where the controller is located.

Today, many vendors' remote CPEs support ONUG's SD-WAN "Zero-touch deployment" requirement, where the remote CPE devices can be connected to their controller via barcode scan/email/etc. Does it solve the problem?

Thanks,
Linda
_______________________________________________ I2nsf mailing list [email protected] https://www.ietf.org/mailman/listinfo/i2nsf
