Fixing the Internet Using Secure Vector Routing: Page 3 of 4
Although conceptually simple, the 128T approach is radically different from other routing mechanisms, and it brings enormous benefits:
Elimination of "middle boxes" along with incorporation of the best of network function virtualization (NFV) -- 128T routers include the value-added capabilities typical of traditional routers and the appliances around them, including firewall, deep packet inspection, load balancing, and NAT. 128T has integrated these capabilities into the software stack of its routers, making all of them available to network administrators who are developing network policies. Because 128T uses a software-based architecture, its approach resembles NFV -- with one big difference. The 128T technology integrates the network functions and their management in a single interface with a common reporting mechanism. By comparison, most NFV solutions treat network functions as discrete capabilities "chained together," managed separately, and with separate reporting mechanisms.
"Deny by default" secure networking -- because the router derives the security and network policy for a session from its first packet, no packet can enter the network unless a policy applies to that packet and session type. If no matching rule exists, the router discards the packet and creates no session state for it. This yields "zero trust" networking based on an explicit allow list (a white list): anything not expressly permitted is dropped.
The benefits of software-defined WAN technology without CPU and bandwidth penalties -- 128T's routers add only 36 bytes of metadata, and only to the first packet of a session. SD-WAN overlays, which do not keep per-session state, encapsulate every packet, adding between 100 and 124 bytes to each one. Consider a typical G.711 voice packet carrying 20 milliseconds of speech. The payload alone is 160 bytes. Add the 40 bytes of IP-layer overhead (20 for the IP header, eight for the User Datagram Protocol header, and 12 for the Real-time Transport Protocol header), and the packet is 200 bytes long. 128T routers add 36 bytes of metadata to the first packet only; every subsequent packet remains 200 bytes. SD-WAN devices add 100 to 124 bytes to every packet, expanding each G.711 packet to 300 to 324 bytes. Thus 128T routers need roughly 33% to 38% less bandwidth per packet, while spending fewer CPU cycles on encapsulation at each end. Note also that per-packet overhead can push large packets, such as those in real-time video flows, past the path MTU; the resulting fragmentation adds latency and jitter to the video traffic.
G.729 voice packets suffer even more. A G.729 packet carrying 20 milliseconds of speech has a payload of only 20 bytes, so with the same 40 bytes of IP, UDP, and RTP overhead it is 60 bytes long; with SD-WAN encapsulation it becomes 160 to 184 bytes. SD-WANs therefore use roughly three times the bandwidth that 128T routers use for G.729 media flows. The impact on available bandwidth is enormous over WAN links -- especially international circuits -- that are typically bandwidth constrained in the first place.
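The arithmetic in the two paragraphs above generalises to any codec and any overlay. The following is an added example written for this page, not code from 128 Technology or from the article: it takes the article's figures (36 bytes of metadata on the first packet only for Secure Vector Routing, 100 to 124 bytes on every packet for per-packet SD-WAN encapsulation) as inputs, computes the bytes on the wire for a one-way media flow, and checks whether per-packet overhead would push a packet past a path MTU. Layer 3 sizes only; Ethernet framing and IPsec padding are not modelled.

```python
"""Per-packet versus first-packet-only overhead for real-time media.

Added example, not code from 128 Technology or the article.  The overhead
figures are the article's: 36 bytes of metadata on the first packet of a
session for Secure Vector Routing, 100 to 124 bytes on every packet for
per-packet SD-WAN encapsulation.  Sizes are IP-layer (layer 3) sizes;
Ethernet framing and IPsec padding are not modelled.
"""
from dataclasses import dataclass

IP_HDR, UDP_HDR, RTP_HDR = 20, 8, 12
L3_OVERHEAD = IP_HDR + UDP_HDR + RTP_HDR        # 40 bytes on every RTP packet

SVR_FIRST_PACKET_METADATA = 36                   # bytes, first packet only
SDWAN_PER_PACKET_OVERHEAD = (100, 124)           # bytes, low and high estimate


@dataclass(frozen=True)
class Codec:
    name: str
    bitrate_bps: int
    ptime_ms: int        # milliseconds of speech carried per packet

    @property
    def payload_bytes(self) -> int:
        return self.bitrate_bps * self.ptime_ms // 8 // 1000

    @property
    def packets_per_second(self) -> int:
        return 1000 // self.ptime_ms


G711 = Codec("G.711", 64_000, 20)   # 160-byte payload, 50 packets/s
G729 = Codec("G.729", 8_000, 20)    # 20-byte payload, 50 packets/s


def rtp_packet_bytes(codec: Codec) -> int:
    """Size of one IP/UDP/RTP packet for the codec, with no overlay."""
    return codec.payload_bytes + L3_OVERHEAD


def flow_bytes(codec: Codec, seconds: float,
               per_packet_extra: int = 0, first_packet_extra: int = 0) -> int:
    """Bytes on the wire for a one-way media flow of the given duration."""
    n = int(codec.packets_per_second * seconds)
    return n * (rtp_packet_bytes(codec) + per_packet_extra) + first_packet_extra


def compare(codec: Codec, seconds: float = 60) -> dict:
    """Compare SVR (first-packet metadata only) with per-packet encapsulation."""
    svr = flow_bytes(codec, seconds, first_packet_extra=SVR_FIRST_PACKET_METADATA)
    lo, hi = (flow_bytes(codec, seconds, per_packet_extra=x)
              for x in SDWAN_PER_PACKET_OVERHEAD)
    return {
        "packet_bytes": rtp_packet_bytes(codec),
        "svr_bytes": svr,
        "sdwan_bytes": (lo, hi),
        "sdwan_packet_bytes": tuple(rtp_packet_bytes(codec) + x
                                    for x in SDWAN_PER_PACKET_OVERHEAD),
        "svr_saving_pct": tuple(round(100 * (x - svr) / x, 1) for x in (lo, hi)),
    }


def exceeds_mtu(packet_bytes: int, per_packet_extra: int, mtu: int = 1500) -> bool:
    """True if adding per-packet overhead pushes a packet past the path MTU,
    so an intermediate hop must fragment it (or drop it, if DF is set)."""
    return packet_bytes + per_packet_extra > mtu


if __name__ == "__main__":
    for codec in (G711, G729):
        print(codec.name, compare(codec))
    # A 1400-byte video packet fits a 1500-byte MTU, but not once 124 bytes are added.
    print("1400-byte video packet fragments under per-packet overlay:",
          exceeds_mtu(1400, SDWAN_PER_PACKET_OVERHEAD[1]))
```

Running it reproduces the article's 200-byte G.711 and 300- to 324-byte SD-WAN packet sizes, and shows the saving over a minute of audio is about 33% to 38% for G.711 and 62% to 67% for G.729, since the 36-byte first-packet metadata is amortised across all 3,000 packets.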
SD-WANs also rely on IPsec tunnels, which encrypt everything that passes through them. But some flows are already encrypted when they leave the endpoint; many IP communications media streams, for example, are encrypted end to end (typically with SRTP). An SD-WAN therefore re-encrypts already-encrypted payloads, effectively "double encrypting" them and paying the CPU cost of doing so. Through policy, 128T routers can recognize that a new session arrives already encrypted, so 128T sessions do not incur the double-encryption overhead. One caveat for anyone writing such a policy: endpoint encryption such as SRTP protects the media payload but not the RTP headers, so bypassing transport encryption for those sessions exposes header fields that an IPsec tunnel would have hidden.
Double NAT security -- 128T routers identify packets by their 5-tuple (source and destination IP address, source and destination port, and protocol). When a packet arrives whose 5-tuple matches an existing session, the router immediately maps it to the session ID it has already created and forwards it along the path set up for that session's first packet. The 128T routers replace the 5-tuple with the waypoint path information, which hides the original source and destination addresses and ports, much as a NAT device does. When the packet reaches the final 128T router on the path, that router, which knows the original source and destination addresses from the session ID, swaps the waypoint addresses back for the originals, so the packet presented to the far-end application or service is identical to the one the source sent. This double NAT (address rewriting at both ends of the flow) keeps the real endpoint addresses out of the intermediate network. Note, however, that address rewriting alone does not stop an on-path attacker from reading or altering packets; it limits what an observer learns about the endpoints and has to be paired with encryption and integrity protection of the session metadata and payload to actually defeat man-in-the-middle attacks.
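The deny-by-default policy and the waypoint rewriting described above are two halves of one mechanism: the first packet of a session is matched against an allow list, a session ID is created only on a match, and every packet of that session is then rewritten on ingress and restored on egress. The following is an added example written for this page, not 128 Technology's code: it models an ingress and an egress router with that behaviour. The policy table layout, the first-packet metadata fields, and the waypoint port scheme (`WAYPOINT_PORT_BASE` plus the session ID) are assumptions made for the example, and the traffic is constructed.

```python
"""Session-based forwarding with deny-by-default policy and waypoint
address rewriting, modelled on the behaviour the article describes.

Added illustration, not 128 Technology's code: the policy table layout,
the metadata fields, and the waypoint port scheme (WAYPOINT_PORT_BASE +
session id) are assumptions made for this example.
"""
from dataclasses import dataclass
from typing import Optional
import itertools


@dataclass(frozen=True)
class FiveTuple:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Packet:
    hdr: FiveTuple
    payload: bytes
    metadata: Optional[dict] = None  # present on the first packet only


@dataclass(frozen=True)
class Policy:
    """Allow-list entry: a session may enter only if an entry matches it."""
    proto: str
    dst_ip: str
    dst_port: int
    service: str


WAYPOINT_PORT_BASE = 16384  # assumed scheme: one waypoint port per session


class SvrRouter:
    def __init__(self, waypoint_ip: str, peer_waypoint_ip: str,
                 policies: list[Policy]):
        self.waypoint_ip = waypoint_ip
        self.peer_waypoint_ip = peer_waypoint_ip
        self.policies = policies
        self.sessions: dict[FiveTuple, int] = {}   # 5-tuple -> session id
        self.originals: dict[int, FiveTuple] = {}  # session id -> original hdr
        self._ids = itertools.count(1)
        self.dropped = 0

    def lookup_policy(self, hdr: FiveTuple) -> Optional[Policy]:
        for p in self.policies:
            if (p.proto, p.dst_ip, p.dst_port) == (hdr.proto, hdr.dst_ip, hdr.dst_port):
                return p
        return None

    def ingress(self, pkt: Packet) -> Optional[Packet]:
        """First router on the path: classify on the first packet, then
        replace the 5-tuple with waypoint addresses on every packet."""
        sid = self.sessions.get(pkt.hdr)
        metadata = None
        if sid is None:
            policy = self.lookup_policy(pkt.hdr)
            if policy is None:          # deny by default: no policy, no session
                self.dropped += 1
                return None
            sid = next(self._ids)
            self.sessions[pkt.hdr] = sid
            self.originals[sid] = pkt.hdr
            metadata = {"session_id": sid, "service": policy.service,
                        "original": pkt.hdr}   # carried on the first packet only
        waypoint = FiveTuple(pkt.hdr.proto, self.waypoint_ip,
                             WAYPOINT_PORT_BASE + sid, self.peer_waypoint_ip,
                             WAYPOINT_PORT_BASE)
        return Packet(waypoint, pkt.payload, metadata)

    def egress(self, pkt: Packet) -> Optional[Packet]:
        """Last router on the path: learn the session from the first packet's
        metadata, then restore the original addresses on every packet."""
        if pkt.metadata is not None:
            sid = pkt.metadata["session_id"]
            self.sessions[pkt.hdr] = sid
            self.originals[sid] = pkt.metadata["original"]
        sid = self.sessions.get(pkt.hdr)
        if sid is None:                  # unknown waypoint tuple: drop
            self.dropped += 1
            return None
        return Packet(self.originals[sid], pkt.payload)


def run_demo() -> dict:
    """Constructed traffic: SIP signalling is allowed, telnet is not."""
    policies = [Policy("udp", "10.0.2.10", 5060, "sip")]
    a = SvrRouter("192.0.2.1", "198.51.100.1", policies)
    b = SvrRouter("198.51.100.1", "192.0.2.1", policies)
    sip = FiveTuple("udp", "10.0.1.5", 40000, "10.0.2.10", 5060)
    telnet = FiveTuple("tcp", "10.0.1.5", 40001, "10.0.2.10", 23)

    first = a.ingress(Packet(sip, b"INVITE"))
    second = a.ingress(Packet(sip, b"ACK"))
    delivered = [b.egress(p) for p in (first, second)]
    denied = a.ingress(Packet(telnet, b"login"))
    return {
        "first_has_metadata": first.metadata is not None,
        "second_has_metadata": second.metadata is not None,
        "same_session": first.hdr == second.hdr,
        "waypoint_src": first.hdr.src_ip,
        "restored": [p.hdr for p in delivered] == [sip, sip],
        "payloads": [p.payload for p in delivered],
        "telnet_dropped": denied is None and a.dropped == 1,
    }


if __name__ == "__main__":
    print(run_demo())
```

The egress router trusts the first packet's metadata to learn the original 5-tuple, which is exactly why that metadata must be authenticated in a real deployment: without integrity protection, whoever can forge a first packet can choose which addresses the far end restores.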
128T's routers can work with existing network infrastructure -- 128T routers can replace existing network routers and the middle boxes that surround them, or they can sit inside existing networks providing overlay and/or deterministic QoS pathways to sessions traversing them. They rely on standard networking industry protocols like Border Gateway Protocol and Open Shortest Path First.
Session detail records enable new business models -- 128T routers create a session detail record for every session and report on network performance during that session, including the number of dropped packets, the number of TCP retransmits, the bandwidth consumed, and so on. Network administrators can use this data to monitor the network, and it can also underpin new business models. For example, with net neutrality in jeopardy, content providers like Netflix, Facebook, and Hulu could pay for high-quality network connectivity to their content rather than having users pay for the bandwidth or having the network provider throttle it. (This would be similar to toll-free calling in the voice world; here, however, the content provider pays for the high-quality network connection.)
Continue to Page 4: Architecture, Use Case, Key Takeaways