During the bringup of the overlay, the Cisco vSmart Controller establishes the information for edge routers to send data to each other. However before a pair of routers can exchange data
traffic, they establish an IPsec connection between them, which they use as a secure communications channel. Since the Cisco vSmart Controller has authenticated the devices, the devices do not further authenticate each other.
Control plane communications have allowed the edge device to have enough information to establish IPsec tunnels. Edge devices
simply send data through the tunnels. There is no authentication step.
In a traditional IPsec environment, key exchange is handled by the Internet Key Exchange (IKE) protocol. IKE first sets up
secure communications channels between devices and then establishes security associations (SAs) between each pair of devices
that want to exchange data. IKE uses a Diffie-Hellman key exchange algorithm to generate a shared key that encrypts further
IKE communication. To establish SAs, each device (n) exchanges keys with every other device in the network and creates per-pair
keys, generating a unique key for each remote device. This scheme means that in a fully meshed network, each device has to
manage n2 key exchanges and (n-1) keys. As an example, in a 1,000-node network, 1,000,000 key exchanges are required to authenticate
the devices, and each node is responsible for maintaining and managing 999 keys.
The discussion in the previous paragraph points out why an IKE-style key exchange does not scale as network size increases
and why IKE could be a bottleneck in starting and in maintaining data exchange on a large network:
-
The handshaking required to set up the communications channels is both time consuming and resource intensive.
-
The processing required for the key exchange, especially in larger networks, can strain network resources and can take a long
time.
The Cisco SD-WAN implementation of data plane authentication and encryption establishes SAs between each pair of devices that
want to exchange data, but it dispenses with IKE altogether. Instead, to provide a scalable solution to data plane key exchange,
the Cisco SD-WAN solution takes advantage of the fact that the DTLS control plane connections in the Cisco SD-WAN overlay
network are known to be secure. Because the Cisco SD-WAN control plane establishes authenticated, encrypted, and tamperproof
connections, there is no need in the data plane to set up secure communications channels to perform data plane authentication.
In the Cisco SD-WAN network for unicast traffic, data plane encryption is done by AES-256-GCM, a symmetric-key algorithm that
uses the same key to encrypt outgoing packets and to decrypt incoming packets. Each router periodically generates an AES key
for its data path (specifically, one key per TLOC) and transmits this key to the vSmart controller in OMP route packets, which
are similar to IP route updates. These packets contain information that the vSmart controller uses to determine the network
topology, including the router's TLOC (a tuple of the system IP address and traffic color) and AES key. The vSmart controller
then places these OMP route packets into reachability advertisements that it sends to the other routers in the network. In
this way, the AES keys for all the routers are distributed across the network. Even though the key exchange is symmetric,
the routers use it in an asymmetric fashion. The result is a simple and scalable key exchange process that uses the Cisco vSmart Controller.
In Cisco SD-WAN Release 19.2.x and Cisco IOS XE SD-WAN Release 16.12.x onwards, Cisco SD-WAN supports IPSec pairwise keys that provide additional security. When IPSec pairwise keys are used, the edge router generates
public and private Diffie-Hellman components and sends the public value to the vSmart for distribution to all other edge devices.
For more information, see IPSec Pairwise Keys Overview
For multicast traffic, data plane encryption is done by AES-256-CBC with SHA1-HMAC.
If control policies configured on a vSmart controller limit the communications channels between network devices, the reachability
advertisements sent by the vSmart controller contain information only for the routers that they are allowed to exchange data
with. So, a router learns the keys only for those routers that they are allowed to communicate with.
To further strengthen data plane authentication and encryption, routers regenerate their AES keys aggressively (by default,
every 24 hours). Also, the key regeneration mechanism ensures that no data traffic is dropped when keys change.
In the Cisco SD-WAN overlay network, the liveness of SAs between router peers is tracked by monitoring BFD packets, which are periodically exchanged
over the IPsec connection between the peers. IPsec relays the connection status to the vSmart controllers. If data connectivity
between two peers is lost, the exchange of BFD packets stops, and from this, the vSmart controller learns that the connection
has been lost.
The IPsec software has no explicit SA idle timeout, which specifies the time to wait before deleting SAs associated with
inactive peers. Instead, an SA remains active as long as the IPsec connection between two routers is up, as determined by
the periodic exchange of BFD packets between them. Also, the frequency with which SA keys are regenerated obviates the need
to implement an implicit SA idle timeout.
In summary, the Cisco SD-WAN data plane authentication offers the following improvements over IKE:
-
Because only n +1 keypaths are required rather than the n2 required by IKE, the Cisco SD-WAN solution scales better as the network grows large.
-
Keys are generated and refreshed locally, and key exchange is performed over a secure control plane.