128 Technology Routing Protocols: SVR

So let's talk about SVR, the three magic letters. SVR, what 128 stands for, is simply Secure Vector Routing. Now what is secure vector routing? I think that's a big question. What 128 routing is really based on is sessions; that is, we are session oriented. For every single packet we create sessions, so that's the basis on which the 128 routing platform is built. Now for every session we create, we believe that it has to be secure. That's where the security piece comes in: when our packet is going from one 128T router to another 128T router, it should be inherently secure. Routers by default are not secure, so you have to have tunnels to encrypt; you can have IPsec or any kind of encryption technology there. But we believe that when a packet leaves our router it has to be inherently secure, and at the same time we have to maintain sessions to have policies. We'll come to the details a little bit later.

Then application centric. Now how does session awareness help us? If you are session aware, we know what application you belong to, so automatically you get the application awareness along with it. So security, then direction: the vector is the next piece. Applications are directional; that is, you are trying to access an application, the app is not trying to access you. Even if the application is trying to access you, that's a different direction. So the directionality is an important piece; that's where the term vector comes in. So it's inherently secure, we create sessions, and we are directional; that's where the vector piece is.

Then application and service centric. You have already heard about service in the previous session, what a service is, what a tenant is; we will come to it again. Then routing without tunnels. Yes, we believe that when you send a packet you have to be able to route the packet, forward the packet, like IP packets. You don't need to have any tunnels, you don't have to add any other fancy networking schemes, you simply send a packet from one router to the other, just like it was supposed to be. But unfortunately that's not how networking works right now, for various reasons.

Then zero trust security: we believe in security, security, security, security. That's why SVR stands with Secure Vector Routing. Zero trust security, we will come to all these terms in detail, but the basic premise is that the fundamental basis on which 128 does routing is different. It's completely different from any other networking scheme you have seen. Why? Simply because we are sticking to the basics: take a packet, route the packet, send it to the destination. It doesn't matter how it's being sent, just send the packet to the destination, but with as much security as you can get, as much session awareness as you can get, and as much policy as you can apply on it. So that's what secure vector routing is all about.

So let's go over this again. You can see a bunch of 128 routers, all these are 128 routers, going from a source to a destination. Now when a packet flows from a source to a destination we know it's deterministic; that is, we need to make sure the paths taken are deterministic, the forward and the reverse. Now why is that important? Asymmetric routing: if you do not have deterministic session awareness at every hop, it's possible you'll get a packet from a different route altogether, which is not desirable. We ensure that that doesn't happen, because at every stage we have sessions created. We'll come again to the detail of how that session gets created across routers.

Then security: as packets flow across each edge, each packet is encrypted as well as authenticated. Now that's an important piece: by default we encrypt and authenticate the packet. So if you see the payload here, the payload is encrypted; the metadata is also encrypted. I'll come to what the metadata is. Now the basis of SVR is the first packet processing. So what is first packet processing? Let's say a packet comes to a 128
router and it has to be sent out to another 128 router, or sent to a particular application. We take the first packet and run it through a bunch of policies, figure out where it has to go, and then create a session for it. Now if a packet is coming in to a router and going out locally, it's like any other router: you have a FIB, you may create flows, that's fine. But when it leaves one 128T router and goes to another 128 router, that's where you get the real benefit, because what happens is we take a packet which has a payload, the one in blue, so this is the payload, and then what we do is we put in something called metadata. Now what is this metadata? The five tuples: the source IP, destination IP, source port, destination port and the protocol. Those are the five tuples which uniquely identify a packet coming in, and that goes in the metadata. Then the tenancy, the service which it belongs to. For example, a packet comes in and we define it as, let's say, tenant red, and then we say okay, tenant red has access to the web service because it's going to port 80. That information will go into the metadata.

Now why does it have to go into the metadata? Because SVR relies on using the source IP of the first router and the destination IP of the next router throughout the packet's path. That is simply how you route it or forward it: send it to this destination. It can be multiple destinations or one destination, it does not matter. All we are trying to do is take the packet from here and send it to the second guy, and what does he do? He takes the packet from here and sends it to this guy. So at the end of the day, when you have two routers, one router is the source IP, the other router is the destination IP. All we are saying is that's the transport, that's the underlay transport, which could be anything. It could be the WAN, it could be a LAN, it does not matter, as long as two 128 routers are there and they are reachable via IP. We simply IP-forward the packet. Now where the magic happens is actually in the metadata.

So this metadata is in every first packet. When a packet comes in and goes across all the way to this destination, how do we maintain the session? That is where the metadata is, because at the end of the day, whatever magic you do, you have to do some kind of signaling. It could be out-of-band signaling or it could be in-band signaling. So simply think of SVR as an in-band signaling mechanism, where as the packet goes through we carry the signaling information and keep it in every single router. Now the beauty of this technique is you don't have to carry this metadata in every single packet. Why? Because the reverse packet will turn it off. Once the information is on all of the routers, and why the reverse packet is important is that it tells us that the reverse packet has seen all these routers and has turned off metadata, so that's an assurance to us. It's like a signaling scheme: I've sent it to you, so you send it back to me. For TCP it's simple: the SYN packet goes through, the SYN-ACK comes back. For UDP, if there are reverse packets, yes, it works; if there are no reverse packets, what we do is we have a metadata turn-on packet which we turn on on a per-session basis, which is configurable. It could be ten packets, twenty packets, it does not matter. So at the end of the day the first packet goes all the way to the destination, and then from the destination we turn off the metadata, and then the flow is already set.

So now if you look at it, after the first packet processing there's a flow here, which is with the original five tuple; there is a flow here which is with the WAN IPs, let's say it's a WAN IP; there's a flow here again with the IPs between the routers. So the flows getting installed are simply the external IPs, that is, your IP with which you are coming and the IP with which I am, my local IP. Now there could be CGNs in between, there could be NATs in between, it does not matter. Why doesn't it matter? Because that's
how the packets are coming in. Now you could ask, okay, the sessions can change, let's say the IP changes. It does not matter: if we detect there are CGN changes, we turn on metadata again to have it. So the beauty of our scheme is, whenever the flows are set up end to end you don't need the extra information to be carried. So if you are comparing this to tunnels, which will come later on, the tunnel has an extra header which it carries, which is the information, and we have already carried that in the first packet, so you don't need to carry it anymore and the flows will flow through the tunnel. So metadata could be around 150 bytes, about 150 to 200, so you can add more stuff into the metadata depending on the features you have. So that's a good part: you can keep on extending it however you want. So it's around that much.

That would be the first packet penalty, right? And I'm assuming we're gonna have to adjust MSS size because you're gonna add that much in that payload, even though it's only in that first packet.

Yeah, that we're still gonna have to adjust. I mean, we'd have to do it with the tunnel anyway, so that's not a big differentiator. But for TCP, if you think about it, it's a SYN and an ACK, so literally the system may not have to; you might be able to get away with it.

But you'd be taking a risk if it was a full size packet on the first, if it was a UDP packet.

Yes, yeah, got it. We need to take that into consideration; we'll take that into consideration. Okay, so what we do, just to mitigate that: what happens is, when we reach a certain point there could be a lot of fragments, like you said, it can happen, and you could even run into fragment ID collisions because it's a uint16. To mitigate that, what we've done is something called fabric fragmentation. That is, literally, we take a packet that has the metadata; if it's beyond the size we fragment it into separate chunks, so that it's seen as two different 128 packets going through. So we put two metadatas, packet one with metadata, packet two with the second metadata, and send it through, and those have fragment IDs in them. And we ourselves will essentially take it, convert it back into one packet and pretty much recreate it. So it's not the normal IP fragmentation; we do fragmentation outside, just to mitigate this particular case.

Okay, so as a mechanism for that, do you guys honor DNF? So if it's tagged DNF, do you still fragment it on the fabric, just out of curiosity?

Right, yeah. From the IP perspective they don't see fragments; from our perspective you will see fragments. But yes, that's, yeah, it's like the technical term for where the fragment is, I don't know, but we fragment, yes.

So you're a fragment from a certain point of view. I don't care about the actual data because we didn't fragment it at all, I don't know what you're talking about, right? That's feedback that doesn't have to go back to the originator of the packet though, right? Doesn't matter to him. I mean, honoring it makes sense in that case, right? But there are applications, I mean, and it's kind of ridiculous that it gets set most of the time, to be quite honest, but there are applications that do care about this, right, whether or not you fragment the data. I don't know if it would have an adverse effect; I don't think it really would. I think they're mostly worried about out-of-order packets. We see it in voice a lot, right, that's where we typically see it. So as long as you deliver it in order, I don't think it would matter, right?

Yes. So I mean that's why the session orientation works, because every packet we are sending from the first router itself, we're sending it in order and it will be received in order. So we don't have any issue even for the fragmentation case, right: we have fragment IDs, so we wait for it and then we reassemble it and send it across. So we don't have to be
inefficient with MTU is what you're saying. Yeah, yeah. Awesome, right.

Can you talk a little bit about how you do the application identification on the first packet?

Okay, so application identification by itself is a bigger topic; I think it'll be covered in the coming session. But how the identification happens is literally the five tuples; the five tuples are the identifiers for a particular session. Now that's at the left four, right? So let's say you create a service, and the service at the end of the day will boil down to IP address, protocol and port, right? So when a packet comes in, and I can draw it if you want, essentially we classify the packet, and how we classify the packet is, the first thing is we assign tenancy to a packet. So the tenancy could be a network that it belongs to, it could be simply the VLAN on which it belongs, or it could be simply the other router which has set it. That's a point I mentioned because in SVR, once the ingress router has made the decision you don't have to do anything else on the other router, because he has already made the decision for you. So these are three things: it could be a network, it could be the ingress router which has decided the tenancy for you, or it could be the interface we learn it on. So the first thing we do is figure out what tenant you belong to. Once you have that, then you have to figure out what services are allowed for this tenant. So tenant could be broader, and I'll explain in a moment why I'm saying broader. So let's say you have a web service, you have a database service and you have an internet service, so three services available, and you're going to port 80. So obviously you're going to hit the web service, port 80. So now you get to the FIB, which is the web service where you hit: okay, port 80, I've got it, great. Now what do you do? Then you have a granular access policy. What that does is, now as I said, tenant is broader; tenant defines the network. Now I can say, hey, I don't want to let these users access the web, I only want to give it to maybe .1 to .10, all the others I don't want to. Or you can even define tenants, saying .1 to .10 is tenant red, .11 to .20 is tenant blue, I only want to give access to tenant red. So you classify a broader set of tenants, find what service it has access to. So you'd hit the service; if it doesn't have access to any service you get dropped. But let's say you hit the service; once the service has been reached, then you find out, does it have access? You go even more granular and say, does it have access? If it has access then you go to the slow path for first packet processing, otherwise you should just drop the packet. Now as part of that we also find out what policies can be applied to that service. It's a particular web service; it could be, let's say, best effort, or it could be the highest priority for TE, you can find that. Then you find out, okay, what are the paths, what are the SLAs associated with it, what are the path failure techniques associated with it. So you figure out all those, because the moment you hit the FIB we know what it's associated with, and you set up a flow and actions which correspond to those properties. Now that's how a normal session gets identified.

Now for application identification, it's a different module, but I'll just touch upon that a bit. There are multiple schemes we do. One is a script-based scheme. With a script-based scheme, it's very flexible: you can create IP and port combinations and say, this particular name... Let's say I'm taking Microsoft as an example. They have these IPs which are available where you can query and get the list of IPs. You can say Exchange is this set of IPs, Office 365 is that set of IPs. So you have all those IPs there, so what we do is we consume them, we can put them in the FIB, and when a packet comes in going there we classify it as that. So you can see the counts of
those applications, then you can apply policies to those particular ones. That's one example. The second example is certificates. We can also turn on the certificate feature: we parse the certificates and figure out what the domain names are, so you could even do a glob match, say *.google.com, I want everything under star. So we parse the certificate, we find out, okay, this goes in there, and we can deny or accept it. So those are, I'm just giving you a broad picture, but those are examples of application identification. Now we also have schemes where you can put, let's say, you have an application which defines whatever, you can service chain it through that. So send the packet to your application and you can look at whatever you want and send it back, so that's also possible. So it's flexible in the sense that these are some of the inbuilt ones; some customers have their own needs of whatever application they want to run, and it's simply, we just hook it up and then it just runs as a plugin. So those are the examples.

I do have one more question, about the actual encryption side of this. Are you going to talk about that later, about what the encryption is like? Like how is that managed, how do you manage, you know, the idea is, is it PSK based, is it certificate based? If it's certificate based, how do you manage certificates, like what is that process for encrypting the payload of the data, how do we make sure that that's consistent across the board?

Right, yes, so I'm coming to that. If you're gonna cover it later that's fine. I was not going into the details of it, but let's go to that anyway.

Security question on this floor. Do I understand that there are other routers in each of those clouds, standard routers, not 128?

Yes, there can be any number of non-128 routers in between clouds.

Then from, say, edge to WAN or whatever, do we not have IP routability from the same router, router 1 to router 3, about one, throughout?

You can have it. In this particular case it's just hop by hop, because it has to go through another 128, because they are the edge. But you could go directly, yeah, I don't know why it's not showing here, but absolutely. So if you have a connection directly here, you'll have two hops, one direct hop here and a hop this way. Now what happens is once you come to the next set of steps you'll see that we will be calculating the best path to go there, so it's possible that even if you have a direct connection here, the SLA may be better to go this way.

So it is what you observe in terms of the underlay?

Exactly, exactly.

So, other than possibly forcing unnatural paths, is there a benefit to having state at all in all those intermediate routers? What if I just want to pass the packet directly from router 1 to router 6?

Oh, if you have a direct connection here, well, I mean, many hops obviously, but, are you saying that, let's say there are traditional routers there, you'd rather just send it through the traditional routers? Is that it?

Earlier you said you've got state here and you've got state here and you've got state here, and I don't understand how I am benefiting from the state in those intermediate hops.

Okay, so how the state helps us is with path failures and policy assignments. So let's say you have state here and suddenly this link goes down. This is like a one-link case, I mean this is going there, but let's say you have a connection, like you said earlier, to this guy. On a per-session basis you can fail over the path. For instance, let's say you have a voice call and you have, let's say, TCP 80, and you can't drop a voice call, let's say, and you have a very poor link, a poor connection between these somehow, but you still want to use it. So let's say this path goes down; you'll try to cut over to the poor link only the voice sessions, nothing else. So now
you see the session state helps, because how do you define the session? It's on a per protocol, port and IP address basis, and that's why it helps, because on a per-session basis you can do policy routing, which is powerful.

So help us understand how you'd set up a tenant. I have a softphone on my phone, right; it establishes a TLS connection with another softphone on the far end. How do I set up a tenant and the service to dictate the policy of how I want to define jitter, et cetera, if you guys can't have any insight into the actual service because it's all encrypted, right?

So in your case, let's say you're setting up a TLS connection. At the end of the day you go to a destination IP, right? So you have the final, not the intermediate destination IP, the final destination. I mean, think of it like you're talking from one LAN to another LAN; at the end of it that's what it is, the SD-WAN is like all this fancy stuff connecting them. So let's say you're going from your source 1.1.1.1 to your destination 2.2.2.2 and your port, let's say I'm calling it 443. Now you define a service called 2.2.2.2, protocol TCP, port 443. That's your service to access. Now whom do you want to give access to? Your tenants. Let's say you just want to give it to the engineering department, not the finance department. So you define, one option is, you can create two VLANs and have one VLAN given wholly to engineering, another VLAN completely to finance, and simply put the tenant on that VLAN, saying engineering, and then in the service you give the access policy, engineering. So if you go back to what I was saying earlier, what happens is a packet comes in on that VLAN and it gets classified as the engineering tenant, the broader tenancy. It goes in, it hits the FIB which has 443 and the IP address, so that gives you the service. Then you go to the access policy, it says allow engineering.

So what happens when the service is a peer-to-peer video app and I want to guarantee jitter for that video app, but if there's an FTP file transfer from the same two nodes, I could care less about those services, right?

So that's where you have two services now. A service for the video has a different port and protocol.

And what if it's TLS, what if it's encrypted, I can't know, right?

It's still a different port, right?

For example, let's say it's TLS. What if it's all 443 traffic from my two endpoints, my two engineering endpoints, right, all 443, different applications?

Okay, so you are going... but what about IP?

I mean, at the end of the day, from my engineering workstation to another engineering workstation, we're collaborating, we're in Office 365 and I'm sending him a large file for him to do some analysis off of, and at the same time we're video chatting as we're having the conversation. That is 443 from one workstation to another workstation.

Yes, but is it the same IP destination too?

Yes, it's peer-to-peer communication.

Okay, so here you're talking about overlapping IPs. That is, in the sense you have service A 1.1.1.1 port 443, service B 1.1.1.1 port 443, but where it finally goes to will be different, correct? You agree?

No, it is the same. Collaborating with another engineer.

Effectively a tunnel, you're saying?

No, no, it's two applications. So let's say I'm doing Slack... no, Slack is a horrible example. Say I'm doing an IP phone, I have an IP phone that does TLS between the two endpoints, just point to point, there is no controller in the middle; maybe there's something to set up the session between the two, but other than that it's peer-to-peer communication. And then I'm using SFTP to transfer files at the same time, and they all use 443, point to point. I want to guarantee the voice traffic but I could care less about the SFTP traffic, right?

Yeah, so again, it's the same IP, same addresses, same port, right? But how is the application figuring that out at the far end?

And so then when I'm setting up the connection between IP phones, it'll be 443 with some funny port or whatever, I don't know.

That's the thing. So at the end of the day, even if you are doing all this, your final application should have a unique type of port itself.

I can define it, I could use that port.

Exactly, that's the answer, that's exactly it. So, literally, what you explained is what tunnels do. That's exactly tunnels: you create one tunnel and shove everything into it and it comes out the other way, right? That's exactly what we... why we're different is because we separate that out. So when you define the application, the first question is how does your application... so we look from that angle, that's why it's application centric, that's why all of our questions will be, where does it live, what port and socket does it live on. Okay, so for 443 the other one can't be the same thing, because you might have the two things as... the application, exactly. So that separates out; that becomes the service. That's exactly what it is. You create an application, you create a service, give access to tenants, you are in.

Okay, so a lot of what we're talking about in terms of creating a service and understanding who has access to it probably already exists in most of your customers in their firewalls. Do you have a way to map those firewall controls into your system, or is it still, I've got to rethink this for 128?

So for example, in one of our customer networks it was Cisco, so Cisco had access lists, which is like a firewall. What we did was we literally wrote a script which converts a Cisco configuration into our configuration. Now the difference is you can slice and dice it like ten different ways, however you want. For example, in that Cisco config you had 10.1 access, 10.1 access, 10.2 access,
10.3. It's like, it's like obeys law, so we created all these internally. This doesn't make sense, can you say /24? Yeah, so they said, yeah, we were just adding it willy-nilly kind of thing. So yeah, that's worth it. So that's an example. We took a Cisco config, we ran a script and created the services, and presented that these are the three or four different ways we can create the service, and they were happy with that. So that's an example. So similarly, I mean, we don't have it for every single firewall out there, but at the end of the day if the firewall can dump something, it's simple for us to convert it. So that's exactly how we do it. Any other question?

I don't know that we ever got to the encryption question.

No, I have it. Okay, so let's go to the encryption question. Encryption, so there are a few things. Okay, let's go to how we encrypt it. We encrypt the payload and we include the metadata too, and AES 256 or AES 128, you can choose one of them; AES 256 is of course very secure, so that's what we use by default. Now how are the keys distributed? I think that's mainly the question. It's not certificate based; it's literally the keys are distributed. So we have a security key manager which generates these keys and distributes them to all the routers. When we initially started, just to make it work, it was part of the config. It's no longer there; right now just the security name is part of the config, but the keys are randomly generated and distributed to all the routers in a secure way. So this way what happens is none of these keys can be really learned, because it's really in the process memory; it's not dumped anywhere, it's not accessible anywhere. So, you know, it is in the process memory, so if you're root and then try to figure out the process memory maybe you'll get it, but it's not easy, it's virtually impossible. But yeah, so that's where it is. So literally we generate the keys and we distribute them to all the routers. Let's say you create a security key called web security, which you want to apply to, let's say, all web related services. Then we will create a key and distribute it to all the routers, so now they know what that web security means. So that's how we do it.

Are you doing rotation of those keys?

Yeah, so it's like a rekey. There's a rekey mechanism with which, if you turn on rekey, then periodically we can basically...

Assuming there's a default timer, is that something that an operator can change?

Yes, yes, if they want to rekey after an interval, right, right.

Do you use an external key management system that you guys can tie into, or is this just...?

Right now it's what we generate, but it's easy enough to integrate with an external key management system. At the end of the day it could be like a script we can call and you can fetch it; you just have to make sure the external command is a connectionless, secure thing, that's all. At the end of the day if it's secure then we should be fine.

These are just the ingress and egress routers, so that it has no...

That's it, I was coming to that. You actually went to the next point, because that's an important piece of this technology. Consider any encryption or tunneled stuff. Let's say it's point-to-point, point-to-point, point-to-point links. What happens? It comes out, decrypt it, encrypt it, comes out, decrypt, encrypt, comes out, decrypt. We don't do that. Only the ingress encrypts it, and then everything is a pass-through, and then finally it comes here and only he decrypts it. So the ingress encrypts and the last egress decrypts. That's the beauty of this. The tunnel comparison discussion will come later, but that's one distinction to understand: tunneled or no tunnel doesn't matter, when you have a point-to-point link or any number of point-to-point links, all they know is a bunch of packets come here, let me decrypt, apply the next access policy. That's also the no-access-policy: I can apply it because I've already done it on the ingress; his firewall is letting me through, that's in the network, right, and it was encrypted earlier at the ingress. So that, from a performance perspective or from a management perspective, is the unique factor which we have which none of the others have, because you can do it with tunnels too, but then you'll have an N-squared problem, right, you have to create a full mesh.

So what about the metadata? Because you said the metadata is inspected along the path, but you said the metadata is encrypted. Is it unique in that it gets decrypted at each hop along the way?

Yes, the metadata, absolutely. The metadata gets decrypted at each hop, because we need to know what the contents are. But that's only for the first packet, right; so once that's done you're done, so it's not a problem, right. But just to continue on that, why do the other routers need to know about it? You never know: that could be a local session starting from here and ending on this guy. You don't know that, because it's possible that you may want to go locally from router 1 to router 2 though there are hops sitting out there. It's perfectly fine, maybe it's for a ping utility, I don't know, it's for logging in to figure something out, so all those have to be secure. So we can't assume anything. But otherwise you're absolutely right, that's true, you don't need to know it, but it's a generic architecture, so we just push it down. We could make assumptions if you want.

So everybody gets the keys then?

Yes, everyone gets the keys, because you could change that policy any time to do whatever, so that's why we push it everywhere.

Is the security key manager function part of the conductor?

Yes, it's part of the conductor.

We've heard a few times about low overhead, no overhead advantages. Doesn't the use of AES suggest that you're gonna have to do some buffer padding?

There is a padding, that's true, because if you
don't come to the full alignment you will have to power it up that's that's there for the encryption is but I think any encryption blocked encryption you use the good part of you're using block encryption which is efficient rather than like yeah so so but unfortunately that's part of the block encryption so that small overhead will be there you're absolutely right realization vector is same as anyone yeah yeah I be the same but but yeah it's your right for an intermediate packet then I mean that might push you over a frame size sometimes a little it could a little but we have arrived fabric fragmentation so for the most part what we see is that doesn't kick in it's like less than thousands I think the packets being sent a thousand three thousand four hundred so we have at the edges it's okay but yes if it's a big boy so video coming in weevil in the world this is the difference between nothing extra or what 15 bytes yeah pretty much exactly we 16 bytes so based on it'll be if there's something then we have the remaining so that's the padding yet exactly yes so have I answered the question for the security or a security question yeah that was that was exactly what I think it is so yeah so I think to session awareness is there but two important factors to understand is like the firewall features are done on the ingress any identification any service any policies that are non-english just once and the remaining routers trusted and you can take a so you don't take the extra hit on any other router even for the first packet or subsequent pack second the security which you brought up rightfully so again the first router does it yes the first packet metadata needs to be encrypted decrypted but otherwise will be just going through Asus that's the that's one thing which makes us different from any other technology are two things actually which makes a difference for technologies there are many would okay and is there any kind of you're doing a lot on that first packet you 
are long is there any kind of like buffering mechanism or something that it's gonna keep it there while you do also lookups and no no no sorry uh whenever I said it hard I mean not that much but so so how it works is most of the determination is made at the fast path most of it because again find the tenancy it's a hell p.m. lookup then once you have the tenant you look up using the tenant in the IP and the port another fib lookup so that's also the fast path you find the service then using the source IP you look at the access policy so once it's all done so now you you already figured out the service you figured out the tenancy everything is there so once you come up all you have to do is set up the sessions and with the right policies which will be associated with the service anyway so there's not much processing happening there it's it's yes it goes to the fast path because we want sorry slow path because fast path is doing what it needs to otherwise it just sets up the session and the policies this is already determined when we did the lookup so there's not many lookups we have to do from that perspective okay I think yeah this is what's happening under the hood some well we kind of went through it but so detect a new session that is a packet came in yes associate tenants and services we talked about it first you hit a so look up table figure out what the tenant is based on your network or on the interface then you go hit a fifth table you figure out what the services are available to that tenant and then you hit an access policy to make sure these tenants have access to it so then what we do is we preserve the original IP addresses in the metadata which is what we are carrying and that's a session key in the fight apples plus the tenant information forms our session key across or so for example if you have same IPS on to so I mean I was coming to that example if we have say my piece on two services for whatever reason because you get knotted at the final end 
you can do that but with different tenants because that's the ten because an IP port protocol with the same set what distinguishes them will be the tenancy at that point so you could have the same thing hosted at two different VLANs and your other data center but two different tenants accessing it so it's perfectly fine because we will create a unique session for them a unique flow for that so it they won't collide and it's easy to manage them instead of creating all these access policy rules for that so yeah so the metadata is put in then so we preserve the original address in the metadata and then we put the waypoint address so waypoint is simply the source IP of the originator and the destination IP of the destination router that's pretty much it it's it's it's very simple how do I go from router a to router B when you use your source IP and you use this destination IP it's as simple as that that's all what it is that's all routing should have been unfortunate is not that's all what we're trying to do I mean I'm not saying like let's say you're creating a tunnel they are doing the same thing it's like source IP destination it's the same thing but at the end of the day we are having separate session we create a waypoint when I say the waypoint there's a way port also Waypoint is a combination of four things it has the IP address source IP - IP source port despot so the the trick there is which actually he came up with the trick there is you are you have the high port 16 k2 65k and you can have like 50 k so sports 50 K desperate community of almost 2 billion combinations so from one source to the other source if you're even leaving 16 K ports away and only use the high ports you have 16 you have 2 billion combinations of flows you can from one place to the other place so if you have 2 billion combinations of flows where you can have different DHCP bit marking if you want you can have different policies you can do why send it through one why send it through like 
one set of ports and IPS that's pretty much the what the technology does in a basic deployment if you had 128 routers distributed throughout that cloud yeah with the the involved waypoints be just the two at the edge so or would we under normal circumstances still go get this I click through so that really depends on whether the 122 routers in the same Authority or not for example let's say D let's say these two you've gone through your thought or thought is like a domain let's say if to 120 routers define the domain at that point any 120 router communication is holy through waypoints because that's what we believe in it's like it's secure it has all the properties like secure vector routing the security it's directional and it just normal routing now let's say you had another I'm struggling with a mental model here I'm sorry I think I get it but you know I would never build a GRE tunnel this way I'm not quite there yet but oh yeah you sure definitely yeah so so let's say why I'm startled the thought is let's say you had another authority here which let's say it's AT&T is sitting out there or any service provider and we had no clue about it let's say because you have one 123 router you have one finish this is an underlayment someone is doing it and he's also using 120 mm just like Cisco routers anyway 120 year old us in that case SVR will be between these two routers because we don't know anything about that router but the moment we peer with them if they become our adjacency in our terms like in in the tradition world you say okay it's a BGP neighbor or in neighbor for in our case we say it's our adjacent router if it becomes a p120 peer somehow then yes we will use waypoints so now just to in a GRE tunnel for example you would create it from this end to this end right and if you have multiple ones there you don't care you only care the destination the end ends the difference there is let's say you have five of them it becomes an N square problem if you really 
want to go all of them right because you have you need a full mesh here it's not an N square problem because it's just IP reach ability and another day well in your keeping stay run flows rigorous it is so however many flows there are that's how much they you have yes but no matter how many peers there are right but that but but but if you look at from the maintainability maintain employee perspective even if you have five routers here irrespective that's how we work that's so if a router works the way it's session over into the router that's how he works it doesn't matter what happens we create session state so the N square problem doesn't really exist there because you're just doing IP forwarding and then other day for us it's an IP packet we don't know it's because of n hops it's coming or one hop it's coming it's a packet coming to us has it like gone through all the metadata does it have metadata great that means and can I really decrypt an authenticated that means someone at the English side has made the decision that it's valid and we can't create sessions and pass on yeah just to be clear though because I passed earlier as well you want Oh make sure you okay if you want direct bypass from an ingress to a without going through any 120 ATS in the middle right and you just won at 120 to 120 T you can absolutely do that that's just the policies that you've configured for route right just like as long as they have reach ability over IP of course they can talk director it happens is that a lot of our customers don't want it to go direct so they want branch to branch traffic for example a frequently to go through their data center even though from an internet perspective or IP perspective they could absolutely just send it directly from branch to branch yeah and so we allow them to have those policies that they can force traffic to flow however they wish and typically it's because they wanted to go across you know either MPLS network or some sort of backbone that 
they control or maybe they wanted to go through some boxes that monitor their traffic or whatever it is whatever their reasonings are but they can they can force it however they wish gotcha yeah I'm not making the case that I want one of the other just trying to write try it on yeah your model and the the idea that you would do way point away point away point many many many hops you know taking advantage of that feature at every point mm-hmm that that was not a to ative to me okay thanks question on fast path versus slow path yep yeah so well it's the differences you can pin threats you can pin course for Fastlane for example you can have cold as where your fast path runs a scoreless where Linux scheduling will take care of it in some cases you don't have that much traffic and use it or you can really pin goals for fast path processing when you do that it's all it's doing is just fast path processing right because you need a throughput if you really need let's say I want line rate if you're saying that so we really need to make it work and so make it work really fast and the slow path all it has to do is set up the sessions and send up it's not doing a lot but it's just enough to step it's an extra step it has to do so what we do is we just ship it off and because most of the packets are I have to be forward forwarded in the fast path because you have already set up the flows and then the remaining package sir the other was the first packets coming if you have like a lot of first packets coming yes it may have may not have enough to do but at the same time you're shipping it up and once it's injected fast path is still sending the packet out so even we go to the slow path it's just setting in the context and sending it out now it's a no it's not like I'm so you let's say if you take any other routers you have like some other some lots of interrupts path a fast path in trip path and then you have the slow path something like that all this is doing is why we're 
calling it we call it service area it's a relatively slow all it's doing is taking a packet and setting in the session table and injecting it back that's how I report it is so when it's injected back who picks it up the fastball picks it up typically if I deploy one of these boxes that am i installing 120 80 onto bare metal you can yeah yes yes I can in other words I don't have to but you don't have to if there's a performance concern maybe that yes yes yes and then you'll get the full performance there and you can also do a PCI pass through if you have a VM and if it can actually keep up the VM then yeah so that's it's at the end of the day it's those there's no magic that's like scheduling so you give the thread you give the thread completely to a call so one thread runs on one core then it gets a maximum performance so we are not change anything then we just so it's up to so if example f3q there are cases where you can put three cores to it and and why again that's going to entail DPD kmo mostly because we don't have copies even when you goes too fast but there is no slope are there's no copies we literally take the exact same buffer and that's linked its shared memory so it works on that packet information so we don't have to matter plate the packet day at all because as I said all it's doing is taking the packet metadata information creating the session table and injecting it back so the packet is hanging the same place everywhere so that's why it's fast too okay so the waypoints we talked about the four things IP address or IP address IP the source port that spot wits are going to be a combination of them you have two billion combinations so with one set of IPs and you can have more then essentially this is nothing but saying that you apply the access policy the security and finally send the packet out at the egress end what we do is we have to decrypt the packet and send the packet to the destination so that's pretty much the again the two important factors 
are any access policies any final decisions are made at the ingress site only and the English sight sensor so we don't have to make this decision at every point that's number one number two encryption again is only done on the English side so had you can just pass it through and only are the decryption are the finest idea to do it now this is a when when you like sorry I wash yeah one thing you do want to mention on that I'm always slide we were talking about the Waypoint addresses and ports one of the reasons we focus on that is because unlike a tunnel in between even routers that are in between like Cisco's or whatever won't treat it as a single flow because we're using different source des portes five tools for every single one of those little flows so if you're going across for example ecmp paths or link aggregation or anything that does any sort of hashing based on flow information from traditional routers or even an Ethernet switches they'll treat our flows is a bunch of discrete separate flows and you can get much higher for throughput bandwidth whereas if you usually go through a tunnel that's one big elephant flow for glasses in between and they usually throttle that bandwidth quite a bit because you're only going across one of those ecmp paths the good point you just have to make sure you're hashing is down to the port level of course yep make an elephant flow with this right and if a tunnel becomes an elephant for prop right it's keeping a lot of mice reading mice yeah that's right okay so this is again just to make it clear what we're doing we are not adding any header it's just matting the packet so the ports are from 16 K to 65 here that's why it's 50 K combinations which is simply an adding the packet here and the original ones are kept in the Meritor here now these are the benefits we talked about security we talked about direction now the directionality is very important from a fact that not only from a service perspective even from a waypoint 
perspective the directionality is there meaning when a router one talks to router to router one allocates away points and senses are out there too and went router two is try to send packets originating from router to router one router two was the one allocating the waypoints not out of one so the scheme with which we allocated like even-odd scheme we've come with different schemes but that directionality is important to who allocates it the one who's sending out allocates it and sensitive so he just creates a flow for that so that's why it's directional - so the way I send the packet to the other router has drawn the same set of ports which was the other routers gonna send it to me and hence coalition's are not there because otherwise what happens is same source same same source IPS type II right if you really think about that could be coalition's so the usually question I get is okay that's great but why don't they know collide because the scheme we have makes sure that they don't collide even with 2 billion of options and that's the trick it's like the even and odd scheme helps us not to have collisions and that's where the directionality is important - I go to you and you come to me the even local or remote that's that's a scheme which we use pretty much we we had acknowledged the fact that you know a unique ports get assigned to each flow how does the originating round or get learn about what the new destination port is for that flow is that sent back in the first packet on the way back oh you're doing you'd allocate it so oh it's allocated at the source yeah that's that's messing that yeah how do you know how do you know which are available and not already in used by something else so the the source router tracks that in the sense when the session goes away we release that point release it boats back so I I guess I'm still understanding so I have my source router my destination router yes packet goes across yes it's gonna be a unique port on the destination 
router which is what determines unique odd port unique artwork but you will never use as a source port on his side because understood but if I have router seed that's also sending to the same desk as I definitely different IP in Susa so that's the difference we need any part of that five tuple to be discriminated one one one has to serve as a disc so you have the entire port range for IPD combination that that make sense so that's the thing we just made it we were like we want to make sure it doesn't hire boats are used so yeah you can you can configure to say I don't care the others are not that you can change it to one zero two four two six five three five you can but we said okay let's leave them for the others and that's super efficient yeah right I said the coalition the question of collision ever comes into play yeah from that perspective between any two waypoints on the internet yeah you guys wind up exercising the transport port space quite a bit yes what sort of funny things have come out when you mean you talk about surprises that we learned you're going to exercise you know all ECM yeah we found some things up Nats and you're gonna find I don't know maybe maybe traffic is being you know on certain port numbers as being you know snarfed up by a by a something that slows you down or maybe if saying that like what kind of weird things happen how can you tell that it's weird not necessarily between two endpoints or waypoints but just on that pole just that board number or the gods that's because of the session yeah yeah you can certainly observe the difference but right you're able to determine that so oh yeah that just happens to one flow yes it's not a difference exactly so one of the examples I can give us TCP we were seeing that AK problem right yeah yeah so it was a I'm not sure which carried who has so yeah so we were getting this weird packet after it was after after the session was closed I think after even though the session was closed we are 
getting an act packets we were literally getting act packet from this guy we have five minutes later it didn't make any sense so like things so they say okay the flow is things aren't working so we were trying to understand what we cut over the next transport it worked I mean it wasn't promised so but we fought for this particular set of flows we were getting an act even after the TCP has really closed but we have a TCP state machine so that's why the per session thing helps because we could pinpoint which exact session was running into it and why that and and that TCP act after a closed went to an invalid state because it is an invalid transfer if you have fin fin act you go to in value so that's why it helps so now we can pinpoint a session and say hey this is not working so let's say our customer says my service and web service is not working and you've really granulated it to a particular application and said mine works his doesn't work we're gonna same place great what is the difference what's your source IP just put it in you are able to directly get what happened to that session what are the tcp state transitions if at all or what are the counts packet counts so you can say okay the packets actually going out nothing is coming back so on the other outlets it's getting in nothing is coming back so maybe someone has blocked it for that particular site so at every router this is why the session hell's you can know where the packet got dropped why it got dropped I mean which at the transport layer I mean you respond you weirdness in the underlay like that I mean I imagine you know port 3 1 3 3 7 might give you funny results no so we the TCP state machine does some checks which you can relax also if you want but we don't like we just drop the packet is really in valve but we don't really respond to anything there are some other features where we have to like if there's a very bad link with TCP we make sure we treat transmit but that's a feature we turn on for 
example piece at links right it's very bad so we'd have to retransmit the TCP so we cache and retransmitted so there's something called session optimizer which can be in a separate session we can discuss that but so we don't change the ports or stop using port somatically like that just because of that I mean except for through when we detect our Nats and with NAT firewalls in between us in between our routers that's a slightly different topic but and we have a discovery feature to do that and everything else but in terms of what you're asking know if there's some funny business on port 1 3 3 7 or whatever we don't just automatically determine it but if you you know you can set us to avoid those ports another example the UDP transform so that's that's again unique to 123 it's so what we do is do there is um if the TCP there are like some firewalls in between which doesn't like these metadata stuff so usually if you plus ok what are these firewalls stop you the good part is we figure that out because maybe it's an act packet or even in a syn packet with metadata act packets any packets we detect that and then what we do is we UDP transform the packet now what we mean by UDP transforms literally it's transforming into the the TCP header has changed to UDP header that's all nothing else is touched so it goes as a UDP packet and it's happy it gets the other side and we will send it out so that so if you are you asking have you seen issues we have seen issues and that's why we had to implement that we've seen issues were some firewalls we're not happy that we were sending these especially on path failures for example let's have established everything everything is great now let's say this path fails we have dynamic path failover so we so let's say there are two paths here let's say there are two paths p1 and p2 let's say there are two paths here that's a path one goes down as below SLA what we do is we detect that and failover the path to the a packets to the second 
path now when that happens if it's a mid flow TCP it's possible that some firewalls because now how that happens is it's important that we send metadata with it so first packet metadata is not only for the first-ever packet but if a path changes how does this guy know that's a different path because we are using a different way point transport right like you are saying this that says W p1 w p2 we may be using w p2 to get here all right so the IP has changed so he has no clue so we turn on metadata now now you know TCB act packet with all this beautiful sequence numbers and suddenly this metadata is here and the firewall see what's going on it's like the size doesn't match and can drop it so we have something called firewall detector which we run periodically and figure out from the parts if this can happen because we send all these type of packets and figure out initially well once our path comes up we'd figure out okay is it is this possible to sense as packets there if not we will use something called UDP transfer that is we will get this packet will simply change the UDP header and the good part is for each protocol another two billion combinations for per protocol so so we have run out of ports so you can create for UDP also they are the same combinations let me set it up it's the detection happening with with the BFD no it's called firewall detector we actually sent TCP packets between 120 router so it's own what it synthetic transaction that you're doing just that's right see what's going on right so we sent sin we send act package we send different combination of packets with metadata we thought already to make sure does the other guy get and he's able to act back so if that's possible then we know there's no fiber so there's a bunch of combinations we run on this to figure that how often does that happen is it just a blink setup that you send a bunch to figure that out and then wait for a change oh it's configured yeah so if you want to run it initially 
veronik like every minute it was crazy at that point so we just write it's probably a bit too much it's like what is going on so he was like saying okay I see all these TCP packets so yeah we are TCP packets actually that's the those were the funny packets you will see in the network because we have to send those funny packets to figure out the network is bad it is that configurable based on metrics so for example if you suddenly start to see higher packet loss or higher jitter or something along those lines it's alright no it's it's just a hard number but yes we could make it reactive but people have an ask for because usually the cgn switch change etc may not be that much so we have a number which we put it's just a timeout number so you could put it on our half an hour however you want our people put for a day because they don't expect network to change that much maybe right you can change it up in a TCP flow the encrypted one does it look like a TCP syn with a payload that's the firewall problem is yes you know oh my god what's that yes some firewalls and out and also also the path failure and AK because a sequence number right that's the thing that's why we had to do the because either you do a proxy TCP proxy or do this this worked much better than creating a proxy in creating States for proxy so yeah that's the other case so you path failover you go with an ACK and then you're done with that so talking about path conditions what happens if waypoint to fail okay so if both the boat parts fail if Waypoint two fails the old system at the second at the 120 80 at the other end so one sorry are you saying I'm sorry you mean in that scenario where there's there's just two routers peering with each other and they only have that one path no just if you're talking about I've got my source way plane 1 and Waypoint to is the egress where all the decription and stuff is happening what happens if way point 2 fails that give me the IP disability is not there yes that one 
that's only so bad you have right if you have a secondary bug will fail over at that point our BFD session will go down because it's not reachable and we will say it's just not reachable at that point and say you'll restart and look for another way if you will look if the configuration allows for other sorry yeah if the if the configuration if there's other paths configured to be available it with a higher priority or lower priority I guess then it will advance through those options if there's no other options you know it will fail I so obviously if I'm doing net capability between the waypoints between the two peer devices and I have another path but the other path isn't a path that I can share create a waypoint Pirie relationship with the that other path is also point me to make sure that it's secure because I can't the the conductor and all that isn't setting up any type of special connectivity between that right now so a typical example would be McKay let's say in some cases people use MPLS in some cases nor some private network their private network you use a sphere for broadband LG everything and the rival Network you could use a sphere you could directly send it to it but with SVR the good part is you'll get the session orientation otherwise you won't get the exact same session or initialism because when a packet now you have to make sure your network works well because when when a packet comes to second router through your means you are losing the session or any because your source not in the packet right so you lose that second that's why the SVR is important even in the time you can do it but you won't get the same benefits that a sphere gives you so eventually the path to displace in the thousands of routers is that as I trust Waypoint more more yeah my concern is necessarily the Waypoint going down out just every done it see you now it just makes me bigger more redundant box sure yes that's that that's right that's right because usually the head ends 
the have multiple eyepiece and distribute across so they can reach yeah this is just step quick a layout of the metadata so just to show that deep dive saying this is a Meritor cookie the question is how do you know it's a metadata packet we talked about all this metadata that's because there's a melody that cookie signature we put in there that's how we detect that's a metadata packet then there are merit of flags which are unencrypted this is because metadata just opens up a lot of other possibilities like turning off metadata turning on metadata that because when a path goes down there are cases where you may have to have the first packet go to a different site so the unencrypted portion helps because you don't have to run an encryption or decryption on that this has just flux on it but authentication will still be there so no one can in the middle can really change it and then the payload payload is what the actual contents are yeah so I think this what we talked about is simply SVR which is the data plane how our data plane works between 2:120 routers now we're going to see how the data plane gets set up is in from the control plane perspective but any questions on this what problem is the cookie solving Oh detection so how do you know any port number 16,000 to 65,000 128 router is that's right yes so the destination port definitely it is there but this is so that there are two factors to it one is one is to make sure that it's a valid one Trinity packet which we are sending so we have the authentication on it but it's possible that people can turn it off the authentication can be done it's configurable turn off because in some cases people say I don't care it's my private network like he was saying I don't care about authentication so if you turn it off we can't force them to turn it on for this so we need a mechanism even without encryption if you are using a private network when you're doing s we are we want to find out what the metadata packet is so the 
port itself is there but let's say in that case if this somehow sending like you said not as we are but another one what happened to be that port we want to distinguish that from this that is for whatever reason the it's coming with a particular port for a different tenant so that's the thing let's say you have a wine interface and you are coming from internet to access it I'm just saying port 80 our port 616 K it shouldn't be but let's say it's 16 K and you're also coming from the other side for 16 K with metadata at that point you can't really distinguish one message there the metadata cookie will indicate what the differences because at that point is like a coalition because you don't you can't you have to choose one versus the other but the Meritor Coquille indicate what it is because you can have other ports open on that same interface so any questions on a sphere I think that's like the fundamental thing what we do which is different I hope you understood why it's different in certain case again reiterating everything is done on the ingress then done at the aggress security getting ingress the egress we just use all those two-bit in combinations throughout between ones failover as a different IP different set of ports policies session awareness its directional secure so those are the important I mean secure vector routing encompasses all that
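The waypoint allocation, even/odd directionality and five-tuple-plus-tenant session key described in the talk, modeled as an added example (this is not 128 Technology's code). The 16384..65535 port range, the rule that the sender allocates both waypoint ports with the lower-IP side using even ports and the other side odd, and the per-peer tracking of used port pairs are assumptions taken from the speaker's description.

```python
"""Model of SVR waypoint allocation and session keys as described in the talk.

Added illustration, not 128 Technology code.  Assumptions: waypoint ports are
drawn from 16384..65535 ("16K to 65K"), the sending router allocates both
waypoint ports, the side with the lexically lower IP allocates even ports and
the other side odd, and the session key is the original five-tuple plus tenant.
"""
from dataclasses import dataclass, field
from typing import Dict, Set, Tuple

PORT_LOW, PORT_HIGH = 16384, 65535  # assumed bounds of the high-port range

FiveTuple = Tuple[str, str, int, int, str]  # src_ip, dst_ip, sport, dport, proto
Waypoint = Tuple[str, str, int, int]        # wp_src_ip, wp_dst_ip, wp_sport, wp_dport


@dataclass
class Session:
    original: FiveTuple  # preserved in the metadata so the egress can restore it
    tenant: str
    waypoint: Waypoint   # the outer addressing that intermediate hops actually see


@dataclass
class Router:
    ip: str
    # (sport, dport) pairs in use, tracked per peer IP: the whole high-port
    # space is available again for every source/destination IP combination.
    in_use: Dict[str, Set[Tuple[int, int]]] = field(default_factory=dict)
    sessions: Dict[Tuple[FiveTuple, str], Session] = field(default_factory=dict)

    def parity_toward(self, peer: "Router") -> int:
        """Assumed even/odd rule: the lower IP sends on even ports, the higher
        IP on odd ones, so the two directions never draw from the same ports."""
        return 0 if self.ip < peer.ip else 1

    def allocate_pair(self, peer: "Router") -> Tuple[int, int]:
        """Pick the first free (sport, dport) pair of this direction's parity."""
        parity = self.parity_toward(peer)
        used = self.in_use.setdefault(peer.ip, set())
        start = PORT_LOW if PORT_LOW % 2 == parity else PORT_LOW + 1
        for sport in range(start, PORT_HIGH + 1, 2):
            for dport in range(start, PORT_HIGH + 1, 2):
                if (sport, dport) not in used:
                    used.add((sport, dport))
                    return sport, dport
        raise RuntimeError(f"waypoint port space toward {peer.ip} exhausted")

    def new_session(self, original: FiveTuple, tenant: str, peer: "Router") -> Session:
        """Ingress side: key the session on five-tuple plus tenant, then NAT the
        packet onto a fresh waypoint; the original addresses ride in metadata."""
        key = (original, tenant)
        if key in self.sessions:            # not a first packet: reuse the flow
            return self.sessions[key]
        sport, dport = self.allocate_pair(peer)
        session = Session(original, tenant, (self.ip, peer.ip, sport, dport))
        self.sessions[key] = session
        return session

    def close_session(self, original: FiveTuple, tenant: str) -> None:
        """Release the waypoint ports when the session goes away."""
        session = self.sessions.pop((original, tenant))
        _, peer_ip, sport, dport = session.waypoint
        self.in_use[peer_ip].discard((sport, dport))


def consistent_direction(waypoint: Waypoint) -> bool:
    """Directionality check under the assumed rule: a waypoint must carry the
    parity its sender is required to use toward that destination, so a packet
    with the wrong parity cannot have been allocated by the router it claims."""
    src, dst, sport, dport = waypoint
    parity = 0 if src < dst else 1
    return sport % 2 == parity and dport % 2 == parity


if __name__ == "__main__":
    a, b = Router("10.0.0.1"), Router("10.0.0.2")
    # Constructed sample flow: same five-tuple requested by two tenants.
    flow = ("192.168.1.10", "172.16.0.5", 40000, 443, "tcp")
    red = a.new_session(flow, "tenant-red", b)
    blue = a.new_session(flow, "tenant-blue", b)
    print(red.waypoint, blue.waypoint, consistent_direction(red.waypoint))
```

Two tenants with identical five-tuples get distinct waypoints, the return direction allocates from the odd ports, and closing a session hands its port pair back for reuse.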
Info
Channel: Tech Field Day
Views: 1,631
Rating: 4.5294118 out of 5
Id: WtLXJibOzFw
Length: 66min 34sec (3994 seconds)
Published: Thu Jul 25 2019