128 Technology Solution Overview

Captions
When we look at traditional networks, virtual networks are built in very siloed fashions. For example, you have routers, your firewalls, load balancers, DPI. If you want to move things in one direction over the other, you have tunnels to, you know, expedite packet flows in certain directions over the other. All of these functions in the network, other than the router, keep state, and they decide what they want to do based on flows. What we decided is, if we could collapse this functionality into the router itself, then we could have all these functions in the router, as well as do many cool things. For example, we can do tunnel-free routing, and we're going to talk about how we do that in a few minutes. But the idea is basically we collapse these functions. We are a software router; we bring session awareness to routing. So the world of routing for us, the way networks look for us, is based on sessions. We look at everything in the network as a two-way communication between two parties on the internet. For example, if I ask YouTube to send me packets and YouTube sends me packets, that's a two-way communication between me and YouTube; we look at it as one session. Sessions have directionality: who can initiate it. They can be bidirectional; for example, Skype sessions can be bidirectional and both parties can initiate it. But directionality also gives us some inherent capabilities. For example, we know who is allowed to initiate it the first time. If I ask YouTube for packets and YouTube sends me packets, that's a valid exchange; if YouTube sends me packets without me having asked for it, then it's an attack, and so on. We can figure many things out like that. In any situation we look at flows, and for each flow we keep state. These are transient states, they are not kept all the time, but when a flow occurs the router maintains the state and forwards based on that state, and we'll come to how we do that. We of course follow
traditional routing protocols like BGP, OSPF, IS-IS and other things. We learn routes from there, and we learn how to communicate with everybody in the existing network based on those routes, but we forward based on what we call service routes, which are created at runtime based on the flows we see and the policy associated with those flows. The advantage of doing that is we have very high scale compared to any tunnel-based solution; we have a thousand, an order of magnitude better, actually not a fair comparison because we don't use tunnels. We also have name-based routing, which is basically we bring named services to routing from day one, so you don't have to worry about always connecting 10.10 and 1.1; you just think about services and the way services are connected in your network, and you configure networks based on that.

Let's look at some of the capabilities we have in our router. There are four basic capabilities we have brought to our router which are different from traditional routers. One of them is session-based routing: we recognize source, destination and other addresses as flows. This gives us the ability to have directionality, to see sessions. Each session for us is a hyper-segmented flow in itself, in the sense that we don't aggregate packets into a single tunnel; for us each session itself is a hyper-segmented flow. We can give it separate policies, we can fail them over separately, and we can have full control over these flows. The other thing we have done is, like I said, we have routing with words, and for us everything in the network... we believe that the network was developed to deliver services. You wanted to have people connect to Facebook, so you developed the network to connect to Facebook, and so on. So the way you should configure networks is based on services. So in our world, when you configure networks, you configure based on services. For example, you think about the services you have, and based on that you configure the network. The entire network after that
understands how to forward the packets accordingly. One of the advantages of doing it this way is we don't have to worry about ACLs, and all our policies are global policies, in the sense that rules on one router do not mean the same as rules on another router unless the configurations match and you do things accordingly. In our case they are global policies, tenants and services, and we'll talk about the data model, but they are global policies and they help us direct flows accordingly. We also forward packets, once we see a new session, based on what we call waypoints. Waypoints are analogous to what you do in segment routing. Each waypoint is the interface IP address of the router itself, so we send packets from one waypoint to the other, to the next, and so on. Then we keep state which tells us how to forward these packets along without having this information in each packet itself, so we don't have any overhead. The other thing we have done is, obviously, we need to have a logical understanding between endpoints, because we're not using tunnels. We have done this by using an intelligent metadata, or a cookie, that we put only in the first packet, and I'm gonna go to a sequence, a day in the life of a packet, to bring together all these thoughts which I've talked about. But the idea is we send this in the first packet, and that establishes a logical connection between the two routers and tells them what to do and how to forward the packets accordingly. We also can enhance this metadata to do many cool things: it can pass other information like security settings, QoS settings and other things; you can tell a lot of cool things to the network about loads and so on. By doing this we eliminate the need for tunnels, but we also have established a logical connection, and every router along the path knows how to forward packets along the path. What I'm gonna do is I'm going to go to a life-of-a-packet kind of thing to tell you, so that
that's gonna bring everything together, what we have done, and make it clear. Let's say you have a source and a destination. You want to send packets from the source to the destination. You have two of our routers on the path; you can have many, and the more you have, obviously, the better control of the paths you have, but you can have just two. In this scenario we're just showing two. What happens is, let's say the first packet comes in. It hits our router. We decide this is a new flow, I have not seen this flow previously, so this is a brand-new flow that I'm seeing for the first time. I check whether we have a deny-by-default policy, in the sense that if there are no services configured we would act like a firewall (we are a layer 2 to layer 4 firewall) and we would drop those packets. But if there is, let's say, a valid policy configured for it, we figure out what we need to do. For example, we need to encrypt the packet, we need to give it certain QoS, and so on. We work on all those things. Finally we do a NAT. What the NAT basically does is take the source and destination IP addresses and convert them to what we have as waypoint one and waypoint two; those are two interface addresses, you see. What we also need to do now is tell the other side what NAT we have done and how to restore the packet back, because the application obviously doesn't see any of this. What we do is we take those addresses, we put them in the intelligent cookie that we have, and we put it in the data portion of the packet, the payload, and we recalculate everything, we form the packet again, then we do the NAT and we send that packet out. The advantage of performing it this way is NAT is not a very expensive operation compared to encapsulation. Encapsulation will cause scale issues and other things, and we're going to look at what the differences are. But having said that, what we will do is we will put this information in, we'll do a NAT, and
we'll send that packet out. Of course, if we need to encrypt or do any other things, we'll do that with the packet and finally send that packet out. Once the receiving router receives this packet, it's gonna remove that intelligent cookie from it. It knows how to map the packet back, de-NAT it back, and we send out the packets to the application. The advantage of doing it this way is we can go through network boundaries, we can go through any translations, and it does not affect the application. If there are failovers, if we go to another path, we can recreate the session instantaneously, without any setup time, without any delays, and we can send those packets out.

He said this, but I want to emphasize it: these cookies go through everything. They go through IPv6, IPv4, carrier-grade NATs, they go through firewalls, they go through boundaries, so we can route from a private network through one or more public networks into a private network, and that cookie goes the whole way. It's just like when you're using your Gmail and you close your laptop; you're using webmail, you close your laptop, you go home, you open it up, and you're right where you left off. That's how this works. And so, emphasizing how amazing it is: it does go through all those boundaries. There could be NATs and networks and all kinds of stuff between these routers, and it still works.

I think I'm missing something here, because what I'm hearing and what I'm seeing on the slide, to me it looks like an overlay or a tunnel.

So some people call it tunnel compression, who are really smart engineers, and say, oh, you're just avoiding sending the tunnel addresses. Some people say that. Each and every TCP/UDP flow has a unique 5-tuple address on this network, unique, and we didn't talk in great detail, but the sending waypoint allocates both of the 16-bit port addresses on the left side, giving us 4 billion flows between those two routers,
and so that's how it works. So every flow is hashed on its own pathway, and it doesn't have a lot of the problems that tunnels have with having a bad hash for a while or something like that. We're doing it with one packet, and now we've got context. Now, that metadata is signed by the originating router, and the receiving router can check the signature before it accepts it. So it's almost, you're routing from one private network to another; it gives you an authenticated, session-by-session, TCP/UDP session-by-session authentication, which is amazingly powerful, and yes, we're doing a lot of work with our US government and they're very interested in some of these techniques. So every single session, and you can have a lot of routers, every single router-to-router TCP/UDP session is authenticated.

Are you guys gonna be diving into what the overall headers look like or anything? No, this is as low as we get.

So the challenge here, and I think the explanation that needs to happen, is: OK, so you have two routers. The way we're familiar with networking today, we have source and destination, those routers, right, and if there's gonna be any transit in the middle, they're not gonna talk whatever your proprietary... That's correct. ...over, like that. That's correct. So that's a tunnel, that's encapsulation. It's fine; that's why Dino and Ferran AG get into it, but it's not a tunnel in the sense that it is not an IPsec tunnel. There's no encapsulation, there's no extra overhead, it's hashed individually on a session-by-session basis, you don't run into, you know, the aggregate tunnel problem. But it has to be encapsulated, because then it's not encapsulated... So let me just explain. Yeah. It's NATed. The source and destination addresses, like IPv6 segment routing, are changed to the interface addresses of the routers. The ports are changed to whatever they want to allocate on the source side, so that 5-tuple on every
UDP session is unique, every TCP session unique, and when it gets to the arriving router it uses that same uniqueness to recognize it and unscramble it if it needs to. Right. The difference between a tunnel and us is that a tunnel requires two headers. You're going to encapsulate each one because it's stateless, so you need to put all the information for routing in each packet itself, so you're gonna add, let's say, a 76-byte header per packet. We are not doing that, as we can do this only once, in the state on the first payload, and that's it. Correct; well, until we know it's been received. That's correct. But the only way you do DDoS is... it's sixteen to the sixteenth bit, 64 billion. Yeah, right, yeah. Well, but I mean, for all of you smart guys, and we don't usually pitch smart people, oddly, well, in the sec Field Day, guys, I'm willing to say yes, there is an overlay, and I'm also willing to say yes, this is like tunnel compression, but if you look at it on the wire these are unique sessions.

I understand what you're saying: there's not a tunnel, you're trying to disassociate... That's right, yes. It's not encapsulated. Yes, that's correct. It really is a fine point, because you say it's not encapsulation, but now it has to be encapsulation. There's no... if you're going to traverse it at all... If you go through a firewall, is there encapsulation? Of course not. No, right, that's what this is doing: it's NATing the addresses. And then, putting in encapsulation would have required adding another header to this header, or having two headers. We have only one header.

Yeah, so OK, so a whiteboard right here; I have a slide showing, and I... OK, yeah. You're saying it's an active... you're gonna comment that out. So there's a state table, right, there's a source, at least in the source router. That's correct. Is that state table then communicated to the destination router so that it knows how to un-translate it? It goes in the
cookie. Yeah, it's in the metadata. So from the metadata, the destination router extracts the source and destination IP addresses, the original source, which it needs to map back to, and maybe some fields which tell it what else, cool things that it can do, but the main idea is to recreate that packet back. So it'll extract that cookie from this thing, it knows, and from now on it also keeps state, and it knows for that flow what I need to do, that mapping.

Yeah, I'm sorry, I'm sorry, I grasp it, and that you're using ports to do that, that's great. That's correct. Once you get to the router-to-router hop, that gives us the uniqueness that we need, and every router in the middle is only gonna see the traffic: the source is gonna be your source router, the destination your destination router, right, and then the port is gonna differentiate which flow it is, and that gets translated on the far end. And the cookie, I want to emphasize, goes in the data payload portion of the transited packet, so you don't need... it's not in a header, it's not in others, no. I changed the IP headers, right, yeah. Exactly. You can only send that cookie when you know the next-hop router is going to understand it, because you'd break something, right? Yeah. So, because that's another reason why, when we change the addresses for the waypoints, we know where that cookie is going; we sign it to make sure it's secured. If we're out... we're a regular router. BGP, OSPF, IS-IS, we do the regular underlay networking protocols, and we can route to regular underlay addresses simultaneously to doing this technique. So if some routers are not... right, there's no one-to-one... upstream, to out there we cannot do this. Could be an internet edge: you actually send things out of it, but also send to another 128, correct, which is gonna be another endpoint, and we just do this whole NAT-like translation, right. That's definitely... let me just... wanted to make sure you guys...
This is what's foundational to this. How do you secure the payload, just by obfuscating it? We do all sorts of encryption techniques, AES-256 and so on; we have FIPS 140-2. So encryption is separate from encapsulation. We do encryption just as any other router does. The routers are peers, right, so they have an encrypted peering relationship, right, and then each individual flow, at each individual context, could have a different key, could have a different address space. That's great. The encryption technique is standard. What's really cool... saturating the route table from the parent relationship, this way you're doing well, what you can carry... what's really cool about this, you can carry the topography. I'm a fan of that, actually. All right, what's really cool about this technique: when you have an IPsec tunnel and you have a security association, you have to encrypt every packet on that tunnel, and 80% or 70% of the traffic is already encrypted anyway, so you're double encrypting. The cool thing about doing our approach on this session-by-session basis is there may be traffic that already is encrypted, and we won't re-encrypt it, we just let it go. You can do that, adaptive and efficient. I'm a huge fan of, like, in-band... oh yeah, yeah, you know, like that stuff totally makes sense. I mean, most people are gonna do that 'cause they don't understand it, these v6 extension headers and everything. OK, right, I get that part of it. I'm just sort of curious, I mean, from a state-by-state basis, the transparency of a 128-to-128 relationship versus a 128 to a BGP peer for the public internet side... Do both at the same time. Do we... should we peer... whatever your device is going to understand. What's the BGP upstream device going to understand in terms of its... yeah, I mean, for the BGP peer we don't add the metadata, who understands... yeah. So just, I mean, just in terms of being realistic for deployment at a large scale, I mean, this isn't
something that's gonna surpass what we're doing today in terms of BGP routing. Our customers like it 'cause it's a blend, right. I mean, if you like the overlay word, you could say it's the best blend of overlay and underlay that you can get, because you can pass it through, you could carry it. I almost see it as, like, the next generation of, like, doing communities correctly. That's a very, that's a really astute comment, really astute. I'm gonna do a comparison with IPsec so you'll get to see the headers. Is that mapping some of the communities? It's an interesting idea.

Before I go to do the comparison and bring out some of the advantages, and we can discuss more on the advantages, we have a very service-centric data model. Like I said, we configure routers based on services, so everything, the service routes, they have individual policy associated with them. You tell where the services are hosted; for example, you can tell Facebook is a service and that's hosted on the internet. After that, once you do that, and once you tell the router where it's located, all the routers in the network understand how to forward packets to that service. Obviously you need tenants to have access to those services. Tenants can be defined in different ways: they can be interface addresses, they can be virtual addresses, they can be source addresses, and so on. You can define a tenant based on that, and you say this tenant has access to this service, and all the routers in the network understand how to forward packets to that. You can also load balance to different tenants; for example, you can have many service routes in different locations, you can do them dynamically, you can bring them up and down, you can remove services elastically. And the advantage of doing routing this way is that we make them global policies, and we're gonna show later on in the demos and other things why this makes it so easy to configure. We don't have to go into every
router and configure ACLs or any policies. In fact, we did a comparison with a large retail store who has routers today, and they have three thousand ACLs, and when you bring it down to our configuration it's about ten lines, because we only need to worry about the services; we don't have to worry about directionality, all of that is taken care of in each context.

Let's look at how a deployment would look in a general world. I mean, we are a general-purpose router; WAN is one of the most popular use cases we have, but having said that, we can be used in many different cases. We'll talk about it in the deployment section, on the different ways we are done. So you have our routers. You can run control and data together, you can run them separately, you can run them separately or together in different forms. But having said that, let's say you have routers; we have a network management system which we call the Conductor, based on our REST and NETCONF APIs, which are standard APIs, which are available to everybody, and you can actually create them yourself. We only make software. We of course leverage DPDK and other stacks, so performance obviously is great on x86, but having said that, the performance of the system depends on the number of cores you give us; the more cores you give us, the higher it scales, and nothing else matters in terms of forwarding performance. You can run us in a virtualized environment. You can also run us, Don's gonna show a demo, in the Amazon, Google, Azure clouds; we're already available in the marketplaces, you can use us there, or you can run us in any virtual form as well. We're service based, so the routes and flows are all directional. We do routing with words. It's location independent, in the sense that we only worry about where the service routes are located; if the service routes change, then obviously the routers understand how to forward packets in that direction. And we're application
aware: we can recognize thousands of applications. You can bring policies, you can have services based on those applications. You can do them all in our GUI, or you can do them, of course, based on any configurations as well.

I have a question about this. Go ahead. Sorry, yeah, so you're mentioning services, named services, that I'm running based off this idea, so I'm just trying to translate this back to what we do today, right. So the things were... I thought that might be... yes, right. So I'm a host and I need to talk to a host at another end. Yeah. If that service isn't a defined service, today that's just routing: I know one IP address, I know where the CIDR block... Right, exactly. And that's done via routing protocol, and I have two routers that then exchange that information back and forth. Mm-hmm. First, how does one 128 router know about another 128 router, the services or networks that exist behind it?

So the concept of tenant, which is the client, and the service, which is the server: the concept of them is mapped locally using traditional, potentially traditional, techniques, like this VLAN is the point-of-sale register or point-of-sale equipment, this VLAN is the video monitoring equipment, or whatever your network segmentation is, but then those are mapped into a word that we call a tenant, and that gives us the client-side definitions of the policy. And then the services are similar: they might have a CIDR block, they might be a /30 route, they might be a 0.0.0.0 internet service. I mean, they could be as wide or as narrow as you want them. And then wherever those are located in the network, whatever routers have that as an available policy, they're all shared, and then that's how they share what they have, and then the policies, the words, the tenant-service model, connects them.

Is this the Conductor, so it's like a pseudo-controller-based...? No, no, no. These routers all run independently; the Conductor just distributes the
configurations. A lot lighter weight than your typical controller. Pseudo, 'cause it, yeah, it doesn't feel like your typical... it doesn't... Yes, there's a JSON file. Is there some exchange that happens between the 128 routers to know what services, tenants, exist, so they can... what is that exchange like? There's, like, local configuration on every router, NETCONF, and there's global configuration, that is, all the policies and services. So the local stuff might be VLANs or interfaces, and then the global stuff is... and we're going to show you all that in our demo. Yeah, when you want it, when you're gonna share it between routers, it's NETCONF, right; there's a YANG model, there are REST APIs as well. That's great. What I mean, so, like, but how does a 128 router know that another site has a 128 router? Like, we have to know that I can exchange, you share, I'm hearing, addresses, you know. That's actually all done automatically in the internet. OK. And we will cover all of that in the demo. I think that's a very good question.

We do a lot of stateful functions in the router itself. Like, we are a layer 2 to layer 4 firewall, we do WAN optimization, we do load balancing with all sorts of load balancing algorithms, and so on. We already spoke about data encryption; if a flow is already TLS or IPsec encrypted, you can turn on a setting and say don't re-encrypt it, which saves a lot of processing power. Among all our routers we monitor paths; we monitor delay, jitter, latency, SLAs, bandwidth usage, and so on. We have lots of traffic engineering, QoS mechanisms. You can load balance flows; you can also perform monitoring of the flows themselves. For example, once they're established sessions, we monitor of course those sessions and we have all the data from that session itself. You can migrate sessions from one path to the other; all migrations for us are instantaneous, because we don't have to wait for a tunnel creation or any
backup tunnel being established ahead of time. We also do session redundancy, which is basically you can take packets, you can send them over two paths, the same packets over two paths, and remove the duplicates, and stuff like that, all related to fault tolerance and other mechanisms.

So can I... sure, go ahead. Can I get a sense of the essential value proposition? You're saying that these software routers get rid of your firewall, get rid of your SD-WAN, and get rid of your load balancers? You could, depending on everything you wanted to do. The value prop... I'm just gonna... well, just to be clear, we're not an application-layer firewall. So I was gonna say, it's the open zone network firewall capabilities, stateful? Yeah. And right, people want real application-layer firewalling. So we do have a partnership with Palo Alto, and we can service-function chain. We basically alert... and Zscaler. So we do that; what everybody else does, we do. I guess I'm just trying to... we've talked a lot about the how; I'm trying to understand the why now. Why? What problem are you... So I'm gonna be... are you bringing... I'm gonna jump... we don't want any details or anything, we want the hell on the why, that's all.

The other thing I was gonna say is that we have great visibility, because we do everything based on sessions and we monitor each session. For each session we have detailed session records: what happened to the data, whether there were retransmissions, losses, delay, jitter. We have a lot of data which we can export, obviously, to big data to see these things. And you know what he said: we have TCP retransmissions; you have to be TCP stateful to detect that, and we count them.

So let's just talk about the comparison with IPsec or any other overlay. What we really do differently is we don't add that second IP header. So if you look at what I'm showing here, it's an IPsec packet, a standard IPsec packet; you would be adding a full IPsec header per packet in an IPsec
tunnel, plus you need some sort of way of distinguishing things, so you would add, like, a VXLAN or VLAN ID or something like that. So overall it will be roughly about 80 bytes per packet that you would add. In our case you don't do that for any packet; only for the first packet we send a metadata, which is also very small, but you don't have to do per packet any of the additions like this. The advantage of doing that is bandwidth reduction. Immediately you will see a 30% lowering in bandwidth usage in your network. We say 30 because, you know, we're considering IMIX-style packets; if they are voice packets, obviously the savings will be much higher, almost a hundred percent. But having said that, thirty to fifty percent is what we say based on IMIX-style packets. Many of our customers, when you have low-throughput links like satellite links and so on, immediately see this reduces congestion, improves their application performance and improves their end-user experience. It also eliminates backhaul, in the sense that currently with IPsec there is a limitation on the number of tunnels you can have for small routers; obviously if you have thousands of routers it's difficult to do a full mesh all the time if the scale is large. In our case we don't have those issues. We also do multipath optimizations. These waypoints which we talked about don't have to be just on two routers; they can be on the path, and we can follow a path of waypoint to waypoint to waypoint and so on, just like segment routing. And we can also switch flows. We monitor all the flows, and what we do is any time we have a new service come in, we look at all the flows, all the paths we have, what the SLAs are on each of those paths, which fit the SLAs your service requires, and based on that we will choose the path. Load balancing algorithms will also come into play, and then we will choose the best path for that session. We can do session policing. We have high scale and other benefits compared
to tunnels. This is just a snapshot of how a comparison looks when you send a flow using SVR, which is our technique, and a flow using IPsec. This is based on IMIX-style packets; roughly you'll see a saving of 30 to 40 percent because of in-band improvement, 7x application improvement. It's a very difficult thing to measure how much the application or end-user experience is improved, but our customers have told us... this is from an oil and gas customer who has told us that their end-user experience is improved by 7x, but it's a very difficult concept to measure, obviously.

I mean, all of this assumes, right, that we're removing IPsec. That's correct. But a lot of the market, right, is heading towards the idea that I can use the internet as transit, and I don't necessarily want all of my internal data non-encrypted, like, between sites. And so, I mean, this would be fantastic, like, if you were looking, I guess, at an MPLS network or something, but if I want to use the internet as transit... Well, this does the encryption. You've got addresses, NATs; I mean, it helps solve so many challenges, you know, it's my policy. What we are not doing is encapsulation; we are doing encryption. Encryption is just as any other router does. We have, like I mentioned, FIPS 140-2 certification, AES-256, AES-128, HMAC-SHA, whatever you choose; your encryption mechanism will do the same, will scramble the bits. It's actually, I would argue, even more secure than IPsec. The reason is you don't have the inner IP addresses in the header, so we fully masquerade your network, but other than that, encryption-wise, it's exactly the same as if you're encrypting the payload. Yes. Policy based, really? You can, yeah, you can or can't, depending on what you set. Absolutely. Then keys are distributed, or something along those lines? Yep, the keys are distributed by the routing protocols. So we aren't encapsulating the whole underneath packet, just encrypting it. No, that's what we're
getting to say in fact it's gonna look like a DTLS packet right yeah or a yeah okay yes correct that's great yeah so do you support MPLS or no we don't terminate MPLS today on our route dos but of course you have T 1 we have t1 connections or any others but we need someone else to terminate if it's a beacon give us an MPLS label and we don't terminate it today we have all of our customers use MPLS bike carrier delivery in how about private circuits you have to net on those private circuits too I guess yeah we can be a yes on the van ideally we would do so just because we want to establish this relationship yeah that's got a wait so you're saying you can do céu can't to be that's correct in an immediate letter network yes carry VLANs in context I mean it's you know I used to want more of that and I don't anymore after using the product for a couple years so it's it's what you find is that that you have a diminishing need right once you can carry context work with different address spaces in different VLANs or different different segments anywhere around the network you just sort of you know like you lose that desire to want VRS basically right but I mean the problem with that on that on that right is that when you're when you're a large enough net and you've got 10.10 10.10 15 times in your network well that's why we named everything with work number one 10.10 through ten right and then you just say who gets access to what or you know yeah one 10.10 to ten to ten is trying to talk to 10 to 10 to 10 to 10 then you got a real structural bro well we also you know what we also do source and destination also policy-driven so I mean because normally something in between is taking care of that particular problem yeah you could you could so you can do an egress source matter if you have to into the address space in the target address space we could do a v6 to v4 so if you had like two shared ten spaces you want to represent was six you can do that I mean it's kind of like 
if there's anything that you could think of in the IP PlayBook to make it work it should be able to do it product so yeah comparison to generate tons there are many enhancements which are there but anyway just to compare generally if you want to feel over quickly you there are only two ways to do it you have backup tunnels or you create tunnels on the fly in our case you don't have to do that what we do is when we switch over to a new path we would just send packets out on the new path using a matter and insert the metadata again and of course the router on the other sides understands that the session has moved and he should recreate the packets back by doing that we make when you go through any Nats of public Nats or any other other issues in the network or fail overs the application never sees that failure in the network and it's seamless it's always seamless to any offer just clear up one issue with that so the each session has an identity a unique ID in the metadata so when the metod is inserted to go on the new pathway itself heals when it arrives at the destination that says oh this is an act this is a session or as I already have active and in it actually self heals and that the time for doing the switchover is the next packet the very next packet and and everything's moving the new way this is the hard thing I'm trying to get my my head around is that if you're you know if you're running these session cookies on on your internal network or went on and then that that link fails and you're now going over public for GE yeah completely different right completely for nervous presumably there the you know the they're not running your software so what is the change that go out in the industry so a lot of customers have an LTE modem that you see hosted in the same platform that we're in and so when that new session goes over the LTE modem it has the same cookie with the same identity that but different you know same identity that's reinserted in the very next 
packet so you don't have to start a whole new session it's just oh I got a new pathway put the cookie in you lose one packet payload you know you don't even lose it one you don't lose any pass the metadata is added to that packet it's just add anymore that's correct and the only thing what I was gonna say is that the only thing we need is it to reach that other router if it as it reaches even though it comes from one of the interface another heterogeneous network that's fine it has to get back to their browser just get back to it and then we will in the router understands well this is a match because the session ID is from there we understands how to we can do it somewhere along though yeah you know the cool thing is is you can fail some sessions but not all of them you could move the voice but not the video you can you can choose what you want to move I'm just gonna do a quick overview of the Donald versus Donald free even though there are other things we wanted to show so this is going to be I'm just gonna quickly do it in Donald's scale form first for a small let's say a fork or a processor is in hundreds of thousands hours and millions and it's not a fair comparison like I said we are not doing tunnels we're only doing this overlay what happens is when you have when you can when you're restricted by the number of tunnels you can create of course there are ways around it you can you can do many things but hub-and-spoke is one way to do it we don't require any of those architectures we believe that the deployment should be a effective the deployment architecture should not be guided by the limitations you have there's a battle that's obviously a bandwidth saving we talked about that because of the IP header not being there when you have IP headers and you add a lot of IP headers to big packets obvious fragmentation issues we actually don't see any of that in our Irish our deployments we already talked about the tunnel fail overs donald's also create some many 
many issues with with security there's an RFC for it we don't see any of those direct issues with our DAR way of routing let's talk about this the the global policies that we have Don's going to show some cool stuff in the demo but having said that if you let's say have that work segmentation in traditional networks when you have you have works which you need to map to each other and you took make sure that you're able to get those packets mapped to different works and to the endpoint that's one way to do it we believe that this is very intensive it's not end-to-end it's not directional you have to have you know different ACLs to make it directional it's very static even though now there arcus traitors available which which can push policies out but it's a very flat topology the way you look at services in our context is like this is an example of a service let's say for a store you have the corporates to corporate which is an authority which is the store itself it can have different services for example sales surveillance Unified Communications and the different services have access to different service routes policies and so on or devices and they all are segmented in a hierarchical fashion the way of doing the advantage of doing that is it makes configuration very simple easy to add remove modify services on the fly we believe this is very end-to-end a directional dynamic and obviously hierarchical makes it easy to understand you can visualize this graphically in our in our conductor in the indirect management tool and so on and let's talk about security we said we are a layer two to layer for a firewall one of the thing we do is we do deny by default and we work like a firewall the difference between a traditional router and us is traditional routers don't take into account many things like they are they owned a you create a walled garden on the far wall and you assume everything inside is secure I tell this to my network guys in our labs they go and work in 
Starbucks and they take their laptop they go to Starbucks let's say they get a virus they come back into the lab and directly plug the you know the ethernet cable into the into the router I mean you have just bypassed the secure file wall we had setup and stuff like that that reads the the idea is today that bring your own devices this that things have changed so we need a parameter less model we believe in our our way of doing routing we have hop-by-hop authentication we were active encryption we are a fully distributed firewall so any router if it doesn't have a service associated with it explicitly will drop packets and block networks we have denied by default and like I said directionality helps us in many cases I call always like to give the example of a point-of-sale terminal if it doesn't have a route to reach the internet there's no way you can spoof it and make it go to the Internet those packets those packets will be dropped as they hit the first 128 d router before I go to deployments we have all the other great stuff as well but we're not gonna go into that Don's gonna show some some things in the demo its centralized policy management we have zero touch deployments you can have you know you can send a box it'll reach out call home get all the functions get the configs and so on it's all zero touch we have open API is in analytics a lot of our code is available on github a lot of our api's are available we have all rest and that comes standard api's the truth is you can practically write our own hard whole CLI if you wanted using rest and that comp and do it right any commands you wanted on your own we have complete application visibility and control because we monitor each session and we hundred-percent software based we don't make any hardware we have partners whom we can recommend you to or you can get hardware on your own and like I said performance depends on number of cores mainly on what you will give us it's a distributor and non-destructive 
deployment let's talk about some of the deployment scenarios we have that'll give you a better context of the customer base we have and and whom we talk to and what we do before we move over to the demo we usually have three classes of customers even though we made it as a general-purpose router we the market market demands drivers towards these three silos one is SD van virtual edge VPN replacement and so on those this is one category of customers that we have it works the best when there's large number of sites or there is lossy links or low throughput links that's when our technology really shines through if you have ten sites it's the same and with good grade connections you could probably do IPSec tunnels and everything will be great as well there's not much differentiator you can see in terms of performance and an application improvement but in those cases our our product really shines through multi cloud fabric connecting multiple clock crowds hybrid clouds or public clouds or datacenter interconnect we have some customers who use this for data center interconnect they publicly referenced as well some of the press releases are available and of course if anyone wants to build a zero trust network like I said bad already mentioned that we don't do layer seven or anything else for those capabilities we have partners but other than that layer to to layer four we do that kind of firewall functions and we have certifications for those do you have virtual points for the multi cloud like you can drop an AWS or a yeah yeah we are available in all three marketplaces today okay AWS as your a demo might show you that yeah and we're gonna show that in the demo as well yeah I took three different really different use cases and they of course have yet to go for public reference these cases only so so that we could give you an idea of what they do CMC networks is one of our customers they are the largest wholesale service provider in Africa their customers are coca-cola US 
enterprises and so on who have locations in Africa World Bank and so on they want they currently have a largely currently not currently previously had a largely o2 network which they used and they were already encapsulating traffic one of the challenges they faced is that any time the way that contracts are works with their end customers is that anytime they have a connection and they are not unable to meet their selys which are in the contract they have to pay penalties and the way it works is they pay some penalty is get some money back and that's the life works because networks there have a lot of issues bandwidth support costs a high they tried a number of SD van vendors but overlay on top of the overlay was actually making the service even worse and they have actually tried on our solution and they actually have it commercially available now they've already deployed and they offer our SD van service to their end customers and the benefit is obviously it lowers their solution costs overall they have studied they have done is just because they don't have to pay the penalties to the end cut end and users they have the the DES demand deployment is going to pay for itself within within two years its its support thousands of sites improves SLA is and obviously meets the requirements they have and you know it's ironic about those guys every single packet we're out is an IPSec tunnel packet ironically yes yeah it is only an IPSec it's already in and they yeah so putting it in another IPSec tunnel was causing even more trouble so the other like other use case I like to give is Parvati riyals there a building manufacturer and I'm I have some slides next on on so I'm gonna go in the use case but the idea is they have a wireless point-to-point wireless network which they use and that causes them a lot of issues to switch over failover and so on and they have been using our solution I'm gonna just hold it for a minute because in the next slide I'm gonna go a little more 
detail about them they're all one for interior ignore in their entire brain yeah and their network and yeah their entire network currently is based on only our our solution bar networks they actually have a TV screen on their reception which I like to tell people about it has our conductor page and shows everything going on variation systems their cloud communications provider they connect about 300 hospitals they provide unified communication services one of the challenges they faced is anytime they provide these these connections to their their the hospitals the hospital when they don't have good connectivity or when there's issues they call them up and they say hey you know your service doesn't work and they debug and everything else and their service is working fine it's the provider in the middle who doesn't have the good connection and there's nothing they can do about it to control in many places because they don't have control over the middle network so what they have done is by using our solution and by using Elte backups and fellow was and so on they are now able to extend the SLA from dead Edison to the customer edge they actually say that and we have a lot of videos and and case studies written about them but the idea is because of the savings of bandwidth and also the quick fail overs they were able to guarantee SL is to their end customers and that has improved their network and their solution let's talk about bad materials they have sites some of these sites are remote sites they they leverage a point-to-point wireless network and of course DSL connections in many of those locations but what happens is they have these video feeds they need to see from these sites and the video feed is very important to them because it tells them how many trucks are passing by if they don't know how many trucks are passing by they don't know how much materials they are gonna get and if they are completely in the blind for example if ten trucks pass by there no ten 
times this is how much materials is coming if they don't have that information they don't have an idea of what's happening in their in their business not in the network but I don't have idea what's happening in their business and usually what happens is with the solutions they had and the solutions the trial is that the ones that wireless network gets congested it's impossible to get this video feed through they were actually they actually told us when they original matters is that we just need to make sure that video comes through everything else if it fails that's fine I mean just stop every other traffic but make sure that video comes through the issues they faced in general when we compare two networks is obviously they were having high cost CPEs you're unable to monitor the links in real-time they have limited aggregate bandwidth and don't have quick fail overs one other one of the issues they had is video fails obviously video recovers over time and and networks converge but they don't immediately they have lost there's a blackout period and as they have lost what happen and they want to obviously prioritize this this video feed over anything else and they won't have centralized monitoring with 128 solution they actually host our conductor in the AWS cloud they just use it for monitoring it from there they use Q s and T for rate limiting prioritizing flows they have instantaneous failures with their LTE network in fact this is one of the major reasons they wanted us because the instantaneous failover because they can't lose that your feed they have real-time monitoring of traffic they use of course white boxes today they have told us that there's about a thousand dollars saving per truck per day just because of doing this to their business from the business side it provides an improved connectivity of course multipath optimizations lower cost
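The session-state behaviour described in the talk (first packet carries metadata with a session ID, later packets are matched by state, a failover is re-bound on the very next packet, and anything without an explicitly allowed initiator is dropped, as with the point-of-sale terminal) can be made concrete with a small model. The following Python is an added toy illustration, not 128 Technology's code; the packet fields, policy tuples, addresses and path names are constructed assumptions.

```python
"""Toy model of the session-oriented, deny-by-default forwarding the talk
describes. Constructed illustration only: packet fields, policy tuples and the
metadata shape are assumptions, not 128 Technology's actual SVR format."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str      # address as seen on the wire (may already be NAT-rewritten)
    dst: str
    dport: int
    path: str     # link the packet arrived on, e.g. "wireless" or "lte"
    session_id: "str | None" = None  # metadata, only on a session's first packet per path


class SessionRouter:
    """Keeps transient per-session state and forwards only for sessions whose
    initiation an explicit (initiator, responder, port) policy allowed."""

    def __init__(self, policies):
        self.policies = set(policies)
        self.sessions = {}  # session_id -> {"path": str, "packets": int}
        self.flows = {}     # (src, dst, dport, path) -> session_id, both directions
        self.log = []

    def _bind(self, sid, pkt):
        # Forward and reverse keys on this path map to the session, so later packets need no metadata.
        self.flows[(pkt.src, pkt.dst, pkt.dport, pkt.path)] = sid
        self.flows[(pkt.dst, pkt.src, pkt.dport, pkt.path)] = sid

    def handle(self, pkt):
        sid = self.flows.get((pkt.src, pkt.dst, pkt.dport, pkt.path))
        if sid is None and pkt.session_id in self.sessions:
            # Known session arriving on a new path or NATed address: the metadata on this
            # very packet re-binds it, so the application sees no failure. (A real router
            # authenticates this metadata; omitted here.)
            sid = pkt.session_id
            old = self.sessions[sid]["path"]
            self.sessions[sid]["path"] = pkt.path
            self._bind(sid, pkt)
            self.log.append(f"{sid}: moved {old} -> {pkt.path}")
        elif sid is None and pkt.session_id is not None:
            # First packet of a new session: directionality check, only an allowed initiator may create it.
            if (pkt.src, pkt.dst, pkt.dport) not in self.policies:
                self.log.append(f"{pkt.session_id}: denied {pkt.src}->{pkt.dst}:{pkt.dport}")
                return "drop"
            sid = pkt.session_id
            self.sessions[sid] = {"path": pkt.path, "packets": 0}
            self._bind(sid, pkt)
        elif sid is None:
            return "drop"  # no state and no metadata: deny by default
        self.sessions[sid]["packets"] += 1
        return "forward"


def demo():
    # Constructed scenario: a point-of-sale terminal may reach the payment gateway, nothing else.
    r = SessionRouter({("pos-1", "gateway", 443)})
    results = [
        r.handle(Packet("pos-1", "gateway", 443, "wireless", "s1")),    # first packet, metadata
        r.handle(Packet("gateway", "pos-1", 443, "wireless")),          # reply, matched by state
        r.handle(Packet("pos-1", "gateway", 443, "wireless")),          # no metadata needed
        r.handle(Packet("198.51.100.7", "gateway", 443, "lte", "s1")),  # failover: NATed src, new path
        r.handle(Packet("198.51.100.7", "gateway", 443, "lte")),        # keeps flowing on LTE
        r.handle(Packet("pos-1", "internet", 80, "wireless", "s2")),    # no policy: dropped
        r.handle(Packet("internet", "pos-1", 443, "wireless")),         # unsolicited inbound: dropped
    ]
    return results, r.log
```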
Info
Channel: Tech Field Day
Views: 1,445
Rating: 5 out of 5
Id: zc1e4e_5IiQ
Length: 47min 9sec (2829 seconds)
Published: Fri Mar 15 2019