Cisco SDWAN Data Plane Encryption and Key Exchange

Cisco Catalyst SD-WAN is a so-called Software-Defined WAN solution, in which the control and management planes are separated from the physical devices. In the Viptela architecture the data plane stays on the physical devices (obviously), the control plane is handled by vSmart (with vBond as the orchestrator), and the management plane by vManage.

Cisco has since renamed the components; the new names are:

  • Cisco vManage is now Cisco Catalyst SD-WAN Manager
  • Cisco vBond is now Cisco Catalyst SD-WAN Validator
  • Cisco vSmart is now Cisco Catalyst SD-WAN Controller

 ⭐ Cisco SDWAN Data Plane Encryption

Traditional IPsec, which is widely deployed in networks, uses the Internet Key Exchange (IKE) protocol to exchange data plane keys. IKE works well for small networks, but it presents scalability issues in large Cisco Catalyst SD-WAN deployments with many devices.

Fig 1.1 - Cisco SDWAN Data Plane

The Cisco Catalyst SD-WAN fabric integrates a zero trust security model in its control plane, guaranteeing that every element of the fabric is authenticated and authorized before it is given access to the network. This model is built on digital certificates that establish the identity of each fabric element.

In standard IKE every device negotiates keys with every other device; Cisco Catalyst SD-WAN instead distributes keys through a centralized Cisco Catalyst SD-WAN Controller.

Because vSmart controls both routing and key distribution, no individual device has to manage a large number of keys.

 ⭐ Cisco SDWAN Data Plane Key Exchange

Instead of exchanging keys over IPsec Phase 1 (the IKE phase), Cisco Catalyst SD-WAN shares keys between WAN-Edges over DTLS (Datagram Transport Layer Security). It reuses the secure DTLS connections that its control plane has already established for the key exchange.

There is no need for an extra secure channel in the data plane for key exchange because the control plane is already secure.

Cisco Catalyst SD-WAN employs a single AES-256-GCM key per TLOC (Transport Location) for both encryption and decryption. This is a symmetric key used in an asymmetric way: one key serves both purposes on a specific data path.

Each router periodically generates a new key and advertises it to the vSmart controller in OMP (Overlay Management Protocol) route updates.
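To make the distribution model concrete, the following Go sketch (an added example, not Cisco code) models the scheme described above: each WAN-Edge generates its own AES-256-GCM key per TLOC and advertises it to a central controller, and a peer encrypts toward that TLOC with the advertised key rather than negotiating pairwise with IKE. The Controller and Edge types, the TLOC strings and the in-memory "OMP update" are constructed for the example; the DTLS transport and IPsec encapsulation of the real fabric are not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Controller stands in for the SD-WAN Controller (vSmart): it holds the latest
// per-TLOC key each edge advertised over OMP and hands it to peers; no pairwise IKE.
type Controller map[string]cipher.AEAD

// Edge is a WAN-Edge router holding one AES-256-GCM key for its TLOC (TLOC names are constructed).
type Edge struct{ TLOC string; aead cipher.AEAD }

// Rekey draws a fresh 256-bit key, as each router does periodically, and advertises it.
func (e *Edge) Rekey(c Controller) error {
	key := make([]byte, 32)
	rand.Read(key) // crypto/rand.Read never returns an error (guaranteed since Go 1.24)
	block, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	g, err := cipher.NewGCM(block)
	if err != nil {
		return err
	}
	e.aead, c[e.TLOC] = g, g // models the OMP route update carrying the new key
	return nil
}

// SealTo encrypts toward peer with the key the controller distributed for that TLOC, prepending a random nonce.
func (e *Edge) SealTo(c Controller, peer string, plaintext []byte) ([]byte, error) {
	g, ok := c[peer]
	if !ok {
		return nil, errors.New("no key advertised for " + peer)
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // 96-bit GCM nonce, fresh per packet
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts with the edge's own current key; anything sealed under a superseded key fails authentication.
func (e *Edge) Open(packet []byte) ([]byte, error) {
	if n := e.aead.NonceSize(); len(packet) >= n {
		return e.aead.Open(nil, packet[:n], packet[n:], nil)
	}
	return nil, errors.New("packet too short")
}
```

The failure of Open after a rekey is the behaviour a defender should expect to see as brief decrypt errors if a key update has not yet propagated through the controller to every peer.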
