
offering, can provide network administrators with additional levels of control. By creating overlay networks using IPsec tunnels, network traffic can be grouped by application type and rules applied to route traffic for best performance. The creation and management of tunnels, however, have their own drawbacks and added overhead, “and like the managers of railway networks who can’t manage journeys, you are not seeing and optimizing the individual flows – the sessions,” argued Peronkov.

The relatively new technology called session smart routing, meanwhile, eliminates the need to build or maintain overlay networks of IPsec tunnels, while determining the best route for an individual session and the user at a given time. The upsides, say proponents of session smart routing, include lower costs and a simplification of the centralized management of remote sites enabled by software-defined networking (SDN).

Initially developed by U.S.-based software company 128 Technology, which was purchased by multinational networking company Juniper Networks late last year, session smart routing replaces tunnel-based network overlays and less-efficient provisioning systems and directs traffic based on application sessions – taking key information from the originating and terminating IP addresses and the session application identifier – rather than on individual packets. It provides distributed control, intelligent service-based routing, and in-band session-based signaling, and it is compatible and interoperable with existing network protocols and architectures, so it can be gradually introduced into an existing IP network, said Juniper. It is also becoming a key differentiation point in Juniper’s enterprise SD-WAN strategy.

The technology involves two primary components.
A software-based Session Smart Router – which is deployable on white-box CPE, data center network servers, and the cloud – combines the service-centric control plane and a session-aware data plane to provide IP routing, policy management, visibility, and proactive analytics. A controller (Session Smart Conductor), meanwhile, acts as a centralized management and policy engine for all the smart routers in the network. It provides orchestration, administration, zero-touch provisioning, monitoring, and analytics for these routers while also maintaining a network-wide, multi-tenant service and policy data model. Together, the two components implement what 128 Technology called Secure Vector Routing.

Tunnel-Based vs Tunnel-Free SD-WAN

Tunnel-Based SD-WAN:
- Tunnels forward packets instead of sessions, which leads to a static nature of connectivity. For session awareness, additional applications such as DPI need to be added.
- Stateless L2 and L3 network fabric.
- Additional bandwidth tax that can be as high as 123%.
- Risk of fragmentation if the IP packet size reaches close to 1,500 bytes. Fragmentation can result in packet drops during reassembly.
- Scalability issues because tunnels necessitate a hub-and-spoke configuration instead of a mesh; a suboptimal design for real-time traffic such as VoIP and video.
- For large-scale networks that demand more granular segmentation, segmentation is static and complex to implement and maintain.
- Security risks can arise because of fragmentation.
- Evasion by tunneling can be a problem for network-based security devices such as network firewalls, IDS and IPS.
- Inefficiency because of potential double encryption in traditional SD-WAN, re-encrypting the customer’s traffic even if it is already encrypted.

Tunnel-Free SD-WAN:
- Sessions are forwarded, which leads to stateful and dynamic routing, resulting in an intelligent and distributed fabric.
- The stateless L2 and L3 network is transformed into a session-aware data plane.
- No overhead means no bandwidth tax.
- No risk of fragmentation (because of SD-WAN), as additional compensation for overhead bytes is not needed.
- As there are no overheads, there are no risks of scalability. Thousands of sessions can be created.
- As scalable as IP.
- Hyper-segmentation based on sessions. Much more granular, easier to implement, and results in better utilization of MPLS links. This can potentially reduce MPLS link costs.
- Zero-trust security is the default.
- End-to-end stateful session management and encryption. No need for IPsec, as encryption can be done on the payload using AES-128/256.
- Adaptive encryption by detecting encryption on the customer’s traffic; no need to re-encrypt the traffic.

Source: ACG Research

32 THE CHANNEL MANAGER’S PLAYBOOK
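The two tunnel-based drawbacks in the table that a network engineer can actually measure are the encapsulation "bandwidth tax" and the fragmentation risk near the 1,500-byte Ethernet MTU. The following script is an added example, not code from the article, ACG Research, 128 Technology or Juniper; it computes the on-wire size of a packet after IPsec ESP tunnel-mode encapsulation and flags when that size exceeds the MTU. The overhead constants are assumptions for one common configuration (ESP tunnel mode over IPv4, AES-CBC with a 16-byte IV and block-aligned padding, a 16-byte truncated HMAC authenticator); other cipher suites, GRE-over-IPsec, or NAT-T change the numbers, and the 123% figure quoted in the table is not reproduced here, only the fact that the tax grows as packets shrink.

```python
"""IPsec ESP tunnel-mode overhead and fragmentation check.

Added example; constants below are assumptions for ESP tunnel mode over
IPv4 with AES-CBC and a 16-byte truncated HMAC ICV (not the article's data).
"""

OUTER_IPV4_HEADER = 20   # outer IP header added by tunnel mode
ESP_HEADER = 8           # SPI (4 bytes) + sequence number (4 bytes)
IV_LEN = 16              # explicit IV for AES-CBC
AES_BLOCK = 16           # AES-CBC block size; padding aligns to this
ESP_TRAILER = 2          # pad length (1) + next header (1)
ICV_LEN = 16             # e.g. HMAC-SHA-256-128 truncated authenticator
ETHERNET_MTU = 1500


def esp_padding(inner_len: int) -> int:
    """Padding bytes so that (inner packet + padding + trailer) is block-aligned."""
    return (AES_BLOCK - (inner_len + ESP_TRAILER) % AES_BLOCK) % AES_BLOCK


def esp_tunnel_size(inner_len: int) -> int:
    """On-wire size of one inner IP packet after ESP tunnel encapsulation."""
    return (OUTER_IPV4_HEADER + ESP_HEADER + IV_LEN + inner_len
            + esp_padding(inner_len) + ESP_TRAILER + ICV_LEN)


def bandwidth_tax_pct(inner_len: int) -> float:
    """Encapsulation overhead as a percentage of the original packet size."""
    return 100.0 * (esp_tunnel_size(inner_len) - inner_len) / inner_len


def will_fragment(inner_len: int, mtu: int = ETHERNET_MTU) -> bool:
    """True if the encapsulated packet exceeds the path MTU and must be fragmented."""
    return esp_tunnel_size(inner_len) > mtu


def max_inner_without_fragmentation(mtu: int = ETHERNET_MTU) -> int:
    """Largest inner packet whose encapsulated size still fits the MTU.

    This is the value to use when clamping TCP MSS or setting the tunnel MTU
    so that hosts never emit a packet the tunnel has to fragment.
    """
    best = 0
    for inner in range(1, mtu + 1):
        if not will_fragment(inner, mtu):
            best = inner
    return best


def report(sizes=(60, 200, 1438, 1500)) -> list:
    """Tabulate overhead for constructed sample packet sizes.

    60 ~ a G.729 VoIP packet, 200 ~ a G.711 VoIP packet, 1438 = the largest
    inner packet that still fits, 1500 = a full-MTU TCP segment.
    """
    rows = []
    for s in sizes:
        rows.append({
            "inner": s,
            "on_wire": esp_tunnel_size(s),
            "tax_pct": round(bandwidth_tax_pct(s), 1),
            "fragments": will_fragment(s),
        })
    return rows


if __name__ == "__main__":
    for row in report():
        print(row)
    print("largest inner packet without fragmentation:",
          max_inner_without_fragmentation())
```

Under these assumptions a 60-byte VoIP packet more than doubles on the wire (a tax above 100%), a full 1,500-byte segment becomes 1,564 bytes and is fragmented, and anything above 1,438 bytes of inner packet needs MSS clamping or a lowered tunnel MTU. The same calculation is what a defender uses to decide whether fragmented ESP traffic seen by a firewall or IDS is expected or anomalous.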
