HOW TO BUILD A NEW KIND OF NETWORK - 128 …...2016/09/19  · How to Build a New Kind of Network |...

SIMPLER, SMARTER NETWORKING WITH SECURE VECTOR ROUTING HOW TO BUILD A NEW KIND OF NETWORK


Table of Contents

1. What Happened to Networking?
2. You Can’t Get There From Here
3. Secure Vector Routing: Simply Smarter
4. Session-Aware Data Plane: Simpler Networking with Better Security and Control
5. Building Service-Centricity into the Network
6. Service Federation: Creating Networks Without Borders
7. We Do SVR


What Happened to Networking?

Routers were originally designed to connect networks together. That’s it.

Along came application models and services that enabled the complex, interconnected mobile and cloud-based environments that run on our networks today. Bolt-on middleboxes (firewalls, load balancers) and overlay and tunneling solutions (MPLS, VPNs, etc.) were introduced to boost basic routing capabilities, that is, to manage as many packets as possible, rapidly and securely.

The result? Networks that are hard and expensive to manage, provision, and (ironically) secure against malicious threats – or just plain old human error. There are no end-to-end policy and security models; managing devices and overlays leads to virtually continuous spending; and legacy network models restrict business flexibility and growth.

There’s got to be a better way to build a network.


You Can’t Get There From Here

History has shown us that things don’t get any easier by continuing to layer more stuff on our networks. Current networks already inhibit business agility by making it hard to deliver services across private and public networks that support greater mobility and interconnectivity.

Looking ahead, managing and routing traffic will only get harder as we move into richer communications driven by collaboration, video streams, and virtual reality, as well as the increasing volumes from the “Internet of Things.”

Why aren’t networks just smarter? More cost-efficient?

- Networks are not “session-aware” — they lack visibility into the unique two-way exchange between source and destination endpoints
- They provide packet flow information without any context on how the flows are related or how traffic is tied to business applications
- Security is not native and not granular enough to make every link on the network secure

We pay the price every day: vulnerability, poor performance, and yet increasing costs. There is a path to simpler, smarter networking: Secure Vector Routing.


Secure Vector Routing: Simply Smarter

Secure Vector Routing (SVR) is not another device or a conventional software-defined router. SVR is a session-oriented approach for building context-aware networks that can easily, dynamically and securely stretch across network boundaries.

SVR is built on three fundamental capabilities not available in current routers or software-defined networking technology:

1) Session-aware data plane: Visibility into and control over key information describing a unique two-way exchange between source and destination endpoints
2) Service-centricity: Service topologies and policy frameworks that exist within, not on top of, IP networks
3) Federation across network boundaries: “Virtualized” network federation with end-to-end, per-tenant network and services control

Taken together, these three capabilities reinvent networking.

SVR does more than eliminate the costs and complexities of provisioning endless middleboxes, or the complexities and risks of managing additional tunneling and overlay technologies. SVR delivers the real end-to-end service functionality and business economies needed from today’s network:

- Context for breakthroughs in simplification, control, and security
- Simplicity for easier management, reduced costs, and greater agility
- Extensibility for easier scaling across network boundaries

[Figure: Secure Vector Routing: Simply Smarter (Data Plane, Service-Centricity, Federation)]


Session-Aware Data Plane: Simpler Networking with Better Security and Control

Nearly every use of a network involves sessions — the symmetrical, bi-directional exchanges that take place between source and destination endpoints.

[Figure: diagram with nodes labeled R1w, R2w, R3w, R4w, R5w]


However, the existing routing technology has no understanding of sessions – and advanced network functions, such as firewalls, load balancers, and network optimizers, have incomplete concepts of sessions. In order to be session-aware, routers must understand and correlate:

- The fixed addresses of the endpoints
- The two corresponding unidirectional flows in opposite directions/vectors
- Directionality – which endpoint initiated the exchange
- Other parameters, like desired service/tenant or policies or QoS metrics specific to that session

An SVR network has inherent access to this information. It can associate all packets and flows to a unique session, and control that session end-to-end. Session integrity and security are protected at every waypoint through “first packet processing.” See sidebar.

SVR incorporates advanced network functionality like firewalling and load balancing into the act of routing itself. With it, you can:

- Eliminate tunnel-based overlays, but still enforce path selection and segmentation
- Offer zero trust security and adaptive encryption
- More tightly align applications with the capabilities of the underlying network
- Manage many simultaneous sessions dynamically and intelligently end-to-end

First Packet Processing

SVR uses an in-band signaling technique that recognizes the first packet of a session and controls the session based on the key information in that packet. This is done by translating the original source and destination addresses to “waypoint” addresses. Waypoints are locations along a route that are recorded and stored so they can be referenced later by the 128T router.

Then, metadata is added to the first packet, including the original source and destination addresses, along with other policy and control parameters. The metadata is then signed with a certificate, optionally encrypted, and forwarded to the next waypoint address in the route.

When it reaches the last waypoint in the route, the original packet contents are restored and it’s delivered to the final destination.
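
The first-packet steps above as a small Python simulation; this is an added example, not 128 Technology's code or wire format. The packet dictionaries, the waypoint addresses, the `tenant` field and the use of HMAC-SHA256 with a shared key in place of the certificate signature are assumptions, and the optional encryption step is left out.

```python
import hashlib
import hmac
import json

# Constructed demo key: HMAC-SHA256 stands in for the certificate signature.
SIGNING_KEY = b"constructed-demo-key"

def sign(meta):
    """Sign a canonical (sorted-key) JSON encoding of the metadata."""
    blob = json.dumps(meta, sort_keys=True).encode()
    return hmac.new(SIGNING_KEY, blob, hashlib.sha256).hexdigest()

def ingress(packet, route, tenant):
    """First waypoint: keep the original addresses in signed metadata and
    readdress the packet from this waypoint to the next one."""
    meta = {"orig_src": packet["src"], "orig_dst": packet["dst"], "tenant": tenant}
    return {"src": route[0], "dst": route[1], "meta": meta,
            "sig": sign(meta), "payload": packet["payload"]}

def forward(wire, route, here):
    """Any later waypoint: verify the metadata before acting on it, then
    either pass the packet on or, at the last waypoint, restore it."""
    if not hmac.compare_digest(wire["sig"], sign(wire["meta"])):
        raise ValueError(f"metadata signature check failed at {here}")
    hop = route.index(here)
    if hop == len(route) - 1:
        meta = wire["meta"]
        return {"src": meta["orig_src"], "dst": meta["orig_dst"],
                "payload": wire["payload"]}
    return {**wire, "src": here, "dst": route[hop + 1]}

def run_first_packet(packet, route, tenant):
    """Carry a session's first packet across every waypoint in the route."""
    wire = ingress(packet, route, tenant)
    for here in route[1:]:
        wire = forward(wire, route, here)
    return wire

if __name__ == "__main__":
    # Constructed sample values (documentation address ranges).
    route = ["198.51.100.1", "198.51.100.2", "198.51.100.3"]
    first = {"src": "10.0.0.5", "dst": "192.0.2.20", "payload": "SYN"}
    print(run_first_packet(first, route, tenant="engineering"))
    forged = ingress(first, route, "engineering")
    forged["meta"]["orig_dst"] = "203.0.113.9"  # altered in transit
    try:
        forward(forged, route, route[1])
    except ValueError as err:
        print("rejected:", err)
```

Because each waypoint checks the signature before it uses the metadata, a changed original destination is rejected at the next hop instead of being restored at the end of the route.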

In short, you can quickly create a network that is fundamentally simpler and smarter.


Building Service-Centricity into the Network

Routing has traditionally relied on IP addressing and device topology in applying controls and policies to the network. Modern routing must evolve beyond this – and enable a session-aware data plane to make dynamic routing decisions based on fully distributed knowledge of services topology and policy frameworks. In other words, routing needs to be service-centric.

SVR does this by using a new kind of network data model defined in terms of services, tenants, and policies. Tenants can only “see” or utilize services as policies allow. Access, Quality of Service (QoS), and security-related policies are defined for tenants and services, with policies and permissions propagated automatically throughout the network. See sidebar.

The focus on applications and services doesn’t end there. In an SVR-based network, business logic drives network architecture, not the other way around. In this schema, all services and service routes are described with a Qualified Service Name (QSN) instead of an IP address. Network administrators are no longer struggling with numbered IP addresses, overlapping VLANs, VXLANs, VPNs, etc. Think of this as “routing with words.”

What’s important to note is that this approach takes place within – and not on top of – the IP network; the network itself is built to be service-oriented.

QSN://Subtenant.Tenant.Authority/ServiceGroup/Service
  Subtenant.Tenant.Authority: Hierarchical Tenant Descriptor
  ServiceGroup/Service: Services Descriptor

[Figure: policy types: Access, QoS, Security]

Service-Centricity

In the data model for an SVR network, services represent applications reachable by an IP address (such as a web server, database server, logging service, etc.).

Services are grouped into tenants, which are sub-networks that maintain their own sets of policies, access controls, and allowed network paths. To access a service (or services) within a tenant, you need to be a member of that tenant.

This approach turns the access control list (ACL) concept on its head, and drastically minimizes the configuration required for access control, or other policy applications.


Service Federation: Creating Networks Without Borders

Enabling true end-to-end network services requires the ability to stretch virtual networks across boundaries, from the data center to the branch office, to the cloud. Doing this using current techniques requires complex “stitching” or overwrought orchestration schemes.

Secure Vector Routing enables delivery of applications and services across multiple networks and network segments, including address domains, security zones, firewalls, and private-public boundaries.

This is done via STEP (Service and Tenancy Exchange Protocol), a new kind of protocol designed to complement existing dynamic routing protocols with a global view of services, tenancy, and policy information.

STEP provides a number of benefits:

- Dramatic simplification and scale-out capabilities for provisioning and maintaining network-wide services topologies, QoS, and security policies
- Virtual network stretching across the fragmented infrastructure including data center, wide-area network, Internet, and the branch
- Automation of interconnect between different service providers, cloud providers and enterprises

The result? Greater simplicity, more flexible deployments, and a significantly expanded service reach.


We Do SVR

In fact, we invented it. The new SVR paradigm easily replaces or augments complex overlay networks and provides native advanced network functionality, improving security, control, and agility.

Implementing SVR does not mean you need to rip and replace your existing network. SVR is fully compatible with existing TCP/UDP network protocols and architectures. Existing components (routers, firewalls, IPS/IDS, load balancers, or any other devices) can stay in place. The SVR network can work seamlessly with existing architectures.

The point is, you can – when and wherever you need to – bring intelligence throughout the network.

To learn more, visit us at 128technology.com

[Figure: Control, Agility, Security]


200 Wheeler Road, Burlington, MA 01803
781.203.8400 | [email protected]
128technology.com
Copyright © 2016 128 Technology.

About 128 Technology

The company is focused on creating innovative software solutions that address a broad range of networking challenges across enterprises, service providers and cloud services.

We are a group of technologists and entrepreneurs who enjoy tackling big problems and aren’t afraid to defy convention and raise a few eyebrows. Our core team has a successful track record in creating disruptive network technology for delivering secure connectivity across global IP networks.

128 Technology understands that for many companies, networks are a core part of their business — and in some cases, the network is their business. The massive, rapid shift to cloud and mobile native applications places the importance of the network into even sharper relief.