SIMPLER, SMARTER NETWORKING WITH SECURE VECTOR ROUTING
HOW TO BUILD A NEW KIND OF NETWORK
Table of Contents
1 What Happened to Networking?
2 You Can’t Get There From Here
3 Secure Vector Routing: Simply Smarter
4 Session-Aware Data Plane: Simpler Networking with Better Security and Control
5 Building Service-Centricity into the Network
6 Service Federation: Creating Networks Without Borders
7 We Do SVR
What Happened to Networking?
Routers were originally designed to connect networks together. That’s it.
Along came application models and services that enabled the complex, interconnected mobile and cloud-based environments that run on our networks today. Bolt-on middleboxes (firewalls, load balancers) and overlay and tunneling solutions (MPLS, VPNs, etc.) were introduced to boost basic routing capabilities, that is, to manage as many packets as possible, rapidly and securely.
The result? Networks that are hard and expensive to manage, provision, and (ironically) secure against malicious threats – or just plain old human error. There are no end-to-end policy and security models; managing devices and overlays leads to virtually continuous spending; and legacy network models restrict business flexibility and growth.
There’s got to be a better way to build a network.
You Can’t Get There From Here
History has shown us that things don’t get any easier by continuing to layer more stuff on our networks. Current networks already inhibit business agility by making it hard to deliver services across private and public networks that support greater mobility and interconnectivity.
Looking ahead, managing and routing traffic will only get harder as we move into richer communications driven by collaboration, video streams, and virtual reality, as well as the increasing volumes from the “Internet of Things.”
Why aren’t networks just smarter? More cost-efficient?
• Networks are not “session-aware” — they lack visibility into the unique two-way exchange between source and destination endpoints
• They provide packet flow information without any context on how they are related or how traffic is tied to business applications
• Security is not native and not granular enough to make every link on the network secure
We pay the price every day: vulnerability, poor performance, and yet increasing costs. There is a path to simpler, smarter networking: Secure Vector Routing.
Secure Vector Routing: Simply Smarter
Secure Vector Routing (SVR) is not another device, nor a conventional software-defined router. SVR is a session-oriented approach for building context-aware networks that can easily, dynamically and securely stretch across network boundaries.
SVR is built on three fundamental capabilities not available in current routers or software-defined networking technology:
1) Session-aware data plane: Visibility into and control over key information describing a unique two-way exchange between source and destination endpoints
2) Service-centricity: Service topologies and policy frameworks that exist within, not on top of, IP networks
3) Federation across network boundaries: “Virtualized” network federation with end-to-end, per tenant network and services control
Taken together these three capabilities reinvent networking.
SVR does more than eliminate the costs and complexities of provisioning endless middleboxes, or the complexities and risks of managing additional tunneling and overlay technologies. SVR delivers the real end-to-end service functionality and business economies needed from today’s network:
• Context for breakthroughs in simplification, control, and security
• Simplicity for easier management, reduced costs, and greater agility
• Extensibility for easier scaling across network boundaries
[Figure: Secure Vector Routing: Service-Centricity, Federation, Data Plane]
Session-Aware Data Plane: Simpler Networking with Better Security and Control
Nearly every use of a network involves sessions — the symmetrical, bi-directional exchanges that take place between source and destination endpoints.
However, existing routing technology has no understanding of sessions – and advanced network functions, such as firewalls, load balancers, and network optimizers, have incomplete concepts of sessions. In order to be session-aware, routers must understand and correlate:
• The fixed addresses of the endpoints
• The two corresponding unidirectional flows in opposite directions/vectors
• Directionality – which endpoint initiated the exchange
• Other parameters, like desired service/tenant or policies or QoS metrics specific to that session
An SVR network has inherent access to this information. It can associate all packets and flows to a unique session, and control that session end-to-end. Session integrity and security are protected at every waypoint through “first packet processing.” See sidebar.
SVR incorporates advanced network functionality like firewalling and load balancing into the act of routing itself. With it, you can:
• Eliminate tunnel-based overlays, but still enforce path selection and segmentation
• Offer zero trust security and adaptive encryption
• More tightly align applications with the capabilities of the underlying network
• Manage many simultaneous sessions dynamically and intelligently end-to-end
First Packet Processing
SVR uses an in-band signaling technique that recognizes the first packet of a session and controls the session based on the key information in that packet. This is done by translating the original source and destination addresses to “waypoint” addresses. Waypoints are locations along a route that are recorded and stored so they can be referenced later by the 128T router.
Then, metadata is added to the first packet, including the original source and destination addresses, along with other policy and control parameters. The metadata is then signed with a certificate, optionally encrypted, and forwarded to the next waypoint address in the route.
When it reaches the last waypoint in the route, the original packet contents are restored and it’s delivered to the final destination.
In short, you can quickly create a network that is fundamentally simpler and smarter.
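The session correlation and first packet processing described above can be modelled in a few lines. This is an added example, not 128 Technology's code or the SVR wire format: the Waypoint class, the field names, and the HMAC that stands in for the certificate signature are all assumptions.

```python
import hashlib
import hmac
import json

# Constructed model of the sidebar's steps, not the real SVR wire format.
# Assumption: HMAC-SHA256 with a shared demo key stands in for the
# certificate-based signature the page describes.
DEMO_KEY = b"constructed-demo-key"


def sign(meta):
    blob = json.dumps(meta, sort_keys=True).encode()
    return hmac.new(DEMO_KEY, blob, hashlib.sha256).hexdigest()


class Waypoint:
    def __init__(self, addr):
        self.addr = addr
        self.flows = {}  # (src, dst) -> (session id, direction)

    def _learn(self, meta):
        # One session is two unidirectional flows; the first packet fixes
        # which endpoint initiated the exchange.
        self.flows[(meta["src"], meta["dst"])] = (meta["sid"], "forward")
        self.flows[(meta["dst"], meta["src"])] = (meta["sid"], "reverse")

    def send_first(self, pkt, next_wp, sid, tenant, service):
        """Ingress: rewrite to waypoint addresses, attach signed metadata."""
        meta = {"sid": sid, "src": pkt["src"], "dst": pkt["dst"],
                "tenant": tenant, "service": service}
        self._learn(meta)
        return {"src": self.addr, "dst": next_wp, "meta": meta,
                "sig": sign(meta), "payload": pkt["payload"]}

    def receive_first(self, wire):
        """Last waypoint: verify metadata, then restore the original packet."""
        if not hmac.compare_digest(wire["sig"], sign(wire["meta"])):
            raise ValueError("metadata signature check failed")
        self._learn(wire["meta"])
        meta = wire["meta"]
        return {"src": meta["src"], "dst": meta["dst"],
                "payload": wire["payload"]}

    def classify(self, src, dst):
        """Return (session id, direction) for a flow, or None if unknown."""
        return self.flows.get((src, dst))
```

A first packet whose metadata was altered in transit fails the signature check and never creates session state, so later flows that claim to belong to it classify as unknown.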
Building Service-Centricity into the Network
Routing has traditionally relied on IP addressing and device topology in applying controls and policies to the network. Modern routing must evolve beyond this – and enable a session-aware data plane to make dynamic routing decisions based on fully distributed knowledge of services topology and policy frameworks. In other words, routing needs to be service-centric.
SVR does this by using a new kind of network data model defined in terms of services, tenants, and policies. Tenants can only “see” or utilize services as policies allow. Access, Quality of Service (QoS), and security related policies are defined for tenants and services, with policies and permissions propagated automatically throughout the network. See sidebar.
The focus on applications and services doesn’t end there. In an SVR-based network, business logic drives network architecture, not the other way around. In this schema, all services and service routes are described with a Qualified Service Name (QSN) instead of an IP address. Network administrators are no longer struggling with numbered IP addresses, overlapping VLANs, VXLANs, VPNs, etc. Think of this as “routing with words.”
What’s important to note is that this approach takes place within – and not on top of – the IP network; the network itself is built to be service-oriented.
[Figure: Security, QoS, Access]
QSN://Subtenant.Tenant.Authority/ServiceGroup/Service
(Subtenant.Tenant.Authority: Hierarchical Tenant Descriptor; ServiceGroup/Service: Services Descriptor)
Service-Centricity
In the data model for an SVR network, services represent applications reachable by an IP address (such as a web server, database server, logging service, etc.).
Services are grouped into tenants, which are sub-networks that maintain their own sets of policies, access controls, and allowed network paths. To access a service (or services) within a tenant, you need to be a member of that tenant.
This approach turns the access control list (ACL) concept on its head, and drastically minimizes the configuration required for access control, or other policy applications.
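A strict parser for the QSN shape shown above, with a default-deny check for the rule that only members of a tenant may reach its services. This is an added example, not 128 Technology's code; the label syntax, the exact-match membership rule, and the sample tenants and services are assumptions.

```python
import re
from typing import NamedTuple

# Assumed label syntax; the page shows only the overall QSN shape.
LABEL = re.compile(r"[A-Za-z0-9][A-Za-z0-9_-]*")


class QSN(NamedTuple):
    tenant: tuple    # hierarchical tenant descriptor, most specific first
    service: tuple   # services descriptor, e.g. (ServiceGroup, Service)


def parse_qsn(text):
    """Split QSN://Subtenant.Tenant.Authority/ServiceGroup/Service strictly."""
    scheme, sep, rest = text.partition("://")
    if not sep or scheme != "QSN":
        raise ValueError("missing QSN:// scheme")
    tenant_part, _, service_part = rest.partition("/")
    tenant = tuple(tenant_part.split("."))
    service = tuple(service_part.split("/"))
    for label in tenant + service:
        # Empty or odd labels ("", "..", "a b") are rejected, never normalised.
        if not LABEL.fullmatch(label):
            raise ValueError(f"invalid label {label!r}")
    return QSN(tenant, service)


def may_access(member_of, qsn_text, services):
    """Default deny: the caller must belong to the tenant owning the service.

    Assumption: membership is an exact match on the tenant descriptor; the
    page does not say how access flows between levels of the hierarchy.
    """
    try:
        qsn = parse_qsn(qsn_text)
    except ValueError:
        return False
    return qsn in services and qsn.tenant in member_of


# Constructed sample data.
SERVICES = {parse_qsn("QSN://dev.engineering.acme/web/portal"),
            parse_qsn("QSN://finance.acme/db/ledger")}
```

Because names rather than addresses drive the decision, the parser rejects malformed names outright instead of trying to repair them.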
Service Federation: Creating Networks Without Borders
Enabling true end-to-end network services requires the ability to stretch virtual networks across boundaries, from the data center to the branch office, to the cloud. Doing this using current techniques requires complex “stitching” or overwrought orchestration schemes.
Secure Vector Routing enables delivery of applications and services across multiple networks and network segments, including address domains, security zones, firewalls, and private-public boundaries.
This is done via STEP (Service and Tenancy Exchange Protocol), a new kind of protocol designed to complement existing dynamic routing protocols with a global view of services, tenancy, and policy information.
STEP provides a number of benefits:
• Dramatic simplification and scale-out capabilities for provisioning and maintaining network-wide services topologies, QoS, and security policies
• Virtual network stretching across the fragmented infrastructure including data center, wide-area network, Internet, and the branch
• Automation of interconnect between different service providers, cloud providers and enterprises
The result? Greater simplicity, more flexible deployments, and a significantly expanded service reach.
We Do SVR
In fact, we invented it. The new SVR paradigm easily replaces or augments complex overlay networks and provides native advanced network functionality, improving security, control, and agility.
Implementing SVR does not mean you need to rip and replace your existing network. SVR is fully compatible with existing TCP/UDP network protocols and architectures. Existing components (routers, firewalls, IPS/IDS, load balancers, or any other devices) can stay in place. The SVR network can work seamlessly with existing architectures.
The point is, you can – when and wherever you need to – bring intelligence throughout the network.
To learn more, visit us at 128technology.com
[Figure: Control, Agility, Security]
200 Wheeler Road, Burlington, MA 01803
781.203.8400 | [email protected]
128technology.com
Copyright © 2016 128 Technology.
About 128 Technology
The company is focused on creating innovative software solutions that address a broad range of networking challenges across enterprises, service providers and cloud services.
We are a group of technologists and entrepreneurs who enjoy tackling big problems and aren’t afraid to defy convention and raise a few eyebrows. Our core team has a successful track record in creating disruptive network technology for delivering secure connectivity across global IP networks.
128 Technology understands that for many companies, networks are a core part of their business — and in some cases, the network is their business. The massive, rapid shift to cloud and mobile native applications places the importance of the network into even sharper relief.