Today’s IP networks are powered by decades-old routing technology that has been augmented with different technologies, such as overlays, to accommodate today’s use cases.
An overlay network is a logical network built on top of an existing physical or virtual network(s). Overlay networks are used to augment Ethernet or IP networks to deliver deterministic forwarding, network virtualization, security and segmentation across networks. In order to do this, overlay networks typically utilize tunneling protocols such as IPsec, MPLS, and VxLAN to enforce a desired traffic behavior. Unfortunately, these tunnel-based overlays pose a number of challenges, including adding performance overhead, complexity at scale, and network visibility challenges.
Overlay networks, and IPsec overlays in particular, have added complexity, made our networks too fragile and too expensive to deliver the security, control and agility needed to handle cloud, mobile and IoT applications. To weather today’s IP networking storm, it is critical to understand why overlay technologies are responsible for today’s network fragility and complexity.
As an example, let’s take a closer look at the challenges associated with IPsec overlays, which are primarily used when enterprises want to interconnect their networks, or when an enterprise uses an untrusted network, such as the internet, to connect its sites together.
- IPsec overlays add bandwidth, making them less efficient – Tunnels can consume anywhere from 5 to 40 percent of available network bandwidth depending on: what protocol is being used, whether the traffic is already encrypted, and whether the packet exceeds the maximum length allowed on a link and needs to be fragmented.
- IPsec overlays are difficult to scale – In an IPsec overlay, a router or firewall must maintain IPsec tunnel state and have the computing resources to encrypt the traffic. For small to medium implementations, this is usually not a challenge. However, as the size of the network grows, the network architecture, number of sites involved, the number of links per site, and the number of sub-networks per site can create significant scalability obstacles. Creating and maintaining thousands of IPsec tunnels across a full mesh consumes significant router or firewall resources, and substantial operational cycles to manage.
- IPsec overlays offer limited control and visibility – Because current routing technology has no understanding of sessions, and advanced network functions (such as firewalls and load balancers) have incomplete concepts of sessions, operators have no control over or visibility into the traffic within the IPsec tunnel.
As an alternative to piling on more overlays to provide path selection and segmentation, we propose rethinking routing with a session orientation. Unlike IPsec overlays, session-oriented routing operates more efficiently by not adding upfront addressing and sequencing overhead to every packet in a flow. While existing routers require the overhead because they are stateless and need to route each packet as a new one, the only overhead added in session-oriented routing is the encryption information (if the session needs to be encrypted at the network level).
Also, with a dynamic, stateful session-oriented approach to networks, enterprises can utilize routers, tenants, and services to handle millions of different secured sessions. Overlays do not scale as the number of sites, links and tenants increase.
While IPsec overlays are static and cannot adapt when network congestion and other events occur in a dynamic manner, session-oriented routing provides intelligent, native load balancing, security, network control and analytics that traditional packet and flow based routers cannot.
By rethinking routing with a session orientation, overlays can be eliminated and still enforce path selection and segmentation. Zero trust security and adaptive encryption can still be offered. Applications can be more tightly aligned with the underlying network capabilities. Many simultaneous sessions can be managed dynamically and intelligently end-to-end. In short, a network can be created that is fundamentally simpler, smarter, more secure and more transparent.