Fixing the Internet Using Secure Vector Routing

By No Jitter |
A massive networking transformation may be underway, enabled by applying the concept of sessions to all network traffic.

In IP communications, the concept of sessions has become second nature. Modern PBXs and video conferencing systems are built around the Session Initiation Protocol (SIP). At the network edge, session border controllers (SBCs), also operate on the concept of media sessions, securing and routing voice and video communications flows based on session rules and controls specified by a network administrator.

What would happen if we applied this idea of sessions to all network traffic, not just IP voice and video packets? The answer: a complete disruption of how routing is done throughout the Internet.

It Started with the SBC

Many in our industry will remember Acme Packet, an early SBC manufacturer that gained market prominence and was subsequently acquired by Oracle, in 2013. Following a short stint at Oracle, the Acme Packet engineering and leadership teams reassembled and began discussing how they could apply the concept of sessions to the Internet at large. Conceptually, the Internet is quite simple: It comprises a series of stateless routers that know how to forward packets to each other. Connecting a series of these routers together enables delivery of IP packets from a source device to a destination device or service.

This sounds simple, but the reality is that most networks need far more than just routing; they need a variety of “middle boxes” such as firewalls, load balancers, network address translation (NAT), deep packet inspection, overlays, and tunnels — all of which have session state and can manipulate packets. Each of these additional functions multiplies the number of devices in the network path, complicates the architecture, limits network scalability, and encumbers network management.

The Acme Packet team, now mostly reconstituted within a new company called 128 Technology, is simplifying network routing using the concept of sessions learned in the SIP world. The result is a secure, vector-routed network that is entirely software-based, “middle box” free, massively scalable, and, the company says, 90% to 95% less costly than a network using traditional routing.

How 128 Technology Is Disrupting Networking

The big differentiator that 128T brings to networking is the addition of session state to routing. The idea of session-based routing has been around for a long time; it is how 128T does it that is profound and highly disruptive.

In any IP network, packets are placed on the network when an application, called a source, needs to communicate over the network with some other application or service, called the destination. Each packet in such an exchange contains the source’s IP address and network port, the destination’s IP address and port, and the protocol. These five pieces of information are known as a “5-tuple.” At a high level, here’s what happens within a network using 128T routers:

  1. When a 128T router sees the 5-tuple in the first packet of a new flow, it identifies the flow as a new session and uses the 5-tuple along with an encryption mechanism to generate a unique session ID.
  2. The router then instantly maps this session ID to predetermined network policy for this type of session. If no policy is defined, the packet is discarded.
  3. The router then modifies the packet by adding encrypted metadata containing a) the new session ID, b) the original source and destination addresses, and c) the session policy information based on the rules resident in the router.
  4. Next the router selects the 128T router closest to the destination and places the first 128T router and the final 128T router addresses into the IP header. This path called a “waypoint.” By using 128T-specific waypoints, NAT is enabled on each end of the flow since the source and destination IP addresses in the original packet are hidden in the metadata and the packets routed through the network use 128T router addresses.
  5. The router then determines the actual physical path the packets should take between the 128T routers. This is called a vector; vectors are chosen based on network performance measurements, QoS requirements, and policies from all available paths. 128T routers can send everything over the same physical path, or it can split up sessions, if appropriate, so packets traverse multiple vectors (or network paths).
  6. The final 128T router in the path decrypts the metadata from the first packet and delivers the packet in its original form to the destination application or service.

After the first packet has been sent, the 128T routers map subsequent session packets to the unique session ID based on the 5-tuple. They change packet headers to reflect the 128T router waypoint addresses through the network and send the packets on their ways; no metadata is necessary for subsequent packets. The destination 128T router replaces the waypoint information in the packet header with the source and destination IP addresses, based on the session ID, and delivers each packet to the destination in its original form.

kelly_128t-1

Figure 1. The steps followed in 128 Technology’s secure vector routing mechanism, combining session awareness, first packet processing, and waypoints. In the above example, the waypoint is between the 128T routers, and there are five possible vectors individual packets may use for traversing the network between the 128T routers.

Although conceptually simple, the 128T approach is radically different from other routing mechanisms, and it brings enormous benefits:

Elimination of “middle boxes” along with incorporation of the best of network function virtualization (NFV) — 128T routers include all of the value-added capabilities typical of traditional routers, including firewall, deep packet inspection, load balancing, and NAT. 128T has integrated these capabilities within the software stack of its routers, making them all available to network administrators who are developing network policies. Furthermore, because 128T uses a software-based architecture, its approach is like NFV — with one big difference. The 128T technology integrates the network functions with management in a single interface along with a common reporting mechanism. Comparatively, most NFV solutions treat network functions as discrete capabilities “chained together,” managed separately, and with separate reporting mechanisms.

“Deny by default” secure networking — because the router gathers security and network policy based on the first packet, no packets can enter the network without a policy applicable to that packet and session type. If no rule exists, the router discards the packet. This enables “zero trust” networking based on a white list.

The benefits of software-defined WAN technology without CPU and bandwidth penalties — 128T’s routers add only 36 bytes of metadata to the first packet. SD-WAN mechanisms, because they are not based on sessions with state information, add between 100 and 124 bytes to each packet. Let’s consider this in context of a typical G.711 voice packet with 20 milliseconds of voice data. This packet starts out at 160 bytes in length. Add the 40-byte IP overhead (20 for the IP header information, eight for User Datagram Protocol, and 12 for Real-time Transport Protocol), and the typical G.711 packet grows to 200 bytes in length. 128T routers add 36 bytes of metadata to the first packet only; subsequent packets remain 200 bytes long. SD-WAN devices add 100 to 124 bytes to every packet, expanding each G.711 packet to a whopping 300 to 324 bytes in length. Thus, 128T routers require 33% less bandwidth per packet while consuming fewer CPU cycles on each end. Also to note, large packet sizes can cause fragmentation of real-time video flows, which in turn causes latency and jitter issues in video traffic.

G.729 voice packets suffer even more severe consequences. Normal G.729 packets are 40 bytes in length (including IP protocol overhead); with SD-WAN technology they become 140 to 164 bytes long. SD-WANs use three times more bandwidth with G.729 media flows than do 128T routers. The impact on available bandwidth is enormous over WAN links — especially on international circuits — that are typically bandwidth constrained in the first place.

SD-WANs also use IPsec, which encrypts all traffic. But, some flows already have encryption. For example, many IP communications media streams are encrypted when they leave an endpoint. Thus, SD-WANs re-encrypt already encrypted payloads, effectively “double encrypting” them with the attendant CPU overhead required to do so. Through policy, 128T routers recognize when a new session comes already encrypted, so 128T sessions do not suffer from double encryption overhead.

Double NAT security — 128T routers identify packets based on their unique 5-tuple signatures. When seeing packets in the same session with the same 5-tuple combination, the router immediately maps the packets to the unique session ID it has already created. Based on this ID, the router already knows to use the path set up for the very first packet. The 128T routers replace the 5-tuple with the waypoint path information, which hides the source and destination IP/port addresses. This is similar to what a NAT device does. When the packet arrives at the final 128T router in the path, the router, which knows the original source and destination IP addresses based on the session ID, simply replaces the waypoint addresses in the packet with the source and destination IP addresses. Thus, the final packet presented to the far end application or service is identical to the original sent by the source. This double NAT capability (NATs on both ends of the flow) eliminates the potential for man-in-the-middle attacks.

128T’s routers can work with existing network infrastructure — 128T routers can replace existing network routers and the middle boxes that surround them, or they can sit inside existing networks providing overlay and/or deterministic QoS pathways to sessions traversing them. They rely on standard networking industry protocols like Border Gateway Protocol and Open Shortest Path First.

Session detail records enable new business models — 128T routers create session detail records for every session and report on network performance during that session, including the number of dropped packets, number of TCP re-transmits, bandwidth consumed, etc. Network administrators can use this data to monitor the network, as well as to create new business models. For example, with ‘Net neutrality in jeopardy, content providers like Netflix, Facebook, and Hulu could pay for high-quality network connectivity to their content rather than having users pay for the bandwidth or having the network provider throttle it. (This would be similar to toll-free calling in voice world; in this case, however, the content provider pays the high-quality network connection costs.)

Secure Vector Routing

128T has coined the term “secure vector routing” to describe how it routes packets. Secure vector routing combines session awareness, first-packet processing, and waypoints. A real example may further explain how this works.

128T has a SaaS customer  that offers secure, compliant unified communications solutions via a cloud-based platform. This cloud provider has a healthcare client that must comply with HIPAA, ISO, PCI, and other regulatory guidelines, and therefore needs secure, segmented, QoS-enabled connections between its contact center and the cloud provider. For cost reasons, this healthcare company wants to use best-effort Internet as opposed to an MPLS connection.

Here is the architecture for this solution:

kelly_128tdiagram
Figure 2. A real 128 Technology deployment showing 128T routers working with existing network infrastructure between a cloud UC provider and a healthcare client. Note the availability of four deterministic waypoints over different network providers.

 

128T routers sit behind a traditional edge router and the corporate firewall at both the SaaS provider and the healthcare client locations. The cloud provider has two redundant links to the Internet via different carriers. The healthcare provider also has two redundant links to the Internet through two separate carriers. The 128T routers are configured so that they know of these redundant links, which provide four possible paths or vectors: A-C, A-D, B-C, and B-D.

The 128T routers send a Bidirectional Forwarding Detection packet (like an IPsec keepalive packet) every half second across each connection path to gather network performance characteristics for real-time routing decisions based on session policy and network conditions. Thus, they know how well all four of these possible network routes are performing at any given moment.

When a new session is started, a phone call in this instance, the 128T routers look at the four waypoint paths and route the packets across the vector that provides the best performance from a latency, jitter, and overall QoS perspective. Note that this is a bidirectional flow because both parties on the call are using voice, and packets are flowing in both directions.

The 128T routers continuously monitor the quality of the connection; should the selected path become congested, they’ll reroute the call within one to two seconds over a different vector path, thus preventing call failure. SD-WAN mechanisms typically take 15 seconds or longer to switch routes. Alternatively, SD-WAN devices use forward error correction, where the SD-WAN router sends duplicate packets over two links and reassembles them on the far end, which consumes even more bandwidth and may not correct the quality problem.

The 128T solution, which was built without touching existing network switches, routers, or firewalls on either end, provides multipath, QoS-enabled routing with real-time failover. A business manager at the healthcare organization deployed the solution bypassing the need for IT department resources (the cloud provider and 128T deployed and configured the 128T routers).

Licensing and Processing Power

128T offers its solution on a subscription basis with terms of either one or three years. Pricing is based on a specified capacity in megabits or gigabits that traverse the routers. At the end of each year, a “true-up” occurs in which 128T examines the routing capacity used above and beyond the contracted capacity. It then calculates the new capacity by looking at the 95th percentile of actual capacity used (this allows short bursts in traffic above the contracted capacity to be eliminated from consideration).

128T does not charge back for capacity used in the prior year above the contracted capacity. Nor does it charge for software maintenance or support or redundancy; organizations can run the 128T software on as many devices as they wish. 128T claims its solutions are 90% to 95% less expensive than other routing options when examined over a four-year TCO window.

The 128T router software will run on off-the-shelf processors, in virtual environments, or on cloud infrastructure from Azure, Amazon Web Services, and Google. 128T asserts that a simple Intel NUC device with a Quad Core Atom 1 processor can route up to one gigabit per second and a Xeon 2 14-core processor with a 6-GHz processor can route 40 Gbps. Thus, the solution can scale from the smallest to the largest applications.

Key Takeaways

Using ideas first developed for session-based IP multimedia flows, 128T has applied the concepts of session and state awareness to the much larger problem of “fixing the Internet” by fixing routing. The company’s technology can make Internet routing more deterministic with predictable QoS. 128T’s routers provide zero-trust security and state functionality without the need for middle boxes like firewalls, deep packet inspection devices, NAT, and load balancers. The overhead costs in terms of CPU processing and bandwidth, particularly for multimedia flows, are far less for 128T’s solution than they are for SD-WAN technologies or other tunneling mechanisms. The company’s software runs on a variety of CPUs and is licensed on a subscription model with pricing based on the number of gigabits of network traffic that traverses the router.

Although the 128T secure vector routing concept seems simple, it is radically different from what most other networking companies are doing. 128T won an innovation award at Interop in May 2017 for its technical approach. Right now, 128T has routers in production in several customer locations and an additional 50 pilot deployments are underway. The company is in its C Series round of funding with $57 million in total funding to date. 128T hopes to be worth $40 billion in the coming years.

For cloud-based voice and video providers in our industry as well as for enterprises seeking robust, secure, inexpensive networking technology, 128T may well be worth a look. Delivering a great quality of experience for users means insuring network performance for every session.

(Editor’s Note: The author has no affiliation with 128 Technology, nor has he been compensated by 128 Technology to write this article. He stated, “If this technology really does fix the Internet, then I need to know enough about it to discuss the concepts in an article!”)

 

Brent Kelly is President and Principal Analyst at Kelcor, Inc. 

The original article can be found here.

Contact Us

We're not around right now. But you can send us an email and we'll get back to you, asap.

Start typing and press Enter to search