Sdwan-sec -- Handling IPsec configurations in large scale SD-WAN deployment with constrained resources
The SDWAN-SEC mailing list is for discussing optimized or simplified (and in some sense compromised) mechanisms for securing large scale SD-WAN deployments with constrained resources, especially the risks associated with the various simplifications of the IPsec protocol that utilize the SD-WAN central controller. The traditional IPsec scheme requires that in a fully meshed network, each device has to manage n² key exchanges and (n-1) keys. As an example, in a 1,000-node network, 1,000,000 key exchanges are required to authenticate the devices, and each node is responsible for maintaining and managing 999 keys. In addition, when an edge node has multiple tenants attached, the edge node has to establish multiple tunnels for those tenants. For example, in a network with N nodes, if a node A has 5 tenants attached to it, then node A has to maintain 5*(N-1) keys if each tenant needs to communicate with all other nodes. Therefore, simplification facilitated by the SD-WAN controller is needed for large scale deployment. However, it is necessary to identify the associated risks, so that the industry can make an informed decision on the risks that can be tolerated in each specific environment.
To see the collection of prior postings to the list, visit the Sdwan-sec Archives.
To post a message to all the list members, send email to
You can subscribe to the list, or change your existing subscription, in the sections below.
Subscribing to Sdwan-sec
Subscribe to Sdwan-sec by filling out the following form. You will be sent email requesting confirmation, to prevent others from gratuitously subscribing you. This is a private list, which means that the list of members is not available to non-members.