A Straightforward Comparison of Cisco SD-WAN DTLS and TLS
Cisco SD-WAN uses the Datagram Transport Layer Security (DTLS) protocol to secure the control plane traffic between devices. DTLS is based on the TLS protocol but is designed to work over the UDP transport layer instead of TCP. Some key points about how DTLS works in Cisco SD-WAN:
DTLS is used to establish secure connections between Cisco vSmart Controllers, Cisco vBond Orchestrators, and Cisco vEdge routers.
When a device boots up, it generates an RSA public-private key pair. This key pair is used to encrypt the initial DTLS handshake between devices.
During the DTLS handshake, devices authenticate each other using X.509 certificates signed by a root CA. This ensures that only authorized devices can join the overlay network.
After successful authentication, devices establish a persistent DTLS connection. This connection uses the AES-256-GCM cipher to encrypt all control plane traffic, providing confidentiality.
The AES-GCM mode also provides data integrity by generating an authentication tag (a MAC) for each packet. The receiver verifies the tag to ensure the packet has not been tampered with in transit.
DTLS handles packet reordering, packet loss and fragmentation that can occur over the UDP transport layer.
DTLS supports perfect forward secrecy by generating a new set of symmetric encryption keys for each connection. This prevents decryption of previous sessions even if long-term keys are compromised.
Cisco SD-WAN devices rotate their AES keys frequently (by default, every 24 hours) to further strengthen security. This prevents attackers from decrypting sessions for an extended period of time.
In summary, DTLS provides the foundation for a secure control plane in Cisco SD-WAN by establishing encrypted and authenticated connections between devices. The encryption and message integrity ensure that only authorized devices can participate in the overlay network and that all control plane traffic remains private and tamper-proof.
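The certificate-based mutual authentication described above, as an added example that is not part of this page or of Cisco's software: Go's standard library has no DTLS implementation, so the code runs the same mutual X.509 authentication as a TLS 1.3 handshake over loopback TCP (the certificate exchange and the CA check are identical in DTLS). The root CA, the device names vsmart-1 and vedge-1, and the second "Unknown CA" are all constructed for the example. The vEdge whose certificate chains to the trusted CA completes the handshake; the vEdge whose certificate chains to the unknown CA is refused by the vSmart because ClientAuth is set to RequireAndVerifyClientCert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"net"
	"time"
)

// must panics on error: fine for a demo, not for device code.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// newCA builds a self-signed root CA, constructed here to stand in for the
// SD-WAN root CA that signs every device certificate.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key))
	return must(x509.ParseCertificate(der)), key
}

// issueDeviceCert signs a leaf certificate (hostname = name) with the given CA;
// the leaf is valid in both the client and the server role.
func issueDeviceCert(name string, ca *x509.Certificate, caKey *ecdsa.PrivateKey) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: name},
		DNSNames:     []string{name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey))
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}
}

// mutualHandshake runs one TLS 1.3 handshake over loopback TCP in which each
// peer must present a certificate chaining to trustedCA; nil means success.
func mutualHandshake(serverName string, server, client tls.Certificate, trustedCA *x509.Certificate) error {
	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // refuse peers without a trusted cert
		ClientCAs:    pool,
		MinVersion:   tls.VersionTLS13,
	}
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{client},
		RootCAs:      pool,
		ServerName:   serverName, // must match the server certificate's SAN
	}
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		conn := must(ln.Accept())
		defer conn.Close()
		srvErr <- tls.Server(conn, srvCfg).Handshake()
	}()
	conn := must(net.Dial("tcp", ln.Addr().String()))
	defer conn.Close()
	if err := tls.Client(conn, cliCfg).Handshake(); err != nil {
		return err
	}
	return <-srvErr
}

// RunScenarios issues certificates for a constructed vSmart and vEdge from the
// trusted CA plus a vEdge certificate from an unknown CA, and reports whether
// each vEdge completed the handshake with the vSmart.
func RunScenarios() (authorized, rogue bool) {
	ca, caKey := newCA("SD-WAN Root CA")
	rogueCA, rogueKey := newCA("Unknown CA")
	vsmart := issueDeviceCert("vsmart-1", ca, caKey)
	vedge := issueDeviceCert("vedge-1", ca, caKey)
	rogueEdge := issueDeviceCert("vedge-1", rogueCA, rogueKey)
	authorized = mutualHandshake("vsmart-1", vsmart, vedge, ca) == nil
	rogue = mutualHandshake("vsmart-1", vsmart, rogueEdge, ca) == nil
	return
}
```

RunScenarios is meant to be called from a test or a small main; it returns true for the authorized vEdge and false for the rogue one. The rejection happens on the vSmart side: the client's second flight still goes out, but the server's verification of the client certificate against ClientCAs fails and the handshake is aborted, which is the property that keeps unauthorized devices out of the overlay.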
Cisco SD-WAN uses either the Datagram Transport Layer Security (DTLS) protocol or the Transport Layer Security (TLS) protocol to secure the control plane traffic between devices. While both protocols are based on SSL and provide encryption, authentication and integrity, there are some key differences:
Transport layer - DTLS works over UDP, while TLS works over TCP. UDP is used for delay-sensitive applications like voice and video, while TCP provides reliability.
Handshake - The initial handshake in DTLS is similar to TLS but has some modifications to work over UDP. For example, it uses retransmission timers to ensure the handshake completes reliably.
Reliability - Since UDP is connectionless, DTLS has to implement its own mechanisms to handle packet loss, reordering and fragmentation. TLS relies on TCP for these functions.
Performance - DTLS has lower overhead since it does not have the TCP handshake and acknowledgments. This makes it faster for control plane traffic.
Cisco SD-WAN use - Cisco SD-WAN uses DTLS by default for the control plane between vEdges, vBond and vSmart. TLS can optionally be used if the reliability of TCP is preferred over DTLS performance.
Security - Both protocols provide the same level of security through encryption, authentication and integrity. The choice between DTLS and TLS is mainly based on performance and reliability requirements.
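The reordering and replay handling that DTLS has to provide for itself (the Reliability point above, and the earlier note that DTLS handles reordering and loss over UDP), as an added example that is not code from this page or from Cisco: a Go implementation of the sliding anti-replay window that DTLS adopts from IPsec (RFC 6347, section 4.1.2.6). Each DTLS record carries an explicit sequence number; the window lets records arrive out of order within its width while rejecting duplicates and records older than the window. TLS needs none of this because TCP delivers the byte stream in order. The arrival order in SampleArrivals is constructed for the example.

```go
package main

import "fmt"

// ReplayWindow is the sliding-window anti-replay check of RFC 6347 section
// 4.1.2.6. right is the highest sequence number accepted so far; bit i of the
// bitmap records whether sequence number right-i has already been accepted.
// The zero value is an empty window whose first record may be sequence 0.
type ReplayWindow struct {
	size   uint64 // window width in records (at most 64 with a uint64 bitmap)
	right  uint64
	bitmap uint64
}

// NewReplayWindow creates a window; RFC 6347 suggests 64 as a default width.
func NewReplayWindow(size uint64) *ReplayWindow {
	if size == 0 || size > 64 {
		size = 64
	}
	return &ReplayWindow{size: size}
}

// Accept reports whether a record with sequence number seq should be
// processed, advancing or filling the window when it is. In a real stack the
// window is only updated after the record's AEAD tag has verified, so a
// forged packet cannot move it.
func (w *ReplayWindow) Accept(seq uint64) bool {
	switch {
	case seq > w.right: // new high-water mark: slide the window to the right
		if shift := seq - w.right; shift >= w.size {
			w.bitmap = 0 // everything seen so far falls out of the window
		} else {
			w.bitmap <<= shift
		}
		w.bitmap |= 1
		w.right = seq
		return true
	case w.right-seq >= w.size: // older than the window: cannot tell if replayed
		return false
	default: // inside the window: accept once, reject replays
		bit := uint64(1) << (w.right - seq)
		if w.bitmap&bit != 0 {
			return false
		}
		w.bitmap |= bit
		return true
	}
}

// Process feeds an arrival order of sequence numbers through a fresh window
// and returns, for each record, whether it was accepted.
func Process(size uint64, arrivals []uint64) []bool {
	w := NewReplayWindow(size)
	out := make([]bool, len(arrivals))
	for i, seq := range arrivals {
		out[i] = w.Accept(seq)
	}
	return out
}

// SampleArrivals is a constructed arrival order: a reordered pair (4 before
// 3), a replayed record (the second 2), a jump to 70 that ages 5 and 6 out of
// the window, and a late but in-window record (150 after 200) followed by
// its replay.
var SampleArrivals = []uint64{1, 2, 4, 3, 2, 70, 5, 6, 200, 150, 150}

func main() {
	for i, ok := range Process(64, SampleArrivals) {
		fmt.Printf("seq %3d -> accepted=%v\n", SampleArrivals[i], ok)
	}
}
```

With a 64-record window the sample yields accept, accept, accept, accept, reject (replay of 2), accept (70), reject, reject (5 and 6 are now older than the window), accept (200), accept (150 is late but within 64 of 200), reject (replay of 150). Over TCP the same late or duplicated segments never reach the TLS layer, which is the concrete meaning of "TLS relies on TCP for these functions".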
Recommendation for Cisco SD-WAN
DTLS is recommended by default for the control plane in Cisco SD-WAN since it provides better scalability and performance.
TLS can be used if the reliability of TCP is preferred over the performance of DTLS. This is typically needed if the devices are behind firewalls that only allow TCP traffic.
In summary, the key differences are:
| Aspect | DTLS | TLS |
|---|---|---|
| Transport layer | UDP | TCP |
| Handshake | Modified for UDP | Leverages TCP reliability |
| Reliability | Implements its own mechanisms | Relies on TCP |
| Performance | Generally better | Depends on network conditions |
| Recommendation | Default for control plane | When TCP reliability is needed |