Exam 400-007
Question 11

SD-WAN networks capitalize on the use of broadband Internet links rather than traditional MPLS links to offer greater cost benefits to enterprise customers. However, because of the insecure nature of the public Internet, traffic between any two SD-WAN edge devices installed behind NAT gateways must be encrypted.

Which overlay method can provide optimal transport over unreliable underlay networks that are behind NAT gateways?

Correct Answer: A

Optimal transport over unreliable underlay networks behind NAT gateways can be provided efficiently by Datagram Transport Layer Security (DTLS). DTLS is designed to secure datagram-based applications, allowing them to communicate securely in environments prone to packet loss, reordering, and fragmentation, which is typical of UDP-based communication over public Internet links. DTLS also supports NAT traversal and handles the dynamic nature of such networks effectively. It is therefore well suited to securing SD-WAN traffic over broadband Internet links, especially when NAT gateways are involved.

Discussion
namashivaya (Option: C)

Edge-to-edge communication uses IPsec, be it behind NAT or without NAT: https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#Components

bdp123 (Option: C)

I believe they are referring to the protocol between any two edge devices. DTLS or TLS is used between an edge device and the vSmart or vBond devices, and IPsec is used between edge devices. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/security-overview.html

Seawanderer (Option: A)

• DTLS is designed to provide security for datagram-based applications by allowing them to communicate in a way that prevents eavesdropping, tampering, and message forgery. It is based on TLS, but adapted for use over UDP, which makes it suitable for unreliable networks.
• DTLS supports NAT traversal and can handle the packet loss, reordering, and fragmentation typical of UDP-based communication over public Internet links.
• This makes DTLS an excellent choice for securing SD-WAN traffic over broadband Internet links, especially when NAT gateways are involved.

Rim007 (Option: C)

IPsec is the answer in my opinion, because Viptela uses IPsec between vEdges.

Horvoe (Option: C)

This actually makes sense: https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/security-overview.html

cryptotafkar (Option: A)

One of the primary challenges with IPsec is its compatibility with NAT (Network Address Translation). IPsec was designed before NAT became prevalent, and as a result, it can experience difficulties traversing NAT devices. Although there are extensions like NAT-T (NAT Traversal) that help IPsec to work better with NAT, the process can still be more complex and less reliable than DTLS, which was designed with NAT traversal in mind.

Redrum702 (Option: A)

Answer is A

XalaGyan (Option: A)

Guys, please help me understand this question. Keywords are encryption + overlay protocol + SD-WAN (no specific Cisco/Viptela hints) + unreliable underlay + NAT. Unreliable underlay = UDP in my head = Datagram. NAT = TLS derivatives or IPsec NAT-T. Overlay: the possible options are DTLS and IPsec. For IPsec I remember having used encryption accelerator cards, meaning heavy CPU needed. For TLS I have never had any specific requirements and it worked, hence I assume that it is easier on the CPU and opt for TLS. Final thought, taking all the above together, is DTLS, which is a supported overlay, supports unreliable networks by virtue of UDP and provides encryption. My answer will be A / DTLS. Please share your thoughts on where I went wrong along the path. Thank you.