
IPsec UDP Mode in Silver Peak Unity EdgeConnect

Challenges with Traditional IKE-Based IPsec

Traditional site-to-site IP VPNs use IKE (Internet Key Exchange) to establish a security association (SA) between two endpoints. While IKE is well established as the control plane for IPsec VPNs, it suffers from the following challenges.

OPERATING WITH ADDRESS TRANSLATION

In order to conserve and protect private address spaces, enterprises deploy Network Address Translation (NAT), which can translate just addresses (NAT) or addresses and ports (PAT). This can be implemented by enterprise IT teams, by carriers that provide WAN transport, or by both. When implemented by carriers, it is referred to as Carrier-Grade NAT (CG-NAT). The NAT traversal feature in IKE solves the address translation problem to some extent. However, it fails if there are multiple devices at the branch, including other non-Silver Peak devices like client machines, laptops, mobile devices, other branch firewalls and routers that may have their own VPN requirements.

When 4G LTE WAN circuits are used, network admins cannot dedicate public static IP addresses. A reliable mechanism is needed to connect the different branch appliances through different carrier networks and addressing schemes.

DISABLING STOLEN DEVICES

IPsec with IKE was designed for an environment where the parties on both sides of a connection don't trust each other. IKE traditionally provides pre-shared keys or certificate-based authentication. Public Key Infrastructure (PKI) or certificate authentication is considered better than pre-shared keys for authentication and key distribution, as it is based on digital signatures and a trusted hierarchical model.

Silver Peak | Whitepaper 01


However, the PKI model falls short when handling stolen appliances. Those appliances can still communicate with the network until their certificates expire, in days, weeks or months, or until they are revoked by human intervention. If many appliances are involved, it is far more complicated to revoke all of them. Therefore, the PKI model alone is not sufficient for SD-WAN networks with branch appliances.

SECURE SCALABILITY CHALLENGE

SD-WAN network topologies can be hub and spoke, full mesh, or both. The number of sites can be several hundred or even thousands. IPsec with IKE is intended for site-to-site VPNs and was not designed for full-mesh IPsec connectivity in an SD-WAN network, where the number of tunnels grows quadratically with the number of sites. For example, n sites in a fully meshed topology require n*(n-1)/2 tunnels, which is on the order of n². Operationally, managing key distribution, key rotation (rekey), and tunnel setup and teardown for thousands of tunnels in a secure and timely manner, without loss of network or site availability, is very complex, time-consuming and subject to human error. Although PKI solves the key distribution problem better than pre-shared keys, in that there are no shared secrets, PKI still requires on the order of n² key negotiations and does not solve the scalability challenge.

BLOCKING BY NATION STATE FIREWALLS

Traditional IKE uses well-known ports (UDP port 500, and UDP port 4500 for NAT traversal), so it is easy for a nation state to configure its firewall to block IKE.

RATE-LIMITING BY CARRIERS

Carriers providing WAN transport can also rate-limit or block the traffic easily, since the ports are well known.

What IPsec UDP Solves

A Unity EdgeConnect™ SD-WAN builds its virtual WAN overlays, referred to as Business Intent Overlays, using end-to-end IPsec VPN tunnels. IPsec UDP mode, also known as 'IKE-less' mode, is the recommended and default mode for automatically setting up IPsec tunnels between EdgeConnect appliances. It is flexible, secure and robust, and is deployed in production by many Silver Peak global customers. Silver Peak also supports the legacy IKE mode to build third-party IPsec tunnels with non-Silver Peak devices.

IPsec UDP mode uses standards-based IPsec (ESP) encryption, encapsulated in UDP on configurable ports. The control channel, however, does not use IKE; it uses the Silver Peak Unity Orchestrator™ for authentication, key distribution and key management.

Orchestrator is a trusted entity. It is deployed in the enterprise data center and is a protected asset. Silver Peak also provides a fully managed Cloud Orchestrator that is implemented on SOC-3 and FedRAMP compliant AWS infrastructure. In either case, Orchestrator performs the function of a Certificate Authority, in that it distributes key material and authenticates EdgeConnect appliances.

IPsec UDP tunnels help solve the following challenges and issues:

OPERATING WITH ADDRESS TRANSLATION

>> Multiple IPsec devices at the same branch

IPsec UDP mode in EdgeConnect supports NAT traversal, PAT and CG-NAT. In a particular branch, there may be more than one EdgeConnect appliance, in standalone or EdgeConnect HA mode. There may also be other non-Silver Peak devices with VPN requirements.

>> Support for 4G LTE WAN circuits

When 4G LTE is used as a WAN circuit, it is not possible to dedicate static public IPs to the branch. IP addresses change on an LTE circuit, and there is added complexity when LTE is used alongside wireline (Ethernet, fiber) WAN circuits that have different address translation mechanisms.



In all cases of address translation, IPsec UDP mode helps reliably connect one or more devices at the branch to other branches, hubs, data centers or the internet through different forms of NAT. More detailed use cases are discussed in the Support for NAT section below.

EXPOSURE FROM STOLEN DEVICES IS STRICTLY CONTAINED

By using a trusted entity like Silver Peak Orchestrator, in the data center or hosted in the cloud, EdgeConnect simplifies the authentication process and provides security throughout the lifecycle of an appliance. If an appliance is stolen, lost in shipment or RMA-ed, it cannot contact the Orchestrator in the data center or cloud, and key rotation fails for it. The appliance is automatically removed from the network and alarms are sent to the administrator. A stolen device can also be immediately taken out of the network by an IT administrator with a single click in the Orchestrator.

SECURE SCALABILITY AND OPERATIONAL EFFICIENCY WITH ORCHESTRATION

Silver Peak uses unique encryption keys that are never repeated. For example, the encryption key for a tunnel is directionally unique: the key for tunnels from appliance A to appliance B (A->B) is different from the key for tunnels from B to A (B->A). Key rotation limits the damage of a possible future compromise: because each interval's ephemeral key material is generated fresh rather than derived from the previous interval's, the encryption key in use at any point in time cannot be used to derive past encryption keys, so previous tunnels between the two appliances are not exposed. Orchestrator manages the unique encryption keys, which reduces the tunnel setup time compared with IKE. This is efficient for SD-WAN networks with hundreds or thousands of tunnels. Rekey (key rotation) happens in a timely manner, and there is no loss of service when tunnels are rekeyed.

TRAVERSAL OF NATION STATE FIREWALLS

Silver Peak has several successful implementations of IPsec UDP tunnels deployed by global enterprises in countries where there is a known nation state firewall.

MITIGATION OF CARRIER RATE LIMITING

Multiple, different UDP ports for IPsec can be easily orchestrated across hundreds of sites. This makes it more difficult for carriers to rate-limit or block the traffic using upstream firewalls.



Properties compared: IKE with pre-shared keys (PSK) and IPsec; IKE with PKI-based authentication and IPsec; Silver Peak "IKE-less" IPsec UDP.

Blocking and rate limiting
  IKE PSK: easy to block ports 500 and 4500
  IKE PKI: easy to block ports 500 and 4500
  IPsec UDP: UDP ports are configurable and can differ per tunnel, so a static port rule does not catch them

Multiple VPN devices behind NAT
  IKE PSK: cannot distinguish multiple IPsec devices behind upstream NAT
  IKE PKI: cannot distinguish multiple IPsec devices behind upstream NAT
  IPsec UDP: NAT discovery and NAT traversal handle multiple VPN devices behind NAT

Exposure from stolen devices
  IKE PSK: no protection
  IKE PKI: no protection as is; needs proper revocation management in place, and human intervention to revoke certificates
  IPsec UDP: a stolen device cannot communicate with the SD-WAN network after the next key rotation interval, since it cannot reach Orchestrator in the customer's data center; an administrator can permanently revoke access by removing the device approval in Orchestrator

Scalability
  IKE PSK: PSKs are simpler to manage, but still require on the order of n² key negotiations for n sites in full mesh
  IKE PKI: uses device certificates for authentication; still requires on the order of n² key negotiations and extensive certificate lifecycle management
  IPsec UDP: key negotiation and rotation happen automatically and in a timely manner for hundreds or thousands of appliances

Operational efficiency
  IKE PSK: PSKs must be configured for all tunnel pairs for hundreds or thousands of devices
  IKE PKI: certificates and their lifecycle must be managed for hundreds or thousands of devices
  IPsec UDP: managed automatically by Orchestrator

Key distribution and management
  IKE PSK: common shared secrets (insecure) are used to build tunnels
  IKE PKI: unique keys per tunnel, per device pair, per direction, but requires extensive certificate lifecycle management by IT admins
  IPsec UDP: unique keys per tunnel, per device pair, per direction, maintained automatically by Orchestrator for hundreds or thousands of appliances

Confidentiality and integrity (all three)
  End-to-end encryption (AES-256-CBC by default) with HMAC-SHA1 through HMAC-SHA512

Table 1: Comparison of Pre-shared Keys, PKI and IPsec UDP



How IPsec UDP Works

The following is a deeper technical drill-down on some of the properties of IPsec UDP tunnels in the Silver Peak EdgeConnect SD-WAN edge platform.

Secure Zero Touch Provisioning and Authentication

Secure provisioning and authentication ensure that only authorized appliances are admitted into the SD-WAN network at all times. It is "zero touch" because provisioning new appliances into the SD-WAN requires no specialist onsite IT administrators to install and configure appliances at a branch.

Device-level authentication is performed over TLS in the management plane. The Silver Peak Cloud Portal and Orchestrator are trusted entities. Cloud Portal maintains the relevant licensing information, including the account name and key, licensing details and asset serial numbers. Customer administrators approve and authorize EdgeConnect SD-WAN appliances into the network. In addition, Orchestrator supports multi-factor authentication for additional access control. If a device is compromised, stolen or needs to be decommissioned, the customer admin can remove the device's authentication and approval from Orchestrator with one click. A stolen device can also be automatically deprovisioned through key rotation; this is discussed in the section on Key Distribution and Management.

In all cases, an unauthorized or stolen device cannot connect to the SD-WAN network: it cannot download a configuration or build tunnels, and is excluded from joining the network.

Figure 2: Secure zero-touch provisioning and authentication



Key Distribution and Management

Orchestrator automatically manages all elements of key distribution and key rotation. It generates ephemeral key material and distributes it to all EdgeConnect appliances in the network over TLS connections. Ephemeral key material is rotated every 24 hours by default; it can be configured to rotate as frequently as every 60 minutes. Each EdgeConnect appliance also has persistent key material for communications between a pair of appliances, per direction. The data encryption key for the IPsec tunnel from appliance A to appliance B (A->B) is derived by combining the ephemeral key material with the persistent key material for that tunnel and direction. The encryption key for the IPsec Security Association (SA) A->B is therefore different from the key for the SA B->A.

Failure Handling and Orchestrator Reachability

Orchestrator distributes key material to all EdgeConnect appliances in the network. Just before the end of a key rotation interval, Orchestrator activates new ephemeral key material for all of the EdgeConnect appliances in the SD-WAN network. The appliances must be reachable from Orchestrator for the key material to be activated. There are two cases of unreachability:

1. Inactive appliances: inactive appliances exist in Orchestrator but do not have tunnels configured to any active appliances.

2. Temporary unreachability: temporary unreachability occurs when an EdgeConnect appliance reboots or when there is a link or communication failure. In this case, Orchestrator does not activate the new key material until all active appliances are reachable and have received it; a single unreachable active appliance therefore holds back rotation for the whole network until it answers again or is reclassified. If an appliance is unreachable for longer than the key rotation interval, it is treated as an inactive appliance.

Re-authorization: inactive appliances that become active at a later point in time must be re-authorized before they receive the current key material. Only then can they download configuration and build tunnels.

Figure 3: Silver Peak IPsec Key Management
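The derivation and rotation rules above (and FAQ items 3, 4, 6 and 7 below, which restate them) as an added Python model. This is example code, not Silver Peak's implementation: the paper says the data key is formed by "combining" ephemeral and persistent material and that Orchestrator generates the material with the Java random number library, but it names neither the combining function, the sizes nor the generator class. HKDF-SHA256, 32-byte material, the context labels, secrets.token_bytes as the CSPRNG and the reachability bookkeeping are all assumptions. The model shows the properties the text claims: per-direction keys differ, a rotation yields an unrelated key, one unreachable active appliance defers activation for everyone, and an appliance that misses more than one interval is treated as inactive and can no longer derive the keys its peers use.

```python
"""Model of the IKE-less key distribution described above (added example, not Silver
Peak code). HKDF-SHA256, 32-byte material, labels and bookkeeping are assumptions;
secrets.token_bytes stands in for the Java random number library the FAQ mentions."""
import hashlib
import hmac
import secrets


def hkdf_sha256(salt: bytes, ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF: extract a PRK from (salt, ikm), then expand it with info."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_sa_key(ephemeral: bytes, persistent: bytes, src: str, dst: str) -> bytes:
    """Data key for the SA src->dst. The direction is bound into 'info', so A->B and
    B->A differ even if the same material were ever reused."""
    return hkdf_sha256(salt=ephemeral, ikm=persistent, info=f"sa:{src}->{dst}".encode())


class Orchestrator:
    """Key material, appliance state and the rotation rule from 'Failure Handling'."""

    def __init__(self, devices):
        self.epoch = 0                        # rotation interval counter
        self.ephemeral = secrets.token_bytes(32)
        self.active = set(devices)            # have tunnels to other active appliances
        self.inactive = set()
        self.unreachable_since = {}           # device -> epoch at which it stopped answering
        # persistent material is per tunnel and per direction, never per overlay
        self.persistent = {(a, b): secrets.token_bytes(32)
                           for a in devices for b in devices if a != b}
        # material each appliance currently holds (delivered over TLS in the real system)
        self.delivered = {d: self.ephemeral for d in devices}

    def sa_key(self, src: str, dst: str) -> bytes:
        """Key the network is currently using for src->dst."""
        return derive_sa_key(self.ephemeral, self.persistent[(src, dst)], src, dst)

    def device_key(self, holder: str, src: str, dst: str) -> bytes:
        """Key an appliance derives locally from the material it was given (FAQ 7):
        the key itself never crosses the wire."""
        return derive_sa_key(self.delivered[holder], self.persistent[(src, dst)], src, dst)

    def rotate(self, reachable: set) -> bool:
        """End of a rotation interval. Returns True if new material was activated."""
        self.epoch += 1
        candidate = secrets.token_bytes(32)   # fresh, not derived from the previous material
        for dev in list(self.active):
            if dev in reachable:
                self.unreachable_since.pop(dev, None)
            elif dev in self.unreachable_since:
                self.active.discard(dev)      # unreachable longer than one interval
                self.inactive.add(dev)        # -> treated as inactive
            else:
                self.unreachable_since[dev] = self.epoch
        if any(dev in self.unreachable_since for dev in self.active):
            return False                      # temporary unreachability defers everyone
        for dev in self.active:
            self.delivered[dev] = candidate
        self.ephemeral = candidate
        return True

    def reauthorize(self, dev: str) -> None:
        """Administrator re-approves an inactive appliance; only now does it get material."""
        self.inactive.discard(dev)
        self.unreachable_since.pop(dev, None)
        self.active.add(dev)
        self.delivered[dev] = self.ephemeral

    def revoke(self, dev: str) -> None:
        """One-click removal of the device approval."""
        self.active.discard(dev)
        self.inactive.discard(dev)
        self.delivered.pop(dev, None)


def demo() -> dict:
    """Walk three appliances through rotation, a theft and a revocation."""
    orch = Orchestrator(["A", "B", "C"])
    k_ab, k_ba = orch.sa_key("A", "B"), orch.sa_key("B", "A")
    ok1 = orch.rotate(reachable={"A", "B", "C"})    # all reachable: activates
    k_ab_next = orch.sa_key("A", "B")
    ok2 = orch.rotate(reachable={"A", "B"})         # C stolen: first miss defers rotation
    ok3 = orch.rotate(reachable={"A", "B"})         # second miss: C becomes inactive
    stale_c = orch.device_key("C", "C", "A")        # best C can still derive
    isolated = ok3 and "C" in orch.inactive and stale_c != orch.sa_key("C", "A")
    orch.revoke("C")
    return {
        "directional": k_ab != k_ba,
        "rotated": ok1 and k_ab_next != k_ab,
        "deferred_while_unreachable": not ok2,
        "stolen_device_isolated": isolated,
        "revoked": "C" not in orch.delivered,
    }
```

demo() returns True for each of the five properties. The deferral behaviour is worth dwelling on: under the rule as the paper states it, a stolen appliance buys the network one extra interval of the old key before it is dropped, which is the argument for the one-click revocation rather than waiting for rotation.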



Support for NAT

The following are the use cases, or combinations of possible types of NAT, between any pair of connected EdgeConnect appliances. The UDP source ports indicated below are assigned by Orchestrator for IPsec UDP tunnels. The firewall devices shown as black icons depict upstream NAT performed by the enterprise or by carriers. Ports 10002 and 11002 are the default IPsec UDP ports used by Silver Peak.

UNSUPPORTED USE CASE:

Currently, CG-NAT or PAT at both ends is not supported. This is usually avoided by having one-to-one NAT or public IP addresses at the other end, as depicted in the earlier use case.



Multiple Branch Devices

Multiple Silver Peak EdgeConnect appliances at a branch can be configured in EdgeConnect HA mode. There may also be multiple appliances at a site that are not configured for HA, and there can be other non-Silver Peak devices at the branch that operate their own VPNs. All of these deployment options may be supported at a branch.

As depicted in the Support for NAT section, an EdgeConnect HA configuration at the remote destination can sit behind a public IP address or one-to-one NAT, but not behind PAT or CG-NAT.



Packet Formats

Control Plane

IKE (ISAKMP) packets negotiate the control channel in legacy 'IPsec' mode. Since UDP port 500 is used for both source and destination, the exchange can be blocked easily.

[Outer IP Header] [UDP (src, dst 500)] [ISAKMP Header] [Control Data (partly encrypted)]

Figure 4: IKE/ISAKMP packet

Data Plane

TRADITIONAL IKE, IPSEC PACKET FORMATS

The original packet to be encrypted is a regular TCP/IP or UDP/IP packet. Hereafter it is referred to as the 'Encrypted Packet' in the subsequent IPsec packet diagrams.

[Original IP Header] [TCP/UDP Header] [Payload]

Figure 5: Original packet (to be encrypted)

[Outer IP Header] [ESP Header] [Encrypted Packet] [ESP Trailer] [ESP Auth]

Figure 6: Traditional IPsec (ESP) packet

[Outer IP Header] [UDP Header, NAT-T (src, dst port 4500)] [ESP Header] [Encrypted Packet] [ESP Trailer] [ESP Auth]

Figure 7: Traditional IPsec (ESP) packet with NAT-Traversal

SILVER PEAK OVERLAY ENCAPSULATIONS

The Silver Peak encapsulation uses a GRE header to carry a proprietary Silver Peak header. The Silver Peak header contains fields for loss and latency measurements, overlay identification and WAN optimization. Both headers sit inside the ESP payload, after the ESP header and before the encrypted original packet.

[Outer IP Header] [ESP Header] [GRE Header] [Silver Peak Header] [Encrypted Packet] [ESP Trailer] [ESP Auth]

Figure 8: Traditional IPsec (ESP) packet with Silver Peak encapsulation

When NAT Traversal is on in the legacy IPsec mode (with IKE), the UDP source and destination ports are 4500. They can be easily blocked by ISPs or nation state firewalls.

[Outer IP Header] [UDP Header, NAT-T (src, dst port 4500)] [ESP Header] [GRE Header] [Silver Peak Header] [Encrypted Packet] [ESP Trailer] [ESP Auth]

Figure 9: Traditional IPsec (ESP) packet with NAT-Traversal and Silver Peak encapsulation

IPsec UDP with Silver Peak encapsulation uses configurable UDP source and destination ports, which makes it difficult for ISPs or nation state firewalls to block.

[Outer IP Header] [UDP Header (configurable src, dst ports)] [ESP Header] [GRE Header] [Silver Peak Header] [Encrypted Packet] [ESP Trailer] [ESP Auth]

Figure 10: IPsec UDP (ESP) packet with Silver Peak encapsulation
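To make the port-based blocking argument of this section concrete, here is an added Python example, not Silver Peak code, that builds the encapsulations of Figures 4, 7 and 10 from constructed bytes and runs both a legacy port-based block rule and a dissector over them. Assumptions: the default ports 10002/11002 from the Support for NAT section, random bytes in place of the ESP ciphertext (so the GRE and Silver Peak headers, which are inside the ESP payload, never appear), and IKEv2 header field values for the control-plane sample. The practitioner point: the rule on 500/4500 catches Figures 4, 7 and 9 but not Figure 10, while the ESP SPI and sequence number stay readable on any port, so the encapsulation is harder to block by port, not invisible.

```python
"""Dissect the outer layers of the Figure 4, 7 and 10 encapsulations to show what a
port-based firewall rule sees. Added example, not Silver Peak code; the packets are
constructed here, 10002/11002 are the default IPsec UDP ports the paper names, and the
ESP field layout follows RFC 4303 (only SPI and sequence number are in the clear)."""
import secrets
import struct

IKE_PORT, NATT_PORT = 500, 4500
IPSEC_UDP_DEFAULTS = (10002, 11002)        # default IPsec UDP ports named in the paper
NON_ESP_MARKER = b"\x00\x00\x00\x00"       # RFC 3948: IKE inside UDP/4500 starts with 4 zero bytes


def ipv4_udp(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Outer IPv4 + UDP headers (checksums left zero; they do not affect classification)."""
    udp_len = 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 0, 0, 64, 17, 0,
                     bytes([10, 0, 0, 1]), bytes([192, 168, 1, 2]))
    return ip + struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload


def ikev2_header() -> bytes:
    """28-byte IKEv2 header (RFC 7296): initiator/responder SPI, next payload SA(33),
    version 2.0, exchange IKE_SA_INIT(34), initiator flag, message id 0, length."""
    return struct.pack("!8s8sBBBBII", secrets.token_bytes(8), bytes(8), 33, 0x20, 34, 0x08, 0, 28)


def esp(spi: int, seq: int, ciphertext_len: int = 64, icv_len: int = 12) -> bytes:
    """ESP (RFC 4303): clear SPI and sequence number, then ciphertext and ICV. In
    Figure 10 the GRE header, the Silver Peak header and the original packet are all
    inside the ciphertext (random bytes stand in for it here)."""
    return struct.pack("!II", spi, seq) + secrets.token_bytes(ciphertext_len + icv_len)


def udp_view(frame: bytes) -> tuple:
    """(src_port, dst_port, udp_payload) of an IPv4/UDP frame."""
    ihl = (frame[0] & 0x0F) * 4
    if frame[9] != 17:
        raise ValueError("not UDP")
    sport, dport = struct.unpack("!HH", frame[ihl:ihl + 4])
    return sport, dport, frame[ihl + 8:]


def legacy_port_rule_drops(frame: bytes, blocked=(IKE_PORT, NATT_PORT)) -> bool:
    """The firewall behaviour the paper describes: drop on the well-known IKE/NAT-T ports."""
    sport, dport, _ = udp_view(frame)
    return sport in blocked or dport in blocked


def classify(frame: bytes) -> str:
    """Name the encapsulation from what is visible in the clear."""
    sport, dport, body = udp_view(frame)
    if IKE_PORT in (sport, dport):
        return "ike"                                                      # Figure 4
    if NATT_PORT in (sport, dport):
        return "natt-ike" if body[:4] == NON_ESP_MARKER else "natt-esp"   # Figures 7 and 9
    if len(body) >= 8 and body[:4] != NON_ESP_MARKER:
        # Figure 10: the port is whatever Orchestrator assigned, so a single packet only
        # looks like ESP; a flow with a constant SPI and increasing seq is the real tell.
        spi, seq = struct.unpack("!II", body[:8])
        return f"possible-esp spi=0x{spi:08x} seq={seq}"
    return "udp-other"


def demo() -> dict:
    """Constructed samples: what a port rule catches versus what it misses."""
    samples = {
        "ike": ipv4_udp(IKE_PORT, IKE_PORT, ikev2_header()),
        "natt_esp": ipv4_udp(NATT_PORT, NATT_PORT, esp(0x1001, 1)),
        "natt_ike": ipv4_udp(NATT_PORT, NATT_PORT, NON_ESP_MARKER + ikev2_header()),
        "ipsec_udp": ipv4_udp(*IPSEC_UDP_DEFAULTS, esp(0x2002, 7)),
    }
    return {name: (classify(f), legacy_port_rule_drops(f)) for name, f in samples.items()}
```

demo() maps each sample to (classification, dropped by the 500/4500 rule): the three legacy encapsulations come back True, the IPsec UDP sample comes back False with its SPI and sequence number still readable.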



Conclusion

With more than 1,000 EdgeConnect production deployments around the world and growing, Silver Peak has gained extensive field experience providing secure SD-WAN solutions for the world's largest global enterprises. IPsec UDP deployments comprise approximately 15 percent of these deployments to date and are rapidly increasing as security becomes an increasingly important SD-WAN criterion. Silver Peak provides the most holistic approach to SD-WAN security in the industry, including a robust IPsec UDP implementation for EdgeConnect-to-EdgeConnect secure tunnels and business intent overlays.

FAQ

1. Can I still use standard IKE/IPsec instead of IPsec UDP for EdgeConnect to EdgeConnect tunnels?
Yes, the legacy 'IPsec' mode, which is IPsec with IKE, is still supported.

2. What about IPsec to non-Silver Peak devices?
The legacy 'IPsec' mode (with IKE) is used to build tunnels to non-Silver Peak devices that support standards-based IPsec.

3. Is there a pre-shared key per overlay, or a pre-shared key per overlay and connection?
It is not a pre-shared key. The data path key is unique per appliance, per tunnel, per direction and per key rotation interval. It is derived from ephemeral key material that changes every key rotation interval (24 hours by default, configurable down to 60 minutes) and persistent key material per tunnel and direction. See the Key Distribution and Management section for details.

4. Is there a separate unidirectional key for each overlay for encrypting the traffic between two nodes?
Keys are per underlay tunnel, not per overlay: each direction of each underlay tunnel is assigned a unique encryption key that changes every key rotation interval.

5. How is the random seed (key material) generated for IKE-less IPsec?
We use the Java random number library in Orchestrator to generate all of the key material for both the ephemeral and persistent keys.

6. How are the data encryption keys derived in IPsec UDP / IKE-less IPsec?
Data encryption key = ephemeral key material + persistent key material. The ephemeral key material changes every key rotation interval, so the data encryption key changes with it. The data encryption key is unique per appliance, per underlay tunnel, per direction and per key rotation interval.



7. How are the data encryption keys exchanged when using IPsec UDP / IKE-less IPsec?
The keys themselves are not exchanged. Orchestrator delivers key material to the EdgeConnect appliances over TLS, and each appliance derives the data encryption keys locally from that material. The data encryption keys are therefore never sent over the wire.

8. What additional authentication is provided by the Orchestrator to be granted write/push access to the EdgeConnect devices?
Silver Peak uses server certificates and TLS 1.2 sessions to authenticate and encrypt communication between Orchestrator and EdgeConnect.

9. Orchestrator acts as the key server for the key material and random seed. Can the role of Orchestrator as the key server be reduced to zero, to limit dependencies and reduce the attack surface?
No. Orchestrator is a trusted entity. Apart from key distribution and management, it configures and manages the entire network, so it is the root of trust for the overlay whether or not it also serves keys. Orchestrator is a vital part of the SD-WAN solution and must be secured in the data center. According to Silver Peak SD-WAN management best practices, control of the Orchestrator is more critical than control of the keys.

10. Are there plans to support certificates? If yes, what are they?
We support device certificates for EdgeConnect and Orchestrator. We plan to add support for certificate authentication (PKI) for third-party IPsec tunnels. For EdgeConnect to EdgeConnect overlays, we recommend IPsec UDP as the more secure option; refer to the section What IPsec UDP Solves.

11. What changes are made to the original packet when it is assigned to an overlay, and what changes are made during encryption?
The packet payload and IP header can be compressed when Unity Boost™ WAN Optimization is applied. A Silver Peak packet header and trailer may be added. IPsec UDP encapsulation is added after these functions. On the receiving side, the EdgeConnect appliance reverses the process to recover the original packet. The Packet Formats section has more details.

12. Is a strict header check performed on the data plane?
Yes, a packet is dropped if there are errors in its header.

13. How are external third-party network encryption products supported?
Customers are welcome to deploy transparent third-party encryption devices. We also interoperate with other third-party network encryption products through IPsec with IKE.

14. Are there plans to support PCI-based third-party encryption boards?
Not at this time. We use the Intel AES-NI instruction set, which provides more than 5 Gbps of throughput per CPU core, more than sufficient for our SD-WAN and WAN Optimization applications.

15. How does IPsec UDP's provisioning and orchestration compare with the properties of standards-based PKI or certificate authentication?
See the table below.



Standards-based Public Key Infrastructure (PKI) or certificate authentication, compared with IPsec UDP secure provisioning and orchestration

Trust anchor
  PKI: Certificate Authorities like Verisign and Comodo are trusted.
  IPsec UDP: Silver Peak Cloud Portal and Orchestrator are trusted (organizational compliance ensures this).

Authentication and authorization
  PKI: provided by certificate parameters; it is NOT a two-step process. Additional multi-factor authentication is optional.
  IPsec UDP: two-step authentication and authorization, with multi-factor authentication supported by Orchestrator. Silver Peak Cloud Portal holds the account key, the authorized serial numbers and the number of base licenses for the account. Customer admins approve and authorize appliances into the network.

Stolen appliances
  PKI: certificate expiry and revocation handle the device lifecycle, managed by the customer's IT admins.
  IPsec UDP: the customer revokes access through Orchestrator; simpler lifecycle management.

Unauthorized appliances
  PKI: cannot establish a TLS connection; needs revocation by enterprise IT.
  IPsec UDP: all traffic is dropped; in addition, the device cannot download configuration.

Non-repudiation
  PKI: the assurance that someone cannot deny something is provided via the digital signature in the certificate.
  IPsec UDP: this assurance is provided when the customer clicks 'authorize' in Orchestrator.

Company Address Phone & Fax Online

Silver Peak Systems, Inc Phone: +1 888 598 7325 Email: [email protected]
2860 De La Cruz Blvd. Local: +1 408 935 1800 Website: www.silver-peak.com
Santa Clara, CA 95050

© 2018 Silver Peak Systems, Inc. All rights reserved. Silver Peak, the Silver Peak logo, and all Silver Peak product names, logos, and brands are
trademarks or registered trademarks of Silver Peak Systems, Inc. in the United States and/or other countries. All other product names, logos,
and brands are property of their respective owners.

SP-WP-IPSEC-UDP-102218
