The Internet is Broken: A Look at IPsec Overlays, Sessions and the 128T Networking Platform Solution

Overlay networks and IPsec overlays have added complexity, making our networks too fragile and too expensive to deliver the security, control and agility needed to handle cloud, mobile, and IoT applications. In this blog, we’ll take a look at the challenges presented by IPsec overlays, the importance of being session-aware, and how the 128T Networking Platform — which is now part of the Datavision portfolio — fits into the conversation.

To weather today’s IP networking storm, it is critical to understand why overlay technologies are responsible for today’s network fragility and complexity. The main IPsec challenges are:

1. Bandwidth: IPsec overlays add per-packet overhead, making them less bandwidth-efficient. Tunnels can consume anywhere from 5 to 40 percent of available network bandwidth depending on what protocol is being used, whether the traffic is already encrypted, and whether the packet exceeds the maximum length allowed on a link and needs to be fragmented.
2. Scalability: IPsec overlays are difficult to scale. In an IPsec overlay, a router or firewall must maintain IPsec tunnel state and have the computing resources to encrypt the traffic. For small to medium implementations, this is usually not a challenge. However, as the size of the network grows, the network architecture, number of sites involved, the number of links per site, and the number of sub-networks per site can create significant scalability obstacles. Creating and maintaining thousands of IPsec tunnels across a full mesh consumes significant router or firewall resources and substantial operational cycles to manage.
3. Limited Control and Visibility: IPsec overlays offer limited control and visibility. Because current routing technology has no understanding of sessions, and advanced network functions (such as firewalls and load balancers) have incomplete concepts of sessions, operators have no control over or visibility into the traffic within the IPsec tunnel.
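To make the bandwidth point concrete, here is an added example (not code from the original post or from 128 Technology) that estimates the per-packet cost of ESP in tunnel mode over IPv4. The header, IV, padding and ICV sizes follow RFC 4303 (ESP), RFC 3602 (AES-CBC), RFC 2404 (HMAC-SHA1-96), RFC 4106 (AES-GCM) and RFC 3948 (NAT-T UDP encapsulation); the transform names in the table are labels chosen for this example. It shows why the overhead share swings from a few percent for full-size packets to roughly 40 percent for small packets, and how an outer packet that exceeds the link MTU picks up a second IPv4 header through fragmentation.

```python
"""Estimate ESP tunnel-mode overhead on the wire (added example)."""
import math
from dataclasses import dataclass

OUTER_IPV4_HDR = 20   # new outer IPv4 header added in tunnel mode
UDP_HDR = 8           # NAT-T (RFC 3948) UDP encapsulation, optional
ESP_HDR = 8           # SPI (4 bytes) + sequence number (4 bytes)
ESP_TRAILER = 2       # pad length (1 byte) + next header (1 byte)

# transform label -> (IV length, pad alignment, ICV length), all in bytes
TRANSFORMS = {
    "aes128-cbc+hmac-sha1-96": (16, 16, 12),  # RFC 3602 + RFC 2404
    "aes128-gcm-16":           (8, 4, 16),    # RFC 4106 combined mode
}


@dataclass
class EspEstimate:
    inner_bytes: int     # size of the inner (tunnelled) IPv4 packet
    outer_bytes: int     # size of the outer ESP packet before fragmentation
    fragments: int       # outer IPv4 fragments needed to fit the link MTU
    wire_bytes: int      # bytes actually sent, including repeated outer headers
    overhead_bytes: int  # wire_bytes - inner_bytes
    overhead_pct: float  # share of bytes on the wire that are tunnel overhead


def esp_tunnel_estimate(inner_bytes, transform, nat_t=False, mtu=1500):
    iv_len, align, icv_len = TRANSFORMS[transform]
    # RFC 4303 2.4: pad so that payload + padding + trailer is aligned
    pad = (-(inner_bytes + ESP_TRAILER)) % align
    outer = (OUTER_IPV4_HDR + (UDP_HDR if nat_t else 0) + ESP_HDR + iv_len
             + inner_bytes + pad + ESP_TRAILER + icv_len)
    # IPv4 fragmentation: every fragment repeats the 20-byte outer header and
    # all but the last carry a multiple of 8 bytes of data
    per_frag = ((mtu - OUTER_IPV4_HDR) // 8) * 8
    fragments = max(1, math.ceil((outer - OUTER_IPV4_HDR) / per_frag))
    wire = outer + (fragments - 1) * OUTER_IPV4_HDR
    overhead = wire - inner_bytes
    return EspEstimate(inner_bytes, outer, fragments, wire,
                       overhead, 100.0 * overhead / wire)


def overhead_table(sizes=(80, 200, 576, 1400, 1500), transform="aes128-gcm-16"):
    """Return {inner size: EspEstimate} for a range of constructed packet sizes."""
    return {n: esp_tunnel_estimate(n, transform) for n in sizes}


if __name__ == "__main__":
    for transform in TRANSFORMS:
        print(transform)
        for n, e in overhead_table(transform=transform).items():
            print(f"  inner {n:5d} B -> wire {e.wire_bytes:5d} B, "
                  f"{e.fragments} fragment(s), overhead {e.overhead_pct:5.1f}%")
```

Two things the table makes visible: a small 80-byte packet (a VoIP or DNS-sized payload) under AES-GCM carries 56 bytes of tunnel overhead, about 41 percent of what goes on the wire, while a full 1500-byte packet is only a few percent overhead but no longer fits a 1500-byte link MTU and is split into two fragments. Lowering the inner MTU (or clamping TCP MSS) avoids the fragmentation at the cost of slightly more packets.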
When we refer to “sessions,” we’re primarily talking about connections that occur at the internet and transport layers – Layers 3 and 4 in the OSI stack.

These types of sessions can have distinct characteristics that make them interesting:

1. First, they have fixed addresses for the source and destination endpoints – at Layer 4, throw in the ports and the protocol and you have yourself a 5-tuple.
2. Second, they can have “biflow” – consisting of two related unidirectional flows in opposite directions/vectors.
3. Third, sessions have directionality, reflecting which endpoint initiated the exchange.
4. Finally, sessions have state – they have a recognizable start and end, along with any number of other parameters specific to that session.

These characteristics make it possible to associate packets and flows with a unique session and manage that session.
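The four characteristics above are enough to build a small session tracker, which is what the added example below does (it is example code written for this article, not 128 Technology’s implementation). It keys packets by a direction-independent 5-tuple so both halves of a biflow land on one session, records which endpoint sent the first packet as the initiator, and tracks state from the TCP handshake and teardown flags, or from an idle timeout for UDP, which has no explicit end. The packet records are constructed inline; a real deployment would feed it from a capture or a flow export.

```python
"""Associate packets with Layer 3/4 sessions (added example)."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Packet:
    ts: float
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flag letters, e.g. "S", "SA", "PA", "FA", "R"


@dataclass
class Session:
    initiator: tuple    # (ip, port) that sent the first packet (directionality)
    responder: tuple
    proto: str
    start: float
    end: Optional[float] = None
    state: str = "NEW"  # NEW -> ESTABLISHED -> CLOSING -> CLOSED
    fwd: list = field(default_factory=list)   # initiator -> responder flow
    rev: list = field(default_factory=list)   # responder -> initiator flow
    fin_seen: set = field(default_factory=set)


def biflow_key(pkt):
    """Canonical key shared by both directions of one 5-tuple (the biflow)."""
    a = (pkt.src, pkt.sport)
    b = (pkt.dst, pkt.dport)
    return (pkt.proto,) + (a + b if a <= b else b + a)


class SessionTable:
    def __init__(self, idle_timeout=30.0):
        self.sessions = {}   # biflow key -> live Session
        self.closed = []     # sessions that reached CLOSED, in order
        self.idle_timeout = idle_timeout

    def observe(self, pkt):
        key = biflow_key(pkt)
        s = self.sessions.get(key)
        if s is None:
            # first packet seen decides who the initiator is
            s = Session((pkt.src, pkt.sport), (pkt.dst, pkt.dport), pkt.proto, pkt.ts)
            self.sessions[key] = s
        forward = (pkt.src, pkt.sport) == s.initiator
        (s.fwd if forward else s.rev).append(pkt)
        s.end = pkt.ts
        self._update_state(s, pkt, forward)
        if s.state == "CLOSED":
            self.closed.append(self.sessions.pop(key))
        return s

    def _update_state(self, s, pkt, forward):
        if pkt.proto == "tcp":
            if "R" in pkt.flags:
                s.state = "CLOSED"                      # reset ends it at once
            elif s.state == "NEW" and not forward and "S" in pkt.flags and "A" in pkt.flags:
                s.state = "ESTABLISHED"                 # SYN/ACK from responder
            elif "F" in pkt.flags:
                s.fin_seen.add("fwd" if forward else "rev")
                s.state = "CLOSING"
            elif s.state == "CLOSING" and len(s.fin_seen) == 2 and "A" in pkt.flags:
                s.state = "CLOSED"                      # final ACK after both FINs
        elif not forward and s.state == "NEW":
            s.state = "ESTABLISHED"                     # UDP: a reply proves the biflow

    def expire(self, now):
        """End UDP sessions, or half-closed TCP ones, that went idle."""
        for key, s in list(self.sessions.items()):
            if (s.proto == "udp" or s.state == "CLOSING") and now - s.end > self.idle_timeout:
                s.state = "CLOSED"
                self.closed.append(self.sessions.pop(key))


# constructed sample: one HTTPS exchange with a clean teardown, one DNS lookup
SAMPLE = [
    Packet(0.00, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "S"),
    Packet(0.01, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, "SA"),
    Packet(0.02, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "A"),
    Packet(0.50, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "PA"),
    Packet(0.60, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, "PA"),
    Packet(1.00, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "FA"),
    Packet(1.01, "tcp", "192.0.2.10", 443, "10.0.0.5", 51000, "FA"),
    Packet(1.02, "tcp", "10.0.0.5", 51000, "192.0.2.10", 443, "A"),
    Packet(2.00, "udp", "10.0.0.5", 40000, "192.0.2.53", 53),
    Packet(2.02, "udp", "192.0.2.53", 53, "10.0.0.5", 40000),
]


def run(packets=SAMPLE, now=60.0):
    """Feed packets through a table, then expire idle sessions at time `now`."""
    table = SessionTable()
    for p in packets:
        table.observe(p)
    table.expire(now)
    return table


if __name__ == "__main__":
    for s in run().closed:
        print(f"{s.proto} {s.initiator} -> {s.responder}: {s.state}, "
              f"{len(s.fwd)} fwd / {len(s.rev)} rev packets, {s.start}s..{s.end}s")
```

Because policy is evaluated once per session rather than once per packet, the initiator and responder labels are what let a router or firewall apply an asymmetric rule (allow outbound-initiated, deny inbound-initiated) even though the packets in both directions carry the same 5-tuple in opposite order.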

Why Being Session-Aware is Critical

Being session-aware is critical today and is a central aspect of the 128T networking platform for a few reasons:

1. It incorporates advanced network functionality into routing itself.
2. Every aspect of 128 Technology’s router is based on sessions, from basic packet processing to policy definition, so the platform naturally generates data for session awareness. Since these analytics are tied to the services that generate enterprise value, they provide tremendous management insight.
3. 128 Technology integrates this data directly into its management tools, so the administrator can monitor relevant service metrics, adjust configuration, and improve performance across the entire network.