Академический Документы
Профессиональный Документы
Культура Документы
Release 20.1.0
Feature Summary
Table of Contents
Table of Contents ........................................................................................................................................... 2
Multicast ......................................................................................................................................................... 9
RIPv2 ............................................................................................................................................................. 13
Provisioning and ZTP Workflow Support for Routing and Security Use-Cases ............................................. 17
interfaces, FlexVNF would choose appropriate (one) nexthop interface to anchor that
flow and starts employing full (TCP) flow analysis. This flow analysis data establishes
very important data points for the performance of that flow, originated from that
branch, destined to that particular SaaS FQDN.
This process will repeat with more flows, eventually forming a large enough data pool
for that specific FQDN and by using that information, next set of flows will be forwarded
on best performing paths / nexthops destined for that FQDN.
Such real, TCP flow-based session analysis includes request, response, retransmission,
packet losses, and other critical flow details, thereby allowing Versa to establish reliable
data points for each SaaS FQDN from that site.
As part of that analysis, Versa assigns Application Experience score which is viewable
and will be used to manage traffic by using SD-WAN policies. As Versa FlexVNF
continuously analyzes these flows, it will be able to detect changing network conditions
and it will assign each new flow to the best path available for that FQDN.
Versa FlexVNF instances, irrespective of whether they are spokes or hubs, collect
various transport layer as well as application layer metrics for SaaS application sessions,
transiting the appliance in an inline fashion.
Furthermore, this information can be shared across the SD-WAN control plane of Versa,
giving the opportunity to distribute this information across the network, helping make
best decisions. Thus, spoke sites have information about whether direct internet access
or access through the hub would provide better performance.
Such information is collected locally across multiple links or paths and/or learned from
hub sites through SD-WAN Control Plane. Hence, FlexVNF can anchor flows to best
performing links or paths to those specific SaaS destinations and monitor the flows on
an ongoing basis so that if / when conditions change, it can implement appropriate
update and steering decisions and propagate that information to the rest of the
network.
The following are some examples of how SaaS connectivity may be realized.
● Direct access only
● Access through Internet hubs only
● Combination of direct and Internet hub access
In addition, the deployment modes may be categorized according to the various ways in
which passive metrics, active CFM metrics, and active application metrics are combined
to measure SaaS performance.
One can think of this multi-dimensional feature as an intelligent ADC like function that is
applied over to a SD-WAN network while the assets are spread over Internet and
accessible through disparate ways.
DNS Proxy
A DNS proxy server takes DNS queries from a local network and forwards them to an
Internet or Intranet (authoritative) Domain Name Server. DNS proxy may also cache DNS
records. There are a few different modes of DNS proxy servers and both of these modes
are supported by Versa FlexVNF:
• Split Proxy: The DNS split proxy feature allows you to configure your DNS proxy
server to split the DNS query based on both the interface and the domain name.
You can configure a set of name servers and associate them with a given domain
name. When you query that domain name, the device sends the DNS queries to
only those name servers that are configured for that domain name to ensure
localization of DNS queries.
You can configure DNS split proxy based on the network transport domain. For
example, when the device has broadband connection(s) as well as MPLS-VPN or
IPSec VPN connection(s) to the corporate network through an IPsec VPN or any
other secure tunnel, you can configure DNS split proxy to use the secure VPN
tunnel to transport the domain name inquiries or traffic to such domains
belonging to the corporate network. In such a case, intranet DNS resolution
queries are not leaked to the ISP DNS server and are contained within the
corporate network.
If the client wants to reach to destinations on the Internet, DNS split proxy would
be able to guide to these client requests for anycast DNS servers, such as 8.8.8.8
that are located on Internet to resolve them in the best ways.
• Transparent Proxy: Transparent DNS proxy is a server that sits between your
computer and the Internet and redirects your requests and responses without
modifying them. A proxy server that does modify your requests and responses is
defined as a non-transparent proxy.
This mode allows client’s DNS queries to be forwarded to designated or well-
known DNS servers. DNS proxy is configured in the transparent mode when the
network for extranet queries and for the purpose of providing geo-location
optimized delivery.
Also, network operators can choose to use transparent DNS proxy to intercept all
DNS lookup requests (TCP/UDP port 53) to transparently proxy the results,
forcing clients to use their DNS service for all DNS lookups.
Versa supports both modes of DNS proxy. Both TCP and UDP DNS protocols are
supported. Versa DNS proxy also supports DNS clients that use single UDP/TCP
connections and requests multiple transactions (DNS queries on different domains). In
such a scenario, FlexVNF does proxy based on each transaction.
You can also configure Versa DNS proxy with static entries, which will allow you to
configure static FQDN-to-IP address mappings, that is then provided in response to DNS
queries.
Today, you can use Versa’s DNS proxy to optimize name resolution requests on a per
region basis (geo location-based optimization). Versa DNS proxy can also be used to
manage the flow based on the first package. Firstly, packet-based lookup and traffic
direction (instead of scanning 4-5 packets as with the case with DPI) allows the flow to
be anchored on the interface based on domain name and route resolution, establishing
CGNAT and other records right from the first packet. Note that once CGNAT records are
established with the first packet, and once a session translation table is established on a
path, it cannot move to another interface as that will force a different address
translation, breaking the flow. For such reasons, DNS proxy is a key building block used
in Versa’s DIA/DCS (SaaS) traffic optimizations feature.
In subsequent releases, Versa DNS proxy implementation will expand to cover dynamic
DNS, DNS feeds, filtering functions. The latter will secure DNS inquires and provide
additional layer of security (roadmap).
bandwidth across the network at pre-determined times of the day (for example, at peak
times, at very low utilization times) and by days of the week so that they can collect this
information from their network on a systematic basis.
Such systematically collected data allows our customers to build large pool of measured
network available bandwidth across any or all points of the SD-WAN network. This data
will not only form a baseline but also help our customer see trend changes over time
and react to it or plan upgrades or changes proactively.
Once enabled, this data is collected and trended by Versa Analytics and it is ready to be
consumed by our customers by using effective windows and reporting capabilities of our
big data analysis tool.
These tags are assigned based on the research of Versa engineers and these tags have
attributes, such as risk profiles.
Such attributes like risk, productivity nature of the app, and other attribute values can
change over time and Versa engineers keep these attribute values updated. Versa
provides the updated tags with security updates, so that you can use these pre-defined
tags in up to date forms. Note that Versa does not allow defining custom Application
Filters.
Let us look at an example of pre-defined Application Filter:
• App-Filter: SaaS-Applications
• Example app that is part of this App Filter: OFFICE365
• QoS Mapping: Business Critical traffic class by default.
In the above examples, use of pre-defined Application Service Template with
Application Group of Office365 Apps or use of App Filter SaaS-Application makes it very
easy to apply appropriate policies (QoS profiles, path selection choices, decisions like
application of Advanced SD-WAN features like FEC, application of security profiles) to
manage each class of these applications.
With 20.1.0, Versa provides over 15 Application Filters and over 20 pre-defined
Application Groups. In addition to these, one can come up with user-defined/custom
App Groups.
Multicast
Prior to 20.1.0, these features were available on a special multicast branch and got
deployed by select production networks. Starting from 20.1.0, Versa provides a rich set
of multicast routing protocols in generally available deployable form to our overall
customer base.
Multicast is typically used by online streaming video and gaming, financial, or
broadcasting applications that distribute information from one-to-many or from many-
to-many. Different multicast networking protocols were developed over timeto allow
more efficient use of network resources when supporting these types of applications.
Versa supports these multicast protocols in 20.1.0 release:
• IGMP v2/v3
multicast session, based on explicit interest (this is the opposite of PIM Dense Mode
assumptions).
PIM-SM explicitly constructs a tree from each sender to the receivers in the multicast
group. PIM SM allows multiple multicast sources (any source multicast) which allows
multiple sources to originate traffic for a multicast group such that a source can be a
listener as well. The latter scenario will require PIM SM to create associate
unidirectional trees accordingly as well. High scale of PIM SM deployments with many
groups, sources, and listeners can get complex over time.
PIM SM uses Rendezvous Point (RP) to simplify this any to any data forwarding problem.
Multicast distribution trees are rooted at the selected node called the Rendezvous Point
(RP) and used by all sources sending to the multicast group. To send to the RP, sources
must encapsulate data in PIM control messages and send it by unicast to the RP. This is
done by the source's Designated Router (DR), which is a router on the source's local
network. Discovering the address of RP for a given multicast group is critical for PIM SM.
PIM SM uses several techniques for this and among those, Bootstrap RP is supported by
Versa FlexVNF in 20.1.0.
For more information on PIM SM, please see RFC4601 here:
https://tools.ietf.org/html/rfc4601
As noted above, Versa’s PIM SM implementation covers RP (Rendezvous Point) and
Bootstrap RP functions in 20.1.0.
PIM Source-Specific Multicast (PIM-SSM) builds trees that are rooted in just one source,
offering a more secure and scalable model for a limited number of applications (mostly
broadcasting of content). In SSM, an IP datagram is transmitted by a source (S) to an
SSM destination address (G), and receivers can receive this datagram by subscribing to
channel (S,G). For more information, please see RFC3569, here:
https://tools.ietf.org/html/rfc3569
PIM SSM is perceived simpler compared to PIM SM. There is no need for shared trees or
RP mapping (no RP is required), or for RP-to-RP source discovery through MSDP. By
ignoring the many-to-many model and focusing attention on the one-to-many source-
specific multicast (SSM) model, highly scalable multicast deployments can be achieved
for applications that have one source and many listeners. An example of such an
application is television channel distribution or stock market information distribution
over the Internet or over SD-WAN network. In such examples, by using PIM-SSM, one
can broadcast information to listeners much more quickly and efficiently by selecting
which sources to listen to and by only managing the data traffic in one way.
PIM SSM is also used by initial incarnation of VXLAN overlay tunnels within the
virtualized DC environments.
As it can be seen through the protocol overview and implementation scope overview
shared above, Versa provides a very rich set of multicast capabilities to our customer
base on local LAN and WAN interfaces as well as over SD-WAN overlay networks.
In Versa SD-WAN deployments with multicast, it is recommended to choose PIM-SSM if
application allows. In the case of PIM SM, it is recommended to choose Rendezvous
Point deployments either at the Hub-FlexVNF or some other PIM router behind a hub.
While Versa FlexVNF can generate quite a large volume of multicast packets in the RP
role, if large volumes of traffic replication are required, Versa recommends leveraging
an ASIC based router or Ethernet switch to act as the RP. Alternatively, a hierarchy of
hubs can be used to reduce the packet replication load on a single RP.
Versa’s multicast support has additional means to control the traffic. Versa provides
policy based traffic control for multicast traffic and allows customers to choose
transport networks according to their policies. Multicast WAN topology can be spread
over Broadband, MPLS-VPN links, and/or SD-WAN overlay paths based on given
destination(s), which administrator can fully control.
An aggregate BGP route can carry an AS Path attribute that lists the set of autonomous
systems (AS) that this route was originated and advertised from. In the case of BGP
route aggregation, as the actual sequence of these AS instance is no longer relevant, AS-
Sequence cannot be used and only AS-Path attribute gets used.
AS-Path attribute populated as AS-Set type and it consists of union of all of the AS-Path
values participating routes that have been learned from. It is a common practice to
overwrite those AS-Path values by using a route policy to set it as the local AS.
In addition, aggregating router also provider aggregator attribute to provider the router
id of the device that does route aggregation.
Versa also supports Atomic Aggregate Attribute such that if one still needs to advertise
more specific route(s) in addition to the aggregate route, it can be done.
While this feature may be used for a variety of routing use-cases, this feature may be
commonly used by our customers to summarize SD-WAN network and branch networks
behind SD-WAN network, over to legacy network or to core network devices for the
purpose of providing a single route to these devices. Such a choice can help operators of
these brownfield networks to talk to branches by using appropriate SD-WAN Gateway
nodes.
RIPv2
Versa FlexVNF provides Routing Information Protocol Version 2 to increase its’ interop
options with legacy network equipment.
Versa’s RIPv2 implementation complies with RFC2543.
In a nutshell, RIPv2 distributes routing prefix information through participating routers
to provide reachability to those network prefixes or subnets. RIPv2 (as well as RIPv1), is
a distance vector based routing protocols that uses router hop counts as its’ distance
calculation metrics. RIPv2 supports a maximum hop count value of 15. Any router
farther than 15 hops away is considered to be unreachable.
RIPv2 supports subnets and CIDR (Classless Interdomain Routing), which were some of
the main shortcomings of RIPv1.
You can find more information on RIPv2, here:
https://tools.ietf.org/html/rfc2453
File Filtering
File Filtering is an important tool for data loss prevention as well as protection from a
wide variety of Malwares in the network. Versa SD-Security file filtering feature helps
reduce the risk of attacks from unwanted and malicious file types. It provides file
protection against virus and vulnerabilities that are associated with various file types
and blocks potentially risky file transfers, applications (file types), file with specific size,
files with specific protocols, and traffic direction. This decreases an attacker’s ability to
conduct an attack on your organization.
The file filtering functionality detects the file type from scanning the first few packets of
the file (and not only based on the extension type). Versa supports these protocols to
extract the file in transfer: HTTP, SMTP, FTP, IMAP, MAPI, etc.
Once the file type is understood and the signature of the file is extracted, the filter
filtering functionality looks for a match of the file against a blacklist database, whitelist
database, and reputation database in order to identify malicious files. Through the file
reputation feeds, Versa can carry signatures of very large number of files, known to
distribute malicious content. Additional criterion, such as file size, file type, etc are used
to make policy decisions.
The file filtering functionality works in conjunction with the Anti-Virus feature to ensure
that the files are not infected. If it is used in combination with AV, it reduces the work
on AV by providing a pre-scanned file to the AV engine. The AV engine will only scan for
files that are not in whitelist or blacklists.
Also note that soon after the 20.1.0 release, Versa will provide support for
decompression functionality, allowing FlexVNF to decompress and analyze files that are
compressed by well-known algorithms.
As Windows is the most widely used OS in any enterprise network, the mechanisms
used for lateral movement are usually based on Windows networking protocols.
However, similar techniques are applicable for any operating system.
A malware which uses lateral movement techniques typically follows these steps to gain
access to the network:
1. Infiltrate: The attacker gains access to one of the low value targets in the
organization by using Spear Phishing, Drive by Download, etc.
2. Reconnaissance: The Malware snoops the network to identify the topology,
hosts, etc.
3. Credential Harvesting: The infected machine snoops on the cached credentials.
4. Code Execution: Using the information gained from Reconnaissance state and
Credential Harvesting state, the attacker now obtains further authorization by
using Kerberos or other protocols.
Versa’s SD-Security solution is enhanced to identify the exploit and alert the
administrators. Versa’s IPS and AV signatures are enhanced against such threats. The AV
engine detects the binaries used in such exploits. The IPS tool inspects the network
traffic to identify the activities typical to ransomware and malware as well as activities
seen by commonly mis-used tools, such as Responder. Starting 20.1 release, Versa
FlexVNF has support to detect advanced lateral movement techniques in a Windows
environment irrespective of the Malware sample or threat actor. The security engine
will be able to detect network activity that’s indicative of psexec, pass-the-hash,
credential harvesting attacks, attacks on active directory and more.
booting. Cloudinit is typically used to configure the IP address and other service
parameters for efficient automation of the VM instantiation.
From 20.1.0 onwards, the Cloudinit parameters can be uploaded as a file to the service
chain configuration. The Cloud Init parameters can also be parameterized. When the
Cloud Init data is parameterized, the VM specific information can be uploaded during
the VM configuration.
templates could be created and yet reused for service configuration (for branches with
different connectivity options but similar service configuration).
From 20.1.0 onwards, the service templates can now be associated with Device Groups.
Device Groups is a concept which groups the devices which use similar templates (which
means belong to the same tenant organization. When Service Templates were
associated with General Templates, there could have been only 1:1:1 relationship
between the service configuration, templates and device groups.
With Service templates now associated with Device Groups, the SP can create 1:1:Many
relationship. Using the General Templates, Device Groups and Service Templates, the
customers can incorporate various ‘modules’ as and when required.
with option to configure traffic monitoring rules and send Netflow-based IETF defined
fields.