Most overlay solutions these days encrypt and authenticate data plane traffic using IPsec and Cisco SD-WAN is no different. Although there is one major difference that Cisco SD-WAN utilizes in order to scale better and more efficiently. Most traditional IPsec environments use Internet Key Exchange (IKE) to handle the key exchange between IPsec peers. However, IKE creates scalability issues in full-meshed environments with thousands of spokes because each spoke is required to manage n^2 key exchanges and n-1 different keys.

Cisco SD-WAN was designed to overcome these scaling limitations by not utilizing IKE at all but instead implementing the key exchange within the control plane as shown in Figure 1. This is possible because vEdges identity is established during the provisioning process with the vBond orchestrator. 

Data Plane Encryption Overview
Figure 1. Data Plane Encryption Overview

The main idea is that WAN edge routers can leverage the existing encrypted control connections to the vSmart controller and advertise their keys to the controller via OMP. The controller then redistributes them as OMP updates to all other peers so the exchange is completely done through the SD-WAN control plane.

Let's look at the example shown in Figure 2. vEdge-1 generates an AES-256-bit key for each connected WAN transport. In the example, there is only one transport so there is only one generated key - encr-key-1. However, three symmetric keys will be generated if we have three WAN providers. Once the encr-key-1 is generated, vEdge-1 advertises it in an OMP update to vSmart, along with the corresponding TLOC T1. This route advertisement is then re-advertised to the rest of the overlay fabric. vEdge-2 and vEdge-3 will then use this information to build their IPsec tunnels to vEdge-1 and encrypt the data plane traffic with the received AES-256 key.

Cisco SD-WAN Key Exchange
Cisco SD-WAN Key Exchange

Essentially, this keys exchange model removes the burden of individual negotiations between WAN edge devices that using IKE would have brought. In addition to that, each key lifetime is 24 hours and each WAN edge router will regenerate its keys every 12 hours in order to provide enhanced encryption and authentication. This means that two keys (old and new) are present at any one time. The renegotiation of keys does not affect existing traffic, as it happens in parallel with the existing ones and the old key is still held for another 12 hours so any traffic is accepted using either one.

If we summarize everything we have said up to this point - the Cisco SD-WAN solution exchanges keys between WAN Edges and vSmart controllers and uses symmetric keys in an asymmetric fashion. This means the following:

  • The same key is used for encryption and decryption of data plane traffic.
  • WAN edge routers use their remote peer’s key to encrypt the data rather than their own when sending traffic over the tunnel.
Traffic encryption with Symmetric Keys
Figure 3. Traffic encryption with Symmetric Keys

Let's look at the example shown in figure 3 where two WAN edge devices are going to communicate over a secure overlay tunnel. Encryption and decryption will occur using the following process:

  • vEdge-1 generates an AES-256 key called encr-key-1 and vEdge-2 generates one called encr-key-2.
  • Both routers advertise these via OMP to the controller and it distributes them across the overlay.
  • When vEdge-1 sends data to vEdge-2, it will encrypt the data using vEdge-2’s key.
  • When vEdge-2 receives the data, it will use its key for the decryption of that data.
  • When vEdge-2 sends data to vEdge-1, it will encrypt the data using vEdge-1’s key.
  • When vEdge-1 receives the data, it will use its key for the decryption of that data.

Additional security with Pairwise

The IPsec Pairwise keys feature provides additional security by ensuring that multiple vEdge devices across the fabric do not use the same session key for encryption and decryption. The feature functions by generating a pair of IPsec session keys (one encryption and one decryption key) for each pair of local - remote TLOCs. This is visualized in the example shown in figure 4 where there is a fabric with three WAN edge devices. The security improvement comes from the fact that encryption and decryption between vEdge-1 and vEdge-2 will use a session key that is unique to that pair of TLOCs. The green tunnel between WAN Edge 1 and WAN Edge 3 will also use a different session key pair. 

Encryption with Pairwise Keys
Figure 4. Encryption with Pairwise Keys

Therefore, the process of encryption and decryption of data when using the IPsec Pairwise keys feature will be as follow:

  • Each WAN Edge will generate a key for each pair of local-remote TLOC. The session key will then be advertised to the vSmart via OMP.
  • The vSmart controller will redistribute the key to the respective peers.
  • When WAN edge A sends data to WAN edge B, the IPsec session key BA will be used. In the reverse scenario, WAN Edge B will use the IPsec session key AB.
  • When vEdge-A sends data to vEdge-C, key CA will be used. In the reverse direction, vEdge-C will send traffic using AC.

Another very important thing to note is that the IPsec Pairwise feature is backward compatible with devices that don’t support pairwise keys. The feature is disabled by default on the Cisco SD-WAN device and can be enabled via templates.