Skip to main content
Cisco SD-WAN
Support
Product Documentation
Viptela Documentation

Configuring Security Parameters

This article describes how to change security parameters for the control plane and the data plane in the Viptela overlay network.

Configure Control Plane Security Parameters

By default, the control plane uses DTLS as the protocol that provides privacy on all its tunnels. DTLS runs over UDP.

You can change the control plane security protocol to TLS, which runs over TCP. The primary reason to use TLS is that, if you consider the vSmart controller to be a server, firewalls protect TCP servers better than UDP servers.

You configure the control plane tunnel protocol on a vSmart controller:

vSmart(config)# security control protocol tls

With this change, all control plane tunnels between the vSmart controller and vEdge routers and between the controller and vManage NMSs use TLS. Control plane tunnels to vBond orchestrators always use DTLS, because these connections must be handled by UDP.

In a domain with multiple vSmart controllers, when you configure TLS on one of the vSmart controllers, all control plane tunnels from that controller to the other controllers use TLS. Said another way, TLS always takes precedence over DTLS. However, from the perspective of the other vSmart controllers, if you have not configured TLS on them, they use TLS on the control plane tunnel only to that one vSmart controller, and they use DTLS tunnels to all the other vSmart controllers and to all their connected vEdge routers. To have all vSmart controllers use TLS, configure it on all of them.

By default, the vSmart controller listens on port 23456 for TLS requests. To change this:

vSmart(config)# security control tls-port number

The port can be a number from 1025 through 65535.

To display control plane security information, use the show control connections command on the vSmart controller. For example:

vSmart-2# show control connections 
                                                                            PEER                      PEER                                                    
PEER     PEER     PEER             SITE        DOMAIN      PEER             PRIVATE  PEER             PUBLIC                                                  
TYPE     PROTOCOL SYSTEM IP        ID          ID          PRIVATE IP       PORT     PUBLIC IP        PORT    REMOTE COLOR     STATE           UPTIME         
--------------------------------------------------------------------------------------------------------------------------------------------------------------
vedge    dtls     172.16.255.11    100         1           10.0.5.11        12346    10.0.5.11        12346   lte              up                   0:07:48:58
vedge    dtls     172.16.255.21    100         1           10.0.5.21        12346    10.0.5.21        12346   lte              up                   0:07:48:51
vedge    dtls     172.16.255.14    400         1           10.1.14.14       12360    10.1.14.14       12360   lte              up                   0:07:49:02
vedge    dtls     172.16.255.15    500         1           10.1.15.15       12346    10.1.15.15       12346   default          up                   0:07:47:18
vedge    dtls     172.16.255.16    600         1           10.1.16.16       12346    10.1.16.16       12346   default          up                   0:07:41:52
vsmart   tls      172.16.255.19    100         1           10.0.5.19        12345    10.0.5.19        12345   default          up                   0:00:01:44
vbond    dtls     -                0           0           10.1.14.14       12346    10.1.14.14       12346   default          up                   0:07:49:08

vSmart-2 control connections 
                                                                            PEER                      PEER                                                    
PEER     PEER     PEER             SITE        DOMAIN      PEER             PRIVATE  PEER             PUBLIC                                                  
TYPE     PROTOCOL SYSTEM IP        ID          ID          PRIVATE IP       PORT     PUBLIC IP        PORT    REMOTE COLOR     STATE           UPTIME         
--------------------------------------------------------------------------------------------------------------------------------------------------------------
vedge    tls      172.16.255.11    100         1           10.0.5.11        12345    10.0.5.11        12345   lte              up                   0:00:01:18
vedge    tls      172.16.255.21    100         1           10.0.5.21        12345    10.0.5.21        12345   lte              up                   0:00:01:18
vedge    tls      172.16.255.14    400         1           10.1.14.14       12345    10.1.14.14       12345   lte              up                   0:00:01:18
vedge    tls      172.16.255.15    500         1           10.1.15.15       12345    10.1.15.15       12345   default          up                   0:00:01:18
vedge    tls      172.16.255.16    600         1           10.1.16.16       12345    10.1.16.16       12345   default          up                   0:00:01:18
vsmart   tls      172.16.255.20    200         1           10.0.12.20       23456    10.0.12.20       23456   default          up                   0:00:01:32
vbond    dtls     -                0           0           10.1.14.14       12346    10.1.14.14       12346   default          up                   0:00:01:33

Configure DTLS on vManage NMS

If you configure the vManage NMS to use TLS as the control plane security protocol, you must enable port forwarding on your NAT. If you are using DTLS as the control plane security protocol, you do not need to do anything.

The number of ports forwarded depends on the number of vdaemon processes running on the vManage NMS. To display information about these processes and about and the number of ports that are being forwarded, use the show control summary command shows that four vdaemon processes are running:

vManage# show control summary
          VBOND     VMANAGE    VSMART    VEDGE
INSTANCE  COUNTS    COUNTS     COUNTS    COUNTS
------------------------------------------------
0           2          0           2        7
1           2          0           0        5
2           2          0           0        5
3           2          0           0        4

To see the listening ports, use the show control local-properties command:

vManage# show control local-properties
organization-name            vIPtela Inc Test
certificate-status           Installed
root-ca-chain-status         Installed

certificate-validity         Valid
certificate-not-valid-before May 20 00:00:00 2015 GMT
certificate-not-valid-after  May 20 23:59:59 2016 GMT

dns-name                     vbond.viptela.com
site-id                      5000
domain-id                    0
protocol                     dtls
​tls-port                     23456
...
...
...
number-active-wan-interfaces 1

                 PUBLIC         PUBLIC  PRIVATE        PRIVATE                                                       ADMIN     OPERATION  LAST
INDEX  INTERFACE IP             PORT    IP             PORT     VSMARTS  VMANAGES  COLOR            CARRIER          STATE     STATE      CONNECTION
-----------------------------------------------------------------------------------------------------------------------------------------------------------------
0      eth0      72.28.108.37   12361   172.16.98.150  12361    2        0         silver           default          up        up        0:00:00:08

This output shows that the listening TCP port is 23456. If you are running vManage NMS behind a NAT, you should open the following ports on the NAT device:

  • 23456 (base - instance 0 port)
  • 23456 + 100 (base + 100)
  • 23456 + 200 (base + 200)
  • 23456 + 300 (base + 300)

Note that the number of instances is the same as the number of cores you have assigned for the vManage NMS, up to a maximum of 8.

Configure Data Plane Security Parameters

In the data plane, IPsec is enabled by default on all vEdge routers, and by default IPsec tunnel connections use the AH-SHA1 HMAC for authentication on the IPsec tunnels. On vEdge routers, you can change the type of authentication, and you can modify the IPsec rekeying timer and the size of the IPsec anti-replay window.

Configure Allowed Authentication Types

By default, IPsec tunnel connections use AH-SHA1 HMAC and ESP HMAC-SHA1 for authentication, choosing whichever authentication method is stronger. To modify the negotiated authentication types or to disable authentication, use the following command:

vEdge(config)# security ipsec authentication-type (ah-no-id | ah-sha1-hmac | none | sha1-hmac)

Configure each authentication type with a separate security ipsec authentication-type command. The command options map to the following authentication types, which are listed in order from most strong to least strong:

  • ah-sha1-hmac enables AH-SHA1 HMAC and ESP HMAC-SHA1.
  • ah-no-id enables a modified version of AH-SHA1 HMAC and ESP HMAC-SHA1. This option accommodates some non-Viptela devices, including the Apple AirPort Express NAT, that have a bug that causes the ID field in the IP header, a non-mutable field, to be modified. Configure the ah-no-id option in the list of authentication types to have the Viptela AH software ignore the ID field in the IP header so that the Viptela software can work in conjunction with these devices.
  • sha1-hmac enables ESP HMAC-SHA1.
  • none maps to no authentication. You can choose this option in situations where data plane authentication and integrity are not a concern.

For information about which data packet fields are affected by these authentication types, see the "Data Plane Integrity" section in Data Plane Security Overview.

vEdge routers advertise their configured authentication types in their TLOC properties. The two routers on either side of an IPsec tunnel connection negotiate the authentication to use on the connection between them, using the strongest authentication type that is configured on both of the routers. For example, if one vEdge router advertises AH-HMAC-SHA1, ESP HMAC-SHA1, and none, and a second vEdge router advertises ESP HMAC-SHA1 and none, the two routers negotiate to use ESP HMAC-SHA1 on the IPsec tunnel connection between them. If no common authentication types are configured on the two vEdge peers, no IPsec tunnel is established between them.

The encryption algorithm on IPsec tunnel connections is either AES-256-GCM or AES-256-CBC. For unicast traffic, if the remote side supports AES-256-GCM, that encryption algorithm is used. Otherwise, AES-256-CBC is used. For multicast traffic, the encryption algorithm is AES-256-CBC. You cannot modify the choice made by the software.

When the IPsec authentication type is changed, the AES key for the data path is changed.

Change the Rekeying Timer

Before vEdge routers can exchange data traffic, they set up a secure authenticated communications channel between them. The vEdge routers use the DTLS or TLS control plane connection between them as the channel, and they use the AES-256 cipher to perform encryption. Each vEdge router generates a new AES key for its data path periodically.

By default, a key is valid for 86400 seconds (24 hours), and the timer range is 10 seconds through 1209600 seconds (14 days). To change the rekey timer value:

vEdge(config)# security ipsec rekey seconds

The configuration looks like this:

security
  ipsec
    rekey seconds
  !

When the IPsec keys are compromised, you can generate new keys immediately, without modifying the configuration of the vEdge router. To do this, issue the request security ipsec-rekey command on the compromised vEdge router.

For example, the following output shows that the local SA has a SPI (key) of 256:

vEdge# show ipsec local-sa
         
                                          SOURCE           SOURCE             
TLOC ADDRESS     TLOC COLOR       SPI     IP               PORT    KEY HASH   
------------------------------------------------------------------------------
172.16.255.15    lte              256     10.1.15.15       12346   *****b93a 

If this key is compromised, use the request security ipsec-rekey command to generate a new key immediately. This command increments the existing key, so in our example the SPI changes to 257:

vEdge# request security ipsec-rekey
vEdge# show ipsec local-sa
                                          SOURCE           SOURCE             
TLOC ADDRESS     TLOC COLOR       SPI     IP               PORT    KEY HASH   
------------------------------------------------------------------------------
172.16.255.15    lte              257     10.1.15.15       12346   *****b93a  

After the new key is generated, the vEdge router sends it immediately to all its DTLS or TLS peers, and they begin using it as soon as they receive it. Note that the old compromised SPI (256) will continue to be used for a short period of time, until it times out.

To stop using the compromised key immediately, issue the request security ipsec-rekey command twice, in quick succession. This sequence of commands removes both SPI 256 and 257, and sets the key to 258. Note, however, that some packets will be dropped for a short period of time, until all the remote vEdge routers learn the new key.

vEdge# request security ipsec-rekey
vEdge# request security ipsec-rekey
vEdge# ipsec local-sa
                                          SOURCE           SOURCE             
TLOC ADDRESS     TLOC COLOR       SPI     IP               PORT    KEY HASH   
------------------------------------------------------------------------------
172.16.255.15    lte              258     10.1.15.15       12346   *****b93a  

Change the Size of the Anti-Replay Window

IPsec authentication provides anti-replay protection by assigning a unique sequence number to each packet in a data stream. This sequence numbering protects against an attacker duplicating data packets. With anti-replay protection, the sender assigns monotonically increasing sequence numbers, and the destination checks these sequence numbers to detect duplicates. Because packets often do not arrive in order, the destination maintains a sliding window of sequence numbers that it will accept.

s00082.png

Packets with sequence numbers that fall to the left of the sliding window range are considered old or duplicates, and the destination drops them. The destination tracks the highest sequence number it has received, and adjusts the sliding window when it receives a packet with a higher value.

s00083.png

By default, the sliding window is set to 512 packets. It can be set to any value between 64 and 8192 that is a power of 2 (that is, 64, 128, 256, 512, 1024, 2048, 4096, or 8192). To modify the anti-replay window size, use the replay-window command, specifying the size of the window:

vEdge(config)# security ipsec replay-window  number

The configuration looks like this:

security
  ipsec
    replay-window number
  !
!

If QoS is configured on a vEdge router, that router might experience a larger than expected number of packet drops as a result of the IPsec anti-replay mechanism, and many of the packets that are dropped are legitimate ones. This occurs because QoS reorders packets, giving higher-priority packets preferential treatment and delaying lower-priority packets. To minimize or prevent this situation, increase the size of the anti-replay window.