View Only
last person joined: 23 hours ago 

Ask questions and share experiences with SD-WAN and Session Smart Router (formerly 128T).

Video: Packet Walkthrough 

04-02-2018 14:23

A 128T router investigates the packet’s headers up through the transport layer to associate related IP packets together as IP sessions. Each IP session has a distinct beginning and end. All packets associated with a session are routed the same way among all 128T devices, and all response packets likewise return the same way; we call this bi-flow.

Packet Walkthrough
When a packet arrives at a 128T, the 128T compares that inbound packets seven-tuple to all sessions that are in progress. The seven-tuple is the combination of:
  • Source IP address
  • Source port
  • Destination IP address
  • Destination Port
  • Transport protocol
  • Ingress interface
  • VLAN tag

This seven-tuple represents the unique session key for a specific conversation between two network hosts. If the session key matches one it’s already seen and processed before, then the 128T applies a set of actions – things like encryption, NAT transformations and the like – and forwards it through the same path it forwarded the rest of the packets in that session.
Alternatively, if the 128T hasn’t seen this session key before, it must be part of a new session. The 128T then performs a lookup on the source IP address, including arriving interface to determine the tenant that the source of this new session belongs to. This is due to the fact that tenants have different routes available to them, and the 128T needs to understand which tenant’s routes apply to the source of this session request.
NOTE: If you are not sure what a tenant is or how a 128T determines which tenant a package belongs to, please check out the Video: Tenancy in 128T. 
Once the 128T determines which tenant a packet belongs to, it then needs to figure out which services that tenant is allowed to access. It does this by taking a look at the FIB table. The 128T matches the destination IP address from the packet using a longest prefix match strategy to search for the forwarding rules for this packet. If there are no applicable forwarding rules available, then the packet is returned with the appropriate ICMP NO ROUTES FOUND. This is part of the 128T’s implementation of Zero Trust Security, meaning you don’t allow anyone to have access to your services unless explicitly granted.
Assuming the FIB lookup produces a positive result, the packet is handed off to a software process that performs a detailed path selection routine to choose the appropriate next hop for this session. This path selection is influenced by a whole variety of factors, including congestion reports from the network, the 128T’s own state knowledge about capacities of the possible destinations, the load balancing policy for the destination service, and other factors,
Once a suitable next hop is chosen, the session key for both the forward and reverse directions are laid into the forwarding engine’s lookup tables, so that subsequent packets follow the same path.
Now the 128T prepares to send the packet to its destination. When the path that the 128T chooses for this session includes other 128T devices, the originator creates some metadata that it sends with the first packet. This metadata is only understood by routers that support 128T technology, and is only included when a previous hop router knows for sure that a downstream router supports 128T metadata. The metadata is used to signal information about a session from one router to another, and includes:
  • The tenant that the 128T has associated with the requestor
  • The name of the service the requestor is attempting to access
  • The original source IP address and port
  • The original destination IP address and port
  • Other policies and controls (as needed) 

The metadata also includes a cryptographic signature using credentials known to both the original 128T Platform and the terminating 128T Platform, so that the receiving 128T Platform can authenticate that the sender is a trusted source. This is another aspect of 128 Technology’s Zero Trust Security enforcement.
The metadata is typically only included once in each direction, within the first packet sent in either direction between two 128Ts. Since IP packets are sometimes dropped or lost, the metadata will be retransmitted with each packet until a backward packet is received. For TCP sessions, this is always the SYN, SYN/ACK exchange; for UDP protocols, it may take several transmissions before the first backward packet is received. The metadata sent in the reverse direction includes various utilization metrics, to be used as input for load balancing (CPU load, memory, active sessions, etc) so that future sessions can be routed optimally.
The packet is then forwarded to the waypoint address of the next 128T platform on the path. That router checks the authentication (signature) and upon a valid result, removes the transit metadata and processes the packet by using the same methods we mentioned before.
All subsequent packets of the session follow this first packet in either the forward direction, or reverse.
And that’s it, that’s how the 128T handles packets that it receives and routes them to the appropriate destinations.  
#packets #Tenants #video #eLearning

0 Favorited
0 Files

Related Entries and Links

No Related Resource entered.