Solving Network Complexity: Why Overlays Are Not the Answer



By Special Guest Sorell Slaymaker | January 18, 2017

Given the demands of the modern enterprise, it seems impractical that current IP networks would be built upon the same fundamental technologies that were established 20 years ago – yet they are. Today’s IP networks are powered by decades-old routing technology with bolt-on functionalities, such as firewalls, tunnels, load balancers, and overlays that add unprecedented complexity and create new vulnerabilities.

This duct-tape approach to routing is increasingly hard to manage, leading to costly network outages and frequent data breaches. Overlay networks, and IPsec overlays in particular, have grown too complex, too fragile, and too expensive to deliver the security, control, and agility needed to handle cloud, mobile, and IoT applications – let alone the demands of future applications and use cases.

So, what’s an enterprise to do? To be successful in today’s environment, organizations need to rethink routing. They need to stop relying on tunnel-based overlays, and instead infuse session intelligence throughout the network. A session-oriented router can streamline the network, eliminating complexity created by middleboxes and overlay technologies, while providing end-to-end policy and security.

For an enterprise, service provider, or cloud service provider to weather today’s IP networking storm, it is critical to first understand why overlay technologies are responsible for today’s network fragility and complexity.

Overlay Networks = Complexity

An overlay network is a logical network built on top of an existing physical or virtual network or networks.

Overlay networks are used to augment Ethernet or IP networks to deliver deterministic forwarding, network virtualization, security, and segmentation across networks. To do this, overlay networks typically utilize tunneling protocols such as IPsec, MPLS, and VxLAN to enforce a desired traffic behavior. Unfortunately, these tunnel-based overlays have a number of drawbacks, including performance overhead, complexity at scale, and network visibility challenges.

To get a better sense of the limitations associated with overlay techniques, let’s take a closer look at IPsec overlays, as they provide a representative example of most overlay shortcomings.

The Limitations of IPsec Overlays

IPsec overlays are primarily used when enterprises want to interconnect their networks, or when an enterprise uses an untrusted network such as the internet to connect its sites together. However, IPsec in tunnel mode has the following limitations.

IPsec overlays are inefficient. Tunnels can consume anywhere from 5 to 40 percent of available network bandwidth depending on what protocol is being used, whether the traffic is already encrypted, and whether the packet exceeds the maximum length allowed on a link and needs to be fragmented.
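The bandwidth cost above comes from the bytes ESP tunnel mode wraps around every packet, and it depends heavily on packet size and on whether the result still fits the link MTU. The following is an added illustration, not code from the article or from 128 Technology; it models an IPv4 ESP tunnel-mode packet using the standard header, IV, padding and ICV sizes for two common transforms (AES-GCM-128 per RFC 4106 and AES-CBC-128 with HMAC-SHA1-96), which are assumptions chosen for illustration, and it reports the percentage overhead and the number of outer fragments needed.

```python
import math

# Per-transform ESP parameters in bytes (assumed here for illustration; these are the
# standard sizes for the named transforms, but a real SA may negotiate others).
ESP_CIPHERS = {
    # AES-GCM-128 (RFC 4106): 8-byte IV, 16-byte ICV, payload padded to a 4-byte boundary
    "aes-gcm-128": {"iv": 8, "icv": 16, "align": 4},
    # AES-CBC-128 + HMAC-SHA1-96: 16-byte IV, 12-byte ICV, payload padded to the 16-byte block
    "aes-cbc-128-sha1": {"iv": 16, "icv": 12, "align": 16},
}

OUTER_IPV4_HEADER = 20  # tunnel mode prepends a new outer IPv4 header
ESP_SPI_SEQ = 8         # 4-byte SPI + 4-byte sequence number
ESP_TRAILER = 2         # pad-length byte + next-header byte


def esp_tunnel_size(inner_len: int, cipher: str = "aes-gcm-128") -> int:
    """Wire size of an IPv4 ESP tunnel-mode packet carrying an inner packet of inner_len bytes."""
    p = ESP_CIPHERS[cipher]
    # ESP pads so that (payload + padding + trailer) is a multiple of the alignment.
    pad = (-(inner_len + ESP_TRAILER)) % p["align"]
    return (OUTER_IPV4_HEADER + ESP_SPI_SEQ + p["iv"]
            + inner_len + pad + ESP_TRAILER + p["icv"])


def esp_overhead_pct(inner_len: int, cipher: str = "aes-gcm-128") -> float:
    """Added bytes as a percentage of the original (inner) packet size."""
    return 100.0 * (esp_tunnel_size(inner_len, cipher) - inner_len) / inner_len


def ipv4_fragments(packet_len: int, mtu: int = 1500) -> int:
    """Number of IPv4 fragments needed to carry packet_len bytes over a link of the given MTU
    (DF bit clear). Each fragment carries its own 20-byte header and a payload that is a
    multiple of 8 bytes, as required by the fragment offset field."""
    if packet_len <= mtu:
        return 1
    payload_per_fragment = (mtu - OUTER_IPV4_HEADER) // 8 * 8
    return math.ceil((packet_len - OUTER_IPV4_HEADER) / payload_per_fragment)


def overhead_table(sizes=(64, 200, 576, 1400, 1500), mtu=1500):
    """Rows of (inner_len, cipher, wire_len, overhead_pct, fragments) for a few constructed packet sizes:
    64 bytes is a TCP ACK, 200 bytes a G.711 voice packet, 1500 bytes a full-MTU data packet."""
    rows = []
    for cipher in ESP_CIPHERS:
        for n in sizes:
            wire = esp_tunnel_size(n, cipher)
            rows.append((n, cipher, wire, round(esp_overhead_pct(n, cipher), 1), ipv4_fragments(wire, mtu)))
    return rows


if __name__ == "__main__":
    print(f"{'inner':>6} {'cipher':<18} {'wire':>6} {'ovh%':>6} {'frags':>5}")
    for n, cipher, wire, pct, frags in overhead_table():
        print(f"{n:>6} {cipher:<18} {wire:>6} {pct:>6} {frags:>5}")
```

Small packets such as voice sit at the high end of the range the article quotes, while full-size data packets pay a few percent but no longer fit a 1500-byte MTU and get fragmented, which is the second cost the paragraph mentions.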

IPsec overlays are difficult to scale. In an IPsec overlay, a router or firewall must maintain IPsec tunnel state and have the computing resources to encrypt the traffic. For small to medium implementations, this is usually not a challenge. However, as the size of the network grows, the network architecture, number of sites involved, the number of links per site, and the number of sub-networks per site can create significant scalability obstacles. For example, even mid-sized enterprises can have thousands of sites with many endpoints per site, and will often attempt to connect them all in a point-to-point (any-to-any) fashion. Creating and maintaining thousands of IPsec tunnels across a full mesh consumes significant router or firewall resources, and substantial operational cycles to manage.
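To see how the factors listed above (sites, links per site, sub-networks per site, topology) multiply into tunnel and security-association state, here is an added model, not from the article or from 128 Technology. It assumes a simplified policy-based IPsec design in which every link at one site is paired with every link at the peer site and each (local subnet, remote subnet) selector pair negotiates its own child SA pair; route-based (VTI) designs hold one SA pair per tunnel instead, which the model notes but does not compute.

```python
from math import comb


def full_mesh_tunnels(sites: int, links_per_site: int = 1) -> int:
    """Total tunnels in a full mesh where each link at site A pairs with each link at site B."""
    return comb(sites, 2) * links_per_site ** 2


def hub_and_spoke_tunnels(sites: int, links_per_site: int = 1) -> int:
    """Total tunnels with one hub site and (sites - 1) spokes."""
    return (sites - 1) * links_per_site ** 2


def per_router_state(sites: int, links_per_site: int = 1, subnets_per_site: int = 1) -> dict:
    """Tunnels and child SAs a single router must hold, by its role.
    Policy-based IPsec (assumed here): one SA pair (inbound + outbound) per tunnel per
    (local subnet, remote subnet) selector pair. A route-based design would instead hold
    2 SAs per tunnel regardless of subnet count."""
    link_pairs = links_per_site ** 2
    selector_pairs = subnets_per_site ** 2
    roles = {
        "full-mesh": (sites - 1) * link_pairs,  # every router peers with every other site
        "hub": (sites - 1) * link_pairs,        # the hub terminates every spoke
        "spoke": link_pairs,                    # a spoke only reaches the hub
    }
    return {role: {"tunnels": t, "child_sas": t * selector_pairs * 2} for role, t in roles.items()}


def scaling_table(site_counts=(10, 100, 1000), links_per_site=2, subnets_per_site=3):
    """Rows of (sites, mesh_tunnels, hub_spoke_tunnels, mesh_sas_per_router, spoke_sas_per_router)."""
    rows = []
    for n in site_counts:
        state = per_router_state(n, links_per_site, subnets_per_site)
        rows.append((n, full_mesh_tunnels(n, links_per_site), hub_and_spoke_tunnels(n, links_per_site),
                     state["full-mesh"]["child_sas"], state["spoke"]["child_sas"]))
    return rows


if __name__ == "__main__":
    print("sites  mesh_tunnels  hub_tunnels  mesh_SAs/router  spoke_SAs/router")
    for row in scaling_table():
        print("{:>5}  {:>12}  {:>11}  {:>15}  {:>16}".format(*row))
```

The quadratic growth in total tunnels is the well-known part; the point the paragraph makes is that the state on each individual router in a mesh also grows with the site count, whereas a spoke in a hub-and-spoke design stays flat and only the hub carries the load.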

IPsec overlays offer limited control and visibility. Because current routing technology has no understanding of sessions, and advanced network functions such as firewalls and load balancers have incomplete concepts of sessions, operators have no control over or visibility into the traffic within the IPsec tunnel.

Session-Oriented Routing to the Rescue

A session is a two-way exchange of information composed of related flows in both directions, much like a phone call. Today, almost every network involves bi-directional sessions to move packets, and nearly all of the advanced service functions that have emerged, like firewalls, load balancers, WAN optimization, etc., are required to have an understanding of and control over network sessions.

A stateful session-oriented router controls traffic end-to-end, making packet transmission fundamentally simpler and more transparent, all while offering benefits like improved security, control, and agility. Using sessions enables deterministic routing that dynamically optimizes how and where packets travel through the network. Session management has traditionally been done higher up the OSI stack by the endpoints communicating with each other, which are not aware of the other sessions on the network. Layer 3 session awareness enables the router to dynamically manage all sessions going across a network in an intelligent way and provide end-to-end visibility, even across network boundaries with network address translation.

Unlike IPsec overlays, stateful session-oriented routing operates more efficiently by not adding upfront addressing and sequencing overhead to every packet in a flow. While existing routers require the overhead because they are stateless and need to route each packet as a new one, the only overhead added in session-oriented routing is the encryption information (if the session needs to be encrypted at the network level).
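The two sections above rest on one idea: a session is both directions of a flow treated as a single unit of state, and a device that tracks that state can apply policy to the session rather than to each packet. The following is an added toy illustration, not the article's or 128 Technology's code, of how a session-oriented device differs from a stateless packet forwarder. It canonicalises a 5-tuple so that A-to-B and B-to-A packets share one key, admits the reverse direction because the forward direction opened the session, and refuses to open sessions that policy does not allow. The packet list and policy are constructed sample data.

```python
from collections import namedtuple

Packet = namedtuple("Packet", "src sport dst dport proto")


def session_key(pkt: Packet) -> tuple:
    """Canonical key shared by both directions: order the two endpoints so that
    (A:a -> B:b) and (B:b -> A:a) produce the same tuple."""
    lo, hi = sorted([(pkt.src, pkt.sport), (pkt.dst, pkt.dport)])
    return (pkt.proto, lo, hi)


def process(packets, allowed_initiations):
    """Run packets through a toy stateful session table.
    allowed_initiations is a set of (dst, dport, proto) that may open a new session.
    Returns (table, verdicts): a packet is allowed if it belongs to an existing session
    in either direction, or if it opens a session the policy permits; otherwise denied."""
    table = {}
    verdicts = []
    for i, pkt in enumerate(packets):
        key = session_key(pkt)
        entry = table.get(key)
        if entry is None:
            if (pkt.dst, pkt.dport, pkt.proto) not in allowed_initiations:
                verdicts.append("deny")   # unsolicited packet, no session and not permitted to start one
                continue
            entry = table[key] = {"initiator": (pkt.src, pkt.sport), "fwd": 0, "rev": 0, "first_seen": i}
        # Count by direction relative to whoever opened the session.
        if (pkt.src, pkt.sport) == entry["initiator"]:
            entry["fwd"] += 1
        else:
            entry["rev"] += 1
        verdicts.append("allow")
    return table, verdicts


def stateless_flow_count(packets) -> int:
    """What a per-packet forwarder sees: each distinct 5-tuple is a separate, unrelated flow."""
    return len({(p.src, p.sport, p.dst, p.dport, p.proto) for p in packets})


# Constructed sample: an HTTPS exchange, a DNS lookup, then an unsolicited inbound SSH packet.
SAMPLE = [
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp"),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp"),
    Packet("10.0.0.5", 53000, "10.0.0.2", 53, "udp"),
    Packet("10.0.0.2", 53, "10.0.0.5", 53000, "udp"),
    Packet("10.0.0.5", 40000, "203.0.113.10", 443, "tcp"),
    Packet("203.0.113.10", 443, "10.0.0.5", 40000, "tcp"),
    Packet("198.51.100.7", 5555, "10.0.0.5", 22, "tcp"),
]

# Constructed policy: sessions may only be opened towards these services.
POLICY = {("203.0.113.10", 443, "tcp"), ("10.0.0.2", 53, "udp")}


if __name__ == "__main__":
    table, verdicts = process(SAMPLE, POLICY)
    print(f"stateless view: {stateless_flow_count(SAMPLE)} flows; session view: {len(table)} sessions")
    for key, entry in table.items():
        print(key, entry)
    print("verdicts:", verdicts)
```

The same eight packets are five unrelated flows to a stateless forwarder but two sessions plus one rejected attempt to a session-aware device, which is the visibility and control gap the IPsec-overlay section describes.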

Also, with a dynamic, stateful session-oriented approach to networks, enterprises can utilize routers, tenants, and services to handle millions of different secured sessions. Overlays do not scale as the number of sites, links, and tenants increases.

While IPsec overlays are static and cannot adapt when network congestion and other events occur in a dynamic manner, session-oriented routing provides intelligent, native load balancing, security, network control, and analytics that traditional packet- and flow-based routers cannot.

By rethinking routing with a session orientation, overlays can be eliminated and still enforce path selection and segmentation. Zero trust security and adaptive encryption can still be offered. Applications can be more tightly aligned with the underlying network capabilities. Many simultaneous sessions can be managed dynamically and intelligently end to end. In short, a network can be created that is fundamentally simpler, smarter, more secure, and more transparent.

Sorell Slaymaker is product evangelist at 128 Technology (

Edited by Stefania Viscusi