Exam 400-007 topic 1 question 11 discussion

Actual exam question from Cisco's 400-007
Question #: 11
Topic #: 1

SDWAN networks capitalize on the usage of broadband Internet links over traditional MPLS links to offer more cost benefits to enterprise customers. However, due to the insecure nature of the public Internet, it is mandatory to use encryption of traffic between any two SDWAN edge devices installed behind NAT gateways.
Which overlay method can provide optimal transport over unreliable underlay networks that are behind NAT gateways?

  • A. DTLS
  • B. TLS
  • C. IPsec
  • D. GRE
Suggested Answer: C

Comments

The1BelowAll
1 month ago
Selected Answer: C
In my experience in Cisco SD-WAN, IPsec is used for edge to edge. DTLS or TLS is for Edge to controller.
upvoted 2 times
...
Redrum702
6 months, 1 week ago
Answer is A
upvoted 1 times
...
Seawanderer
7 months, 3 weeks ago
Selected Answer: A
• DTLS is designed to provide security for datagram-based applications by allowing them to communicate in a way that prevents eavesdropping, tampering, and message forgery. It is based on TLS, but adapted for use over UDP, which makes it suitable for unreliable networks.
• DTLS supports NAT traversal and can handle the packet loss, reordering, and fragmentation typical of UDP-based communication over public Internet links.
• This makes DTLS an excellent choice for securing SD-WAN traffic over broadband Internet links, especially when NAT gateways are involved.
upvoted 3 times
...
XalaGyan
1 year ago
Selected Answer: A
Guys, please help me understand this question. Keywords are encryption + overlay protocol + SDWAN (no specific Cisco/Viptela hints) + unreliable underlay + NAT.
unreliable underlay = UDP in my head = Datagram
NAT = TLS derivatives or IPsec NAT-T
Overlay: possible options are DTLS and IPsec.
For IPsec I remember to have used encryption accelerator cards, meaning heavy CPU needed.
TLS: I have never had any specific requirements and it worked, hence I assume that it is easier on the CPU and opt for TLS.
Final thought, taking all of the above together, is DTLS, which is a supported overlay, supports unreliable networks by virtue of UDP, and provides encryption. My answer will be A / DTLS. Please share your thoughts on where I went wrong along the path. Thank you.
upvoted 2 times
...
Rim007
1 year, 3 months ago
Selected Answer: C
IPsec is the answer in my opinion, because Viptela uses IPsec between vEdges.
upvoted 2 times
...
namashivaya
1 year, 5 months ago
Selected Answer: C
Edge-to-edge communication: IPsec, be it behind NAT or without NAT. https://www.cisco.com/c/en/us/td/docs/solutions/CVD/SDWAN/cisco-sdwan-design-guide.html#Components
upvoted 4 times
...
Horvoe
1 year, 7 months ago
Selected Answer: C
This actually makes sense https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/security-overview.html
upvoted 2 times
...
bdp123
1 year, 7 months ago
Selected Answer: C
I believe they are referring to protocol between any two edge devices - DTLS or TLS is used between edge device and SMART or vBOND devices and IPSEC is used between edge devices. https://www.cisco.com/c/en/us/td/docs/routers/sdwan/configuration/security/ios-xe-17/security-book-xe/security-overview.html
upvoted 3 times
...
cryptotafkar
1 year, 9 months ago
Selected Answer: A
One of the primary challenges with IPsec is its compatibility with NAT (Network Address Translation). IPsec was designed before NAT became prevalent, and as a result, it can experience difficulties traversing NAT devices. Although there are extensions like NAT-T (NAT Traversal) that help IPsec to work better with NAT, the process can still be more complex and less reliable than DTLS, which was designed with NAT traversal in mind.
upvoted 2 times
...
Community vote distribution: A (35%, most voted), C (25%), B (20%), Other