vIPtela Brings SDN & Security to the Disaggregated WAN
Startup vIPtela sees an opportunity in using software-defined networking (SDN) principles to unify WAN connectivity. It is announcing its products today, claiming that it is in production with at least one large enterprise and running proofs-of-concept with three others.
The company’s goal is to unify the disparate WAN choices that the enterprise now has: VPNs, straight Internet access, and wireless connectivity. Networks were built for a time when MPLS-based VPNs were the only option. VIPtela wants to apply the principles of virtualization to make it easier to bring the other choices into the fold.
That might sound familiar, as startup CloudGenix launched last week, also targeting the WAN. VIPtela’s launch is more anticipated, however, as it made waves in December when AllThingsD reported the startup had raised $33 million, all of it from Sequoia Capital.
VIPtela also has an obsession with security that CloudGenix might not match. (CloudGenix hasn’t fully explained its technology yet, so any comparisons would be mismatched at the moment.)
Layer 3 and Security
Traffic is shifting off of VPNs partly because it’s no longer originating at the branch office and going straight to one data center. It’s coming from practically anywhere (thanks to mobility) and could be going to public and/or private clouds.
VIPtela’s Secure Extensible Network (SEN) uses Layer 3 tunnels to make all these options accessible. This requires two pieces: the vEdge router running at the points being connected (the branch office or the data center, for instance) and the vSmart controllers, running on x86 hardware, probably in a data center. Overseeing the pieces is network management software called (guess what) the vManage Network Management System.
“At a high level, this looks like any SDN architecture, where you have a controller and a bunch of routing devices,” says Ramesh Prabagaran, vIPtela’s vice president of product management. VIPtela’s use of Layer 3 is a bit different, although not unique (Contrail, now owned by Juniper, applies a Layer 3 SDN architecture). The bigger difference is the obsession with security, because any time traffic diverts from an MPLS VPN, security becomes an issue.
VIPtela’s tunnels use IPsec, and they can scale in a way that IPsec could not, vIPtela claims. The culprit has always been the signaling behind IPsec’s Internet Key Exchange (IKE), Prabagaran says. VIPtela gets around that by having routers use a secure channel to send information to the controllers about the next IPsec key; it’s the same channel that’s being used to send next-hop information.
So, if two vEdges are communicating, each one is sending key information to the vSmart controller. That distributes the problem so that every edge device isn’t trying to exchange keys with every other device.
When it’s possible, vIPtela can change WAN transport options dynamically based on policy — avoiding a particularly expensive MPLS connection unless necessary, for example.
Reworking the WAN
The message behind vIPtela and CloudGenix is that startups think the WAN is ripe for redefining. VIPtela was founded in 2012 after the founding team — including CEO Amir Khan, formerly of Juniper, and CTO Khalid Raza, a former distinguished engineer at Cisco — got wind of the trend.
They spent that summer honing the idea by talking to prospective customers. By that time, OpenFlow had emerged as a means of virtualizing network connectivity, but vIPtela decided to stick with its Layer 3 plans. Sequoia came calling during that time (vIPtela officials say they hadn’t approached the VC firm themselves) and provided $33.5 million in two funding rounds.