Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A method is performed by an access router of an enterprise network including a first edge router to communicate with a second edge router over a wide area network (WAN). The method includes receiving a packet from a first endpoint, receiving from a mapping service a network location of a second edge router for which the packet is destined and a security association (SA) to encrypt the packet from the access router to the second edge router, and generating for the first edge router one or more path selectors for WAN path selection. The method includes encrypting the packet using the SA, and adding to the encrypted IP packet, in clear text, the path selectors and outer encapsulation including the network location, to produce an encrypted tunnel packet. The method also includes forwarding the encrypted tunnel packet to the second edge router via the first edge router and the WAN.

Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.

Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A method may include receiving a hub ID configuration preference message from a control device, wherein the hub ID configuration preference message includes an order in which to connect to network hubs that are associated with the hub IDs; selecting the first hub ID from the hub ID configuration preference message based on the first connection priority having a higher priority as compared to the second connection priority; identifying a first set of network hubs that are associated with the first hub ID; establishing a connection with at least one network hub associated with the first hub ID; in response to identifying a triggering event, selecting the second hub ID from the hub ID configuration preference message; identifying a second set of network hubs that are associated with the second hub ID; and establishing a connection with at least one network hub associated with the second hub ID.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A method is performed by an access router of an enterprise network including a first edge router to communicate with a second edge router over a wide area network (WAN). The method includes receiving a packet from a first endpoint, receiving from a mapping service a network location of a second edge router for which the packet is destined and a security association (SA) to encrypt the packet from the access router to the second edge router, and generating for the first edge router one or more path selectors for WAN path selection. The method includes encrypting the packet using the SA, and adding to the encrypted IP packet, in clear text, the path selectors and outer encapsulation including the network location, to produce an encrypted tunnel packet. The method also includes forwarding the encrypted tunnel packet to the second edge router via the first edge router and the WAN.

Abstract: A method may include receiving a hub ID configuration preference message from a control device, wherein the hub ID configuration preference message includes an order in which to connect to network hubs that are associated with the hub IDs; selecting the first hub ID from the hub ID configuration preference message based on the first connection priority having a higher priority as compared to the second connection priority; identifying a first set of network hubs that are associated with the first hub ID; establishing a connection with at least one network hub associated with the first hub ID; in response to identifying a triggering event, selecting the second hub ID from the hub ID configuration preference message; identifying a second set of network hubs that are associated with the second hub ID; and establishing a connection with at least one network hub associated with the second hub ID.

Abstract: A method may include receiving a hub ID configuration preference message from a control device, wherein the hub ID configuration preference message includes an order in which to connect to network hubs that are associated with the hub IDs; selecting the first hub ID from the hub ID configuration preference message based on the first connection priority having a higher priority as compared to the second connection priority; identifying a first set of network hubs that are associated with the first hub ID; establishing a connection with at least one network hub associated with the first hub ID; in response to identifying a triggering event, selecting the second hub ID from the hub ID configuration preference message; identifying a second set of network hubs that are associated with the second hub ID; and establishing a connection with at least one network hub associated with the second hub ID.

Abstract: A method may include receiving a hub ID configuration preference message from a control device, wherein the hub ID configuration preference message includes an order in which to connect to network hubs that are associated with the hub IDs; selecting the first hub ID from the hub ID configuration preference message based on the first connection priority having a higher priority as compared to the second connection priority; identifying a first set of network hubs that are associated with the first hub ID; establishing a connection with at least one network hub associated with the first hub ID; in response to identifying a triggering event, selecting the second hub ID from the hub ID configuration preference message; identifying a second set of network hubs that are associated with the second hub ID; and establishing a connection with at least one network hub associated with the second hub ID.

Abstract: In some examples, an example method to provide an IPsec anti-replay window with quality of service (QoS) at a first network endpoint may include configuring a multiple number of anti-replay windows, generating a first security association (SA), and establishing the first SA with a second network endpoint. The first SA may include a first multiple number of security parameter indexes (SPIs), where each of the first multiple number of SPIs may be assigned to a specific QoS level, and each of the first multiple number of SPIs may be assigned to one of the multiple number of anti-replay windows. Establishing the first SA with the second network endpoint may include assigning the first SA to a first encryption key, and providing the first encryption key to the second network endpoint.

Abstract: A method may include determining, by a first network device, a type of control channel to open across a transport in a software-defined network (SDN). The method may also include establishing the control channel with a control device via a control plane that is separate from a data plane. The method may further include advertising first security association parameters to the control device via the control channel. The method may include receiving, from the control device via the control channel, second security association parameters associated with a second network device. The method may also include establishing a data plane connection with the second network device using the second security association parameters.