In the Three Paths of Enterprise IT part of Business Aspects of Networking webinar I covered the traditional networking vendor landscape. Let’s try to do the same for SD-WAN.

It’s clear that we have two types of SD-WAN vendors:

Startups claiming to be disruptive while trying to apply lessons their engineers learned in more traditional environments in a clean-slate product design;

Traditional vendors trying to sprinkle fairy dust on their products to be able to slap SD-WAN label on them (Cisco’s DMVPN+PfR+OER+Glue Networks orchestration comes to mind).

If you’ve been in networking long enough, you’ve probably seen what happens when traditional vendors try to “do more with less” and “leverage the investment”. Trying to glue a bunch of software components that were never designed to work together into something that could be called a solution or new technology is never a pretty sight… but do keep in mind that there are no miracles and in most cases you have to deal with either explicit complexity (aka “seeing how the sausage is being made”) or with hidden complexity that will eventually come back to bite you.

One would hope that the startups would come up with better solutions, but it seems that at least in the SD-WAN case a variant of Conway’s Law applies to them - no SD-WAN startup did a perfect job but focused on the aspects that were familiar to its founders. For example, Viptela was really good in solving the routing challenge (while using traditional packet forwarding) while VeloCloud had really interesting packet handling capabilities while trying to ignore the need for routing protocols.

Traditional vendors slapping SD-WAN labels onto their products fall into similar categories:

Router vendors being really good in finding paths across the networks while missing advanced WAN features;

WAN Optimization vendors applying their existing technologies to the WAN transport part of SD-WAN while having mediocre routing implementations;

Firewall vendors relabeling their VPN products while having sub-par routing or WAN transport capabilities.

Not surprisingly, most everybody the got security part of the equation wrong. That’s what happens when you try to enter a complex technology area without understanding what you’re doing and using obsolete versions of open-source libraries in your products because that’s cheaper than investing into people who built good security products in the past (not that there would be too many of them).

Some of the juicy security details can be found in this presentation. Even better, a team of security researchers created SD-WAN New Hope repository listing tons of white papers, presentations from independent security researchers, and their security findings. Fun reading…

I know a poor soul who was involved in SD-WAN pentesting and vendor evaluation. He has nightmares of vendors using key exchange and encryption technologies that were obsoleted for a very good reason by recent IPsec RFCs, but unfortunately cannot share the horror stories due to layers of NDAs he had to sign to get the vendors to spill their (lack of) beans.

Does this landscape look gloomy? Sure it does, but then what did you expect after another gold rush? Can we hope to get something better in the future? I doubt - the most-promising startups have been acquired, and their product architectures are mature enough that they are getting ossified… and being a part of 400-pound gorilla makes it really hard to change things that the gorilla paid big money for. Looks like we’ll have to live with the consequences of another round of disruptive marketing for years.

People are telling me that Viptela is getting better and gradually implementing functionality available in competing SD-WAN products, so there’s still some hope… ;)