Secure Access to SONiC Switch w/ IPSec & StoneWork

StoneWork | An IPSec Appliance

Our portfolio is steadily growing. Our latest addition to the family is StoneWork.

Here, StoneWork enables you to securely and remotely access your management plane.

StoneWork is a solution which, thanks to its modular architecture, enables you to combine multiple CNFs from the portfolio, using only one data-plane, to increase the overall throughput, while keeping rich functionality.

One of the many features of StoneWork is IPSec, which we will talk about in this post.

StoneWork IPSec + SONiC

This case study briefly describes, how the StoneWork IPsec appliance can be used on your SONiC enabled switch to secure & tunnel your OOB management SONiC interface.

Stonework is part of our portfolio. It is an enhanced VPP distribution, which serves as an all-in-one switch/router/firewall.

Stoneworks (IPSec) test setup by

If you are interested in the deployment script, click here to contact us!

In this demonstration, two SONiC OS instances are provisioned to represent two IPSec gateways. But instead of actual physical switches, each SONiC OS runs inside a Docker container with a P4-simulated SAI behavioral model software switch ASIC underneath.

This P4 ASIC is also running as a separate container, to keep the emulated physical interfaces separated from kernel-space ports. A link between the ASIC and SONiC container is a network namespace reference /var/run/netns/sw_net that P4 ASIC expects to point to ASIC container from the filesystem of the SONiC container.

On top of that, there is a StrongSwan appliance running in a container, using the same network namespace as SONiC for the sake of AF_PACKET. In total there are three containers to represent one switch.

In-between the switches there is a “bridge” container, used only to capture traffic and verify that it is indeed encrypted. On the opposite side of switches, there are containers representing hosts – one is used as a TCP client, the other as a server.

What is SONiC?

SONiC is a Linux-based, network operating system, available as an open-source project, meant for network routers & switches.

The architecture is similar to that of OpenDaylight or – it is composed of modules, on top of a centralized infrastructure, which is easily scalable.

Its main benefits are the usage of the Redis-engine infrastructure & placement of modules into Docker containers. The primary functional components are DHCP-Relay, PMon, SNMP, LLDP, BGP, TeamD, Database, SWSS, SyncD.

SONiC covers all the components needed for a complete L3 device. Its main use-case presents a cloud-data center, with the possibility of sharing software stacks among different platforms. Currently, over 100 platforms are officially supported.

An important concept of SONiC is that it does not interact with the hardware directly. Instead, its programs switch ASIC via the vendor-neutral Switch Abstraction Interface or SAI for short.

This approach, on one hand, allows maintaining vendor independence, while decoupling the network software and hardware. On the other hand, it creates boundaries on what can be performed with the underlying networking hardware.

Categorized as Blog


Here you can find our very own blog posts, Slovak software know-how and other news from research & development in networking sphere. These posts are primarily focusing on network technologies and prototype software which we provide to customers world-wide through various projects.

View all of's posts.