Wednesday, March 7, 2012
Software Defined Networks
Customers have gained significant savings as result of compute and storage virtualization. However, additional efficiencies in cloud data centers have reached a barrier. Reaping more savings go beyond the scope of today’s data center networks. The external physical network -- while excellent at forwarding packets – is a costly restriction to realizing full capabilities. The current network routing and switching configurations have placed limits on the success of compute and storage virtualization.
Network operations are overly complicated. They are a fragile systems constructed from thousands of individual devices tied together by vendor-specific interfaces but without an interface for network-wide controls. In a typical Interned-based net a transaction may be handled by anywhere from eight to twenty-five “hops” before it arrives at its destination. As result the network requires expensive hardware synchronization while binding network management to a particular vendor.
While a transaction traverses over the multi-step Internet, it is vulnerable. For instance, the passage over multiple routers exposes it to attacks such as: promiscuous mode corruption; router table misdirection; router information mistakes; shortest path faults; border gateway miscalculations and border gateway poisoning. Passing it through a multiplicity of switches makes it open to attacks such as: flooding attacks; address resolution spoofing; “man-in-the-middle” attacks; denial of service; switch hijacking; spanning tree attacks; root claims; forcing external root election and VLAN hopping.
Just as server virtualization decouples and isolates the computing from the underlying hardware, network virtualization decouples network services from the underlying physical network routers and switches. Such virtualization then enables the creation of software- defined networks. Such networks can be centrally managed across the entire connection map so that security policy can be uniformly applied.
A Network Virtualization Platform (NVP) software then makes it possible to takes over an entire networking environment and places it into a managed virtual space. It transforms the physical network, defined by a diversity of Internet protocols, into a standard pool of network capacity. This is comparable to what happens when a server hypervisor in a data center transforms physical servers into a pool of computing capacity. Decoupling virtual networks from the physical hardware of routers and switches to allow customers to scale the pool of network capacity without affecting the physical networks operating below it.
When relegated to delivering simple IP connectivity of packets, the demand on the physical network is reduced because the paths of a transaction are managed to traverse preferred circuits. The requirements for many specialized hardware features are eliminated because the virtual network is now managed as a controlled environment that operates with uniform standards. Hardware capacity can be added in a virtual format without affecting the performance of the entire network that will now operate decoupled from the physical infrastructure.
Virtualization of Internet networks will be one of the most significant transformations of IT in the near future. It will deliver both business efficiency as well as the vulnerability of networks to cyber attacks. Network virtualization will removes existing barriers by enabling the creation of scalable configurations that are separate from the underlying physical network. This will make possible to form new network services through software, rather than through upgrading hardware in the entire chain of transactions.
With about 6,000 physical locations that DoD networks must reach, assuring secure hardware interoperability of perhaps as many as 60,000 routers and switches is a task that is not manageable.
Once virtualized, the physical network is used only for packet forwarding and not for routing or switching. Virtual networks are then programmatically created on top of the physical networks. Virtual networks can operate independently from the underlying hardware, offering features that assure information security.
As a software solution, NVP creates an intelligent abstraction layer between end hosts and any existing network. Managed by a separate controller server this transforms the network into clusters of controlled communication capacity. It enables centrally managed control software to create tens of thousands of isolated virtual networks that are endowed with uniform capabilities to execute quickly policy-level directives. Such speed greatly increases information assurance because there will be always attacks that standard firewalls and virus protection will not be able to counter-act.
The existing physical network, populated with a variety of codes and procedures makes it possible attackers to corrupt operations of routers and switches because the software that is already installed on thousands of network devices can be corrupted. For instance, routers that are located on the path of statistically indeterminate “hops” can be tampered with, from where further security compromises can then spread. The number of possible misrouting is enormous.
The new software defined network is presently available from a number of vendors. Such software, sited at cloud hubs, then orchestrates and delivers the virtual networks and network services on top of the physical fabric. Customers can then program network service features on top of the physical network, rather than directly configure each node, one element at a time.
A software-defined network can be deployed non-disruptively on existing networks without changing hardware, or it can be used with next generation network fabric architectures from any vendor. This allows the programmatic creation of isolated virtual networks, each of which maintains its own address space, statistics counters, quality-of-service, security configurations, and other higher-level network services. The time it takes to deploy secure applications in the cloud goes from weeks to minutes and the process goes from manual to automatic.
Networking must evolve a virtualization layer that decouples workloads from the physical network. Until this happens, the full potential of compute virtualization will remain unrealized. Traditional networking approaches are not well suited for this task.
A Distributed Virtual Network Infrastructure (DVNI) provides a network virtualization architecture that addresses the shortcomings of traditional network approaches, providing a host of virtualization benefits, such as isolation, mobility, scalability, dynamic provisioning without restriction, and hardware independence. As a result, this approach is taking hold in the world’s largest virtualized data centers.
Implementation of DVNI is not feasible with close to 700 data centers and 15,000 networks in DoD. Large-scale consolidations will have to be phased with simultaneous migration to controlled Internet connectivity.