This Industry Viewpoint was authored by Dan Joe Barry, vice president of marketing, Napatech.
Gigaom Research reports that software-defined networking (SDN) and network functions virtualization (NFV) represent two of the more dramatic oncoming technology shifts in networking. Both will significantly alter network designs, deployments, operations and future networking and computing systems. Key drivers include improved network service levels and lower operating and capital costs.
That’s good news for the telecom industry, whose overall assessment is that the migration to SDN and NFV will breathe new life into traditional network configurations through greater agility and flexibility. As network speeds increase, however, performance will be an issue.
Network appliances provide the real-time insight needed to continuously monitor, collect and analyze traffic for management and security purposes. Appliances can be virtualized, but the same constraints that affect the performance of physical appliances will also affect virtual ones.
Those hoping to span the gap between the networks they now have and those on the horizon can use virtualization-aware appliances, which provide real-time insight using analysis acceleration. This enables event-driven automation of policy decisions and real-time reaction to those events, thereby allowing the full agility and flexibility of SDN and NFV to unfold.
SDN and NFV: Re-Examining the Standards
For most telecom carriers, managing SDN and NFV is difficult in light of the considerable investments they have made in Operations Support Systems (OSS)/Business Support Systems (BSS) and infrastructure. This must now be adapted not only to SDN and NFV, but also to Ethernet and IP networks.
This adaptation must occur because most of the OSS/BSS systems are based on the Fault, Configuration, Accounting, Performance and Security (FCAPS) model of management first introduced by ITU-T in 1996 – almost 20 years ago. This concept was simplified to Fault, Assurance and Billing (FAB). Management systems tend to focus on one of these areas and often do so in relation to a specific part of the network or technology, such as optical access fault management.
Using FCAPS and FAB is problematic because they were designed for traditional, voice-centric networks built on Plesiochronous Digital Hierarchy (PDH) and Synchronous Digital Hierarchy (SDH). These were static, engineered, centrally controlled and planned networks whose protocols provided rich management information, which is what made centralized management possible.
However, attempts have been made to fit Ethernet and IP into these management concepts. For example, Call Detail Records (CDRs) have been used for billing of voice services, so the natural extension of this concept is to use IP Detail Records (IPDRs) for billing of IP services. These detail records (collectively, xDRs) are typically collected in 15-minute intervals, which is sufficient for billing, since billing does not, in most cases, need to be real-time. However, xDRs are also used by other management systems and solutions as a source of information for making decisions.
Here’s the problem: Ethernet and IP networks are completely different from traditional telecom networks, which do not change in a 15-minute interval since they are centrally controlled and engineered. Ethernet and IP are dynamic and bursty by nature. Because the network makes autonomous routing decisions, traffic patterns on a given connection can change from one IP packet or Ethernet frame to the next. When you consider that Ethernet frames in a 100 Gbps network can be transmitted with as little as 6.7 nanoseconds between each frame, you begin to understand the significant distinction when working with a packet network.
Not much management information is forthcoming from Ethernet and IP, which is another problem. If a carrier wants to manage a service provided over Ethernet and IP, they need to collect all the Ethernet frames and IP packets related to that service and reassemble the information to get the full picture. While switches and routers could be used to provide this kind of information, it became obvious that continuous monitoring of traffic in this fashion would impact switching and routing performance. Hence, the introduction of dedicated network appliances that could continuously monitor, collect and analyze network traffic for management and security purposes.
Appliances for Ethernet and IP Networks
Because all Ethernet frames and IP packets need to be collected and reassembled to enable effective management of services, network appliances are necessary to manage Ethernet and IP networks effectively. This, in turn, requires continuous monitoring of the network, even at speeds of 100 Gbps, without losing any information. Network appliances provide this capability in real time.
Analysis is not reliable unless all network information is captured and collected by network appliances. Network appliances receive data either from a Switched Port Analyzer (SPAN) port on a switch or router that replicates all traffic, or from passive taps that provide a copy of network traffic. They then need to precisely time stamp each Ethernet frame to allow accurate determination of events and latency measurements for quality of experience assurance. Network appliances also recognize the encapsulated protocols, as well as determine flows of traffic that are associated with the same senders and receivers.
Telecoms widely use appliances for effective, high-performance management and security of Ethernet and IP networks. However, the taxonomy of network appliances has grown outside of the FCAPS and FAB nomenclature. The first appliances were used for troubleshooting performance and security issues but have gradually become more proactive, predictive and preventive in their functionality. The real-time capabilities that all appliances provide make them essential to effective management of Ethernet and IP networks. For this reason, network appliances need to be encompassed in frameworks for managing and securing SDN and NFV.
Appliances to Accelerate Analysis
Built on commercial off-the-shelf servers with standard Network Interface Cards (NICs), appliances of this type are not designed for continuous capture of large amounts of data and tend to lose packets. For guaranteed data capture and delivery for analysis, hardware acceleration solutions are used, such as analysis accelerators, which are intelligent adapters designed for analysis applications.
Designed specifically for analysis, analysis accelerators meet the nanosecond-precision requirements for real-time monitoring. They are similar to NICs for communication but differ in that they are designed specifically for continuous monitoring and analysis of high-speed traffic at maximum capacity. For monitoring of a 10 Gbps bi-directional connection, this means processing 30 million packets per second. Typically, a NIC is designed to process 5 million packets per second; it is very rare that a communication session between two parties would require more than this.
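The two figures quoted in this article (6.7 nanoseconds between frames at 100 Gbps, and 30 million packets per second for a bi-directional 10 Gbps link) both fall out of the same line-rate arithmetic. The following is an added worked example, not code from the article or from Napatech; it assumes standard Ethernet framing (8 bytes of preamble and start-frame delimiter plus a 12-byte inter-frame gap around every frame, 64-byte minimum frame) and generalizes the calculation to any link speed and frame size so that a monitoring budget can be derived for 10, 40 or 100 Gbps.

```python
# Line-rate arithmetic for lossless Ethernet monitoring (added example).
# Assumption: standard Ethernet framing, where every frame on the wire is
# surrounded by a 7-byte preamble, a 1-byte SFD and a 12-byte inter-frame gap.
PREAMBLE_SFD_BYTES = 8
INTER_FRAME_GAP_BYTES = 12
MIN_FRAME_BYTES = 64        # smallest legal frame, including the 4-byte FCS
MAX_FRAME_BYTES = 1518      # untagged maximum; an 802.1Q tag adds 4 bytes


def wire_bits_per_frame(frame_bytes):
    """Bits a single frame occupies on the wire, including preamble, SFD and IFG."""
    return (frame_bytes + PREAMBLE_SFD_BYTES + INTER_FRAME_GAP_BYTES) * 8


def max_frames_per_second(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Worst-case frame rate one direction of a link can carry at full line rate.
    The worst case for a monitoring appliance is the smallest frame size."""
    return link_gbps * 1e9 / wire_bits_per_frame(frame_bytes)


def min_frame_interval_ns(link_gbps, frame_bytes=MIN_FRAME_BYTES):
    """Shortest time between the starts of two consecutive frames at line rate."""
    return 1e9 / max_frames_per_second(link_gbps, frame_bytes)


def monitoring_budget(link_gbps, directions=2, frame_bytes=MIN_FRAME_BYTES):
    """Packets per second an appliance must sustain to see every frame on a
    full-duplex link without loss, and the resulting per-packet time budget
    in nanoseconds if a single core had to handle all of them."""
    pps = directions * max_frames_per_second(link_gbps, frame_bytes)
    return {"packets_per_second": pps, "ns_per_packet_single_core": 1e9 / pps}


if __name__ == "__main__":
    for gbps in (10, 40, 100):
        budget = monitoring_budget(gbps)
        print("%3d Gbps: %.2f ns between 64-byte frames, %.1f Mpps bi-directional, "
              "%.1f ns per packet on one core"
              % (gbps, min_frame_interval_ns(gbps),
                 budget["packets_per_second"] / 1e6,
                 budget["ns_per_packet_single_core"]))
```

For 10 Gbps with minimum-size frames this gives roughly 14.9 million frames per second per direction, so close to 30 million for both directions, against the 5 million packets per second the article cites for a typical NIC; the per-core time budget shows why precise time stamping and load balancing across cores have to be done in hardware rather than in the capturing application.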
For off-load of data pre-processing tasks from the analysis application, analysis accelerators provide extensive functionality. This ensures that as few server CPU cycles as possible are used on data pre-processing and enables more analysis processing to be performed.
Telecom carriers assess the performance of the network in real time as they continuously monitor the network and can get an overview of application and network usage. This information can also be stored directly to disk, again in real time, as it is being analyzed. This is typically used in troubleshooting to determine what might have caused a performance issue in the network. It is also used by security systems to detect abnormal behavior after the fact.
It is possible, however, to detect performance degradations and security breaches in real time. The network data that is captured to disk can be used to build a profile of normal network behavior. By comparing this profile to real-time captured information, it is possible to detect anomalies and raise a flag.
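The approach just described (group captured frames into flows by sender and receiver using their time stamps, build a profile of normal behavior from the data captured to disk, then compare live traffic against that profile) can be shown end to end on a small scale. The following is an added example written for this article, not Napatech's or any appliance vendor's code. The packet records, the one-second interval, the bidirectional 5-tuple flow key and the "mean plus three standard deviations" threshold are all constructed assumptions chosen to make the mechanism visible; a production appliance would work on far larger windows and more features than byte volume.

```python
from collections import defaultdict, namedtuple
from statistics import mean, pstdev

# Constructed packet record (stands in for a time-stamped captured frame; not real data).
Packet = namedtuple("Packet", "ts_ns src_ip dst_ip proto src_port dst_port length")

INTERVAL_NS = 1_000_000_000  # one-second buckets (assumed interval for this example)


def flow_key(pkt):
    """Canonical bidirectional 5-tuple: both directions of one conversation map to
    the same flow, so request and response bytes are profiled together."""
    a = (pkt.src_ip, pkt.src_port)
    b = (pkt.dst_ip, pkt.dst_port)
    lo, hi = sorted([a, b])
    return (pkt.proto, lo, hi)


def bytes_per_interval(packets, interval_ns):
    """Aggregate frame bytes per flow per time bucket, keyed on capture time stamps."""
    buckets = defaultdict(lambda: defaultdict(int))
    for p in packets:
        buckets[flow_key(p)][p.ts_ns // interval_ns] += p.length
    return buckets


def build_baseline(stored_packets, interval_ns):
    """Profile of normal behavior from capture-to-disk data: per-flow mean and
    population standard deviation of bytes per interval."""
    baseline = {}
    for key, per_bucket in bytes_per_interval(stored_packets, interval_ns).items():
        values = list(per_bucket.values())
        baseline[key] = (mean(values), pstdev(values))
    return baseline


def detect_anomalies(baseline, live_packets, interval_ns, k=3.0):
    """Compare live traffic against the profile. Flags any flow/interval whose byte
    count exceeds mean + k * stdev, and any flow that has no baseline at all
    (a new conversation is itself worth a policy decision)."""
    findings = []
    for key, per_bucket in bytes_per_interval(live_packets, interval_ns).items():
        for bucket, observed in sorted(per_bucket.items()):
            if key not in baseline:
                findings.append((key, bucket, observed, None, "no baseline for flow"))
                continue
            avg, sd = baseline[key]
            threshold = avg + k * sd
            if observed > threshold:
                findings.append((key, bucket, observed, threshold, "byte volume above profile"))
    return findings


def sample_stored_packets():
    """Constructed history: one TCP conversation, 1400/1500/1600 bytes per second."""
    pkts = []
    for i in range(9):
        half = [700, 750, 800][i % 3]
        t = i * INTERVAL_NS
        pkts.append(Packet(t + 100, "10.0.0.1", "10.0.0.2", "tcp", 40000, 443, half))
        pkts.append(Packet(t + 500_000, "10.0.0.2", "10.0.0.1", "tcp", 443, 40000, half))
    return pkts


def sample_live_packets():
    """Constructed live window: a 20,000-byte burst, a normal second, and a new flow."""
    t = 100 * INTERVAL_NS
    pkts = [Packet(t + j * 1000, "10.0.0.1", "10.0.0.2", "tcp", 40000, 443, 5000)
            for j in range(4)]
    t2 = 101 * INTERVAL_NS
    pkts += [Packet(t2 + 100, "10.0.0.1", "10.0.0.2", "tcp", 40000, 443, 750),
             Packet(t2 + 200, "10.0.0.2", "10.0.0.1", "tcp", 443, 40000, 750)]
    pkts.append(Packet(t2 + 300, "10.0.0.9", "10.0.0.2", "tcp", 51000, 22, 100))
    return pkts


if __name__ == "__main__":
    profile = build_baseline(sample_stored_packets(), INTERVAL_NS)
    for key, bucket, observed, threshold, reason in detect_anomalies(
            profile, sample_live_packets(), INTERVAL_NS):
        print("flag: %s interval %d observed %d bytes (threshold %s): %s"
              % (key, bucket, observed, threshold, reason))
```

The two flags this produces are the kind of event a policy engine in an SDN or NFV network would act on: the burst on a known flow and the appearance of a flow with no history. Because the flow key is canonical, the second live interval, which splits 1500 bytes across both directions, is correctly judged normal.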
There are several reasons why this capability can be very useful in a policy-driven SDN and NFV network. If performance degradation is flagged, then a policy can automatically take steps to address the issue. If a security breach is detected, a policy can initiate additional security measures and correlation of data with other security systems. It can also go so far as to use SDN and NFV to reroute traffic around the affected area and potentially block traffic from the sender in question.
Network appliances with hardware acceleration provide real-time capture, capture-to-disk and anomaly detection – fundamental capabilities that maximize SDN and NFV performance through a policy-driven framework.
Bridging the Gap: Virtualization-Aware Network Appliances
Network appliances can be used in SDN and NFV environments to provide real-time insight for management and security. But a key question remains: can network appliances be fully virtualized and provide high performance at speeds of 10, 40 or even 100 Gbps?
Because network appliances are already based on standard server hardware with applications that are designed to run on x86 CPU architectures, they lend themselves very well to virtualization. The issue is performance. Virtual appliances are sufficient for low speed rates and small data volumes, but not for high speeds and large data volumes.
Most high-performance appliances use analysis acceleration hardware because even for physical network appliances, performance at high speed is an issue. While analysis acceleration hardware does free up CPU cycles for more analysis processing, most network appliances still use all the CPU processing power available to perform their tasks.
Virtualization is a useful approach, but virtualization of appliances only goes so far. If the data rate and the amount of data to be processed are low, then a virtual appliance can be used, even on the same server as the clients being monitored. However, once the data rate and volume of data increase, the CPU processing requirements for the virtual appliance increase as well. At first, this will mean that the virtual appliance will need exclusive access to all the CPU resources available. But even then, it will run into some of the same performance issues as physical network appliances using standard NIC interfaces with regard to packet loss, precise time-stamping capabilities and efficient load balancing across the multiple CPU cores available.
Network appliances face constraints, whether virtual or physical, and those constraints must be confronted. One way of addressing this issue is to use physical appliances to monitor and secure virtual networks. Virtualization-aware network appliances can be “service-chained” with virtual clients as part of the service definition. This requires that the appliance can identify virtual networks, which today is typically done using VLAN encapsulation, already broadly supported by high-performance appliances and analysis acceleration hardware.
This enables the appliance to provide its analysis functionality in relation to the specific VLAN and virtual network and can be a very useful solution in a practical phased approach to SDN and NFV migration. It is broadly accepted that there are certain high-performance functions in the network that will be difficult to virtualize at this time without resulting in performance degradation. A pragmatic solution is an SDN and NFV management and orchestration approach that takes account of physical and virtual network elements. This means that policy and configuration does not have to concern itself with whether the resource is virtualized or not, but can use the same mechanisms to “service-chain” the elements as required.
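The prerequisite described above, that a physical appliance can attribute each frame to a virtual network from its VLAN encapsulation, comes down to walking the Ethernet header and any stacked tags. The following parser is an added example written for this article, not Napatech's or any vendor's code. It handles untagged frames, single 802.1Q tags and 802.1ad/802.1Q stacked (QinQ) tags, masks off the priority bits so only the 12-bit VLAN ID is used, and refuses truncated frames instead of misattributing them; the MAC addresses, the VLAN-to-tenant table and the test frames are constructed sample data.

```python
import struct

# VLAN-aware frame classification for a virtualization-aware appliance (added example).
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_8021Q = 0x8100   # customer VLAN tag
ETHERTYPE_8021AD = 0x88A8  # service/provider tag used as the outer tag in stacked tagging


def parse_ethernet(frame):
    """Parse an Ethernet header and any stacked VLAN tags.
    Returns (dst_mac, src_mac, [vlan_ids outer->inner], payload_ethertype, payload).
    Raises ValueError on frames too short to contain what they claim."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst_mac, src_mac = frame[0:6].hex(":"), frame[6:12].hex(":")
    offset = 12
    vlan_ids = []
    while True:
        if len(frame) < offset + 2:
            raise ValueError("frame truncated inside the EtherType field")
        ethertype = struct.unpack_from("!H", frame, offset)[0]
        if ethertype not in (ETHERTYPE_8021Q, ETHERTYPE_8021AD):
            break
        if len(frame) < offset + 4:
            raise ValueError("frame truncated inside a VLAN tag")
        tci = struct.unpack_from("!H", frame, offset + 2)[0]
        vlan_ids.append(tci & 0x0FFF)  # VID is the low 12 bits; PCP and DEI occupy the top 4
        offset += 4
    return dst_mac, src_mac, vlan_ids, ethertype, frame[offset + 2:]


def virtual_network_for(frame, vlan_table):
    """Map a frame to a virtual-network name using its innermost VLAN ID.
    vlan_table is a constructed {vid: name} mapping; untagged frames and unknown
    VIDs are reported explicitly so they can be counted rather than silently dropped."""
    _, _, vlan_ids, _, _ = parse_ethernet(frame)
    if not vlan_ids:
        return "untagged"
    return vlan_table.get(vlan_ids[-1], "unknown-vlan-%d" % vlan_ids[-1])


def build_frame(vlan_ids=(), pcp=0, ethertype=ETHERTYPE_IPV4,
                payload=b"\x45" + b"\x00" * 19):
    """Construct a test frame (sample data, not a capture). MACs are arbitrary;
    when several tags are stacked the outer one uses the 802.1ad TPID."""
    hdr = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb")
    tags = b""
    for i, vid in enumerate(vlan_ids):
        tpid = ETHERTYPE_8021AD if (i == 0 and len(vlan_ids) > 1) else ETHERTYPE_8021Q
        tags += struct.pack("!HH", tpid, (pcp << 13) | (vid & 0x0FFF))
    return hdr + tags + struct.pack("!H", ethertype) + payload


# Constructed mapping of VLAN IDs to virtual networks (hypothetical tenants).
VLAN_TABLE = {100: "tenant-a", 101: "tenant-b", 200: "provider-core"}


if __name__ == "__main__":
    for name, frame in [("untagged", build_frame()),
                        ("vlan 100 with PCP 5", build_frame([100], pcp=5)),
                        ("QinQ outer 200 / inner 101", build_frame([200, 101])),
                        ("vlan 300", build_frame([300]))]:
        print("%-28s -> %s" % (name, virtual_network_for(frame, VLAN_TABLE)))
```

Keying on the innermost tag is the assumption that matters here: in a stacked deployment the outer tag identifies the provider path and the inner tag the customer's virtual network, so a per-tenant policy should be driven by the inner one. Frames that arrive untagged or with an unmapped VLAN ID are exactly the cases an operator wants surfaced when validating a service chain.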
A mixture of solutions for management and security, both current and new, is necessary for the introduction of SDN and NFV. These should be deployed under a common framework with common interfaces and topology mechanisms. With this in place, functions can be virtualized when and where it makes sense without affecting the overall framework or processes.
A High-Performance Future
Network performance challenges abound in this new high-speed world. Ensuring real-time, reliable data for management and analytics becomes crucial as SDN and NFV become more commonplace. Management and security require real-time insight, and network appliances can provide it. However, performance constraints apply to virtual appliances just as they do to physical ones, so SDN management must take that into account in order to be effective. Virtualization-aware appliances are a great fit here, meeting today’s network needs while looking to future needs as well.
About the Author:
Daniel Joseph Barry is VP of Marketing at Napatech and has over 20 years’ experience in the IT and Telecom industry. Prior to joining Napatech in 2009, Dan Joe was Marketing Director at TPACK, a leading supplier of transport chip solutions to the Telecom sector. From 2001 to 2005, he was Director of Sales and Business Development at optical component vendor NKT Integration (now Ignis Photonyx) following various positions in product development, business development and product management at Ericsson. Dan Joe joined Ericsson in 1995 from a position in the R&D department of Jutland Telecom (now TDC). He has an MBA and a BSc degree in Electronic Engineering from Trinity College Dublin.