The New Network
Explore Juniper’s vision for network innovation and how the company and industry are shaping the future with the new network
BobMuglia

Decoding SDN

by BobMuglia ‎01-14-2013 10:26 AM - edited ‎01-15-2013 10:35 AM

For the past year, software defined networking (SDN) has been the buzz of the networking world.  But in many ways, networking has always been defined by software.  Software is pervasive within all of the technology that impacts our lives and networking is no different.  However, networks have been constrained by the way software has been configured, delivered and managed – literally within a box, updated monolithically, managed through command lines that are throw-back to the days of mini-computers and DOS in the 1980’s.

 

The Challenges with Networking Software

Networking software has been a drag on innovation across our industry.  Because each network device must be configured individually – usually manually; literally from a keyboard - networks can’t keep pace with the on the fly changes required by modern cloud systems.  Internet companies like Amazon or Google that dedicate hundreds of engineers to their cloud systems have built their own solution to network configuration but this is not a reasonable approach for most companies to build their private cloud.  As virtualization and the cloud has revolutionized computing and storage, the network has lagged behind.

 

In the service provider world, carriers struggle to configure and manage their networks.  Like Google, they too have built operational support systems to configure their networks but these systems are often 20+ years old and they are crumbling from the burden placed upon them by networking software.  For a service provider, the network is their business, so they must look to networking vendors to introduce new capabilities in order to enable new business opportunities.  Here again, networking software is failing the industry – it is developed as a monolithic, embedded system and there is no concept of an application.  Every new capability requires an update of the entire software stack.  Imagine needing to update the OS on your Smartphone every time you load a new application.  Yet that is what the networking industry imposes on its customers.  What’s worse is that each update often comes with many other changes - and these changes sometimes introduce new problems.  So service providers must carefully and exhaustively test each and every update before they introduce it into their networks. 

 

What is SDN?

Enterprise and service providers are seeking solutions to their networking challenges.  They want their networks to adjust and respond dynamically, based on their business policy.  They want those policies to be automated so that they can reduce the manual work and personnel cost of running their networks.  They want to quickly deploy and run new applications within and top of their networks so that they can deliver business results.  And they want to do this in a way that allows them to introduce these new capabilities without disrupting their business.  This is a tall order but SDN has the promise to deliver solutions to these challenges.  How can SDN do this?  To decode and understand SDN, we must look inside networking software.   From this understanding, we can derive the principles for fixing the problems.  This is what SDN is all about.   

 

Here are six principles of SDN with corresponding customer benefits:

 

  1. Cleanly separate networking software into four layers (planes): Management, Services, Control, and Forwarding - providing the architectural underpinning to optimize each plane within the network.

  2. Centralize the appropriate aspects of the Management, Services and Control planes to simplify network design and lower operating costs.

  3. Use the Cloud for elastic scale and flexible deployment, enabling usage-based pricing to reduce time to service and correlate cost based on value.

  4. Create a platform for network applications, services, and integration into management systems, enabling new business solutions.

  5. Standardize protocols for interoperable, heterogeneous support across vendors, providing choice and lowering cost.

  6. Broadly apply SDN principles to all networking and network services including security - from the data center and enterprise campus to the mobile and wireline networks used by service providers.

The Four Planes of Networking

Inside every networking and security device – every switch, router, and firewall - you can separate the software into four layers or planes.  As we move to SDN, these planes need to be clearly understood and cleanly separated.  This is absolutely essential in order to build the next generation, highly scalable network.

 

networkplanes.jpgForwarding.  The bottom plane, Forwarding, does the heavy lifting of sending the network packets on their way.  It is optimized to move data as fast as it can.  The Forwarding plane can be implemented in software but it is typically built using application-specific integrated circuits (ASIC’s) that are designed for that purpose.  Third party vendors supply ASIC’s for some parts of the switching, routing, and firewall markets.  For high performance and high scale systems, the Forwarding ASIC’s tend to be specialized and each vendor provides their own, differentiated implementation.  Some have speculated that SDN will commoditize switching, routing, and firewall hardware.  However, the seemingly insatiable demand for network capacity generated by thousands of new consumer and business applications creates significant opportunity for differentiation in Forwarding hardware and networking systems.  In fact by unlocking innovation, SDN will allow further differentiation from the vendors who build these systems.

 

Control.  If the Forwarding plane is the brawn of the network, Control is the brains.  The Control plane understands the network topology and makes the decisions on where the flow of network traffic should go.  The Control plane is the traffic cop that understands and decodes the alphabet soup of networking protocols and ensures that the traffic flows smoothly.  Very importantly, the Control plane learns everything it needs to know about the network by talking to its peer in other devices.  This is the magic that makes the Internet resilient to failures, keeping traffic flowing even when a major storm like Sandy brings down thousands of networking devices.

 

Services.  Sometimes network traffic requires more processing and for this, the Services plane does the job.  Not all networking devices have a Services plane – you won’t find this plane in a simple switch.  But for many routers and all firewalls, the Services plane does the deep thinking, performing the complex operations on networking data that cannot be accomplished by the Forwarding hardware.  Services are the place where firewalls stop the bad guys and parental controls are enforced.  They enable your Smartphone to browse the web or stream a video, all the while ensuring you’re properly billed for the privilege.   The Services plane is ripe for innovation.

 

Management.  Like all computers, network devices need to be configured, or managed.  The Management plane provides the basic instructions of how the network device should interact with the rest of the network.  Where the Control plane can learn everything it needs from the network itself, the Management plane must be told what to do.  Today’s networking devices are often configured individually.  Frequently, they are manually configured using an esoteric command line interface (CLI), understood by a small number of network specialists.  Because the configuration is manual, mistakes are frequent and these mistakes sometimes have serious consequences – cutting off traffic to an entire data center or stopping traffic on a cross-country networking highway.  Service providers worry about backhoes cutting fiber optic cables but more frequently, their engineers cut the cable in a virtual way by making a simple mistake in the complex CLI used to configure their network routers or security firewalls.

 

networkdevicessmall.jpgWhile the Forwarding plane uses special purpose hardware to get its job done, the Control, Services, and Management planes run on one or more general purpose computers.  These vary in sophistication and type, from very inexpensive processors within consumer devices to what is effectively a high-end server in larger, carrier-class systems.   But in all cases today, these general purpose computers use special purpose software that is fixed in function and dedicated to the task at hand.  That inflexibility is the root of the issue that has sparked the interest in SDN.

 

If you crawled through the software inside a router or firewall today, you’d find all four of the networking planes.  But with today’s software that networking code is built monolithically without cleanly defined interfaces between the planes.  What you have today are individual networking devices, with monolithic software, that must be manually configured.  This makes everything harder than it needs to be.

 

Centralization

So if today’s networking software is the root of the problem, better software is the solution and that’s where SDN comes in.  How do we go from today’s networking software to a modern architecture?  We start by looking at the way cloud providers build their software.  Amazon, Google, and Facebook use racks of industry-standard, x86 servers running software that is designed to scale-out by adding more servers as the need for capacity increases.  The use of industry standard, x86 hardware combined with scale-out software is how modern, highly available systems are built.


centralized.jpgUnlike most cloud applications, networks are inherently decentralized.  That’s really what networks are all about – moving data from one place to another.  So while Facebook can run in a small number of huge data centers, networks are distributed – throughout a data center, over a campus, within a city, or in the case of the Internet, across the entire planet.  That’s why networks have always been built as a collection of separate, self-contained, individually managed devices.  But centralization is powerful; it is a key principle for SDN and it’s very appropriate to apply centralization to networking software.  However, you can’t take this too far.  Centralization only makes sense within a highly-connected, contained geographic area – for example, within a data center, throughout a campus, or in the case of a service provider, across a city.  Even with this centralization, network devices themselves will remain distributed and they must have local intelligence. 

 

When you add the concept of centralization to networking software, the four planes move around a bit.  Regardless of the number of distributed devices, you’d like to manage the network as a system and Centralized Management does that job.  When you centralize management, it becomes the configuration master; all of the devices keep just a copy.  This is very similar to the way publications work with our Smartphones and tablets.  If you run the New York Times app on your iPad, it pulls down today’s edition.  During the day, it keeps checking for updates and downloads them when they appear.  This is analogous to how Centralized Management works; the full truth lives in the center and only a copy of the configuration data is stored on the networking devices.

 

Services have historically been implemented within each networking and security device but with SDN, Services can move to the center and are performed on behalf of all devices.  However, this only makes sense in a highly-connected, contained geographic area.  If you’re accessing the Internet from your Smartphone, you want to get onto the Internet highway from the city you’re in, not someplace half-way across the country.

 

When SDN enters the picture and some things are centralized, the changes to the Control plane are the most complex.  The control plane is the cop that directs the traffic.  The way the Control plane works is each networking device talks to the networking devices they directly connect with.  They tell each other what they know about the network.  Think about it as an electronic version of smoke signals.  Each device passes information about the network on to the next device.  This works incredibly well in the highly connected, networking world.  Many years of work across the entire networking industry ensure that networks continue to do their job even when things go wrong.  When a major router goes offline, there is a buzz of chatter between the networking devices as they scurry to restructure their view of the network – and keep you connected. 

 

But sometimes having a central, birds-eye view of traffic also makes sense.  That’s where the Centralized Controller comes in.  The Centralized Controller has a broad view of the network and can connect things together in a way that optimizes the overall traffic.  

 

Forwarding is one plane that always stays decentralized in an SDN world.  This makes sense because Forwarding actually moves the data – and this is by-definition decentralized. 

 

Getting from Here to There

So how do we go from today’s fully decentralized networks to a new world where some things are centralized with SDN?  You can’t start with a clean sheet of paper because networks are actively running and must continue to function as SDN is introduced.  SDN is like a remodel; you need to do it one step at a time.  Like most remodels, there is more than one way to get to the SDN result, but here is a reasonable set of steps to reach the goal:

 

Step1.jpgStep 1: Management is the best place to start as this provides the biggest bang for the buck.  The key is to centralize network management, analytics, and configuration functionality to provide a single master that configures all networking devices.  This lowers operating cost and allows customers to gain business insight from their networks.

 

Centralizing Management does several things, each of which provides significant value.  You start by creating a Centralized Management system.  Similar to cloud applications, this centralized management system is packaged in x86 virtual machines (VM’s) running on industry standard servers.  Those VM’s are orchestrated using one of the commonly available orchestration systems such as VMware’s vCloud Director, Microsoft System Center, or OpenStack.  

 

In the case of the service provider, their operational and business systems connect to the centralized management VM’s which configure the network.  Similarly within a data center, that same data center orchestration system (VMware vCloud Director, OpenStack, etc.) can now directly manage the network.

 

Configuration is performed through published API’s and protocols; where possible these protocols are industry-standard.  As SDN is still nascent, industry standard protocols are still emerging but it is very important that moving forward these standards get created.

 

Networking and security devices generate huge amounts of data about what is happening across the network.  Much can be learned by analyzing this data and like other aspects of business, “Big Data” analytics techniques applied to networking and security data can transform our understanding of business.

 

Step2.jpgPulling management from the network device into a centralized service provides the first step to creating an application platform.  Of greatest urgency is simplifying the connection to the operational systems used by enterprises and service providers.  But as this platform takes shape, new applications will emerge.  The analytics provides insight into what’s happening within the network, enabling better business decisions and new applications which will dynamically modify the network based on business policy.  Centralized management enables changes to be performed quickly - enabling service providers to try out new applications, packages and plans, quickly expanding those that work and dropping those that don’t.  In fact, like other new platforms we’ve seen over the years, the possibilities are endless and the most interesting applications will only emerge once that platform is in place.

 

Step 2: Extracting Services from network and security devices by creating service VM’s is a great next step because Services are an area that is terribly underserved by networking.  This enables network and security services to independently scale using industry-standard, x86 hardware based on the needs of the solution. 

 

Creating a platform that enables services to be built using modern, x86 VM’s opens up a whole new world of possibility.  For example, the capacity of a security firewall today is completely limited by the amount of general-purpose processing power you put into a single networking device – the forwarding plane is faster by an order of magnitude or more.  So if you can pull the security services out of the device and then run them on a bank of inexpensive x86 servers, you dramatically increase capacity and agility.

 

Step3.jpgAs a first step, you can tether, or connect these services back to a single networking device.  You can put the x86 servers in a rack next to the networking device or they can be implemented as server blades within the same networking device.  Either way, this step opens up the possibilities for a whole new set of network applications.  

 

Step 3:  Creating a Centralized Controller is a big step forward.  The Centralized Controller enables multiple network and security services to connect in series across devices within the network.  This is called “SDN Service Chaining” – using software to virtually insert services into the flow of network traffic.  Service chaining functionality is physically accomplished today using separate network and security devices.  Today’s physical approach to service chaining is quite crude; separate devices are physically connected by Ethernet cables; each device must be individually configured to establish the service chain.  With SDN Service Chaining, networks can be reconfigured on the fly, allowing them to dynamically respond to the needs of the business.  SDN Service Chaining will dramatically reduce the time, cost and risk for customers to design, test and deliver new network and security services.  

 

SDNServiceChain1small.jpg

Here are several examples of SDN Service Chaining.  The first example is a cloud data center connection between the Internet and a web server.  In this example, the Stateful Firewall service protects the application and the Application Delivery Controller provides load balancing of network traffic across multiple instances of the web server.  SDN Service Chaining allows each service within the chain to elastically scale based on need; the SDN Service Chain dynamically adjust the links within the chain as instances of the services come and go.

 

SDNServiceChain2.jpgThe second example is between two components of a cloud application; in this case between the web server and the middle-tier application VM’s.  The traffic between these application components must be isolated from other traffic within the cloud data center and the load needs to be balanced across application instances with an Application Delivery Controller service.   With SDN Service Chaining, all of this is done in software – the chain forms a virtual network where the end-points are the virtual switches within the hypervisors of the servers that run the application VM’s.  The SDN Service Chain dynamically adjusts the links in the chain when the data center orchestration system moves a VM from one physical server to another.  Of course, there is still a physical network underneath the SDN Service Chain but it does not need to be reconfigured when changes are made within the SDN Service Chain.

 

While the first two SDN Service Chain examples apply to the cloud data center, the third example is in a completely different domain – the mobile service provider edge.  In this case, the network traffic is coming from a cell phone tower; it moves through an edge router and then a set of processing steps are performed in series.  The Evolved Packet Core extracts the Internet Protocol (IP) sessions from the network tunnels connected to the cell tower base stations.  Immediately this traffic is analyzed and protected by a Stateful Firewall.  Deep Packet Inspection is used to determine traffic patterns and generate analytics information.  The Policy Charging & Enforcement Function applies subscriber SDNServiceChain3.jpgpolices such as enhancing the quality of service for premium subscribers.  Finally as the traffic heads out to the Internet, Carrier Grade Network Address Translation (NAT) provides the traffic with an IP address.

 

In the third example, both end-points of the SDN Service Chain are edge routers.   While the specific application in the mobile service provider edge is very different from the data center, the SDN Service Chaining architecture is exactly the same.

 

SDN Service Chaining dramatically increases the flexibility of service deployment.  Most significantly, it allows network and security devices to be managed and upgraded independently from the services within the SDN Service Chain.  SDN Service Chaining enables services to be treated like applications on your Smartphone – the network can still operate when new services are installed.  This is a huge advance over the current situation where these upgrades are highly disruptive, thus requiring immense care and planning. 

 

SDN Service Chaining is a new innovation and thus extensions to existing protocols and new protocols will need to be defined.  As these emerge, it is important that they are established as industry standards to enable multi-vendor interoperability.

 

Step4.jpgStep 4: The final step of optimizing network and security hardware can proceed in parallel with the other three.  As services are disaggregated from devices and SDN Service Chains are established, network and security hardware can be used to optimize performance based on the needs of the solution.  Network and security hardware will continue to deliver 10x or better Forwarding performance then can be accomplished in software alone. The combination of optimized hardware together with SDN Service Chaining allows customers to build the best possible networks. 

 

The separation of the four planes helps to identify functionality that is a candidate for optimization within the Forwarding hardware.  This unlocks significant potential for innovation within the ASIC’s and system design of networking and security devices.  While an x86 is general purpose, the ASIC’s within networking devices are optimized to forward network traffic at extreme speeds.  This hardware will evolve to become more capable –every time you move something from software into an ASIC, you can achieve a 10x performance improvement or more.  This requires close coordination between ASIC design, hardware systems, and the software itself.  As SDN becomes pervasive, the ability to optimize the hardware will create lots of opportunity for networking and security system vendors.

 

Summary                                                                                                                                                                       

SDN is major shift in the networking and security industries.   Its impact will extend far beyond the data center and is thus actually much broader then many predict today.  SDN will create new winners and losers.  We will see new companies successfully emerge and we’ll watch as some incumbents unsuccessfully struggle to transition.  But like any major industry trend, the customer benefit is real and we’ve now reached a tipping point where the technology shift is inevitable. 

Comments
by on ‎01-27-2013 08:41 PM

Great Article!

 

From my personal perspective, it would be great if we:

1. are able to 'customize & solutionise' this concepts to our clients

2. have a ballpark figure/budget on this

3. able to provide training engineers to administer and setup the solution

4. address post-sales support topcs/concerns (troubleshooting, backup and upgrading...)

 

Is there a demo lab on this currently?

 

Cheers,

michael

by N Shravan on ‎01-29-2013 07:12 AM

Hello,

 

SDN seems to have a lot of potential for everyone.

 

I have a few questions though:

 

Principle 5 of SDN is interesting. What sort of new protocols do we see coming into the networks as a result of SDN?

Do we plan to have any head start in that area?

 

As and when SDN is deployed by enterprises, and they actually begin to enforce their business rules dynamically over their network in using software, who/what would ensure the following:

The business rules do not overwhelm the physical (speed) limitations of the network.

The business rules do not compromise any network or data security

The business rules make the best use of the network resources

 

In short how do we make sure that the SDN ready/SDN capable network is 'fool-proof'? Is that possible?

 

Thanks and Regards,

 

N Shravan

by Jag Brar(anon) on ‎02-08-2013 04:08 PM

Bob,

 

Excellent article.  Thanks.

 

I think one of promises of SDNs is the ability to think of the network end-to-end and to apply policies across the network - as opposed to thinking about one device at a time.  This would require new abstractions for interfacing with network - as opposed to simply configuring interfaces, peer, prefix lists and route-maps (something I have been doing for a very long time).  And "this" aspect of SDNs is not applicable to Cloud Datacenters alone - it applies to any network, I think.

 

Jag

by Ed Roberto(anon) on ‎03-01-2013 01:04 PM

Bob,

 

Thank you for authoring a thoughtful treatment on the state of SDN. Several facets read directly from the business plan of Lagrange Systems and our focus on Layer 7 and traffic management associated with high availability applications. In your future analysis, I'd be curious to get your view on the integration between SDN and ADN.

 

Best Regards,

Ed 

by Charuhas(anon) on ‎04-18-2013 07:03 PM

Hi Bob,

 

Thanks for a great article!

 

SDN has among other things, great potential for solving the management headaches that the tradiional management systems (whether based on SNMP/CLI or even XML) have failed (partially). Since SDN is centralized, an 'end-to-end' (this is that dreaded and over used word again!) view as well as orchestration will be extremely poerful and useful.

Post a Comment
Be sure to enter a unique name. You can't reuse a name that's already in use.
Be sure to enter a unique email address. You can't reuse an email address that's already in use.
Type the characters you see in the picture above.Type the words you hear.
About The New Network

Exploring the vision for the networking industry and the issues shaping its future.

Subscribe to The New Network    RSS Icon

Our Bloggers

Rami Rahim
EVP/GM
Juniper Development & Innovation

Profile | Subscribe

Brad Brooks
Chief Marketing Officer

Profile | Subscribe

Bask Iyer
Senior Vice President and CIO

Profile | Subscribe

Judy Beningson
Vice President, Strategic Planning

Profile | Subscribe

Mike Marcellin
Senior Vice President
Marketing

Profile | Subscribe

Jonathan Davidson
Senior Vice President
Engineering

Profile | Subscribe

Ankur Singla
Vice President of Engineering

Profile | Subscribe

Bob Dix
Vice President
Government Affairs &
Critical Infrastructure Protection

Profile | Subscribe

Copyright© 1999-2013 Juniper Networks, Inc. All rights reserved.