Services Ubiquity, Extensibility and Security for Cloud Era
Jul 9, 2018
As rapidly growing cloud applications transcend multiple networks to reach end users - from DCs to backbones to metros, even the public Internet - cloud-like service agility and service ubiquity have become key business imperatives for all networks. Sensing new opportunities in the cloud era, many operators are complementing their own network buildouts with partnerships and M&As to expand their services portfolios, and are offering a seamless services experience over these disparate networks; for instance, the business VPN and metro services of yesteryear are transforming into cloud connect services. To drive profitability through all these changes, network simplification has become critical. IP fabrics are rising to meet these challenges. IP fabrics enable rapid service rollout, an extended service footprint beyond traditional network boundaries, easy network scaling and, most critically, in-transit data privacy, all while simplifying network architectures.
Network Services Evolution - A Journey:
MPLS services enjoyed widespread adoption since they brought two major advantages:
1. MPLS provided a common transport underlay for all applications – voice, video, Internet, Enterprise VPNs and mobility – making applications independent of varied transport technologies like TDM, SONET, and ATM.
2. The MPLS label switching paradigm improved network performance and efficiency, while offering mature OAM and failure protection.
MPLS was the first step towards network simplification and service harmonization. It allowed carriers to build a common MPLS infrastructure to support all applications, making their networks multi-service, more efficient, and more profitable.
Now, even simpler IP fabrics have emerged to complement MPLS to drive further network simplification and service ubiquity required for the cloud era. IP fabrics allow simple IP routed network underlays along with MP-BGP signaled IP tunnels to carry application traffic such as L2VPNs, IPVPNs and plain IP. Additionally, with current forwarding ASICs, IP routing with Longest Prefix Match (LPM) is very efficient. A small forwarding performance difference between MPLS switching and IP forwarding does not affect overall network performance in a meaningful way.
IP Fabrics are Poised for Breakout Growth In Different Network Domains
IP routed underlays with application specific IP fabrics are not exactly new. Enterprises have deployed GRE, IPinIP, MPLS over GRE and various IPsec VPN services for many years to provide remote user and branch office connectivity over the Internet. Similarly, carriers have also deployed GRE, L2TPv3, L2TPv2 for various wireline services and GTP for mobile services for a long time. However, these technologies cater only to specific applications and, often, have their own control plane protocols or custom configuration mechanisms, thereby limiting adoption to specific applications.
Now, a few powerful IP fabric technologies – VxLAN, MPLS over UDP (MPLSoUDP), and IP over UDP (IPoUDP) – have emerged to support all widely deployed MP-BGP signaled services, such as L2VPNs (E-LINE, E-LAN, E-TREE), L3VPNs and plain IP. These new IP fabrics are also entropy friendly, support easy scale-out options, transcend network boundaries easily, and support encryption. Due to wide services applicability and inherent technical advantages, IP fabrics are growing in diverse deployments.
Some of the benefits of IP fabrics and IP underlays are:
Network simplification with service ubiquity
ONE LESS PROTOCOL
Similar to LDP networks, IP fabrics follow the shortest path towards the destination. Applications get exactly the same transport functionality without running LDP. Running one less protocol can help companies move towards operational simplification and savings.
INHERENTLY SIMPLE SCALE-OUT
As network traffic increases, operators are looking to add capacity without any service impact. Since modern IP fabrics are designed to be inherently entropy friendly, they allow operators to add capacity by scaling out the network horizontally – without having to worry about entropy labels, FAT PW labels or control words.
BUILT-IN HIGH AVAILABILITY
Entropy-friendly scale-out architectures have built-in high availability. With multi-pathing, if a node or a link goes down, traffic takes alternate paths within milliseconds of the failure. Even without multi-pathing, service restoration happens on the order of milliseconds with LFA techniques.
EASY TO TRANSCEND TRADITIONAL NETWORK BOUNDARIES
As cloud applications transcend traditional network boundaries, IP Fabrics bring significant network simplification due to elimination of various MPLS stitching technologies.
Extending Network Services beyond Routers and Switches
In today’s MPLS VPN networks, the MPLS service label identifies a customer in a multi-tenant network. Apart from identifying a tenant, this label carries no MPLS semantics (using an MPLS label to identify a tenant simplified lookups in earlier generations of forwarding ASICs, so it was the right call then). This service label can easily be replaced with a new service identifier (e.g. the VNID in VxLAN), and all of the MP-BGP based service signaling machinery remains usable. Given their operational experience with BGP services, operators can deploy services with a new identifier quickly, without having to learn new application-specific control or configuration protocols, which helps rapid service adoption and seamless integration with existing services.
The option to replace the MPLS label with some other construct – e.g. a VNID – as the service identifier is a very powerful property of IP fabrics that expands their versatility beyond routers and switches into server-based applications. When L2 applications on servers and VMs needed to interconnect with other L2 endpoints over an IP routed DC underlay, it was quite easy to invent the VXLAN VNID as a new service identifier and encapsulation. NFV applications simply encapsulate the VNID, as the tenant identifier, together with the tenant L2 frame in a UDP packet with a simple socket call, eliminating the need for server applications and DC infrastructure to understand MPLS.
Interestingly, while using a new and different service identifier or encapsulation is a great way to integrate NFV applications, some router and switch ASICs may not be able to support a new encapsulation without a hardware change. Fortunately, service edge routers with programmable ASICs, like the Juniper MX, can support new service identifiers and encapsulations with a simple software update. To benefit from easy software upgradability to new service identifiers, only the service edge devices need programmable ASICs; the rest of the network performs simple IP routing.
Services Security and In Transit Data Privacy
MULTI-TERABIT SCALE ENCRYPTION
As enterprises prepare for more robust data protection and privacy regulations like GDPR, IP fabrics can allow operators to offer end-to-end service level encryption, reducing the prospect of sensitive corporate data falling into the wrong hands while in transit. To offer better data privacy for services, many providers have started to implement MACsec in their networks. However, since MACsec provides hop-by-hop encryption, operators must enable MACsec on every port in the network to achieve complete data privacy. On the other hand, IP fabrics allow end-to-end traffic encryption between service edges, even if traffic transits a third-party network or the public Internet.
Juniper’s 5th generation Penta ASICs on MX Routers will offer massive – multi-terabyte per second - inline IPsec traffic encryption, enabling end-to-end service level encryption at scale. While encrypting IP tunnels with IPsec is nothing new, this massive encryption performance improvement is a game changer that will make end-to-end in-transit data encryption a reality for business VPNs, cloud connect, DCI and high end enterprise WAN use-cases for the first time.
PROTECTION AGAINST SERVICE SPOOFING
As we see increasing interest in using IP fabrics in different network domains, we have implemented protection against traffic spoofing. Anti-spoofing capabilities are widely utilized in today’s MPLS networks, and Juniper has implemented equivalent anti-spoofing protection for IP fabric technologies to facilitate their adoption without compromising service security.
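As an added illustration (not Juniper's code, and not the anti-spoofing mechanism the post refers to), the following Python shows the encapsulation from the previous section, where the 24-bit VXLAN VNI takes the place of the MPLS service label in a UDP payload, and a decapsulation policy that drops frames from unprovisioned peers or VNIs. The VTEP addresses and the VNI-to-tenant mapping are constructed values.

```python
"""VXLAN encapsulation with the VNI as tenant identifier, plus a
decapsulation policy. Added illustration, not Juniper code."""
import struct

VXLAN_UDP_PORT = 4789        # IANA port for VXLAN (RFC 7348); informational here
VXLAN_FLAG_VNI_VALID = 0x08  # "I" flag: the VNI field carries a valid identifier

# Constructed provisioning data (assumed values, not from the post).
PROVISIONED_VNIS = {5001: "tenant-a", 5002: "tenant-b"}
TRUSTED_VTEPS = {"192.0.2.10", "192.0.2.11"}


def vxlan_encap(vni: int, l2_frame: bytes) -> bytes:
    """Build the UDP payload: 8-byte VXLAN header followed by the tenant L2 frame."""
    if not 0 <= vni < 1 << 24:
        raise ValueError("VNI must fit in 24 bits")
    # RFC 7348 header: flags(1) | reserved(3) | VNI(3) | reserved(1)
    header = struct.pack("!B3xI", VXLAN_FLAG_VNI_VALID, vni << 8)
    return header + l2_frame


def vxlan_decap(payload: bytes):
    """Parse a VXLAN UDP payload into (vni, inner_frame); raise on malformed input."""
    if len(payload) < 8:
        raise ValueError("truncated VXLAN header")
    flags, vni_field = struct.unpack("!B3xI", payload[:8])
    if not flags & VXLAN_FLAG_VNI_VALID:
        raise ValueError("VNI-valid flag not set")
    return vni_field >> 8, payload[8:]


def accept_vxlan(outer_src_ip: str, payload: bytes):
    """Decapsulation policy at a service edge: (tenant, frame) on accept,
    (None, reason) on drop. The VNI is just a number in a UDP packet, so a
    receiver that binds traffic to a tenant by VNI alone is open to spoofing;
    the outer source must also be a provisioned peer and the VNI provisioned locally."""
    if outer_src_ip not in TRUSTED_VTEPS:
        return None, "drop: outer source is not a provisioned VTEP"
    try:
        vni, frame = vxlan_decap(payload)
    except ValueError as exc:
        return None, f"drop: {exc}"
    tenant = PROVISIONED_VNIS.get(vni)
    if tenant is None:
        return None, f"drop: VNI {vni} not provisioned on this VTEP"
    return tenant, frame
```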
Operationalizing IP Fabrics Deployments
TACKLING TRAFFIC ENGINEERING AND COMPLEX TOPOLOGIES
IP fabrics lack traffic engineering and LFA convergence may not be optimal in all topologies. However, in many modern networks built with scale out design and fine-grained visibility in network utilization, strict traffic engineering is not critical. The easiest way to tackle traffic engineering is to build a TE enabled network domain using RSVP-TE or SPRING-TE, wherever TE is critical, and then to interconnect the IP fabric networks over these TE domains. With IP fabrics, this inter-connection is much simpler, since the RSVP-TE/SPRING-TE network simply transports IP traffic between service nodes, without MPLS stitching technologies.
NETWORK VISIBILITY WITH HIGH SCALE GRANULAR TELEMETRY
Today, many operators rely on “connection oriented” operations and use LSP statistics on intermediate routers to determine network utilization. With IP fabrics, it is harder to obtain such “LSP” statistics by querying an intermediate router. To provide complete visibility into network utilization, Juniper has enabled granular, high scale streaming telemetry on its routers and switches, and the Northstar Controller has a built-in telemetry collector to provide fine grained visibility into network utilization. These modern telemetry technologies enable granular, real time visibility into network utilization, thereby enabling IP fabric deployments without compromising service SLAs.
Today, IP fabrics rely mostly on ingress replication for multicast distribution. However, efficient technologies like Bit Index Explicit Replication (BIER) are emerging to allow efficient multicast replication on IP fabric networks.
The Inflection Point
Any technology gains widespread traction only when technical inflections and business conditions create a virtuous cycle. IP fabrics, with their wide application support, cross-network service reach, easy scale out properties, massive encryption gains, and inherent simplicity are ideally suited for new cloud-era network architectures. Juniper led the first network simplification and services harmonization wave with MPLS, and is now leading the second network simplification and service ubiquity wave with IP fabrics.
Statements in this blog post concerning the expected function and benefits of IP fabric technologies and their potential impact on the networking industry; the potential benefits of our products to customers; and our overall future prospects are forward-looking statements that involve a number of uncertainties and risks. Actual results or events could differ materially from those anticipated in those forward-looking statements as a result of several factors, including the factors listed in our most recent report on Form 10-K and subsequent quarterly reports on Form 10-Q filed with the Securities and Exchange Commission. All statements made in this blog are made only as of July 9, 2018. Juniper Networks undertakes no obligation to update the information in this blog post in the event facts or circumstances subsequently change after the date of this blog post.
Statement of Product Direction
In this blog post, we may disclose information related to our development and plans for future products, features or enhancements (“SOPD”). SOPD information is subject to change at any time, without notice. Except as may be set forth in definitive agreements, we are not providing any assurances, or assuming any responsibility, that future products, features or enhancements will be introduced. Except as may be set forth in definitive agreements, customers should not base purchasing decisions upon reliance of timeframes or specifics outlined in an SOPD, because we may delay or never introduce the future products, features or enhancements.