
Light Reading’s NFV and the Data Center- Operator Keynotes, Security & Summary-Part 2

This second article on Light Reading’s NFV-Data Center conference summarizes telco keynote speeches from Orange and NTT-America. We then look at security challenges and wrap up with our summary and conclusions. Part 1, on the Heavy Reading NFV survey results and CenturyLink keynote, may be read here.

Orange Keynote: Christos Kolias, Sr. Research Scientist, Orange – Silicon Valley

Christos first described the NFV Concept and Vision from his perspective as a founding member of the ETSI NFV specifications group. It’s a quantum shift from dedicated network equipment to “virtual appliances.”

In the NFV model, various types of dedicated network appliance boxes (e.g. message router, CDN equipment, Session Border Controller, WAN acceleration, Deep Packet Inspection (DPI), Firewall, Carrier grade IP Network Address Translation (NAT), Radio/Fixed Access Network Nodes, QoS monitor/tester, etc.) become “virtual appliances,” which are software entities that run on a high performance compute server.

In other words, higher layer network functions become software-based, virtual appliances, with multiple roles over the same commodity hardware and with remote operation possible. “It’s a very dynamic environment, where (software based) network functions can move around a lot. It’s extremely easy to scale,” according to Christos.

[One assumes that each such virtual appliance would have an open or proprietary API for orchestration, automation, and management of the particular function(s) performed.]

A few examples were cited for a network virtualized telco DC:

  • Security functions: Firewalls, virus scanners, intrusion detection systems, spam protection
  • Tunnelling gateway elements: IP-SEC/SSL VPN gateways
  • Application-level optimization: Content Delivery Networks (CDNs), Cache Servers, Load Balancers, Application Accelerators, Application Delivery Controllers (ADCs)
  • Traffic analysis/forensics: DPI, QoE measurement
  • Traffic Monitoring: Service Assurance, SLA monitoring, Test and Diagnostics

Note: This author despises TLAs (three letter acronyms). In many cases, the TLA used in a presentation/talk is much more recognizable in another industry, e.g. ADC = Analog to Digital Converter, rather than Application Delivery Controller. Hence, I’ve tried to spell out most acronyms in this and the preceding article on the NFV conference. It takes a lot of effort as I’m not familiar with most of the TLAs used so glibly by speakers.

The NFV Framework is shown in the illustration below. Kolias said that the migration from network hardware to software based virtual appliances won’t be easy. Decoupling VNFs from the underlying hardware presents management challenges: mapping services to VNFs, instantiating VNFs, allocating and scaling resources for VNFs, monitoring VNFs, and supporting both physical and software resources.

An example of what the NFV Framework looks like from the Orange perspective.
Image Courtesy of Orange

NFV components in a virtualized telco DC might include: server virtualization, management and orchestration of functions & services, service composition, automation, and scaling (up and/or down according to network load). There are lots of servers, storage elements, and L2/L3 switches in such a DC. There’s also: security hardware (firewalls, IDS/IPS), load balancers, IP NAT, ADC, monitoring, etc.

NFV in the Data Center will be more energy efficient, according to Kolias. “It’s the greenest choice for an operator,” Christos said. With many fewer hardware boxes, NFV can bring the most energy efficiency to a data center (less energy consumed and lower cooling requirements). That’s a top consideration for those massively power-hungry DC facilities. “You have to dispose of telecom hardware, but when we move things into software, it becomes more eco-friendly,” Kolias said. “So yes, there is absolutely a fit for NFV in the Data Center,” he concluded.

Christos thinks it’s probably easier and faster to implement NFV in a telco DC, because there’s less compliance/ regulation and it’s a less complex environment – both technically and operationally.

Service chaining was referred to as “service composition and insertion,” with policies determining the chain order. Customized service chains are possible with NFV, Kolias added. Ad-hoc, on-demand, secure virtual tenant networks are also possible, for example as tunnels/overlays built with the VxLAN protocol (spec from Arista, VMWare and Juniper).

Kolias also cited other benefits of “cloudification” — a term he admittedly hates. “For example, consolidating multiple physical network infrastructures in a cloud-based EPC (LTE Evolved Packet Core) can lead to less complexity in the network and produce better scalability and flexibility for service providers in support of new business models,” he noted.

Several other important points Christos made about NFV in the telco DC:

  1. Virtual switches can be key functional blocks for management of multiple virtual switches and for programmable service chains.
  2. The Control plane could become part of management and orchestration in a unified, policy-based management platform, e.g. OpenStack.
    [That’s radically different from the pure SDN model (Open Networking Foundation), where the Control plane resides in a separate entity, which communicates with the Management/Orchestration platform (e.g. OpenStack) via a “Northbound” API.]
  3. Hardware acceleration can play a role in Network Interface Cards (NICs) and specialized servers. However, they should be programmable.
  4. Challenges include: Performance (e.g. increased VM-to-VM traffic requirements), Security, Hybrid environments, and Scaling.

APIs will be important for plug-n-play, especially for open platforms like Google, Facebook, Microsoft, e.g. WebRTC. They can enable a plethora of innovative (e.g. ad-hoc/customized) services and lead to new business models for the telcos. That would translate into monetization opportunities (e.g. for new residential and business/enterprise customers, virtual network operators (VNOs), and others) for service providers.

Christos predicts that many service providers will move from function/service based networks to app-based models. They will deploy resources, including Virtual Network Functions (VNFs) on-demand, as an application when the user needs them. Here are a few examples he cited:

  • Different mobile apps may require different connectivity modes (3G, 4G, WiFi, multiple WiFi networks, hot spots, etc.)
  • Customer-tailored, brokerage-based services (e.g. VoIP calls)
  • Managed services (the evolution of VPNs) – VNF as a Service, NFV Infrastructure as a Service, etc.
  • Integrate (network and business) intelligence: BYO VNF!

Christos predicted that smart mobile devices and the Internet of Things (IoT) will precipitate the adoption of APIs for telco apps.

Two use cases were then presented for NFV: Google’s Andromeda and the Telco Data Center (collapsing PoPs/COs into the DC). “Cloudification” of the Telco was then depicted based on the model of NFV IaaS providing end to end telco services (that seems years away to this author).

Kolias: “NFV can propel the move to the telco cloud. When this happens we will have succeeded as an NFV community! NFV removes the boundaries and constraints in your infrastructure. It breaks the barriers and opens up unlimited opportunities.”

In his work at Orange -Silicon Valley (which is actually located in San Francisco), Kolias has helped put together a number of Proof-of-Concepts (PoCs) with Orange’s vendors to showcase what NFV can accomplish in the telco DC. The next step is to ensure the vendors can match the performance that hardware delivers and do it at increased scale (like Google’s Andromeda platform). Orange Silicon Valley is already working on various types of virtualized platforms at its test bed in San Francisco, but Christos said they are far from commercial deployments.

“To me, performance is still a big question mark,” Kolias said during a panel session later in the afternoon. “What do we need to do to realize hardware like performance in a software defined data center (SDDC)? Google with its Andromeda platform says latency is not an issue. We know we can get there, but what will it take? 2020 is a bit aggressive to expect everything in the network to be virtualized,” Christos admitted.

NTT Com Keynote: Chris Eldredge, Executive VP of Data Center Services

Mr. Eldredge is employed by NTT America, the division of NTT Com that covers North America.

Background: NTT Com is one of the largest global network providers in the world, in third [1] place behind Verizon and AT&T. They provide global cloud services, managed services, and connectivity to the world’s biggest enterprises. NTT Com has a physical presence in 79 countries, $112B in revenues, and 242K employees. Its network covers 196 countries and regions. The company spent $2.5B in R&D last year, with a North American R&D center in Palo Alto, CA. Finally, they claim to be the #1 global data center and IP backbone network provider in the world. [Chris said Equinix has more total square footage in their data centers than NTT, but they don’t have the IP backbone network.]

Note 1. In the previous year, NTT was number one, but moved to third place this year due to the lower yen/US $ exchange rate, Eldredge said.

Without naming names, Eldredge said NTT America recently gained a pharmaceutical customer with 177 physical locations connected by NTT Com’s global network. Another very large enterprise customer has 128 interconnected locations.

NTT Com was the first telco to offer an enterprise cloud which supports SDN. It’s now deployed in 14 global locations.

NTT Com’s enterprise customers mostly use cloud for development and test applications. “It’s bursty in nature. They turn it up and turn it down,” Eldredge said. It’s also used for OTT broadcasts of sporting events and concerts. On January 1, 2014, NTT spun up 200,000 virtual machines (VMs) to meet demand for Europeans watching soccer matches on their mobile devices. After the soccer match was over, those VMs were de-activated.

Chris Eldredge (via email): “NTT Communications Universal One networking service incorporates Virtela’s SDN architecture, which is an open platform that provides great flexibility to incorporate any vendor’s equipment. We leverage the vendor’s user interface or API capabilities to facilitate communications with legacy networking equipment. The SDN platform features an abstraction layer to normalize the functions across different vendor equipment.”

Earlier this year, NTT Com announced their version of NFV capabilities in both their DCs and global network [2], along with SDN based provisioning.

Note 2. On May 29, 2014, NTT Com announced the industry’s first set of cloud based network services that enterprise customers can activate themselves and pay for on a per-use basis. The services were developed by Virtela Technology Services Inc., which NTT acquired in January 2014. According to the press release: “innovative NFV-enabled services are delivered from Virtela’s global SDN platform.” They include: firewall, application acceleration, IP-SEC based VPN gateways and cloud-based SSL VPNs.

“SDN/NFV is a more scalable network technology that NTT Com is now using to provide cloud and managed services to a broad range of clients,” Eldredge said. “It allows us to specialize and provide custom solutions for our customers,” he added.

The NFV (higher layer) services NTT Com is now offering include: virtual firewall, network hosted application accelerator, Secure Sockets Layer (SSL) VPN, IP-SEC gateway, automated customer portal (for full control of services, self deployment, self management, and full visibility), and on-premises hardware based managed services which provide a fully integrated managed solution for NTT Com customers.

The above NFV enabled services can be easily applied, monitored and rapidly changed. NTT Com can customize application performance and service levels for specific users and profiles. In conclusion, Chris said that “NFV has become the next phase of the virtualized DC, extending the enterprise DC into the cloud.” [Such an extension, by definition, would be a hybrid cloud.]

In answer to this author’s question on when and if NTT Com would use NFV to deliver pure network connectivity (L1-L3) services, Chris confessed that it wasn’t on their road map at this time.

Security for NFV and Virtualized Networks:

The importance of security permeated the conference. A recent study of Palo Alto Networks’ customers found that 95% of attacks logged against customers came from only 10 apps; nine of which are commonly used and can’t just be blocked.

“That’s why telcos have to be able to inspect traffic at a deeper level,” said Adam Geller, vice president of product management at Palo Alto Networks. “Security can’t be based on physical appliances, and it can’t be generic,” he added. Moving to a more cloud-like data center that is scalable and flexible complicates the decision of where security should be inserted in the network. Decisions made on physical ports and destinations ignore fluid apps and activity outside the core of the network.

Deb Banerjee, chief architect of data center security at Symantec, said that segmentation is needed for security so that it’s not tied to a set of physical hardware or racks. Segmentation leads to threat isolation. It lets telcos use policies to choose which sets of traffic to scan through a firewall. Also needed are virtual security appliances, deployed in the fabric of the data center on every host. “Risk is more dynamic; not as static as it used to be,” Banerjee said. He believes that combining compute virtualization, SDN and NFV can enable security on demand. [Many others don’t agree or are unsure if that vision is realizable anytime soon.]

Panelists seem to agree that NFV security needs to be virtual, segmented and on-demand. Palo Alto Networks’ Geller said that a good security solution has to fit into various technology architectures today and in the future. “Any good security solution that’s going to be effective has to be orchestrated and tie into existing solutions,” he said. A centralized policy management platform is required to do anything at scale, and it must also use context awareness and sharing, which isn’t happening much today. “Two-way communication is still at early stages for a lot of organizations. When they see that, they see there is significant opportunity to add security dynamically.”
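The two security ideas above, segmentation that follows workloads rather than physical ports (Geller, Banerjee) and policies that decide the order of the service chain (Kolias), can be illustrated with a small label-based policy engine. The following is an added example written for this article, not code from any speaker, vendor or the ETSI NFV group; the tenants, tiers, hosts and the appliance names `vFW` and `vIDS` are constructed placeholders. The policy never reads the `host` field, so a decision survives a VM migration, and the audit helper checks that no rule lets cross-tenant traffic through without passing a virtual appliance.

```python
"""Label-based segmentation and policy-driven service chaining (constructed example)."""
from dataclasses import dataclass, replace
from itertools import product
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Workload:
    """A VM or container. `host` is where it currently runs; policy never reads it."""
    name: str
    tenant: str
    tier: str
    host: str


@dataclass(frozen=True)
class Rule:
    name: str
    src_tier: Optional[str]      # None matches any tier
    dst_tier: Optional[str]
    scope: str                   # "intra" (same tenant), "inter" (different tenants), "any"
    action: str                  # "allow" | "deny" | "inspect"
    chain: Tuple[str, ...] = ()  # ordered virtual appliances traversed when action == "inspect"


def _tier_match(pattern: Optional[str], value: str) -> bool:
    return pattern is None or pattern == value


def _scope_match(scope: str, src: Workload, dst: Workload) -> bool:
    if scope == "intra":
        return src.tenant == dst.tenant
    if scope == "inter":
        return src.tenant != dst.tenant
    return scope == "any"


def evaluate(src: Workload, dst: Workload, rules: List[Rule]) -> Tuple[str, List[str], str]:
    """First-match evaluation on labels only; anything unmatched is denied.

    Returns (action, ordered service chain, name of the rule that decided).
    """
    for r in rules:
        if (_tier_match(r.src_tier, src.tier) and _tier_match(r.dst_tier, dst.tier)
                and _scope_match(r.scope, src, dst)):
            return r.action, list(r.chain), r.name
    return "deny", [], "default-deny"


def uninspected_cross_tenant(rules: List[Rule], tiers: Tuple[str, ...]) -> List[Tuple[str, str, str]]:
    """Audit: list every (src_tier, dst_tier, rule) where traffic between two
    different tenants is plainly allowed, i.e. reaches no virtual appliance."""
    findings = []
    for s, d in product(tiers, tiers):
        src = Workload("probe-src", "tenant-1", s, "any-host")   # constructed probe workloads
        dst = Workload("probe-dst", "tenant-2", d, "any-host")
        action, _chain, rule = evaluate(src, dst, rules)
        if action == "allow":
            findings.append((s, d, rule))
    return findings


TIERS = ("web", "app", "db", "api")

# Constructed policy: intra-tenant web->app is trusted, app->db goes through the
# virtual firewall, and the only cross-tenant path is app->api via vFW then vIDS.
POLICY = [
    Rule("web-to-app", "web", "app", "intra", "allow"),
    Rule("app-to-db", "app", "db", "intra", "inspect", ("vFW",)),
    Rule("cross-tenant-api", "app", "api", "inter", "inspect", ("vFW", "vIDS")),
]

# A careless addition that would punch a hole the audit should catch.
BAD_POLICY = POLICY + [Rule("any-to-web", None, "web", "any", "allow")]


if __name__ == "__main__":
    a_web = Workload("a-web-1", "tenantA", "web", "host-3")
    a_app = Workload("a-app-1", "tenantA", "app", "host-7")
    b_api = Workload("b-api-1", "tenantB", "api", "host-9")
    print(evaluate(a_web, a_app, POLICY))
    print(evaluate(a_app, b_api, POLICY))
    # Migrating a_app to another host changes nothing: the decision is label based.
    print(evaluate(a_web, replace(a_app, host="host-12"), POLICY))
    print("holes in POLICY:", uninspected_cross_tenant(POLICY, TIERS))
    print("holes in BAD_POLICY:", uninspected_cross_tenant(BAD_POLICY, TIERS))
```

The audit is the part a practitioner would keep: it enumerates label combinations rather than live hosts, so it can run against a proposed policy before any VM exists, and it fails on the `any-to-web` rule because that rule matches regardless of tenant.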

Opinion: This author believes security is a greatly underestimated problem for NFV. When the functionality of closed/dedicated network equipment is moved to virtual appliance software running on a compute server, the attack surface/vulnerability becomes much greater, especially when a lot of open source code is used. Of course, security has to be segmented and operational for each virtual appliance, but how will that be done effectively?

Summary and Conclusions:

Operators are planning for NFV and some – like NTT Com – already have implemented several NFV enabled services. Examples of NFV capabilities were clearly stated by Kolias of Orange Silicon Valley and Eldredge of NTT America (speaking on behalf of parent company NTT Com). It starts with higher layer (L5-L7) network functions/capabilities, cloud and managed services.

However, it will take considerable time before the entire network is completely virtualized.  “NFV everywhere by 2020” is too aggressive for some of the network operators. Moreover, don’t expect mainstream connectivity functions (including Carrier Ethernet services, private lines, circuit switching, etc) to be virtualized anytime soon.

Early NFV adopters will be challenged as they work through internal issues like breaking down their organizational silos and adapting their business models to a quicker, more agile manner of provisioning and controlling network resources and services.

What happens to the network IT guy when the majority of network equipment disappears and is transformed into virtual appliances? Who maintains a compute server that’s also implementing many higher layer networking functions? What trouble shooting tools will be available for NFV entities?

Automation and self service are crucial for the network operator to deploy services quicker and hence realize more revenues. CenturyLink’s Feger (see part 1. of this article series) underscored those needs when he said, “If you’re on a nine-month release strategy, your network isn’t really programmable.”

“Agility is an asset. You can only tame complexity,” noted Heavy Reading analyst and event host Jim Hodges, who quoted Brocade’s Kelly Herrell from an earlier presentation.  “As an industry, we realize complexity is an inherent part of what we’re doing, but it’s something we have to address.”

Addendum – Missing Pieces for “Open” NFV Implementations:

Not discussed at this conference were important NFV issues that this author has been raising for almost three years now: vendor inter-operability (via standardized interfaces and protocols) and open APIs (for management and orchestration of NFV entities). The ETSI NFV specifications group is NOT specifying any of those. Their deliverables are limited to high level functional requirements, white papers, and reference architectures.

Network operators have not addressed some very important questions, perhaps because they want to keep everything related to their NFV plans/implementations close to the vest and proprietary. Here’s my list of questions for “open” NFV platforms:

  1. How do those NFV software entities (“virtual appliances”) communicate (via APIs or other means) with local management, orchestration, and automation entities above or to the side?
  2. How do NFV entities communicate with legacy network equipment that’s deployed in revenue producing networks?
  3. How do the NFV entities communicate with peer NFV entities- resident in the same telco DC or in a different telco DC?
  4. Is there any protocol/ hand shaking/ coordination needed between NFV entities (running on compute servers) and physical network hardware – like switch/routers or add/drop multiplexers?
  5. What type of operations/network monitoring and management will be used to maintain and track NFV entities? Will that be proprietary or in an open standard?

Don’t hold your breath for an answer to any of the above questions.

Till next time……………………


By Alan Weissberger

Alan Weissberger is a renowned researcher in the telecommunications field. Having consulted for telcos, equipment manufacturers, semiconductor companies, large end users, venture capitalists and market research firms, we are fortunate to have his critical eye examining new technologies.

2 replies on “Light Reading’s NFV and the Data Center- Operator Keynotes, Security & Summary-Part 2”

Finally, I’m learning why standardized/open SDN and NFV can’t happen any time soon. An orchestration/management software entity is required with an API to either the SDN Control Plane entity (“Northbound API”) or to the NFV “virtual appliances.” Chris Kemp, founder of Nebula & Open Stack Foundation told me today that Open Stack is the best solution for that. But it’s years away and not yet specified by any networking standards body (e.g. ETSI, ITU, ANSI, ATIS, etc). Stay tuned for a forthcoming article on this topic, with the help of Mr. Kemp!

Thanks Alan for this two-part, comprehensive post. It definitely seems like there are opportunities for telcos to rethink the data center. It will be interesting to see how smaller telcos will be able to apply virtualization, given they don’t have the R&D capabilities of an NTT and aren’t big enough to create a proprietary approach. I wonder if some of their consortiums will step in to help them.
