Peter Sanders, VP Field Applications Engineering at Napatech, looks at the importance of zero packet loss to a successful IDS deployment - measured by its effects on intrusion alert generation and file extraction.
The ideas around Software-Defined Networking (SDN) and Network Functions Virtualization (NFV), each, have been around in the industry for many years and have garnered significant interest in the marketplace as methods to break the vertical market stranglehold that vendors have had on networking hardware and software products and associated technologies. These disruptive influences that SDN and NFV promise still share additional hurdles and shortcomings to overcome, real or perceived, to reach their full potential.
This article is a first of a two-part series, where I will be outlining the history of the NFV concept, and the challenges in realizing the vision, specifically in the context of 5G networks.
In the past, data centers, mobile operators and enterprises have built their network infrastructure mainly based on custom-designed, physical hardware and software. Example applications include network gateways, switches, routers, network load balancers, varied mobile applications in the mobile core and radio access network such as vEPC (virtual evolved packet core), vCPE (virtual customer premise equipment), vRAN (virtual Radio Access Network) and security applications like firewalls, NGFW, IDS/IPS, SSL/IPsec offload appliances, DLP and antivirus applications, to name just a few.
To summarize the idea behind NFV: the vision is that rather than procuring and deploying custom networking devices for these varied applications, operators would prefer to support these functions as software applications, called virtualized network functions (VNFs), running on virtual machines or in containers on standard servers rather than buying proprietary appliances to run each networking application. Moving away from discrete, customized architectures to a more consolidated “x86-only architecture” promises to reduce costs, simplify deployment and management of net¬working infrastructure, widen supplier choice and, ultimately, enable horizontal scale-out in the networking and security market.
NFV gives operators a vision to provide solutions with all the characteristics of dedicated appliances on standard compute platforms. Thus far, though, a stunning vision is all that it is. It is the shining star out there. It is a beautiful idea, but the idea has yet to be proven in deployment, seemingly too far away to realize experience in its true beauty. As carrier and enterprise networks are transforming and moving from closed, vertical, proprietary systems to standard computing platforms—which includes a standard server, motherboard CPU, memory and NICs—real NFV deployments thus far have been limited.
It is simply an unattainable goal in many instances today to assume that applications in software on standard platforms are going to be able to meet the throughout and latency demands that applications require without throwing significant CPU resources at the problem. Operators are realizing that the cost savings that NFV promises are offset by the need to deploy entire racks of compute resources at a problem that a single appliance could previously support. The CPU and server costs, rack space and power required to meet the same performance footprint of a dedicated solution ends up being as expensive as or more than custom-designed alternatives. The vision of dramatically lower TCO and operational simplicity are still a dream on the horizon.
While the benefits of general-purpose processing architectures, open software and standard compute platforms cannot credibly be argued, network architects must consider how various applications will scale on servers with applications simply running only in software. Certain applications and control plane workloads are completely appropriate and well-suited for x86-based architectures. On the other hand, other types of workloads including but not limited to networking, security, encryption, genomics, artificial intelligence (AI), parallel search, financial analytics, regular expression handling (regex) and video processing have been universally identified as inefficient users of general-purpose compute resources. These applications are poorly suited to the x86 instruction set, especially in conjunction with extremely high throughputs and high numbers of flows.
Traditionally, these compute-intensive applications were exclusively supported on custom platforms when performance is a critical requirement. When supported on general-purpose multicore CPUs and COTS servers, these complex applications require acceleration and offload of the general-purpose processing elements to workload-specific processing elements on specialized FPGA-based hardware. To meet the demands of applications that require sophisticated processing, a unique architecture that combines standard, high-volume servers with FPGA-based SmartNICs easily supports the aforementioned applications at high throughput while retaining all of the benefits of the COTS model.
5G Driving the Need to Reimagine Your Network
While SDN is common today in cloud and data center networks, mobile operators are taking advantage of the lessons learned by early-adopter hyperscale data networks and are building their new infrastructures on the same techniques and principles around SDN and virtualization. These technologies are proving broadly applicable to the visions that many mobile operators have for their new networks but also must meet the performance requirements that their customers expect.
To provide a simple example, NFV is built on the use of a virtual switch, usually OpenvSwitch (OVS), to demultiplex data into, out of and between VNFs. While virtual switching is paramount to NFV, the act of moving data into and out of the server alone can use 50 percent of the necessary CPU resources that are available. Encapsulated traffic in VXLAN, GENEVE and NVGRE encapsulations for millions of flows, which is critical for VNF overlay networks functionality and performance, can drive down the performance of the vSwitch even lower. As mentioned, virtual switching alone can be shown to take 50 percent or more of available CPU resources before any application processing is completed.
In addition, host-based virtual switching presents a new attack surface for snooping and/or modifying traffic due to lack of traffic isolation inherent in a traditional packet I/O between the host virtual switch and the VM. More fundamentally, from a business perspective and compounding these performance challenges, operators don’t really care about OVS per se. It is a necessary system architecture component, but OVS doesn’t make operators revenue and drive the bottom line. It’s the applications that customers care about, not how traffic gets into and out of and VNFs. For central offices to no longer have massive, vertically integrated big iron equipment for B-RAS, GGSN, SGSN and other mobile applications, mobile network operators will have to reimagine their networks.
There are numerous drivers for these new networks, as previously described, to take advantage of the cost and scale benefits that NFV promises. 5G networks, though, will only exacerbate the performance and scaling problems that operators face with generic NFV infrastructure (NFVi). The move to 5G brings new requirements to mobile networks, creating its own version of hyperscale networking that is needed to meet the performance goals for the technology but at the right economy scale. Numerous factors are fundamentally unique to 5G networks when compared to previous 3G/4G instantiations of mobile protocols. The shorter the distance, the higher the frequency – thus, the more bandwidth that can be driven over the wireless network.
Also fundamental to 5G is a massive increase in the number of users/devices (both human and IoT), which fundamentally affects the number of unique flows in the network and necessitates very low latency requirements. 5G also promises lower energy/cost than previous mobile technologies. These 5G goals, when realized, will drive the application of wireless communications to completely new areas never seen before.
In the next installment, I will be discussing the solutions that can help meet the NFV challenge in the 5G era. So, stay tuned.