Network Functions Virtualisation — fit for purpose?
The virtualization of essential network functions – such as firewalls, BRAS and even customer premises routers – is catching on. You could say it had to happen, given the ubiquity of virtual technology and Moore’s Law increases in server power.
For many users the first experience of virtualization was a workaround for proprietary operating systems – the remarkable discovery that one could run a Windows PC on a Mac computer. Then came datacentre consolidation, where racks of autonomous servers converged into a single data processing resource out of which one could mould any number of virtual machines flexibly, as and when needed. From there it was a short step to software-defined networking (SDN), where the new techniques allow the network infrastructure to be re-configured as needed via software, without needing to move or manually configure any physical cables or boxes.
But what about those physical boxes on the network? Large networks are populated with a growing number of proprietary hardware appliances – not just switches and routers but also security and deep packet inspection devices, QoE monitors, WAN accelerators and other specialist functions. Each time a service provider adds a new service it may be necessary to install further devices – time consuming in itself but also demanding additional space and power. What’s more, hardware goes out of date, and the whole expensive cycle from procurement to deployment has to be repeated.
Is it possible then to follow the datacentre consolidation approach and replace many of these specialist devices with software functions running in a small number of general purpose servers?
This is the essence of Network Functions Virtualisation (NFV). In the words of the original NFV White Paper it involves: “leveraging standard IT virtualisation technology to consolidate many network equipment types onto industry standard high volume servers, switches and storage, which could be located in Datacentres, Network Nodes and in the end user premises”. The idea is that ultimately any data plane packet processing and control plane function in fixed and mobile network infrastructures could be virtualized in this efficient manner.
It isn’t such a radical notion either, as PC-based network devices have been around for a while, providing cheap networking solutions for small businesses. Recent advances in last-mile Ethernet, improved network interface cards, and Intel’s increasing focus on integrated networking processing – allowing processor cores to be re-programmed into network processors – mean that today’s PC-based network devices are increasingly capable of handling traffic up to hundreds of Gbps.
NFV is already happening. In October 2012 a group of telcos including AT&T, BT, China Mobile, Deutsche Telekom and many others published an NFV Call to Action document, and an ETSI (European Telecommunications Standards Institute) committee was set up to promote the project.
NFV and SDN
SDN began as an academic project: a quest for flexibility in the network that would make it easier to in a research setting – and then industry caught on to the business benefits of a nimble network structure. NFV, however, began with that consortium of service providers sharing a solution to a challenge.
The idea of removing every network box and ending up with one central server installation is attractive, but a little too simple, because some network functions are tied to a physical location. Just as switches need to be at network junction points, a firewall, for example, needs to be at the edge where the internal network connects to the public network. Allowing external traffic to travel through the internal network to a central server could be risky. SDN facilitates simple stateless firewall rules within a network switch, but full stateful functionality is still required. A pure NFV play may deploy virtual machine-based firewalls to servers at every entry point within the network; something that could be prohibitively expensive if using hardware appliances.
The ideal solution could involve a combination of SDN and NFV, because a virtualized network is far less restricted by location. In the above example, once the firewall function has been allocated to a specific virtual machine, a software-defined network could place it at the network edge regardless of its actual physical location, by providing a direct, quarantined link from the Internet to the virtual firewall before traffic enters the internal network.
At present, most providers using NFV are still relying on manual reconfiguring of the network to route traffic to the virtual network functions, but combining SDN and NFV in this way has incredible potential. Not only could a costly hardware device be run as a virtual machine in an off-the-shelf server, but in the event of network problems the task could shift to a different virtual machine and the network reconfigure immediately to make this possible.
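The placement argument above can be checked mechanically each time the network reconfigures. The following is an added example, not part of the original article: it models the permitted inbound forwarding hops as a directed graph and reports internal nodes that outside traffic can reach without crossing a virtual firewall, plus nodes the change cut off altogether. The node names and both topologies are constructed for illustration.

```python
from collections import deque

def reachable(hops, start, blocked=frozenset()):
    """Nodes inbound traffic can reach from `start` without entering a blocked node."""
    adj = {}
    for src, dst in hops:
        adj.setdefault(src, set()).add(dst)
    seen, queue = {start}, deque([start])
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen and nxt not in blocked:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def audit(hops, external, firewalls, internal):
    """Return (bypassed, cut_off) for one forwarding configuration.

    bypassed: internal nodes reachable from outside with every firewall removed.
    cut_off:  internal nodes not reachable at all, i.e. the change broke service.
    """
    internal = set(internal)
    bypassed = reachable(hops, external, frozenset(firewalls)) & internal
    cut_off = internal - reachable(hops, external)
    return sorted(bypassed), sorted(cut_off)

# Constructed topology: names are illustrative, not taken from the article.
INTERNAL = ["core-sw", "app", "db"]
FIREWALLS = {"vfw-1", "vfw-2"}
STEADY = [("internet", "edge-sw"), ("edge-sw", "vfw-1"),  # quarantined link to the VNF
          ("vfw-1", "core-sw"), ("core-sw", "app"), ("core-sw", "db")]
# Failover moved the firewall to vfw-2, but a stale edge-sw -> core-sw rule survived.
AFTER_FAILOVER = [("internet", "edge-sw"), ("edge-sw", "vfw-2"), ("vfw-2", "core-sw"),
                  ("edge-sw", "core-sw"), ("core-sw", "app"), ("core-sw", "db")]

if __name__ == "__main__":
    for name, hops in (("steady", STEADY), ("after failover", AFTER_FAILOVER)):
        print(name, audit(hops, "internet", FIREWALLS, INTERNAL))
```

A non-empty first list means the firewall has stopped being a mandatory waypoint, even though traffic still flows and a throughput test alone would pass.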
Testing virtual network functionality
There is no doubt that NFV has a great future, all the more so when combined with SDN to allow automation and near real-time response to business needs. A golden future lies ahead but, as with so many technological advances, a swamp of uncertainty lies between the present situation and that future. The problem is this: can we trust a network based on NFV?
Logically we should be able to, provided the functions are properly virtualized. But complex systems don’t always reflect simple logic, and surprising behaviour can emerge in a complex network. A virtual network must be aware of the constraints imposed by the underlying physical topology. In practice, a security system that re-routed signals to a central controller for packet inspection could add latencies that lead to unexpected consequences. A DoS attack, or simple “domino effect”, could crash the system internally.
Of course, the only sure solution to such uncertainties is stringent testing under realistic operating conditions. In the case of a fast-evolving virtual system this also includes on-going monitoring as the system reconfigures to make sure that the new configuration has not introduced a problem.
After all, a ‘virtualized network’ function is still a network function. It can be tested as such in much the same way as its physical equivalent. However, physical test ports are now no longer sufficient. Testing needs to come from within the virtual infrastructure and should also seamlessly span the virtual and physical realms.
Performance, availability, security and scale of any proposed solution must be assessed as before, particularly given the potential of the new networking paradigms to affect these aspects both positively and negatively.
The good news is that the network test industry is ahead of the virtualization game – test and monitoring devices have themselves been virtualized and, in this form, they can adapt as rapidly as the systems they are testing. Using the latest test techniques correctly, you can be as well assured of the performance of virtual systems as of any physical setup.
But is that all there is to it? Not quite, because every major new development requires new learning. We have the tools for testing virtual systems, but the swamp of uncertainty still lies between now and the golden future of NFV and SDN.
The only way to tackle such uncertainty is to call on the wisdom of acquired experience. When new challenges arise, even though they really are new, they can still be analysed in terms of what has already happened before. The network test industry has many years’ experience of not only testing networks but also adapting to constant changes in the technology and the business environment.
We can be pretty sure that NFV will throw up some surprises, and maybe need drastic remedies. But we can also be sure that test teams with sufficient experience and skills will find a way around these problems and learn to anticipate them – as they have always done in the past.
The moral of this tale? Get on the NFV bandwagon, grab the opportunities and competitive advantages it promises — but make sure you do it in the company of truly experienced network test specialists!