Application-Aware Networking White Paper
Transcription
Application-Aware Networking White Paper
White paper Application-Aware Networking at A Glance OVERVIEW Application-Aware Networking (AAN) designates a set of tools and solutions for boosting utilization of network resources based on customer demand through applications such as CRM systems (e.g. Salesforce.com) and video conferencing systems (e.g., Skype, MS Lync, etc.). Although in the past relatively dumb networks may have sufficed in coping with customer demands, but this is no longer the case today. As more and more applications migrate into the cloud and best-effort Quality Of Service (QoS) is no longer a satisfactory solution, a new breed of intelligent networks is required. In addition, as service providers (SPs) see their revenues shrink and an increasing number of business slip to application providers or Over-The-Top (OTT) players, a new strategy is needed that enables them to regain their position in the market. This strategy calls for the adoption of new business models that require deeper analysis of protocol stacks. In this white paper we provide a detailed description of the changing network environment that sheds light on AAN. We also describe a set of tools for monitoring customer applications, compare the merits of each tool, explain how one controls resources based on this knowledge, and eventually show how all of this relates to the new trend of Software-Defined-Networking (SDN). WHAT IS APPLICATION-AWARE NETWORKING ? Application awareness is a broad term that has different meanings for different network appliances. Some appliances, such as firewalls, WAN optimizers, and application-delivery controllers are application aware by definition and implement various actions on transferred application data. Even these appliances have changed their “awareness” level significantly in the past 10 to 15 years as they are now looking deeper into the protocol stack in order to make the right decisions and take the appropriate actions. The term Deep-Packet-Inspection (DPI), associated with Application Awareness, describes the actual technical functionalities performed in AAN. However, the term is usually used in a much broader context and it describes a broader set of functionalities than the one we’ll address in this paper. In the world of Layer 1 – Layer 3 transport services, Application Awareness refers to the set of tools service providers and enterprises can use to optimize network resources and meet the actual performance requirements (bandwidth, delay, jitter, etc.) of the overlay applications. A good example of such optimization is the use of dedicated hardware queues and a choice of the shortest path for mission critical, delay-sensitive, financial applications such as algorithmic trading. Another good example is the provisioning of high-priority Service Levels Agreements (SLAs) for video conferencing as opposed to medium and low-priority SLAs for email exchanges or standard CRM1 systems, such as Salesforce.com. Carrier-Ethernet devices, such as MRV’s OptiSwitch® series, are deployed by service providers to deliver business services. Accordingly, they will mainly facilitate the transfer of business applications and not private consumer applications. Typical business applications would include: Salesforce.com, Microsoft 365, Oracle cloud applications, SAP cloud applications, Microsoft Lync, Skype, and so on. In the past, these applications resided within the enterprise LAN. However, with the massive transition to cloud-based services2 virtually all application traffic will traverse WAN links beyond the LAN. A new study, conducted at the end of 2012, shows that 82% of European organizations suffer from application performance problems3 caused mainly by data transfer bottlenecks and unpredictability on the WAN. The market trends and difficulties noted above, together with the requirement of business-critical applications4 , create new opportunities for service providers in delivering dedicated application-based services. Ten years ago, providing such services might have been as simple as providing Layer 4 visibility. If a router could inspect the TCP/UDP port destination, it could have made an educated guess about the nature of the application and apply the appropriate QoS policy. CRM = Customer Relationship Management Global IT spending on Cloud Computing will reach $US109 billion in 2012 (Gartner - http://www.gartner.com/newsroom/id/2163616 ). 3Easynet study - May 2012 (http://www.easynet.com/gb/en/about/pressRelease.aspx?TertiaryNavID=783&PressReleaseID=1586) 12- 1 White paper With the same information, a firewall could decide whether to allow or deny traffic. If traffic was headed to TCP Port 80, for example, it was pretty clear that it was HTTP traffic and typically received only best-effort QoS. Today, as we mentioned above, best effort isn’t good enough and knowing the Layer 4 port is inconclusive. Why? Simply because in today’s networking world, hundreds of applications can run over the same TCP/UDP port. Only by getting more detailed information about each application can a network element make the proper decisions and take the appropriate actions. How Do Protocols Relate to TCP/UDP Ports # ? Protocol HTTP SMTP FTP TELNET NTP BGP TCP/UDP Ports # 80 25 20/21 23 123 179 Protocol Figure 1: Recognizing Protocols and Applications WHY IS APPLICATION-AWARE NETWORKING IMPORTANT ? AAN is not a new concept. It regained momentum in the last few years due to several emerging technological and market trends. First, from the commercial and market perspective, the ruling business model that separates the application providers (Netflix, Yahoo, Google, Amazon, Salesforce.com, etc.) from the service providers that own the network infrastructure turned out to be a big problem for the service provider. Application providers have been increasing revenues by monetizing the major network infrastructure investment made by the service providers. Application-awareness enables service providers to regain control over their network resources and take back some of the power the OTTs have gained and put it back into the hands of the actual owners of network infrastructures. New business models, widely known as Telco 2.05 , are based on intelligent networks that collect and maintain information about the applications using the network resources. As a result, network resources can be optimized to suit the exact needs of the applications. This enables service providers to monetize their investments in network infrastructure by offering end-customers and OTTs new tailored services. Upstream Customers Telco Developers Retailers Goverment Media Advertisers Utilities Finance Core Services Assets and Capabilities New B2B Platform Services Downstream Customer Millions of customers Thousands of Segments Hundreds of devices Figure 2: The High-level Telco 2.0 Business Model 45- See Enterprise Management Association (EMA) report at http://www.enterprisemanagement.com/web/ema_ac0113.php See http://www.stlpartners.com/telco2_index.php White paper Another trend that stirs up market discussion on application awareness is network appliance convergence. As service providers seek to reduce their capital and operational spending, the attempt to converge various departments in the organization and to build a leaner and easier-to-manage network becomes one of their primary goals. As a result, telecom equipment vendors are bringing new and more powerful platforms to market that support the convergence of services. Packet Optical Transport Platforms (POTP) that facilitate the convergence of L1 to L3 services in a single platform is one such example. New routers that support firewalling and WAN optimization services are another example that offers a huge advantage. These routers closely integrate all these services in a single application-aware device that can pass specific applications to the firewall, or can optimize (throttle) the delivery of certain applications across the WAN. HOW COMPLICATED IS THE TRANSITION TO APPLICATION-AWARE NETWORKING ? While application awareness for Layers 4-7 already exist within appliances focused on applications, such intelligence in basic OSI layer network elements is obviously missing. Incorporating intelligence there is a challenging task for both the telecom equipment vendors and the service providers that are about to deploy them. First, from the engineering perspective, transport devices are optimized for L1-L3 forwarding and do not have the proper hardware to perform line-rate forwarding while examining applications. Proper application-aware devices might need a dedicated hardware engine to perform DPI actions while maintaining a reasonable level of device performance. So far, the additional hardware cost led the industry to incorporate DPI engines only in large core devices that are less sensitive to increasing cost versus multi-layer access devices that are more cost effective to produce. We will later show, however, that incorporating such engines within the multi-layer access device is actually the best and most cost effective way to build modern and intelligent networks. Second, even after new application-aware multi-layer access devices have been developed, transport departments within service providers need to overcome their own set of obstacles in order to deploy and use these appliances properly. They must acquire the needed technical skill-set and become familiar with the various applications used by their customers. They also need to become familiar with the performance requirements of these applications. And last but not least, service providers must adopt new business models that justify the investments needed to transition to application-aware networking. WHERE SHOULD SERVICE PROVIDERS IMPLEMENT THEIR DEEP PACKET INSPECTION FUNCTIONS? DPI technologies have existed for around 15 years. Most of the vendors associated with this market have built large and dedicated DPI chassis that are usually deployed in the network core and peer6 segments. Internet EPC DPI eNodeB Mobile Backhaul 6 Figure 3: A Common Deployment Scenario of a DPI function in LTE Backhaul The benefit of placing such appliances in these strategic network locations is usually associated with simple management as such network locations require less devices to manage than in locating multiple devices in aggregation and access segments. Yet the need to place large DPI dedicated appliances in a provider core might explain why the DPI market is not as large as we expect a 15 year old industry to be (the market was found to garner around $600 million USD by the end of 20127). In addition, placing DPI devices at the network peering points also creates technical difficulties as a lot of traffic passing to and from the ISPs is asymmetric. Often this asymmetry causes these DPI platforms to see only partial flows and to encounter difficulties in analyzing them. These processing difficulties arise even before QoS policies are applied in processing. 67- The network peer is where the wireline and wireless carriers connect to the Internet-Service-Providers (ISPs) See: http://policychargingcontrol.com/market-forecast-deep-packet-inspection White paper The alternative for deploying expensive DPI-dedicated platforms in the core is to incorporate relevant DPI engines in access platforms such as multi-layer access devices. For the purpose of providing the right end-to-end QoS for business applications passing to and from the enterprise, DPI supporting multi-layer access devices is the right way forward. First, multi-layer access devices are exposed to all traffic entering and leaving the enterprise and thus asymmetric flows are no longer an issue. Second, CPEs are the enterprise gateway to the service provider; they place application frames in the right queues and perform the right DSCP or L2 priority-bits marking for end-to-end QoS policies. Access Aggregation Core Peering ISP 1 BGP ISP 2 Dedicated DPI Chassis Multi Layer Access Device - Full clarity of customer traffic - Existing appliances - Cheaper Solution - Relevant to all business models - Large and expensive devices - Problems of Asymmetric traffic - Doesn’t support all business models Figure 4: Placing QoS Enforcing DPI Engines in Scattered Locations of the Network TWO BASIC PROTOCOLS FOR APPLICATION MONITORING There are two industry-accepted protocols for application monitoring which is usually considered a first phase toward AAN. These are sFlow, an IETF (RFC 3176) standard, and promoted by the sFlow consortium8 , and Netflow, a Cisco Systems proprietary protocol that has also become an IETF standard (RFC 3954). The latest version of sFlow is v59 and that of Netflow is v10. sFlow randomly samples network packets and sends these samples to an outside sFlow Collector that functions as the monitoring station. For the purpose of monitoring actual usage of various applications and statistical analysis of network utilization, a uniformly distributed sampling method such as sFlow is considered accurate and robust enough to cope with high bandwidth services. sFlow defines two different sampling mechanisms: • Packet-based sampling: Samples one packet out of a specified fixed number of packets • Time-based sampling: Samples one packet every specified time interval Network Figure 5: The sFlow Model - Monitored Devices Send Sampled Frames to an sFlow Collector 89- See www.sFlow.org Implemented on new generation OptiSwitch® Carrier Ethernet 2.0 Series (OS906G and OS940) White paper sFlow frames sent from the sFlow supporting Network Elements to the sFlow collector are UDP packets destined to the specified host and UDP port (by default, this is port 6343). The lack of reliability in the UDP transport mechanism does not significantly affect the accuracy of the measurements obtained from an sFlow agent. Each sFlow datagram provides information about the sFlow version, the originating device’s IP address, a sequence number, the number of samples it contains and one or more frames and/or counter samples. Similar to sFlow, NetFlow also collects traffic frames and later exports a statistics summary of the analyzed flow via a standard NetFlow record which is also a set of UDP frames (usually destined to port 2055). The Netflow system is also comprised of a Netflow client (or Exporter) and a NetFlow Collector, typically, a server that does the actual traffic analysis. Internet Remote Site #2 NetFlow Exporter Remote Site #1 NetFlow Exporter NetFlow Exporter LAN Queries Flow Storage Analysis Console Figure 6: The NetFlow Model - Monitored Devices Send Flow Summaries to Flow Collectors Figure 7: sFlow Collector Showing what Applications are Running in the Network THE DIFFERENCE BETWEEN SFLOW AND NETFLOW The most important fact to recognize is that unlike sFlow, Netflow is not based on a sampling technology. Its monitoring methodology is based on receiving and analyzing every frame in the packet flow. This enables Netflow to provide the “full-story” behind the flow and thus better recognize security threats as well. Moreover, as Netflow captures the first frames of each flow, it can easily recognize the user’s applications that are several times harder to recognize than when frames are captured in the middle of the flow. The need to capture full wire-speed traffic will have severe implications on the performance and design of the Netflow supporting systems : White paper 1. Unlike sFlow systems in which the collectors (usually servers) are doing all the traffic flow analysis and the clients simply send the original frames wrapped in sFlow PDUs, Netflow implementations put much more responsibility on the Netflow clients (usually routers). The clients analyze packet flows and send the collectors Netflow PDUs with data portraying the used applications and associated statistics and not the original customers’ frames. 2. Without dedicated hardware engines, the Netflow clients (the routers) will have roughly 30% degradation in performance due to the above described implementation and the need to inspect the entire traffic flow. Though a Netflow supporting system can offload traffic to a hardware-based DPI engine in order to avoid degraded performance, that doesn’t mean the engine is necessarely cost-effective. 3. The effect on performance usually forces service providers to incorporate Netflow systems only for low-speed services (having bandwidth in the range 10Mbps to 100Mpbs). These low speeds are usually common in L3 services and are no longer sold by service providers for L2 services. Netflow sFlow Not sampling - analyzes every frame Sampling Based Tapping Service If there is no dedicated hardware it will be done on the CPU and leads to ~30% degradation in performance Does not exhaust substantial resources from device (CPU or switching bandwidth) Provides the full story and can be used for network security purposes (implemented on most firewalls) Good enough to know what your customers are doing with their network Not adequate for detecting / handling with security breaches Figure 8: Netflow vs. sFlow FROM SFLOW/NETFLOW TO A COMPLETE AAN AND HOW IT IS ALL CONNECTED TO SDN As mentioned before, since most applications today cannot be identified or correctly prioritized y standard TCP/UDP ports, critical applications (for instance, Lync video conferencing) might get poor QoS in competing for the same resources as other non-critical applications (for instance, standard web surfing). Web Surfing Video Conferencing Figure 9: Critical Applications Might Get Poor QoS White paper Therefore, the real motivation behind AAN is to provide each application its actual desired transport characteristics, or more formally, to enable service providers to set QoS parameters to the application flows, to dynamically manage bandwidth consumption of every application,and perhaps even to choose optimal routes between application clients and their respective servers. sFlow and Netflow are both monitoring standards. As such, they can only be considered a first phase toward AAN. As a sampling mechanism, sFlow cannot provide a solution to the problem we just described. At most, it can only be part of such a solution. In order to guarantee certain QoS to specific applications, the system must access all frames belonging to the application flow. Though Netflow complies with this last requirement, it still needs to be associated with a marking mechanism that has an adverse effect on the already problematic performance issue we described in the previous section. To really achieve the goal described above without significantly impacting traffic performance there are two feasible solutions: A A hardware based solution: Adding a hardware-based DPI engine to the deployed multi-layer access device. Once this functionality is activated, traffic passing through the standard switching-fabric of the device will be directed to this engine. The emergence of multi-core CPUs capable of transferring multiple 1GE and 10GE traffic are considered a perfect fit for DPI functionality. These CPUs are de-facto programmable and thus support for new applications can easily be added without the need to perform forklift upgrades to the hardware. B A software-based solution: Using mainly heuristics and algorithms, the solution uses sFlow for sampling the customer data and uses heuristics to better recognize the used application and to identify recurring patterns within the flows’ frames. Software Defined Networking (SDN) is not the scope of this white-paper. However, we may note that the term indicates a movement toward software-programmable or software-replaceable network elements. The first approach proposes the use of programmable multi-core CPUs to which an outside server can connect and download newly supported applications (a new ERP application, a new e-commerce application, etc.). The second approach can benefit from SDN in two ways. First, by enabling outside appliances to add new protocol recognition and new pattern recognition algorithms to the local CPU via software upgrade. Second, by actually running those algorithms on an outside server separate from the forwarding machine. Dedicated HW DPI Engine Offloading full flows to new engine Sampling to CPU Software Solution Activated on Commercial off-the- shelf Customer traffic Adding support for new protocols SDN View (from Service Management & Provisioning System) Figure 10: Software/Hardware based Solution for the Next Phase into AAN White paper MRV APPROACH TO AAN MRV’s approach to AAN solution is implemented through a cost effective solution without forklift upgrades. MRV’s solution is based on three pillars including: 1- A multi-layer access device (OptiSwitch® Series); 2- A Linux-based Operating System (Master-OS™ control plane software); 3- Orchestration software (Pro-Vision® service provisioning and management system) that enables visibility into multiple layers across the network, application awareness and sophisticated analytics that help service providers to monetize their network infrastructure assets. MRV’s approach to AAN solution provides a software programmable multi-layer access devices which is one of MRV’s SDN solution components. MRV’s comprehensive solution is one of the key ingredients for the new networking paradigm of intelligent and Flexible networks including virtualization, programmability & control, layer convergence, and application awareness. SUMMARY In this white paper we provided a detailed explanation about Application Aware Networking. We started with a short description of the term in the context of network elements that usually provide standard L1 to L3 transport services. We outlined the rationale behind the transition from simple dumb forwarding to application-aware forwarding is so critical to the service provider’s survival and yet why this is not a simple transition from both the technical and business perspectives. We provided a broad view on the various benefits and drawbacks of placing DPI appliances in different locations of the network and emphasized our belief that locating such appliances at the edge of the service providerís network is the right strategy. We then moved to describe the two most common standards for monitoring application usage by customers: sFlow and Netflow, and provided a detailed comparison between the two. We proceeded with a description of two alternative techniques for actually providing application-based QoS - a software solution that utilizes heuristics in order to fill the required gaps in common switching fabrics and a programmable hardware solution that supports DPI with wire-speed forwarding and remains programmable enough for upgrades of new supported applications. We concluded with a description of MRV’s innovative and unique approach to AAN solution that is implemented through a cost effective solution without forklift upgrades. MRV’s approach to AAN solution provides a software programmable multi-layer access devices which is one of MRV’s SDN solution components. MRV’s comprehensive solution is one of the key ingredients for the new networking paradigm of intelligent and Flexible networks including virtualization, programmability & control, layer convergence, and application awareness. MRV operates worldwide sales and service offices across four continents. Contact us at [email protected] MRV Communications Corporate Headquarters 300 Apollo Drive Chelmsford, MA 01824 www.mrv.com For more information contact [email protected] or visit www.mrv.com All statements, technical information and recommendations related to the products herein are based upon information believed to be reliable or accurate. However, the accuracy or completeness thereof is not guaranteed, and no responsibility is assumed for any inaccuracies. Please contact MRV Communications for more information. MRV Communications and the MRV Communications logo are trademarks of MRV Communications, Inc. Other trademarks are the property of their respective holders. The OptiSwitch®, Master-OS™ and Pro-Vision® Trademarks and MRV Company Logo are the sole and exclusive property of MRV Communications. All other trademarks and logos mentioned in this white paper are the property of their respective owners. MRV-WP-AAN Copyright © 2013 MRV Communications, Inc. All Rights Reserved.