Virtualized Networks: The Power of Abstractions

Virtualization has changed the world of datacenter infrastructure. It has helped IT groups reduce the hardware footprint in their datacenters, avoid CapEx and reduce OpEx by decoupling the workload from the hardware, and enabled consolidation of workloads. With virtualization, compute nodes can now be provisioned in a matter of seconds, and this has been widely accepted. Although virtualization is a well-known concept in data centers, discussions of it tend to focus on the compute side of the three-part IT solution: compute, storage and networks. We will examine some of the core benefits of virtualization, which I claim are based on its ability to abstract resources rather than on well-known benefits such as server consolidation, and use networking as the example.

Let’s look at compute virtualization, which most people are familiar with. Most people equate compute virtualization with virtual machines, which were popularized by VMware in the 2000’s and are also available in open source projects such as KVM or Xen. But the origins reach back into the 1960’s and 1970’s with systems such as CP/CMS and OS/360. More recent developments in containers, such as LXC, Docker, or other systems, have received notice mostly due to the perceived lower overhead of containers compared to full virtualization, and their ability to encapsulate programs into an easy-to-deploy package. Although people often describe containers as a low-overhead version of full virtualization for workloads that do not require as much isolation, the ability to package programs has been a key benefit, and that derives from the portability provided by a separate namespace. This is particularly true for workloads that are trusted, such as those in a large-scale SaaS provider that does not require strong isolation. If you look carefully at the benefits of all of these systems, it’s the abstraction of capabilities, as well as the consolidation capabilities, that drove adoption.

Storage virtualization has also developed slowly, and it has not become as pervasive as compute virtualization. These systems also vary in implementation and benefits but mostly provide for a common abstraction of storage, which again points to the power of abstraction and logical separation.

Let us focus on the issues related to network virtualization and see how abstractions assist that area. The benefits of virtualization were evident to users before any notion of cloud computing had emerged, but agile systems with rapid changes, and the separation of infrastructure owner from tenant, have pushed the need to virtualize, since virtualization creates an abstraction layer. Network virtualization provides these basic benefits:

  • Agility – virtual devices such as firewalls and load balancers can be provisioned or de-provisioned quickly. The capability to manipulate them can be granted to infrastructure owners (those who run the entire cloud) or to individual tenants independently.
  • Cost reduction – logical devices may be created without hardware (of course, there is underlying hardware that runs it all), but virtual devices can be created
  • Overcoming limits imposed by physical devices and their protocols – limits such as the VLAN ceiling (a maximum of 4096 IDs, because the tag is a 12-bit field) or the inability to scale services elastically can be overcome with software-based devices.

Let’s assume that the aforementioned benefits of virtualization have been accepted, but there are a few items that are not commonly known, namely how network virtualization can be used as (1) an expression of IT policy and (2) a means of providing security. (Note: security is actually a form of policy, but a particularly important one.) These are some IT needs that may be solved with virtualized networks in particularly novel ways.

Policies have been important in networking for a long time, based on conventional constructs such as ACLs. But in general, policies are more general constructs and can express needs for security, quality of service or other performance requirements. A recently popular concept is to define SDN policy as a set of declarations of intent (a declarative model) rather than specifying how it is done (an imperative model). This is, in itself, not truly tied to virtualized or non-virtualized networks, but virtualization greatly assists in this area, in ways we describe below.

Virtualization, in this case, takes on a slightly different meaning. When we think of virtualized, or overlay, networks, we think of an alternate, logical instantiation of the network. Virtualized networks are one key application of SDN, which has traditionally meant a separation of the control and data planes. However, we want to view it in an alternate way, where virtualization is a way to express policy requirements by embodying the requirements in the form of (1) a topology and (2) a platform in which to run services and manipulate network traffic. The services interpret rules that apply to the network traffic between the networking elements.

Topology As a Way to Express Policy

Here is an example. Let us say that you want to construct a network topology to enforce some security requirements. Those items can be enforced by traditional access control lists, but another way to manage them is to impose a network topology and perhaps add appropriate middle boxes. Policies are a high-level abstraction and can be rendered to a physical network. This is analogous to a higher-level programming language compiling down to machine code. What this means is that rather than configuring a set of ACLs to enforce security policies, one can create a virtualized network topology that forces network traffic to be constrained or limited from access. One can ask whether the actual implementation of this form of security (at the physical network level) is done by ACLs or by some other mechanism.

In practice, it does not really matter, since the system that implements these policy rules can express them through a variety of mechanisms. It may have constructed VLANs to isolate traffic, used traditional ACLs, or, most likely in the case of overlay network virtualization, used encapsulation, where the traffic for the virtual network is placed (encapsulated) within another network packet and delivered in a manner that follows the virtual (overlay) network topology implemented atop a physical (underlay) network. What really matters here is that the virtual network defines all the abstractions and policies that the application owner wants.

Services to Express Policy

The topology alone cannot express all the policy needs. There are other elements, such as redirection and QoS, but they may be expressed through a policy definition language or by network services. Within the virtualized network, one can insert services (or possibly a chain of services) to manipulate the traffic. In a traditional physical network, the services are often implemented by a set of middle boxes, such as an ADC (application delivery controller). More recently, these middle boxes have been supplanted by virtual machines. Yet, if one combines a virtual network with these virtualized network services, one gets another level of flexibility that is difficult to attain in a purely physical network. Having a virtual network now enables the attachment of one or more of these network services into the topology. These services can no longer be thought of as analogues to physical middle boxes, but as general software modules that may be instantiated and run to manipulate traffic.
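The two preceding sections argue that a declared policy (which segments may talk, over which ports, through which services) is the abstraction, and that ACLs, VLANs or overlay encapsulation are merely alternative renderings of it. The following Python is an added illustration written for this post, not code from the original article or from any SDN product: it takes a constructed three-tier tenant intent and "compiles" it twice, once to an ordered ACL and once to a per-segment VNI table with a service chain, then checks that both renderings give the same verdict for a set of sample flows. The segment names, CIDRs, VNI numbering and the `firewall` service are hypothetical.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Segment:
    name: str
    cidr: str


@dataclass(frozen=True)
class Intent:
    src: str          # source segment name
    dst: str          # destination segment name
    port: int         # destination port the tenant wants reachable
    via: tuple = ()   # ordered service chain the flow must traverse (hypothetical names)


@dataclass
class Policy:
    segments: dict    # name -> Segment
    intents: list     # list of Intent


def compile_to_acls(policy):
    """Rendering 1: an ordered ACL of explicit permits followed by a deny-all."""
    acl = [("permit", policy.segments[i.src].cidr, policy.segments[i.dst].cidr, i.port)
           for i in policy.intents]
    acl.append(("deny", "0.0.0.0/0", "0.0.0.0/0", None))   # None matches any port
    return acl


def acl_allows(acl, src_ip, dst_ip, port):
    """First-match evaluation, as a conventional ACL would do it."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for action, src_net, dst_net, acl_port in acl:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and acl_port in (None, port)):
            return action == "permit"
    return False


def compile_to_overlay(policy, base_vni=10000):
    """Rendering 2: one VNI per segment (isolation by encapsulation) and a
    forwarding table that only contains the flows the intent declared,
    each carrying the service chain the packet is steered through."""
    vnis = {name: base_vni + n for n, name in enumerate(sorted(policy.segments))}
    table = {(vnis[i.src], vnis[i.dst], i.port): list(i.via) for i in policy.intents}
    return vnis, table


def overlay_path(vnis, table, src_seg, dst_seg, port):
    """Return the hops an encapsulated packet visits (services, then the
    destination segment), or None when the overlay has no such flow."""
    chain = table.get((vnis[src_seg], vnis[dst_seg], port))
    return None if chain is None else chain + [dst_seg]


def segment_of(policy, ip):
    addr = ipaddress.ip_address(ip)
    for seg in policy.segments.values():
        if addr in ipaddress.ip_network(seg.cidr):
            return seg.name
    return None


def renderings_agree(policy, flows):
    """Check that the ACL rendering and the overlay rendering enforce the
    same intent for every (src_ip, dst_ip, port) sample flow."""
    acl = compile_to_acls(policy)
    vnis, table = compile_to_overlay(policy)
    for src_ip, dst_ip, port in flows:
        by_acl = acl_allows(acl, src_ip, dst_ip, port)
        s, d = segment_of(policy, src_ip), segment_of(policy, dst_ip)
        by_overlay = (s is not None and d is not None
                      and overlay_path(vnis, table, s, d, port) is not None)
        if by_acl != by_overlay:
            return False
    return True


# Constructed sample tenant: web may reach app on 8080 only through a firewall,
# app may reach db on 5432, nothing else is reachable.
EXAMPLE_POLICY = Policy(
    segments={"web": Segment("web", "10.0.1.0/24"),
              "app": Segment("app", "10.0.2.0/24"),
              "db":  Segment("db",  "10.0.3.0/24")},
    intents=[Intent("web", "app", 8080, via=("firewall",)),
             Intent("app", "db", 5432)],
)

# Constructed sample flows, including a lateral db->web attempt and an outsider.
EXAMPLE_FLOWS = [("10.0.1.5", "10.0.2.7", 8080), ("10.0.2.7", "10.0.3.9", 5432),
                 ("10.0.3.9", "10.0.1.5", 80), ("10.0.1.5", "10.0.2.7", 22),
                 ("192.168.0.1", "10.0.3.9", 5432)]

if __name__ == "__main__":
    print(compile_to_acls(EXAMPLE_POLICY))
    print(compile_to_overlay(EXAMPLE_POLICY))
    print("renderings agree:", renderings_agree(EXAMPLE_POLICY, EXAMPLE_FLOWS))
```

The point of `renderings_agree` is the one the text makes: the tenant never sees an ACL or a VNI, only the intent, and the operator is free to swap the enforcement mechanism as long as every sample flow gets the same verdict. In the overlay rendering, the service chain is part of the forwarding entry rather than a box wired into the physical path, which is what lets a service be attached to a topology rather than to a port.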

Simulation of Network

Finally, we have assumed that the network packets are manipulated by a variety of systems that exist in a virtualized world, but ultimately the packets are manipulated by (a) devices or (b) virtual machines that emulate middle boxes. In reality, since a network virtualization system runs the packets through a software layer, it is possible to manipulate the packets at a low level and avoid having packets transported and transformed in the standard way. For example, if a packet needs to move through several routers in a network, elements in the packet header, such as the TTL (time to live, an 8-bit field with a typical initial value of 64), get decremented as it traverses devices. If we had treated the virtual network as an analogue of a physical network, the packet would have bounced between virtualized instances of the routers, and it would have had the TTL counter decremented at each one. In an actual virtual overlay network, since a piece of software can manipulate packets and calculate what the network would have done via a simulation, packet transformations may be done in one place before the packet is transmitted efficiently to its destination, avoiding a “hop by hop” simulation in an analogue of a physical network. This makes packet delivery much more efficient.
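To make the TTL example concrete, here is an added Python simulation written for this post (not code from the original article or from any overlay product). It models the two approaches the paragraph contrasts: a hop-by-hop analogue of a physical network, in which each virtual router rewrites the header in turn, and a one-shot overlay computation that derives the same outcome, including which router would have expired the packet, from the path length alone. The packet fields and router names are constructed, and the rewrite counter stands in for the per-hop work (TTL decrement plus, for IPv4, the header checksum recomputation that goes with it).

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    ttl: int   # 8-bit time-to-live field, typically starting at 64


def hop_by_hop(pkt, path):
    """Analogue of a physical network: every virtual router on `path`
    decrements TTL and rewrites the header. A router that receives TTL <= 1
    discards the packet (it would emit ICMP Time Exceeded).
    Returns (delivered_packet_or_None, router_that_dropped_it_or_None, rewrites)."""
    rewrites = 0
    for router in path:
        if pkt.ttl <= 1:
            return None, router, rewrites
        pkt = replace(pkt, ttl=pkt.ttl - 1)   # one header rewrite per hop
        rewrites += 1
    return pkt, None, rewrites


def one_shot(pkt, path):
    """Overlay simulation: the software layer knows the whole virtual path, so
    it computes the end state once. If TTL would run out, the router at
    index ttl-1 is the one that would have dropped it; otherwise subtract the
    hop count in a single rewrite before sending across the underlay."""
    hops = len(path)
    if hops and pkt.ttl <= hops:
        return None, path[max(pkt.ttl - 1, 0)], 0
    return replace(pkt, ttl=pkt.ttl - hops), None, (1 if hops else 0)


def outcomes_agree(path, max_ttl=255):
    """Verify that the one-shot computation reproduces the hop-by-hop
    result (delivered packet and dropping router) for every legal TTL."""
    for ttl in range(1, max_ttl + 1):
        pkt = Packet("10.0.1.5", "10.0.3.9", ttl)
        if hop_by_hop(pkt, path)[:2] != one_shot(pkt, path)[:2]:
            return False
    return True


# Constructed virtual topology: three virtual routers between two segments.
EXAMPLE_PATH = ["vr-web-edge", "vr-core", "vr-db-edge"]

if __name__ == "__main__":
    p = Packet("10.0.1.5", "10.0.3.9", 64)
    print("hop-by-hop:", hop_by_hop(p, EXAMPLE_PATH))
    print("one-shot:  ", one_shot(p, EXAMPLE_PATH))
    print("agree for all TTLs:", outcomes_agree(EXAMPLE_PATH))
```

The `rewrites` counter is where the efficiency claim shows up: the hop-by-hop version touches the header once per virtual router, the one-shot version once per packet regardless of path length, yet `outcomes_agree` confirms that the observable result, including the expiry case, is identical.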

The abstraction offered by network virtualization is an unexpected benefit, as opposed to simple consolidation (CapEx reduction) or operational expense (OpEx) reduction. By creating logical topologies, creating a platform for services and simulating packets, it is possible to implement complex IT policies that are not easily performed in a physical network, or even in a quasi-virtualized network where devices are virtualized as network-device virtual machines. A true virtual network that separates and abstracts the topology and services from the underlying network affords flexibility that is uncommonly attained in a traditional network.

As published on Wired Innovation Insights on August 14th 2014.
