In the past decade, networks have undergone a variety of changes. In essence, networks have become complex and difficult to manage using traditional mechanisms. There is now a pressing need to design and integrate equipment from multiple vendors and adopt new technologies such as virtualization and cloud services to manage networks. Every network is unique, and you’ll never encounter two networks that are exactly the same. Vendors provide products as building blocks for engineers to design solutions that work for them. If we all had a simple and predictable network, this wouldn’t be a problem. But there is no global reference to follow, and designs vary from business to business. This results in network variation even when providing similar services.
It is estimated that more than 60% of users believe that their IT environment is more complex than it was two years ago. We can only assume that network complexity will increase in the future. Large enterprises and service providers need to manage this complexity to ensure their traffic flows, policies, and configurations are all in compliance with requirements and objectives. You can’t manage complex networks manually. Human error will always cost you and ultimately slow down the network, hampering agility. The fact that networks are complex and error-prone encourages automation, and how this actually happens depends on the level of automation. Therefore, networks require higher-level orchestration.

The need for modernization

This complexity is compounded by the fact that enterprises are looking to modernize their business processes and networks. Traditional vertically integrated monolithic network solutions prohibit network modernization. This creates a gap between the architect’s original intent and the actual runtime behavior. If you examine it, you will find that the content of the design document is only loosely coupled to the network implementation. First, there is no structured process for how to translate the design document into an actual device. How to implement it is entirely up to individual interpretation. These networks were built for a different era. Therefore, we must now shift our focus from traditional network specifications to intent-based networking (IBN). IBN is a technology that enables the modernization of networks and aligns them with overall business goals. It allows you to tightly align design rules with the network.

The need for new tools

It is clear that we need new tools, not only from the physical device perspective, but also from the traffic perspective. Manual methods of verification will no longer work. We have 100 bits in a packet, which means that traffic can perform multiple conversations simultaneously.
Therefore, it is impossible to track the end-to-end flow using manual methods.

When it comes to configuration, the CLI is the most common method used to make configuration changes. But it has many disadvantages. First, it provides the wrong level of abstraction. It is targeted at operations personnel and does not verify that engineers will follow the correct procedures. Additionally, the CLI language was never standardized across vendors. The industry responded to this and introduced NETCONF. However, NETCONF has many inconsistencies across vendor operating systems. Many companies use their own proprietary formats, making it difficult to write NETCONF applications across multiple vendor networks. NETCONF is fundamentally about simplifying automation, but in reality, the irregularities it presents make automation much more difficult.

Additionally, the old-school troubleshooting tools we use (like ping and traceroute) cannot fully assess the behavior of the network. Traceroute has problems with IP unnumbered links, and unnumbered links are advantageous in a fully automated network environment. Ping, on the other hand, tells you nothing about how the network is behaving. These tools were originally built for simpler times.

We need to develop a vendor-agnostic solution that can verify intent against configuration policies. This should be agnostic to the number of devices, installed OS, traffic rules, and any other type of configuration policies. We need network automation and predictability. Existing common tools offer no value. In short, we need a new model that can figure out all device and traffic interactions, not just at the device level, but at the entire network level.

IBN and SDN

The users of software-defined networking (SDN) are mainly large companies that have the resources to build their own hardware and software, such as Google and Facebook. For example, Google's B4 project aims to dynamically build an efficient wide area network (WAN) through flow-based optimization.
However, this cannot be achieved if traditional WAN architecture is used on production networks. IBN is the natural successor to SDN as it borrows the same principles and architecture: the division between applications and network infrastructure. Similar to SDN, IBN is about software that controls the entire network, rather than device by device. Now the question is, as a concept, can SDN automate as needed? In reality, SDN uses software to configure the network, driving software-based networking. However, IBN is the next step, and it is where the emphasis now needs to be placed. Intent-based systems work higher up, at the application level, to provide true automation.

What is IBN?

IBN answers the need for greater network automation: it is a technology that provides enhanced automation and network insight. It represents a paradigm shift that focuses on "what the network should do" rather than how network components are configured. It monitors whether the network design is doing what it should do. IBN does this by generating designs and configurations that devices implement. Additionally, it verifies and validates compliance with the original intent in real time. For example, if the desired intent is not met, the system can take corrective action such as modifying QoS policies, VLANs, or ACLs. This makes the network more compliant with both business objectives and compliance requirements. It uses declarative statements, i.e. what the network should do, rather than imperative statements describing how it should be done. IBN is able to understand a large number of heterogeneous networks consisting of a range of different devices that do not have a single API. This essentially allows you to focus on business needs rather than the limitations of traditional networks.

IBN journey

The first step on the road to IBN is to translate all of this into explicit logic rules, which are essentially part of the IBN software.
You also need to understand the traffic to see if reality matches the intent. To do this, the system builds a model of the network and then verifies that model; this is known as formal verification in computer science. This is a method where we mathematically analyze the network to see if it matches its intent. This involves certain calculations that encode the logic.

Network verification

Network verification is a critical part of any IBN system. It requires a basic mathematical model of network behavior to analyze and reason about the design and strategy of the target network. The system needs to verify all conceivable packet flows and traffic patterns. Although there are no clear IBN architecture guidelines, mathematical models can be used to handle each network device. This can be seen as a set of algebraic and logical operations on all packet types and traffic flows at each device level. This allows the IBN system to evaluate and verify all possible scenarios.

When a device receives a packet, it can perform a number of actions. It can forward the packet to a specific port, drop the packet, or modify the packet header and then forward it to a port. A mathematical model determines how each device responds to each possible type of packet and evaluates the behavior network-wide, not just at the device level.

In principle, the verification process must be end-to-end. It must collect configuration files and state information from every device on the network. The behavior of all possible traffic flows is then mathematically analyzed on a hop-by-hop basis. The IBN system builds a software model of the network infrastructure. The model first reads the configuration details from Layer 2 to Layer 4, and then collects the state from each device (the IP routing table).

With IBN we will see a shift from a reactive approach to a proactive approach. It will have a profound impact on the future of networking as we move to a model that focuses primarily on business needs and makes things easier. We are not as far away as people think, and you can start your IBN journey today if you want. The technology is there, and a phased deployment model is recommended. If you look at IDS/IPS deployments, you will see that most are still changing.
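The hop-by-hop verification described under network verification, as an added example that is not from the article or from any IBN product: each device is modeled as an ordered rule list that forwards, drops, or rewrites and forwards, and an isolation intent is checked for every destination in a subnet. The device names, addresses, and rule format are constructed assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed sample network (not from the article). Each device has an ordered
# rule list: (dst prefix, dst port or None for any, action, argument).
DEVICES = {
    "edge": [("10.0.2.0/24", None, "forward", "core")],
    "core": [("10.0.2.10/32", 3306, "drop", None),
             # header rewrite: new destination address, then next hop
             ("10.0.2.20/32", None, "rewrite", ("10.0.2.10", "fw")),
             ("10.0.2.0/24", None, "forward", "fw")],
    "fw": [("10.0.2.10/32", None, "forward", "db")],
    "db": [("10.0.2.10/32", None, "deliver", None)],
}

def step(device, dst, port):
    """First matching rule wins; returns (outcome, next_device, dst)."""
    for prefix, rule_port, action, arg in DEVICES[device]:
        if ip_address(dst) in ip_network(prefix) and rule_port in (None, port):
            if action == "forward":
                return "forward", arg, dst
            if action == "rewrite":
                return "forward", arg[1], arg[0]
            return action, None, dst  # "drop" or "deliver"
    return "drop", None, dst  # no rule matched: implicit deny

def trace(start, dst, port, max_hops=16):
    """Follow one packet class hop by hop; returns (outcome, path)."""
    path, device = [start], start
    for _ in range(max_hops):
        outcome, nxt, dst = step(device, dst, port)
        if outcome != "forward":
            return outcome, path
        device = nxt
        path.append(device)
    return "loop", path

def verify_isolation(start, subnet, port, protected):
    """Intent: nothing entering at `start` on `port` is delivered at `protected`.
    Checks every destination in `subnet`; returns the violating (dst, path) pairs."""
    violations = []
    for host in ip_network(subnet).hosts():
        outcome, path = trace(start, str(host), port)
        if outcome == "deliver" and path[-1] == protected:
            violations.append((str(host), path))
    return violations

if __name__ == "__main__":
    print(verify_isolation("edge", "10.0.2.0/24", 3306, "db"))
```

The drop rule on `core` looks correct when inspected alone, but the rewrite rule sends traffic for 10.0.2.20 to the database past it, which only the network-wide trace reveals. Placing the port-3306 drop on `fw`, after the rewrite, clears the violation.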