The previous article, "Things about SD-WAN (Part 1)", traced the evolution of wide area network architecture from WAN acceleration to hybrid WAN and then to the enhanced hybrid WAN, SD-WAN. SD-WAN technology lets enterprises obtain leased-line-like characteristics over inexpensive Internet links, which suits the needs of cloud services better and improves the agility and robustness of the network. This article continues by briefly describing the features and technical implementation of SD-WAN in the hybrid WAN scenario.
The pooling of computing resources is what constitutes cloud computing. The goal of SDN can be seen as the cloudification of the network, because network services have the same functional requirements as cloud computing: elastic scaling, on-demand service, and rapid deployment. SD-WAN abstracts the WAN link into a resource, that is, a virtual overlay service for the business, hiding the specific form of the underlying link and helping the business quickly obtain resources that match its needs. By implementation, SD-WAN can be roughly divided into three categories.

1. Traditional equipment manufacturers

Traditional network devices add SD-WAN functions. On the CPE or headquarters egress gateway, according to a pre-configured policy, a link detection protocol run towards the destination measures the link load, delay, jitter and packet loss rate, and the link that meets the service's SLA requirements is selected for forwarding. For example, the controller delivers policies such as the following:

Based on the controller's policy, the device identifies applications A and B, selects a link that meets the conditions for forwarding, and adjusts dynamically according to link quality. Another common policy is load sharing, which dynamically selects and modifies routes according to link load so as to make the fullest use of link resources.

Figure 1 Application-oriented multi-egress selection

In this scenario, services without confidentiality requirements enter the SP network directly, and services that require encrypted transmission enter the SP network through tunnels. Such a tunnel can be considered a point-to-point overlay, but whichever method is used, once traffic enters the SP network it is out of the enterprise's control and is routed conventionally by the underlay network. Since the enterprise deploys the SD-WAN service itself, it is more controllable, but because Internet traffic is bursty and unpredictable, it may at times be impossible to select a link that meets the SLA requirements, so the enterprise must provision multiple links.

2. SD-WAN service providers

SD-WAN service providers represented by Viptela and VeloCloud provide access in the form of software (NFV) or appliances. By leasing SP lines and data centers, they build an overlay logical topology consisting of multiple PoPs on top of the underlay network. As shown in Figure 2, the SD-WAN device at the user edge accesses the nearest PoP and adopts a strategy similar to the one above: through application identification and link detection it selects a path that meets business needs from the overlay logical network, or a combined overlay and underlay path. Because there are many PoP network elements, the controllability and visibility of the network are enhanced, and it is usually easy to find a link that meets the conditions. Service providers save enterprises from deploying components such as controllers themselves; users only need to define policy templates, which lowers the technical bar for enterprises to use SD-WAN.

Figure 2 Application-oriented overlay routing

3. Operators

Operators are in a position to provide SD-WAN services directly on the underlay network, implementing policy-oriented and business-oriented routing on top of traditional routing. However, given the lack of willingness and the difficulty of deployment, this idea may remain just an idea.

SD-WAN has many features. For the hybrid WAN scenario, a branch CPE that provides software-defined functions needs to meet the following business requirements:

1. Actively connect back to the controller to obtain configuration and policy

Traditional networking CPE devices are highly autonomous. Whether through the command line, a network management interface, or the so-called zero-touch deployment functions implemented by manufacturers, they are still oriented towards isolated network elements and remain configuration-driven: a change in the business model means branch sites have to modify their configuration. SD-WAN stipulates the separation of control and forwarding. Business configuration and policies are all issued by the controller, and through this functional layering the user interface shifts from configuration-oriented to application-oriented, achieving true plug-and-play.

NETCONF is a typical southbound protocol in SD-WAN. It is a client/server protocol that uses SSH or TLS as the secure channel and YANG as the data modeling language that describes the configuration and operations. The controller, acting as client, converts upper-layer REST calls into XML-encoded RPCs carried in NETCONF according to the YANG definitions. The configured device, acting as server, validates the RPC against the model (in YIN, the XML form of YANG) and converts it into the final device configuration.

2. Deep identification of applications

The premise of application orientation is being able to identify applications. Traditional 5-tuple-based flow classification and routing policies are too rigid, require a great deal of configuration to match applications one by one, and the interface is not user-friendly. In the SD-WAN scenario, the device needs to perform deep inspection, classify applications through local or cloud-based identification, and dynamically schedule traffic and guarantee key business according to controller policies.

3. Link quality detection

Traditional routing-based traffic scheduling is static; the network environment changes in real time, and static routing cannot adjust to changes in link quality. In the SD-WAN scenario, the device is required to perform quality detection on multiple dedicated lines or Internet links and dynamically select routes for traffic according to business classification and the policies delivered by the controller.

4. Firewall function

Branches are connected directly to the Internet, which offloads dedicated-line traffic and gives a better user experience by reaching the public cloud from nearby. However, it also introduces security issues. The branch CPE needs to provide a security gateway function to delimit security boundaries, scrub illegitimate traffic, and prevent intrusion. The firewall function can be performed locally or implemented in the cloud through virtualization.

5. Encrypted VPN connection

To prevent leakage when enterprise data is transmitted over the Internet, a secure channel must be used. The CPE needs to be able to establish end-to-end IPsec tunnels with the public cloud, headquarters, or other branch VPN gateways, with traffic transmitted encrypted through the IPsec tunnel.

6. NAT function

For Internet traffic that does not require encryption, NAT is required on entry to the Internet. This addresses the shortage of public address space and also hides internal addresses.

7. Authentication and auditing

In traditional networking all egress points are located at headquarters, so authentication and auditing functions can be deployed at a single point there. In the SD-WAN scenario, authentication and auditing also become distributed, requiring each branch CPE device to have the corresponding functions and to send data logs back regularly for synchronization.

SD-WAN can be implemented with dedicated hardware or with VNF orchestration. As long as it meets the ideas of centralized control, elastic scaling and dynamic programmability, it can be classed as software-defined. SD-WAN is not a mere concept but the inevitable result of rethinking the network with software ideas. It is an effective technology that can complete network reconstruction and effectively solve users' high-frequency pain points.
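The SLA-based link selection described under implementation category 1 and under requirements 2 and 3 above (measure delay, jitter and loss per link, pick a link that satisfies the application's SLA, load-share otherwise, and cope with the case where no link qualifies), written up as an added Python example that is not part of the original article or of any vendor's product. The link names, probe RTT windows, interface loads and SLA thresholds are all constructed; the per-application policies stand in for the controller-delivered policy the article refers to.

```python
"""Application-aware link selection for a hybrid-WAN CPE.

Added example, not code from the original article or from any vendor.
All link names, probe RTTs, loads and SLA thresholds below are constructed.
"""
from dataclasses import dataclass
from statistics import mean
from typing import Dict, List, Optional


@dataclass
class LinkStats:
    name: str
    delay_ms: float   # mean RTT of answered probes
    jitter_ms: float  # mean absolute difference between consecutive RTTs
    loss_pct: float   # percentage of probes that received no answer
    load_pct: float   # current utilisation reported by the interface


@dataclass
class AppPolicy:
    app: str
    max_delay_ms: float
    max_jitter_ms: float
    max_loss_pct: float
    preferred: List[str]  # ordered link preference; empty means "least loaded"


def measure_link(name: str, probe_rtts: List[Optional[float]], load_pct: float) -> LinkStats:
    """Turn one probe window into link quality figures. None marks a lost probe."""
    answered = [r for r in probe_rtts if r is not None]
    loss = 100.0 * (len(probe_rtts) - len(answered)) / len(probe_rtts)
    if not answered:  # link is effectively down: worst possible figures
        return LinkStats(name, float("inf"), float("inf"), loss, load_pct)
    diffs = [abs(a - b) for a, b in zip(answered, answered[1:])]
    jitter = mean(diffs) if diffs else 0.0
    return LinkStats(name, mean(answered), jitter, loss, load_pct)


def meets_sla(link: LinkStats, policy: AppPolicy) -> bool:
    return (link.delay_ms <= policy.max_delay_ms
            and link.jitter_ms <= policy.max_jitter_ms
            and link.loss_pct <= policy.max_loss_pct)


def select_link(policy: AppPolicy, links: Dict[str, LinkStats]) -> Optional[str]:
    """Pick the egress link for an application.

    1. Only links that currently satisfy the application's SLA are candidates.
    2. Honour the policy's preference order among those candidates.
    3. Otherwise load-share: take the least loaded compliant link.
    4. If no link satisfies the SLA, return None so the caller can decide
       (for example fall back to best effort and raise an alarm) instead of
       silently routing SLA-bound traffic over a non-compliant link.
    """
    candidates = {n: l for n, l in links.items() if meets_sla(l, policy)}
    if not candidates:
        return None
    for name in policy.preferred:
        if name in candidates:
            return name
    return min(candidates.values(), key=lambda l: l.load_pct).name


# --- constructed probe windows (RTT in ms; None = lost probe) and interface loads ---
LINKS = {
    "mpls": measure_link("mpls", [20, 22, 21, 23, 20], load_pct=70),
    "internet": measure_link("internet", [35, None, 40, 38, 90], load_pct=30),
    "lte": measure_link("lte", [60, 65, 62, 61, 64], load_pct=10),
}

# --- constructed per-application SLA policies (stand-in for controller policy) ---
POLICIES = {
    "voice": AppPolicy("voice", 50, 10, 1, ["mpls", "internet"]),
    "bulk": AppPolicy("bulk", 200, 50, 5, []),
    "video": AppPolicy("video", 30, 5, 0, ["internet"]),
    "strict": AppPolicy("strict", 10, 1, 0, ["mpls"]),
}


def route_all() -> Dict[str, Optional[str]]:
    """Selection result for every policy against the current link measurements."""
    return {app: select_link(pol, LINKS) for app, pol in POLICIES.items()}


if __name__ == "__main__":
    for app, link in route_all().items():
        print(f"{app:7s} -> {link or 'NO COMPLIANT LINK'}")
```

With the constructed figures, voice takes its preferred MPLS link, bulk traffic is load-shared onto the least loaded compliant link (LTE), video falls back from its non-compliant preference to MPLS, and the "strict" policy gets no link at all, which is the situation the article notes can occur on bursty Internet links and the reason enterprises provision more than one.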
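The NETCONF exchange described under requirement 1 above (the controller as client turning a REST-style policy into an XML-encoded RPC, the device as server answering with ok or an error), as an added Python example that is not part of the original article or of any vendor's controller. It uses only the standard library. The NETCONF base namespace and the RFC 6242 chunked framing are real; the `urn:example:sdwan-policy` module, its leaf names, and the sample replies are constructed placeholders, and the SSH/TLS transport the article mentions is not included.

```python
"""Controller-side NETCONF pieces: REST-style policy -> <edit-config> RPC,
RFC 6242 chunked framing, and <rpc-reply> handling.

Added example, not code from the original article or from any product.
The policy module namespace and leaf names are hypothetical.
"""
import xml.etree.ElementTree as ET

NC_NS = "urn:ietf:params:xml:ns:netconf:base:1.0"  # NETCONF base namespace (RFC 6241)
POLICY_NS = "urn:example:sdwan-policy"             # hypothetical YANG module namespace
ET.register_namespace("nc", NC_NS)
ET.register_namespace("sp", POLICY_NS)

POLICY_LEAVES = ("app", "max-delay-ms", "max-jitter-ms", "max-loss-pct", "preferred-link")


def _nc(tag: str) -> str:
    return f"{{{NC_NS}}}{tag}"


def _sp(tag: str) -> str:
    return f"{{{POLICY_NS}}}{tag}"


def build_edit_config(message_id: int, policies) -> str:
    """Render REST-style policy dicts as a NETCONF <edit-config> on the candidate datastore."""
    rpc = ET.Element(_nc("rpc"), {"message-id": str(message_id)})
    edit = ET.SubElement(rpc, _nc("edit-config"))
    ET.SubElement(ET.SubElement(edit, _nc("target")), _nc("candidate"))
    container = ET.SubElement(ET.SubElement(edit, _nc("config")), _sp("app-policies"))
    for policy in policies:
        node = ET.SubElement(container, _sp("policy"))
        for leaf in POLICY_LEAVES:
            # ElementTree escapes the text, so an untrusted value cannot inject markup
            ET.SubElement(node, _sp(leaf)).text = str(policy[leaf])
    return ET.tostring(rpc, encoding="unicode")


def frame_chunked(message: str) -> bytes:
    """NETCONF 1.1 chunked framing (RFC 6242 section 4.2): one chunk, then end-of-chunks."""
    data = message.encode("utf-8")
    return b"\n#%d\n" % len(data) + data + b"\n##\n"


def unframe_chunked(buf: bytes) -> str:
    """Reassemble a chunk-framed message (possibly several chunks); ValueError if malformed."""
    out, pos = bytearray(), 0
    while True:
        if buf.startswith(b"\n##\n", pos):
            return out.decode("utf-8")
        if not buf.startswith(b"\n#", pos):
            raise ValueError("bad chunk header at offset %d" % pos)
        header_end = buf.index(b"\n", pos + 2)
        size = int(buf[pos + 2:header_end])
        if not 1 <= size <= 4294967295:  # chunk-size range mandated by RFC 6242
            raise ValueError("bad chunk size")
        chunk = buf[header_end + 1:header_end + 1 + size]
        if len(chunk) != size:
            raise ValueError("truncated chunk")
        out += chunk
        pos = header_end + 1 + size


def parse_rpc_reply(reply_xml: str):
    """Return (message-id, ok, error messages) from an <rpc-reply>."""
    root = ET.fromstring(reply_xml)
    if root.tag != _nc("rpc-reply"):
        raise ValueError("not an rpc-reply")
    message_id = root.get("message-id")
    if root.find(_nc("ok")) is not None:
        return message_id, True, []
    errors = [(e.findtext(_nc("error-message")) or "").strip()
              for e in root.findall(_nc("rpc-error"))]
    return message_id, False, errors


# --- constructed sample policy and constructed device replies ---
VOICE_POLICY = {"app": "voice", "max-delay-ms": 50, "max-jitter-ms": 10,
                "max-loss-pct": 1, "preferred-link": "mpls"}

OK_REPLY = f'<rpc-reply message-id="101" xmlns="{NC_NS}"><ok/></rpc-reply>'

ERROR_REPLY = f"""<rpc-reply message-id="101" xmlns="{NC_NS}">
  <rpc-error>
    <error-type>application</error-type>
    <error-tag>invalid-value</error-tag>
    <error-severity>error</error-severity>
    <error-message xml:lang="en">max-loss-pct out of range</error-message>
  </rpc-error>
</rpc-reply>"""


if __name__ == "__main__":
    wire = frame_chunked(build_edit_config(101, [VOICE_POLICY]))
    print(unframe_chunked(wire))
    print(parse_rpc_reply(OK_REPLY))
    print(parse_rpc_reply(ERROR_REPLY))
```

Two details matter for a controller that drives many branch CPEs: the message-id is carried back in the reply so responses can be correlated with outstanding requests over one session, and the chunked framing must be parsed with explicit size checks rather than by scanning for a delimiter, because chunk data may legitimately contain anything.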