Discussion on SD-WAN and IP Network Evolution

SD-WAN Today

For most enterprises, IT systems have become key infrastructure for business operations, and within the network portion, Internet access and VPN connections between enterprise branches and partners are important components of that infrastructure. However, MPLS VPN dedicated line access is expensive, a considerable expense for most enterprises. At the same time, a corporate headquarters or an important site running key business often needs to connect to multiple operators or use multiple access methods to provide network redundancy, which further increases the cost of WAN access. The essence of technological progress is to reduce costs, so that the simple needs and desires of organizations and individuals become affordable, thereby releasing purchasing power and creating new industry segments. Except for a few areas that use luxury as a selling point, any product or service that has practical value but is too expensive in money or time is the next opportunity for disruption.

In the past twenty years, most enterprises have deployed various local WAN acceleration and application delivery products, including caching, multi-egress traffic engineering, TCP acceleration, SSL offloading and other features. Many have also deployed their own IPsec VPNs for branch-to-headquarters connections. However, these relatively isolated deployments are purchased from different suppliers, lack a unified management and maintenance mechanism, have high deployment barriers, and make results difficult to guarantee. Meanwhile, the cost of MPLS dedicated lines takes up most of the budget, which is a serious burden on enterprises, especially small and medium-sized ones; never mind MPLS VPN dedicated lines, even ordinary Internet dedicated lines may exceed the budget. SD-WAN came into being under these circumstances. It is the culmination of the various traditional WAN acceleration technologies and, on that basis, provides a unified centralized policy management and automated service provisioning platform. Through refined management and dynamic scheduling across multiple egress links, it maximizes the use of WAN bandwidth and reduces the MPLS dedicated line bandwidth needed for key business, thereby reducing corporate expenditure. Regardless of the type of SD-WAN, its key features are as follows:

1. Centralized application-based WAN policy management and automated configuration.

2. Management of multiple egress links, including MPLS dedicated lines, ordinary PON/DSL Internet connections, LTE wireless networks, etc., maximizing service quality while making full use of the bandwidth of all links. By measuring the delay, packet loss and other quality metrics of each egress link in real time, applications with different quality and bandwidth requirements are scheduled onto the best egress link, and failover is performed quickly.

3. Application identification and monitoring analysis. By combining application identification results with multi-egress link optimization, different QoS levels and SLA guarantee strategies are defined for different applications, and the best egress link is selected dynamically.

4. Overlay technology is used for forwarding-plane connections between sites, eliminating reliance on the Underlay network. The SD-WAN controller controls the Overlay endpoints to automate policy configuration without having to touch complex Underlay network configuration.

5. Plug and play of enterprise CPE devices. Through pre-provisioned certificates and a boot process, the device automatically connects to the network after power-on; after terminal authentication, it connects to the SD-WAN controller, which completes the initial configuration automatically. A USB key can also be used to issue certificates, standardizing the CPE boot and authentication process into a SIM-like mechanism similar to that of mobile phones.

6. Unified management of security policy applications, including basic ACL policies, firewalls, traffic scrubbing and other applications.

7. Dynamic routing protocol support across multiple VPN tunnels. Since some branches use Internet connections and cannot be connected directly, they need to be relayed through branches or a headquarters with a public IP.

For enterprise network applications, apart from basic Internet access, the network mainly consists of VPN connections between headquarters and branches, and between branches. In addition, as public cloud and hybrid cloud gradually become the main form of enterprise IT delivery, VPN access to the public cloud is also an important SD-WAN application. The typical approach is for SD-WAN operators to set up PoPs with dedicated lines directly connected to AWS, Azure, Alibaba Cloud and other public clouds; enterprises and their branches connect to the nearest operator PoP, and from there connect directly over VPN to the enterprise's VPC in the public cloud.

Operator-level SD-WAN often also takes on the role of providing network value-added services and expanding the operator's sales revenue. On top of the connectivity service, it provides firewall protection, traffic scrubbing, Internet behavior management and other services, which are sold on a contract basis. Since these services often need to be deployed on the enterprise side, operators are more inclined to adopt x86-based SD-WAN CPE equipment, on which such value-added services can be deployed flexibly as virtual machines or containers. Some manufacturers offering cloud/network integration solutions use OpenStack to manage CPEs as ordinary compute nodes; since general cloud platforms can typically manage only hundreds of compute nodes, such SD-WAN solutions lack the scalability required at operator level.

Major consulting firms predict that the SD-WAN market will grow rapidly in the next few years; IDC predicts it will reach $6B by 2020. However, enterprise IT spending is basically rigid, so this growing market largely comes from replacing traditional egress router equipment and WAN acceleration products and from savings on MPLS dedicated line expenses. Telecom operators also participate in this market, certainly not simply to reduce their own MPLS dedicated line revenue, but to expand revenue sources and improve customer stickiness: in addition to pure dedicated line services, they provide a package of services such as Internet and wireless access, multi-egress link management, and security services.

The evolution of SD-WAN

With the popularization of SD-WAN, it seems increasingly likely that one or more overlay enterprise private line operators based on SD-WAN technology will emerge, just as a large number of VoIP operators emerged after the Internet took off in the late 1990s, including companies such as Skype and software such as Viber. In fact, today the built-in voice function of software such as WeChat is powerful enough, and its multi-party call experience far exceeds the services provided by operators. Continuous improvement in software technology can completely offset the shortcomings of the underlying network infrastructure.

Compared with the tens of Kbps needed for a single voice channel, however, providing overlay transit for enterprise private lines requires building a certain number of PoPs and leasing a large amount of bandwidth from operators, which is a considerable capital threshold. This does, however, provide an opportunity for secondary operators and cloud service operators that already have a certain network and data center footprint. They do not have to tie customers to their own Internet access or private line services, and can therefore provide a true multi-operator, multi-egress solution.

As an operator-level Overlay solution, providing a national or even transnational service requires a certain number of PoPs so that the geographical distance between a customer and the nearest PoP stays within a range that keeps transmission delay from seriously affecting the customer experience. Dynamic routing and link quality detection protocols must then also run between the PoPs for best Overlay route selection. This is very similar to the relationship between super nodes and ordinary clients in P2P technology: the PoPs form a cluster of super nodes, and each ordinary customer can connect to multiple super nodes according to its topological location and link quality. If neither of two clients has a public network address, the SD-WAN selects at least one and at most two transit nodes for their connection to ensure the best link. In the network world, because interconnection bandwidth and latency differ greatly between operators, the direct route between two points may not have the best communication quality. Therefore, even if one of the two CPEs has a public IP, it may still need to be relayed through an intermediate node to obtain the best end-to-end communication quality.

Overlay routing needs to collect the BGP AS paths of the entire network, and even the topology of some IGPs; it can use the IETF ALTO architecture to implement route selection based on network topology. But this is far from enough. As mentioned earlier, the direct Underlay route may not have the best communication quality, so path selection must also be based on real-time detection of link quality between PoPs (super nodes). If the P2P architecture is borrowed further, some CPEs with public network addresses can be selected as super nodes to carry part of the NAT traversal/relay traffic between CPEs (unsurprisingly, P2P was the earliest sharing economy model, though sharing copyrighted digital assets is more likely to cross a legal red line than using self-purchased fixed assets to participate in operations), supplementing the operator's self-built PoPs so that the total investment can be kept under control. However, enterprise customers are reluctant to share their bandwidth, so there must be an incentive mechanism, for example letting those who take on the super node role not only get SD-WAN service for free but also earn money from it.

Once client nodes also join as relays, the number of relay nodes becomes huge and a globally optimal Overlay path calculation is required; today's method of single-point, multi-egress automatic link switching on the SD-WAN CPE no longer applies. In the past, P2P systems such as BitTorrent, Skype and eMule used DHT distributed algorithms to maintain cluster and resource-slice information among super nodes; a client downloads the list of resource nodes from a super node and then communicates with them. However, DHT algorithms such as Chord, Kad and Pastry are data-centric distributed algorithms: they use a mathematical distance to build routing tables and determine which node stores which data. They are suitable for maintaining content slices and content routing, but not entirely suitable for optimizing communication relationships between terminals. An operator-level Overlay routing algorithm must balance relay cost against path delay; in principle it must ensure that at most two relay nodes lie between any two clients. This requires global, quasi-real-time updates of node and path status. To keep the system scalable, path calculation and switching need to be completed through a division of labor between the centralized point and the CPE devices.
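The path selection described in the two paragraphs above, as an added example that is not part of the original article: PoPs act as super nodes, every node name and delay value is constructed, and a per-relay cost stands in for the relay capacity the article says must be balanced against delay.

```python
# Added example (not from the article): choosing an SD-WAN overlay path
# through operator PoPs (super nodes) with at most two relays, trading
# measured delay against a per-relay cost. Names and delays are constructed.
import itertools

# Constructed probe results: (node, node) -> one-way delay in ms.
# Only PoPs may relay. The direct CPE-to-CPE path crosses operators and
# is poor; cpe-B has no direct edge to pop-1.
MEASURED_DELAY_MS = {
    ("cpe-A", "pop-1"): 8,
    ("cpe-A", "pop-2"): 15,
    ("cpe-B", "pop-2"): 10,
    ("cpe-B", "pop-3"): 6,
    ("pop-1", "pop-2"): 5,
    ("pop-1", "pop-3"): 12,
    ("pop-2", "pop-3"): 4,
    ("cpe-A", "cpe-B"): 60,
}
POPS = ("pop-1", "pop-2", "pop-3")

def link_delay(a, b, measured):
    """Symmetric lookup; None when the two nodes cannot reach each other."""
    return measured.get((a, b), measured.get((b, a)))

def path_delay(path, measured):
    """Sum of hop delays, or None if any hop is unreachable."""
    total = 0
    for a, b in zip(path, path[1:]):
        d = link_delay(a, b, measured)
        if d is None:
            return None
        total += d
    return total

def best_path(src, dst, measured=MEASURED_DELAY_MS, max_relays=2, relay_cost_ms=3):
    """Return (score, path) for the cheapest direct or relayed path, or None.
    score = end-to-end delay + relay_cost_ms per relay, so a path that is a
    few ms faster does not win if it ties up an extra PoP."""
    candidates = [[src, dst]]
    for k in range(1, max_relays + 1):
        for relays in itertools.permutations(POPS, k):
            candidates.append([src, *relays, dst])
    best = None
    for path in candidates:
        d = path_delay(path, measured)
        if d is None:
            continue
        score = d + relay_cost_ms * (len(path) - 2)
        if best is None or score < best[0]:
            best = (score, path)
    return best
```

With these numbers the two-relay path via pop-1 and pop-2 has the lowest raw delay (23 ms) but loses to the single relay via pop-2 once the relay cost is counted, and the 60 ms direct path is never chosen even though both CPEs can reach each other.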

Discussion on IP Network Evolution

For a network, the core design focuses on two points: addressing and routing, that is, how to number the communicating terminals and how to reach and route to them end to end. Traditional voice networks use telephone numbers as terminal addresses, while devices are addressed by signaling point codes or domain names. Mobile networks use the HLR/HSS to store the attachment relationship between terminals and network devices, and signaling and media are addressed separately. IP networks use IP addresses as host addresses, and routing prefixes are announced between routing devices to propagate routing information. There is no distinction between network devices and terminal devices, and applications see IP addresses directly and communicate programmatically over the TCP/IP socket interface. Therefore, the upgrade from IPv4 to IPv6 has become a major event affecting the entire system: more than 20 years have passed, and the IETF has kept shouting that IPv4 addresses are exhausted, yet business migration has been slow; the growth of routing table entries on the Internet backbone is another problem.

In the past few years, academia and standards organizations have proposed many solutions for the evolution of future data networks. Most share the basic idea of separating name from address, but what is the name? Different technologies have different designs, and there are different views on the level at which the separation of name and address should be achieved. For example, CCN (Content Centric Networking), proposed by PARC in 2009, holds that the future network must be content-centric, so content names should be used for addressing and content routers should be the infrastructure of the data network. This technology was sponsored by the US NSF in 2010 and renamed NDN (Named Data Networking); later the academic community gave it yet another name, ICN (Information Centric Networking). Whether content routing suits the low cache hit rate caused by the long-tail effect of Internet content access will not be discussed here (CDN is an application-layer solution). The IETF began standardizing LISP (Locator/ID Separation Protocol) in 2009. Initially it was meant to solve the problem of backbone routing table growth: terminal addressing (the name, or identifier) was confined to the edge routers, so that only backbone network equipment needed routable addresses. In essence it is also a technology for separating the access edge from the core. In addition, the IETF has the earlier Overlay-based HIP (Host Identity Protocol). MIP/PMIP, a technology of the past, was used for a generation in CDMA EVDO and was eventually completely replaced by 3GPP's GTP protocol. I will not go into details here.

In a name-address separation system, the standard forwarding method is Map-and-Encap. After the ingress device completes name resolution, the user packet is encapsulated in a tunnel whose source/destination are underlying network addresses; at the tunnel exit on the other side, the name is resolved again and the user packet with its original source/destination is restored. The core of this system is the name-to-address resolution system, much like DNS; of course, if resolution is done flow by flow or packet by packet, that is beyond DNS's capability. For the new name resolution system, people from the IP networking world will naturally bring out the BGP/IGP protocols; the more general idea, of course, is to build a centralized, high-performance distributed name resolution system. Names that can be prefix-aggregated by location are the strength of routing protocols, but name-address separation realizes the separation of identity and location, and a name is destined to be movable and non-aggregatable. What can be aggregated is the address, and the address is only the address of a backbone device: it is no longer exposed in the end-to-end system and can be changed at any time. Whether IPv4, IPv6 or IPv9 is used does not matter, and does not affect the end-to-end architecture of the network. Addressing at the service edge is one method; the approach above is another.
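The Map-and-Encap data path described above, as an added example that is not from the article: host names, locators, the attachment table and the mapping system are all constructed, and the example also shows the caveat that follows from names being movable, namely that an ingress router's cached mapping can go stale when a host moves.

```python
# Added example (not from the article): a toy Map-and-Encap data path for a
# name/address-separated network. Host names, locators, the attachment
# table and the mapping system are all constructed.
TTL_SECONDS = 60  # how long an ingress router trusts a cached mapping

# Constructed mapping system: host name (identity) -> locator (RLOC) of the
# edge router the host currently sits behind. Only edge routers have RLOCs.
MAPPING_SYSTEM = {"host-a.example": "rloc-10.0.0.1",
                  "host-b.example": "rloc-10.0.0.2"}
# Constructed attachment table: which hosts each edge router serves locally.
ATTACHED = {"rloc-10.0.0.1": {"host-a.example"},
            "rloc-10.0.0.2": {"host-b.example"},
            "rloc-10.0.0.3": set()}

def resolve(name, cache, now):
    """Return the locator for a name, reusing the cache while its entry is fresh."""
    entry = cache.get(name)
    if entry is None or now - entry[1] > TTL_SECONDS:
        cache[name] = (MAPPING_SYSTEM[name], now)  # refresh from the mapping system
    return cache[name][0]

def encap(packet, ingress_rloc, cache, now):
    """Ingress edge router: wrap the user packet in an RLOC-addressed outer header.
    The inner packet keeps the host names, so end hosts never see locators."""
    return {"outer_src": ingress_rloc,
            "outer_dst": resolve(packet["dst"], cache, now),
            "inner": packet}

def decap(frame, my_rloc):
    """Egress edge router: strip the outer header if the frame is addressed to us."""
    return frame["inner"] if frame["outer_dst"] == my_rloc else None

def deliver(packet, ingress_rloc, cache, now):
    """Simulate the backbone, which routes on outer_dst only. Returns the RLOC
    of the edge router that delivered the packet, or None when the cached
    mapping is stale and that router no longer serves the destination name."""
    frame = encap(packet, ingress_rloc, cache, now)
    for rloc, hosts in ATTACHED.items():
        inner = decap(frame, rloc)
        if inner is not None:
            return rloc if inner["dst"] in hosts else None
    return None

def move_host(name, new_rloc):
    """Host mobility: the name stays, only the locator bound to it changes."""
    ATTACHED[MAPPING_SYSTEM[name]].discard(name)
    ATTACHED[new_rloc].add(name)
    MAPPING_SYSTEM[name] = new_rloc
```

A real deployment needs an explicit mapping-invalidation signal rather than waiting for the TTL, otherwise traffic to a moved host is black-holed for up to TTL_SECONDS.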

But what does all this have to do with SD-WAN? SD-WAN lets the networking concept of a soft edge, overlay access and separation from the core gradually take root in the enterprise VPN dedicated line business. The mobile network is itself a GTP overlay on top of IP addresses, whether NFV-based or not. With the addition of a BRAS overlay, the entire network, whether mobile or fixed access, tends toward a consistent architecture. For increasingly complex IP networks, with more and more private networks behind NAT and firewalls, separating the edge network from the backbone, separating user addressing from network device addressing, and simplifying the backbone through overlay technology is a feasible path. Unlike LISP, which originally required Tier 2/Tier 3 operators to invest in network transformation in order to solve the Tier 1 operators' backbone routing table capacity problem, the overlay nature of SD-WAN lets enterprises build independent networks for Over The Top operation and profit, with the investor and the beneficiary being the same party, so that the network can start locally and evolve gradually; even existing IP network operators can use the same technology to evolve.
