Several enterprise IT innovators are working on the next generation of “application aware” networking. Until recently, most IP network payload was sent “in the clear” (not encrypted), and vendor solutions for “identifying” traffic flows were getting increasingly accurate at sniffing around in the payload to figure out what was what. The bad news is that the direction of network solutions development needs to change because, increasingly, all interesting network payload is being encrypted end-to-end.
The folks at Microsoft IT have worked with systems vendors on deep packet inspection (DPI) based solutions and are now considering other approaches to recognizing important network traffic. They, along with an increasing number of other forward thinking IT leaders have begun looking at a new approach. Along with volunteers from the open source development community, and in cooperation with the Open Networking Foundation (ONF), these operators of global enterprise IT infrastructure have begun working on a solution to support the Skype for Business (SfB) unified communications solution, based on having the application (Skype server),which is initiating creation and encryption of packet streams to “tell” the controller how to identify the encrypted media flows “on the wire”. It uses a software-defined networking (SDN) controller north bound interface (NBI) to explicitly and unambiguously identify the encrypted flows with specific application layer needs for network treatment. This represents the first move in the changing of the guard as the industry necessarily transitions from advanced guessing (DPI) to trusted authority as the source for classification information for network traffic.
The Intent Based Networking principles defined by the ONF NBI working group defines a system to enable application and network abstractions to be coupled with real-time updates from trusted sources of implementation details for reliable handling of network application needs. This collaboration to support SfB, using the intent based networking mapping service, represents a major milestone and possible tipping point in our understanding of how a network controller can be designed to bring new capability through intelligent software. Many distributed enterprises see SfB as a desirable collaboration tool but need smarter networks to allow it to be used as a reliable, productive, and scale-able business tool.
The intent based unified communications and collaboration (UCC) solution that is being developed under ONF’s open source SDN (OSSDN) project Atrium is based on a simple SDN controller NBI that makes it easy for application layer software systems to tell the network about specific traffic flows that will appear, how to identify them “on the wire,” and what specific behaviors they need in order for the application to perform correctly. The initial use case involves connecting this NBI to the Skype for Business server, which dynamically creates end-to-end media flows, encrypts them, and assigns them random IP addresses and port numbers. As sessions are created and cleaned up, the SfB server transmits the necessary information for identifying the associated traffic to a central controller, which further distributes this information to switching devices in the network. For this particular application, the benefit of project Atrium is that enterprise IT departments currently have expensive private wide-area network (WAN) circuits that they use for all inter-branch traffic because they have found that they can’t rely on application classification or policy-based routing. By introducing the capability to identify and special-case the Skype media sessions, this solution allows cost saving reductions in capacity for circuits with strong service level agreements (SLAs) and intelligent offloading of traffic without security or time sensitivity to less expensive best-effort Internet circuits. This solution has a strong business case and can rapidly pay for itself.
Michael Martin, a networking and security architect with a global management consulting firm, is enthusiastic about this new approach: “The need for an application layer interface to the network has been a long-standing hurdle to providing a true, quality assured application delivery experience. The historical approaches of qualifying traffic using signatures are great for collecting data and identifying threats, but they fall short when used to provide the end-to-end visibility needed to assure bi-directional QoS and capacity allocation.” He further emphasizes, “What is particularly attractive about the ONF intent NBI used in project Atrium, is that it provides a framework that could potentially be utilized in both public and private environments. This effort really shows the potential of SDN for moving past simply transforming delivery of the old experience, to creating amazing new user experiences, while also creating new business models and revenue opportunities,” Martin said.
Gert Vanderstraeten, Network Architect in Microsoft’s IT organization, is exploring plans to deploy the intent-based UCC solution, in his many global offices to “improve user experience and secondarily, to reduce required WAN budgets”. He says, “We are hoping to get a simple solution to a simple problem, that can reliably identify Skype for Business traffic and assign the behaviors we need for our business goals.” He goes on to say, “I expect that a simple SDN solution can be a better fit for this problem than something based on complex applications of traditional routing and switching gear.”
The interest from large enterprises in the UCC use case is important, however, it is really only when we expand this interface to support real-time updates from other application layer creators of encrypted traffic, that we see the real power of application-driven networks. A smart controller can optimize resource usage across a huge shared pool to achieve application and user layer outcomes that have never been possible before. With scale-out solutions, we can potentially optimize and increase infrastructure utilization in ways that have never been possible and enable new applications and capabilities.
In the interest of full disclosure I will note that the folks at UC Berkeley EECS, have proposed an innovative technical approach that could some day allow DPI and encryption to coexist. However, most people agree that the heuristics, algorithms, and signatures for DPI require ongoing, constant change and will not reliably support agile application development.