The Internet2 community has added a network virtualization capability, using software-defined networking (SDN) to let research and educational organizations create their own programmable, private networks on the Internet2 nationwide backbone.
Today’s announcement is that the capability, made possible by a new piece of software called the FlowSpace Firewall, has reached general availability, although the elements have been in place since July.
“By using virtualization on our network, [a user] gets access to these same endpoints that are moving 61 petabytes a month on our network. He gets access to a test bed at large scale,” says Rob Vietzke, Internet2’s vice president of network services.
Internet2 can even connect into partner networks — research networks in Europe, say — and similarly make the connection look like it’s part of the LAN.
At least six organizations will be demonstrating their plans for the new capability at the 2014 Technology Exchange, a conference being hosted by Indiana University in Indianapolis. I’ll be chairing a panel that features three of them, during which we’ll be discussing how they’ll use the new feature to tap the Internet2 backbone.
SDN’s Sequel to FlowVisor
The SDN capability is a follow-up to the OpenFlow-enabled, 100-Gb/s backbone network that Internet2 launched in the summer of 2012. The aforementioned 61 petabytes is the amount of data being pushed across that backbone each month — “small by a Google standard, but big for a little network like us,” Vietzke says.
The backbone has had only one hour’s worth of SDN-related downtime since Internet2 hit the “on” switch, and most of that was due to hardware failures, he claims. The moral: OpenFlow, in 2012, was stable enough for production work. Now comes the chance to do something bigger with it by letting users run their own network slices.
Network virtualization is a familiar idea by now, but Internet2 is doing it down at the hardware layer. That’s different from the usual Layer 2-3 SDN approaches, or from MPLS virtual routing and forwarding (VRF), which operates at Layer 3.
“If you think about all the network-to-network interfaces, you’re talking about these east-west interfaces way up in the software stack. What we’re doing is down at the hardware,” Vietzke says. “You’ve never been able to do this on networks except way up the stack.”
The key is to avoid having these different flows steal capacity from each other as they share switches and other hardware. The computing world has had this separation for years; it’s a key element of server virtualization. But for its hardware-level network virtualization, Internet2 had to create something new.
So, Internet2 commissioned the FlowSpace Firewall, a software project that ended up being led by Indiana University. Conceptually, it’s related to FlowVisor, a Stanford-built piece of software allowing multiple OpenFlow controllers to share one piece of hardware. FlowSpace Firewall extends the idea to arbitrary controllers and hypervisors.
Groups such as the Global Environment for Network Innovations (GENI) have been clamoring for this kind of capability, Vietzke claims. “They use FlowVisor, but they have lacked the firewalling,” he says.
One catch: The process isn’t fully automated. Requesting access to the backbone still means contacting Internet2 manually.
But overall, the virtualized backbone is a step forward as far as network capabilities go. And the hope, as with many projects on Internet2, is that the users will find applications for it that wouldn’t otherwise be considered.
“As with all things SDN, there’s both a short-term need — making current applications work better — and then there’s the long term: How do I transform the way networks are thought about? We think this enables both,” Vietzke says.