128T NETWORKING PLATFORM PRODUCT DESCRIPTION & ARCHITECTURE DOCUMENT
29 November 2016
V3.0
Abstract: This document provides the reader an overview of the 128T Networking Platform product, technology and use cases.
SAFE HARBOR STATEMENT
This document may describe future product capabilities and therefore may contain forward-looking statements. 128 Technology has made no commitments or promises orally or in writing with respect to delivery of any future software features or functions. All information is for informational purposes only and 128 Technology has no obligation to provide any future releases or upgrades or any features, enhancements or functions, unless specifically agreed to in writing by both parties.
TABLE OF CONTENTS
Executive Summary (p. 5)
Introduction – The Problem (p. 5)
Advanced Secure Networking Principles (p. 6)
128T Networking Platform Overview (p. 7)
Platform Components (p. 7)
    128T Conductor (p. 8)
    128T Slice (p. 8)
Versatile Distributed Router Architecture (p. 9)
Multiple Software Deployment Models (p. 9)
Resiliency Architecture (p. 10)
    Synchronizing Flow State (p. 11)
    Failure Scenarios (p. 12)
    In-service Software Upgrades (p. 13)
Service Centric Data Model (p. 13)
    Authority (p. 14)
    Router (p. 14)
    Global Services, Tenancy and Policy (p. 15)
Routing with Words; QSNs and STEP (p. 16)
    Qualified Service Names (QSNs) (p. 16)
    STEP (Services and Tenancy Exchange Protocol) Overview (p. 17)
Secure Vector Routing (p. 17)
Session-aware Data Plane (p. 18)
    Session Awareness (p. 19)
    Session Based Signaling – Metadata (p. 19)
    Waypoints (p. 20)
    Packet Processing (p. 20)
Services Control Plane (p. 21)
    STEP Operating Basics (p. 22)
Service Centric Abstraction, Automation, and Analytics (p. 25)
    DevOps Ready (p. 25)
One Platform – Broad Set of Use Cases (p. 27)
Next Generation WAN (p. 27)
    Solution Highlights (p. 27)
    Key Capabilities (p. 28)
Software-defined Datacenter (p. 28)
    Solution Highlights (p. 29)
NFV – ETSI Framework for Telco Cloud (p. 30)
Virtual Edge (p. 31)
Datacenter Interconnect (p. 33)
Network as a Service (p. 33)
DEFINITIONS
128T Platform: Represents a single 128T routing instance. A 128T Platform contains one logical 128T Control and one or more SLICEs. The collection of these nodes can be viewed as a single logical IP Router.
Authority: Represents a single managed network of 128T routing instances (128T Platforms). This describes a single network, a collection of networks, or single managed entity for a group of routers, and can be considered to be conceptually equivalent to an Autonomous System.
Tenant: Represents a single sub-network or network segment that is to be segregated and separated from all others for security, manageability, and analytics. This is akin to VLAN or VxLAN or VRF.
Service: Represents a single named application and is the target of a route. This is similar to an IP address after DNS resolution. A Service is named by a Tenant with a text string that normally matches the URL of a service.
Service Group: Represents a portion of a sub-network (tenant) that is to be segregated for manageability and analytics. There is no comparative current world element.
QSN: Qualified Service Name is a 128 Technology concept for an addressable Service resource and associated tenancy using URI Generic Syntax defined by RFC 3986. Example: QSN://Subtenant.Tenant.Authority/Service/ServiceGroup
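As an added example (not code from 128 Technology or from this document), the parser below takes the QSN form above apart into authority, tenant chain, service and service group, rejects malformed names, and checks whether a QSN falls under a given tenancy scope, which is the kind of check a tenant-scoped policy lookup needs. The assumptions, none of which the document states, are that the tenancy reads most-specific first with the authority as the last label, that at least a tenant and an authority are required, that labels follow hostname syntax, and that tenancy comparison is case-insensitive as RFC 3986 hosts are.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# RFC 3986 scheme: ALPHA *( ALPHA / DIGIT / "+" / "-" / "." ); compared case-insensitively.
_SCHEME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9+.\-]*$")
# Tenancy label syntax is an assumption: hostname-like, no empty labels.
_LABEL_RE = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]*[A-Za-z0-9])?$")
# Split what follows "://" into authority, path and any query/fragment, as RFC 3986 does.
_REST_RE = re.compile(r"^([^/?#]*)(/[^?#]*)?([?#].*)?$")
# Path is /Service or /Service/ServiceGroup; segments limited to RFC 3986 unreserved chars.
_PATH_RE = re.compile(r"^/([A-Za-z0-9._~-]+)(?:/([A-Za-z0-9._~-]+))?$")


@dataclass(frozen=True)
class QSN:
    authority: str
    tenants: Tuple[str, ...]            # most specific first, e.g. ("Subtenant", "Tenant")
    service: str
    service_group: Optional[str] = None

    @property
    def tenancy(self) -> str:
        """The dotted tenancy as it appears in the URI authority component."""
        return ".".join(self.tenants + (self.authority,))

    def __str__(self) -> str:
        path = "/" + self.service + ("/" + self.service_group if self.service_group else "")
        return f"qsn://{self.tenancy}{path}"


def parse_qsn(text: str) -> QSN:
    """Parse a QSN string, rejecting anything that is not well formed."""
    scheme, sep, rest = text.partition("://")
    if not sep or not _SCHEME_RE.match(scheme) or scheme.lower() != "qsn":
        raise ValueError(f"not a QSN: {text!r}")
    m = _REST_RE.match(rest)
    if m is None or m.group(3) is not None:
        raise ValueError(f"query or fragment has no meaning in a QSN: {text!r}")
    labels = m.group(1).split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        raise ValueError(f"tenancy must be at least Tenant.Authority: {m.group(1)!r}")
    pm = _PATH_RE.match(m.group(2) or "")
    if pm is None:
        raise ValueError(f"path must be /Service or /Service/ServiceGroup: {text!r}")
    return QSN(authority=labels[-1], tenants=tuple(labels[:-1]),
               service=pm.group(1), service_group=pm.group(2))


def in_scope(qsn: QSN, scope: str) -> bool:
    """True if the QSN's tenancy is `scope` or lies beneath it.

    `scope` is a dotted tenancy such as "Tenant.Authority".  Matching is on whole
    labels from the authority end, so "Other.Authority" and "nant.Authority" do not
    match "Subtenant.Tenant.Authority".  Comparison is case-insensitive, as RFC 3986
    hosts are (an assumption for 128T tenant names).
    """
    want = [label.lower() for label in scope.split(".")]
    have = [label.lower() for label in qsn.tenants + (qsn.authority,)]
    return len(want) <= len(have) and have[-len(want):] == want
```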
EXECUTIVE SUMMARY
The 128T Networking Platform is a software-based, distributed routing and network services solution. The 128T Networking Platform uses Secure Vector Routing to simplify network architectures and provide fine-grained, end-to-end control and visibility. 128T software runs on general-purpose compute platforms and allows a wide range of deployment models - from remote branch offices to high-capacity network edges to hyper-scale data centers. The platform enables greater control, security and agility by distributing intelligence throughout the network - without disrupting your existing network infrastructure.
INTRODUCTION – THE PROBLEM
For many companies, the network is a core part of their business – and in some cases, the network is their core business. However, most networks haven’t been architected to handle the next generation of business and application requirements. Networks have gradually become too complex, too fragile and too costly to deliver the necessary advances in agility, security, and control needed for cloud, mobile and emerging applications such as IoT. Even modern SDN approaches still rely on a decades-old network paradigm based on complex overlays, proliferation of stand-alone network functions, outmoded security models and a fragmented approach to end-to-end networking.
Overlay sprawl
Overlay sprawl is responsible for a large component of legacy network complexity. Legacy approaches are overloaded with overlays such as MPLS, IPsec, VxLAN, VPLS and more. Overlay networks are layered on top of IP networks in large part to deliver deterministic routing, network virtualization and segmentation to stateless IP networks. These stateful and largely tunnel-based overlays carry with them significant networking overhead, fragmentation issues, scaling challenges and operational costs, while rendering most security and monitoring systems useless.
Complexity and cost proliferate with middle-boxes
Middle-box proliferation constitutes another significant challenge to simplifying networks. Advanced session-aware network functions such as firewalling, load balancing and WAN optimization have been “bolted onto” networks as independent middle-boxes, each one carrying continuous CAPEX and OPEX spend. As security models evolve and IP traffic is increasingly encrypted end-to-end, from device to application, the role of many of these middle-box functions will need to change dramatically. The time is ripe for a consolidation of L4-L7 network services functions and a re-thinking of the role of many of these advanced network services.
Networks lack application and services context
Bringing applications and network closer together promises to deliver vast improvements in efficiency, greater visibility, improved application performance and open the doors to long-term innovation. Legacy networking approaches remain fixed in the original guiding design principle that the network should remain dumb and intelligence should reside in hosts and applications. Modern SDN approaches attempt to bridge the divide between applications and networks through abstractions and APIs, but fall short by leaving the network dumb. A smarter networking model that is session-based and application-aware, with a native services-centric context, can create a breakthrough in intelligent networking and foster long-term innovation.
ADVANCED SECURE NETWORKING PRINCIPLES
128 Technology believes networking should be simpler, more agile and more intuitive while providing advanced security, reliability and inter-networking. This vision for Advanced Secure Networking requires some re-thinking of traditional networking precepts.
128T's Advanced Secure Networking vision is rooted in five basic principles.
IP networks should be natively session-aware
All meaningful IP services and applications are based on sessions, not packets. Most advanced network capabilities such as firewalls, load balancers and WAN optimizers are based on stateful management of sessions. Session-aware IP networking opens the door to a new realm of simplified intelligent networking and fine-grained analytics.
Security, load balancing and monitoring are not stand-alone functions
A session-based network is the foundation for the consolidation of network functions beginning by making security and load balancing native.
Networks must evolve to be application and services-centric
Routing and routing control planes should evolve from simple IP address and cost based metrics to encompass service topologies and policy frameworks based on a distributed and abstracted data model. Multi-tenanted policy and control logic should exist within, not on top of, the IP network.
Overlays are not the answer
Overlay networks such as MPLS, IPsec and VxLAN are layered on top of IP networks in large part to deliver deterministic routing, network virtualization and segmentation. These largely tunnel-based overlays carry significant networking overhead, fragmentation issues, scaling challenges and high operational costs while obfuscating most security and monitoring systems. Session-aware networking enables the replacement of overlays with more secure, scalable and agile end-to-end virtual networking at a fraction of the cost and overhead.
Zero trust security must be everywhere
Perimeter security models are no longer sufficient. Every aspect of networking will require that no user, traffic source or connected network is considered as trusted. IP routing is not an exception.
128T NETWORKING PLATFORM OVERVIEW
The 128T Networking Platform is a fully software-based, distributed and programmable routing and network services platform. The platform is designed around the advanced secure networking principles above and delivers a new session-aware and secure networking architecture, Secure Vector Routing.
PLATFORM COMPONENTS
The 128T Networking Platform comprises three building blocks: the 128T Conductor, the 128T Control and the 128T Slice (Software Line Card Engine). A combination of one or many 128T Controls and 128T Slices together form a single logical router supporting a wide range of deployment models, scaling from a remote branch office to a high-capacity edge router to a hyper-scale software-defined datacenter.
Figure 1: 128T Networking Platform Architecture
128T Conductor
The 128T Conductor is a management, policy and analytics engine that provides centralized orchestration, administration, monitoring and analytics aggregation for multiple geographically dispersed 128T Routers. The 128T Conductor maintains a network-wide, multi-tenanted services and policy data model which is exposed via northbound RESTful and Netconf APIs and distributed to 128T Routers.
The 128T Control is the centralized network and services control plane and analytics engine for a 128T Router. This includes computing and preparing all IP routing tables, managing service policies, collecting analytics, and configuration management. Through 128T Control, the IP routing information base (RIB) is combined with service policies to create a Services Information Base (SIB) which is distributed to each 128T Slice. Each 128T Control defines a single instance of a 128T Router.
Capabilities include:
1.   IP control plane and routing stacks (OSPF, IS-IS, BGP)
2.   Services control plane via STEP (Services and Tenancy Exchange Protocol)
3.   Federating with other 128T Routers
4.   Analytics engine and database
5.   Traffic and topology visualization
6.   Scalability up to thousands of 128T Slices
7.   High availability clustering
8.   RESTful and Netconf northbound APIs
128T Slice
The 128T Slice, or Software Line Card Engine, is the analog of a physical line card in a chassis-based IP router. 128T Slice software performs high-speed packet forwarding, classification, and security functions. It operates with its own integrated control plane for complex packet handling decisions, without the need to consult a remote controller.
Capabilities include:
1.   Distributed IP routing and packet forwarding
2.   Each Slice maintains a complete copy of the distributed routing information base (RIB) combined with services policy to form a services information base (SIB)
3.   Stateful session detection, classification, routing, and traffic management
4.   Application-specific routing and QoS treatment
5.   Dynamic multipath traffic steering
6.   Integrated session-based load balancing
7.   Integrated ACLs, DDoS protection, and session-based traffic shaping/admission control
VERSATILE DISTRIBUTED ROUTER ARCHITECTURE
The 128T Networking Platform software was designed from the start with broad scalability and architectural versatility in mind. The entire system may be deployed as a single 128T Router instance running on one system platform or as a single virtual machine. For large-scale distributed environments such as a datacenter or high-capacity edge routing, a highly available 128T Controller and many 128T Slices are deployed.
MULTIPLE SOFTWARE DEPLOYMENT MODELS
Multiple server environments are supported. These include bare metal, Linux KNI, and virtual machines. As a networking platform for cloud environments, the 128T solution will integrate with most industry-leading hypervisor and orchestration solutions, including KVM/OpenStack and VMware ESXi/vCloud Director.
Figure 2: 128T Networking Platform distributed architecture models
The 128T router supports various deployment models to enable flexibility and deployment agility. In its simplest form the 128T router can be deployed on any Intel DPDK enabled platform. CentOS is the preferred OS. We also support Red Hat and Fedora. The 128T system also supports Kernel Network Interface (KNI). In this scenario packets to and from the Guest VMs will be forwarded to the 128T system by the kernel through Vhost-net or KNI interface. The 128T router supports both Direct Path IO and SR-IOV to provide direct access to the NIC. DPIO has a one to one mapping between the physical and virtual NIC ports. With SR-IOV it is possible to have 8 VFs per NIC port. Finally, 128T also supports para-virtualized drivers. This provides optimized Rx/Tx queue handling through shared memory queues. The 128T system can thus be deployed on any Intel based COTS platform whether physical or virtual. It can also work with OpenStack and vCloud Director for deployment in private clouds. It can also be hosted in public clouds like AWS, Azure, or Google Cloud Platform for providing routing and other integrated functions.
RESILIENCY ARCHITECTURE
The 128T resiliency solution provides virtually zero downtime by maintaining sessions through redundant clusters in a single- or multi-site environment. It provides unprecedented elasticity through an N+M redundancy model, high reliability through fast failover based on continuous flow state synchronization between appliances and innovative multi-site failover, and unlimited scale through hardware-agnostic redundancy.
The solution operates in Active/Active clustering mode. Multiple routers are grouped together as clusters, with multiple Active units processing traffic and sharing the network load. Each cluster node contains a minimum of two units acting as a Stateful HA pair. Active/Active clustering provides Stateful failover in addition to load sharing. The customer may choose to pass all traffic through one of the routers in the cluster. In this case the remaining routers in the cluster will not be processing traffic, but they are all in Active mode with the ability to process traffic if required.
The 128T solution operates in N+M redundancy mode, where any number of routers participate in a cluster and can act as backups of one or multiple routers in the cluster. Interfaces on different routers can be configured as redundancy groups. These redundancy groups are collections of resources that need to fail over between the routers. An interface in a redundancy group is chosen as the primary and another as the secondary. This is done via a leader election or based on user-defined priorities. Primary interfaces are used to route traffic through the cluster. In case of failure, the traffic from the primary interface is switched to the secondary interface in the redundancy group via Gratuitous Address Resolution Protocol (GARP) or other routing protocol exchange.
A fabric link between the routers is used to route traffic between them in case of failure. In the diagram these are shown as directly connected links but they do not have to be. Also the diagram shows two routers in a cluster for ease of understanding however there can be multiple routers in the cluster.
The management link between the routers is used to exchange routing and flow information between the routers. This is shown as a separate directly connected link between the routers in the diagram; however, it can share any link. All information between the routers is shared using highly efficient in-memory databases to minimize bandwidth usage and to enable instantaneous information exchange.
All processes in a 128T router are self-resilient. They can regenerate themselves independently in case of process failures or exceptions. Unless there is a dependency that requires other processes to restart or the device to switch over, the process will rebuild itself and re-establish communications with the existing processes. If a process failure requires another process to be restarted due to a dependency, then that process is restarted automatically. In-built self-checking mechanisms managed with software diagnostics ensure the integrity of the entire system.
The distributed nature of the 128T system and its complete independence from the underlying hardware ensure that there is no limit on the number of routers that can be part of a cluster. There is also no restriction on the number of interfaces that can be part of a redundancy group. This makes the solution abundantly elastic. It can scale from a 1+1 configuration in a branch office to a fully distributed cluster in a large data center with N+M redundancy. This ensures a scale-out architecture that can span numerous use cases and any possible scenario.
Figure 11: Redundancy
The 128T resiliency solution ensures that the failover and switchover mechanisms are session-aware and completely secure.
Synchronizing Flow State
The 128T system syncs TCP and UDP flow state information between routers to ensure that no flows are lost and applications are not disrupted due to network outages. To ensure that no bogus or random packets cause the system to attempt to sync state, the 128T system only syncs state for established sessions. The 128T system also syncs all routing information to forward packets as traditional routers do in case of failure.
TCP Flow
The 128T router creates an established flow record in its local in-memory database when a TCP flow is established. This is done when the 128T router receives a SYN-ACK packet in response to a SYN packet that it has forwarded recently. Once this record is created for that particular flow, it is synced with routers in the cluster so that interfaces in redundancy groups can take over traffic forwarding in case of failure. This state information is maintained as long as the flow is active. The record is removed when the TCP session ends or when an inactivity timer expires. All information related to the flow, such as policy, security, and quality-of-service rules, is observed by all routers in the cluster to ensure complete reliability and security.
In the figure only two routers are depicted for ease of understanding. The 128T system can work with many routers in a cluster.
UDP Flow
The 128T router creates an established flow record in its local in-memory database when a UDP flow is established. This is done when the 128T router has forwarded a preset number of packets related to that UDP flow. Once this record is created for that particular flow, it is synced with routers in the cluster so that interfaces in redundancy groups can take over traffic forwarding in case of failure. This state information is maintained as long as the flow is active. The record is removed when the UDP session ends or when an inactivity timer expires. All information related to the flow, such as policy, security, and quality-of-service rules, is observed by all routers in the cluster to ensure complete reliability and security.
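Added example, not 128T code: a small tracker that applies the rule stated in the TCP and UDP paragraphs above, creating a TCP record only when a SYN-ACK answers a recently forwarded SYN, a UDP record only after a preset packet count, and syncing or withdrawing records for established flows only, so a SYN flood or a stray SYN-ACK produces no sync traffic to cluster peers. The SYN window, the UDP threshold of three packets, the inactivity timer, treating FIN or RST as session end, and the ("add"/"del", key) message shape are assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Flow key in the direction the packet travels: (src, dst, sport, dport, proto).
FlowKey = Tuple[str, str, int, int, str]


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    proto: str          # "tcp" or "udp"
    flags: str = ""     # TCP flags as letters: "S" (SYN), "SA" (SYN-ACK), "A", "F", "R"

    def key(self) -> FlowKey:
        return (self.src, self.dst, self.sport, self.dport, self.proto)

    def reverse_key(self) -> FlowKey:
        return (self.dst, self.src, self.dport, self.sport, self.proto)


@dataclass
class FlowTracker:
    """Decides which flows get an established record, and so a sync message to peers."""
    syn_window: float = 5.0     # assumed: how long a forwarded SYN waits for its SYN-ACK
    udp_threshold: int = 3      # assumed value of the document's "preset number" of packets
    idle_timeout: float = 30.0  # assumed inactivity timer for established records
    pending_syn: Dict[FlowKey, float] = field(default_factory=dict)           # key -> ts
    udp_seen: Dict[FlowKey, Tuple[int, float]] = field(default_factory=dict)  # key -> (n, ts)
    established: Dict[FlowKey, float] = field(default_factory=dict)           # key -> last seen
    sync_log: List[Tuple[str, FlowKey]] = field(default_factory=list)         # ("add"|"del", key)

    def observe(self, p: Packet) -> None:
        """Process one packet the router forwards; only established flows are synced."""
        self.expire(p.ts)
        key, rev = p.key(), p.reverse_key()
        est = key if key in self.established else rev if rev in self.established else None
        if est is not None:
            self.established[est] = p.ts                  # refresh the inactivity timer
            if p.proto == "tcp" and ("F" in p.flags or "R" in p.flags):
                del self.established[est]                 # session end: withdraw from peers
                self.sync_log.append(("del", est))
        elif p.proto == "tcp":
            if p.flags == "S":
                self.pending_syn[key] = p.ts              # forwarded SYN: local memory only
            elif p.flags == "SA" and rev in self.pending_syn:
                # SYN-ACK answering a SYN we forwarded recently: the flow is now a session.
                if p.ts - self.pending_syn.pop(rev) <= self.syn_window:
                    self.established[rev] = p.ts
                    self.sync_log.append(("add", rev))
            # Any other TCP packet with no known flow (stray SYN-ACK, bare ACK) is ignored.
        elif p.proto == "udp":
            n = self.udp_seen.get(key, (0, p.ts))[0] + 1
            if n >= self.udp_threshold:                   # preset packet count reached
                self.udp_seen.pop(key, None)
                self.established[key] = p.ts
                self.sync_log.append(("add", key))
            else:
                self.udp_seen[key] = (n, p.ts)

    def expire(self, now: float) -> None:
        """Age out unanswered SYNs, incomplete UDP flows and idle established sessions."""
        for k, t in list(self.pending_syn.items()):
            if now - t > self.syn_window:
                del self.pending_syn[k]
        for k, (_, t) in list(self.udp_seen.items()):
            if now - t > self.syn_window:
                del self.udp_seen[k]
        for k, t in list(self.established.items()):
            if now - t > self.idle_timeout:
                del self.established[k]
                self.sync_log.append(("del", k))


def demo() -> dict:
    """Constructed traffic: a real TCP session, a SYN flood, a stray SYN-ACK and one UDP flow."""
    tr = FlowTracker()
    client, server = "10.1.1.5", "198.51.100.7"
    tr.observe(Packet(0.0, client, server, 40000, 443, "tcp", "S"))
    tr.observe(Packet(0.1, server, client, 443, 40000, "tcp", "SA"))  # handshake completes
    tr.observe(Packet(0.2, client, server, 40000, 443, "tcp", "A"))
    # 1000 SYNs from spoofed sources that never complete: pending state only, no sync.
    for i in range(1000):
        tr.observe(Packet(1.0 + i / 1000, f"203.0.113.{i % 250 + 1}", server,
                          1024 + i, 443, "tcp", "S"))
    pending_after_flood = len(tr.pending_syn)
    tr.observe(Packet(2.5, "198.51.100.9", client, 443, 40001, "tcp", "SA"))  # no SYN forwarded
    for i in range(3):                                              # UDP crosses the threshold
        tr.observe(Packet(3.0 + i / 2, "10.1.1.6", "198.51.100.53", 50000, 53, "udp"))
    tr.observe(Packet(5.0, client, server, 40000, 443, "tcp", "F"))  # TCP session ends
    tr.expire(100.0)                                                  # UDP flow goes idle
    return {
        "adds": [k for op, k in tr.sync_log if op == "add"],
        "dels": [k for op, k in tr.sync_log if op == "del"],
        "pending_after_flood": pending_after_flood,
        "pending_now": len(tr.pending_syn),
        "established": dict(tr.established),
    }


if __name__ == "__main__":
    print(demo())
```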
Failure Scenarios
The 128T resiliency solution can enable zero downtime failure protection for all types of planned and unplanned network outages. It ensures that the end user application is oblivious to any network outage. The solution can provide high availability protection and switchover in case of process, interface, component, device, and cluster failovers. These may be caused by power outages, human errors, or other factors.
In normal operation all traffic is forwarded through the primary interfaces of the redundancy groups. These may be on a single router or may be spread across the routers, resulting in different flows going through either router.
In case of a single primary interface failure, traffic will be routed through the fabric link to the secondary interface on the other router. This fabric link does not have to be a dedicated directly connected link. In case of process, device, component, or dual interface failures that completely disable the router passing traffic, the traffic switches over completely to the other router. By intelligently identifying and syncing established flows, the 128T system is able to guarantee that end user applications do not see any interruption due to network failure.
In-service Software Upgrades
The 128T resiliency solution enables in-service software upgrades. This reduces downtime due to planned upgrades. The 128T system provides information to switch traffic to different routers in a cluster. Any router within the cluster can be isolated to prevent traffic forwarding through it while other routers in the cluster continue to forward all the traffic. This isolated router can then be upgraded. The upgraded router can then continue to participate in the cluster. Traffic can be switched back to this router, or it can remain dormant in the cluster while fully Active to process traffic if required.
Multi-site Failures
The distributed nature of the 128T system allows it to easily extend to multi-site failure scenarios. Router clusters in multiple sites can be configured as a collection. A router or router cluster configured as the Prime acts as a master store of flow information across the collection. In case of failure, traffic can be rerouted via a secondary disaster recovery site. The secondary site can either query the master store on the Prime for information, or the Prime can send the master store information to sites in the collection.
Another option is for the secondary site to send traffic directly to the Prime. The Prime already knows the flow information from its master store. It forwards traffic based on this information to the destination. This ensures that traffic flow is not interrupted while querying the master store and waiting for the information, as is the case for many multi-site failover solutions today. If the flow information does not exist on the Prime, then the primary site had never seen this flow and it is simply dropped.
On receiving packets back from the destination, the Prime forwards them to the secondary site from which it had received the packets. Once the secondary site gets these packets from the flow, it creates an appropriate record for this flow. The Prime can also respond back to the secondary site with the flow information if it does not receive any return packets. The secondary site can then forward packets for this flow directly to the destination without forwarding them to the Prime.
SERVICE CENTRIC DATA MODEL
Services are placed at the heart of the Secure Vector Routing design and the 128T data model is the language for describing the services, tenancy and associated policies. The 128T data model has local elements (e.g. router specific) and global elements. The 128T global data model is automatically shared across and between networks using a new services and tenancy control plane protocol (STEP). The data model is expressed in YANG and exposed via northbound REST and Netconf APIs to deliver a full suite of application and orchestration integration services.
Authority
The topmost configuration container in the 128T data model is called the authority. Conceptually, the authority represents the complete set of all 128T routers managed under a single organizational entity. The global data within the authority container includes service-layer and policy-layer configuration that applies to all of the 128T routers within this organizational entity. (In this document, the terms “authority” and “organizational entity” are synonymous, unless specifically referring to the 128T router’s configuration object container.)
Router
Within the authority is the router object, which describes a single instance of a 128T router deployed within a network. (Note well that a 128T router itself consists of several distinct components which may be deployed co-resident, such as a branch router, or fully distributed across a software-defined datacenter.) The configuration work done within the context of a router is referred to as local data (as opposed to the global data within the authority). Said another way: objects configured at the authority level of the hierarchy apply to all routers, and objects configured at the router level of the hierarchy apply only to that specific router.
Included in the local data of the router hierarchy are the software components that comprise that router (referred to as nodes, which can be any of Controls, Slices, and/or Combos), router-specific routing attributes – including both “classic” routing protocols such as BGP, as well as 128T-specific “service routes”, defined in the section on Configuring the Service Layer later in this document. Localized policies, primarily focused on the traffic distribution and traffic engineering behaviors of an individual router, are also part of this local data within the router hierarchy.
Global Services, Tenancy and Policy
Service configuration, which represents the cornerstone of the 128T router’s worldview, is part of the set of global data within an authority. The 128T global service centric data model is shared across all 128T routers in an authority and is comprised of three simple configuration elements, namely services (including service agents), tenants and policies.
Services and Service Routes/Agents
Services represent specific applications that a network delivers; e.g., web services, database services, or voice/video services. Using a top-down approach, the 128T data model asks that administrators define the services that their network will deliver, the requirements that the service demands (in terms of latency, packet loss, jitter, etc.), and the network topology – and the 128T router will deliver traffic to the service using the optimal paths through the network. Because they are global data in an authority, all services defined within an authority are part of the dataset for each 128T router that is also a member of that authority. Services are location independent and most often have multiple instantiations across a network or datacenter. Service agents (Service Routes) define specific physical instances of a service.
Tenants
Services are said to reside within tenants, a term used to represent a segmented partition within a L2/L3 network. Unlike other networking paradigms, where segmentation is done using overlay networking techniques (such as VLANs, VxLANs, etc.), the 128T router uses a novel tenancy model to place traffic sources and routes to their services (also referred to as service routes) into logical partitions within the underlay network itself. Tenancy is hierarchical and there are no practical limits to the number of levels of the hierarchy. A rich set of hierarchical access control policies built into the tenancy model ensures that network traffic flows along prescribed paths, and only from eligible sources. Tenants, like the services that they contain, are also part of the global data within an authority. A tenant defined within a 128T authority is said to “stretch” across all 128T routers that are members of that authority, and tenant information is shared between 128T router instances (in fact, it is shared both intra-router and inter-router).
Figure 3: 128T Networking Platform Global Service Centric Data Model
Policies
A set of global policies rounds out the data model; complementing the router-specific policies, the global policies describe the treatment of traffic that flows between 128T routers. This includes information on how packets are classified into their various types (e.g., how to differentiate between web traffic, voice traffic, proprietary application traffic, etc.) and the requirements that those traffic varieties have from a networking perspective.
Policies fall in three categories:
SERVICE POLICIES
Service policies define all of the expected “per session” attributes. This includes a QoS service class that defines routing priorities, DSCP and minimal acceptable quality thresholds. Rate constraint policies for service agents and load balancing policies are used for link and agent load balancing. Service policies apply to both tenants and services.
ACCESS POLICIES
Access policies define access control lists, specifying who and what applications can access a given service or tenant. Access policies apply to services and tenants by association with services.
SECURITY POLICIES
Security policies are used to describe the encryption and authentication requirements for a specific service. If a security policy is applied to a tenant, all traffic in that tenant’s network will use the prescribed encryption mechanism. If a security policy is applied to a service, then this will override any configured policy on a given tenant. This behavior allows for fine-grained control of what types of encryption should be applied at the tenant or service.
ROUTING WITH WORDS: QSNs AND STEP
This service centric data model provides a foundation for a new type of routing and policy management that uses the services language of the data model rather than traditional IP address prefixes and distance vectors.
Qualified Service Names (QSNs)
A Qualified Service Name (QSN) provides a mechanism to address a resource or service using a name instead of an IP address. To hide the complexity of dealing with IP addresses, 128 Technology replaces the routing logic with words in the form of named services and tenancy hierarchy. Services or service routes are defined using a hierarchical uniform resource identifier (URI) known as Qualified Service Name (QSN).
Qualified Service Name is a 128 Technology concept for an addressable Service resource and associated tenancy using URI Generic Syntax defined by RFC 3986. The QSN has two components, the hierarchical tenant descriptor and the services descriptor. The hierarchical tenant descriptor defines the multi-level tenancy for a service. The services descriptor defines the service itself (and its service group).
STEP (Services and Tenancy Exchange Protocol) Overview
Services and Tenancy Exchange Protocol (STEP) is a routing protocol developed by 128 Technology which enables dynamic exchange of services, tenancy, and policy between 128T routers to create dynamic service and policy federations. STEP uses QSNs to propagate a global view of services, topology, tenancy, and policies. It complements IGPs and BGP, facilitating network stretching and slicing end-to-end along with distributed access control and Quality of Service (QoS). STEP provides a mechanism for 128T Routers to discover and share services with other 128T Routers.
STEP and QSNs enable the ability to stretch a network end-to-end as one routing scheme can be used for any combination of private networks, public networks, IPv4 addressing models, and IPv6 addressing models. Services and policy become location independent as they are no longer tied to physical IP addresses. Workload elasticity becomes native. Underlying network complexity is completely abstracted away enabling a much simpler and agile network for services.
SECURE VECTOR ROUTING
The 128 Technology Networking solution introduces a breakthrough session-based, service centric and security-infused networking paradigm called Secure Vector Routing. Secure Vector Routing is fully compatible and interoperable with existing data and control plane architectures. Secure Vector Routing replaces and augments complex out-of-band routing protocols, tunnel-based network overlays and cumbersome provisioning systems with centralized control, simple intelligent service routes and in-band (data plane) signaling.
Secure Vector Routing advances the existing art of routing without introducing point solutions into an existing network. It works seamlessly with existing protocols and architectures while enhancing their capabilities.
Figure 4: Qualified Service Name (QSN) Structure
Secure Vector Routing leverages learning from mobile networking to ensure path symmetry and guarantee that segmentation rules remain intact while devices are in motion. Location independent routing ensures integrated load balancing and workload/device mobility. As devices and workloads move or new devices appear, established access control and segmentation rules are automatically instantiated.
The Secure Vector Routing architecture is comprised of three components (each described in its own section below):
•   Session Aware Data Plane
•   Services Control Plane
•   Service Centric Abstraction, Automation, and Analytics
Through these components, Secure Vector Routing brings inherent directionality, security, hyper-segmentation, and dynamic traffic steering capabilities.
SESSION-AWARE DATA PLANE
128T Routers, deployed at network edges, transform a stateless L2 fabric or L3 network data plane into a fully session aware data plane through session-based signaling and waypoint routing. In place of multiple stateful overlays, end-to-end route vectors are created that are:
•   Deterministic – Session traffic is steered in segments between waypoints while double-NAT ensures path and flow symmetry.
•   Secure – Each route vector carries ACL and firewall rules controlling access and directionality of session initiation. Every session is authenticated at each hop. Payload encryption is defined per-tenant and applied per-session.
•   Dynamic – Paths are established dynamically, per session, based on application policies and network state. Statically provisioned stateful tunnels are replaced with a model based on ephemeral session state that is relinquished upon session termination. Link and endpoint session load balancing is native.
•   Multi-tenant – Hierarchical multi-tenancy and secure segmentation is supported end-to-end across network and NAT boundaries.
Figure 5: Secure Vector Routing Architecture
Session awareness
Secure Vector Routing utilizes deep protocol analysis to recognize IP packets as IP sessions. Each IP session has a distinct start and end point. Sessions have directionality as they are initiated from a start point to an end point. Sessions consist of two flows, one in the forward direction and one in the reverse direction. Once a session is established, two unidirectional flows are instantiated and all subsequent packets in the session transit through them.
In traditional switching and routing infrastructures, forward and reverse flows may take asymmetric paths through the network. Traditional routers utilize a stateless per-packet “hot potato” forwarding approach with no notion of session. With the 128T solution, all packets associated with a session are routed along the same path. The packets from the response associated with the same session are routed along the same reverse path. This symmetrical flow or bi-flow enables packets to be intelligently routed, sessions to be controlled, traffic to be proactively analyzed, and prevents unauthorized flows from using the specific path.
The bi-flow enables conversations to be treated as individual sessions bringing true application and service context to the network.
Session based signaling – metadata
Secure Vector Routing introduces in-band, session-based signaling. To establish a bi-flow, the ingress 128T Slice adds metadata to the first packet of each session. This metadata is understood only by 128T Slices. The metadata is only included when the 128T Slice knows that there is another 128T Slice downstream. This metadata is used to signal information about a session. All subsequent packets for the same session follow the same path. Reverse metadata is included in the first packet on the reverse path for the same session. The metadata is only included once in each direction, within the first packet sent between the two 128T Slices.
IP packets may be dropped or lost so the metadata is sent on each packet until a response packet is received. For TCP sessions, this is the SYN/ACK. For UDP sessions, the metadata may be transmitted several times before a response packet is received.
The metadata includes original source IP address and port, original destination address and port, desired QSN, desired IP address (if local to the 128T platform), desired Class of Service, and other policy and control information. The reverse metadata includes utilization metrics and possible service class modification information.
The 128T Slice receiving the first packet uses deep packet inspection to retrieve the metadata to become session aware. Packets with the same forward equivalence can be separated into individual sessions and managed as sessions. This enables context aware multi-path routing. The 128T Slice remembers this information and associates it with the TCP or UDP session. Fast path routing is enabled once the first packet has forged a path in the network.
This context awareness per conversation or session enables 128T routers to guarantee application awareness and granular quality of experience.
Waypoints
The 128T solution uses waypoints to define the start and end points of a path that may go through one or more routers that provide connectivity between the two points. Waypoint addresses may be considered similar to “in-care-of” addresses in Mobile IP or Segment IDs in IPv6 Segment Routing. Waypoint addresses are IP addresses and ports configured on 128T Slices that are used to steer and anchor sessions across network paths. All traffic between 128T Slices is steered through waypoint addresses. The ports used as part of the waypoint addresses are dynamically assigned by the 128T Slices.
Inter-Slice Bidirectional Forwarding Detection (BFD) is used to test connectivity and path attributes between the waypoints.
Packet Processing
When the first packet corresponding to a new session arrives at a 128T Slice, it determines the appropriate route corresponding to the session. If a route is found:
1. The 128T Slice translates the source address of the packet to its own IP address. The destination address of the packet is translated to the waypoint address of the destination 128T Slice.
2. The 128T Slice adds metadata to the packet. This metadata includes the original source and the destination address of the packet along with other policy and control parameters.
3. The metadata is then signed and optionally encrypted based on policy.
4. The payload is then optionally encrypted depending on the policy associated with the flow.
The packet is then forwarded to the waypoint address of the next 128T Slice in the vector.
The intermediate 128T Slice receiving a new session verifies signature data for authenticity and authorization. This process repeats until it arrives at the final destination 128T Slice on the service route. If an intermediate 128T Slice is unable to verify the authenticity of the packets or is not authorized to forward the packets, then the packets are dropped, ensuring that unauthorized flows do not traverse the network. At the last hop 128T Slice, once authenticated and authorized, the original packet contents are restored and it is forwarded to the final destination.
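The first-packet processing just described, as an added model that is not 128 Technology's code: the wire format, the metadata fields, the HMAC-SHA256 signature, the single shared authority key and the per-Slice set of permitted QSNs are all assumptions made for the illustration (this page does not document the real metadata format or key provisioning). The model shows the address rewrite to waypoints, the signed metadata, and the drop on a failed authenticity or authorization check at an intermediate hop.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Optional

# Constructed shared authority key. Key provisioning is not described on this
# page, so one shared secret stands in for it here.
AUTHORITY_KEY = b"constructed-authority-key"


@dataclass
class Packet:
    src: str                              # "ip:port"
    dst: str                              # "ip:port"
    payload: bytes
    metadata: Optional[dict] = None       # carried only on a session's first packet


@dataclass
class Slice:
    name: str
    waypoint: str                         # this slice's externally facing "ip:port"
    allowed_qsns: set                     # services this slice may forward (access policy)
    key: bytes = AUTHORITY_KEY
    sessions: dict = field(default_factory=dict)   # (orig_src, orig_dst) -> next waypoint

    def sign(self, meta: dict) -> str:
        # Canonical JSON so signer and verifier hash identical bytes.
        body = json.dumps(meta, sort_keys=True).encode()
        return hmac.new(self.key, body, hashlib.sha256).hexdigest()

    def ingress(self, pkt: Packet, qsn: str, next_hop: "Slice") -> Packet:
        """Steps 1-3 above for a first packet that matched a service route."""
        meta = {"orig_src": pkt.src, "orig_dst": pkt.dst, "qsn": qsn}
        meta["sig"] = self.sign(meta)     # step 3: sign (encryption omitted here)
        self.sessions[(pkt.src, pkt.dst)] = next_hop.waypoint
        # Steps 1-2: source becomes this slice, destination becomes the peer's
        # waypoint, and the signed metadata rides along on the packet.
        return Packet(self.waypoint, next_hop.waypoint, pkt.payload, meta)

    def receive(self, pkt: Packet, next_hop: Optional["Slice"] = None) -> Optional[Packet]:
        """Intermediate or last-hop handling; returns None when the packet is dropped."""
        meta = pkt.metadata
        if meta is None:
            return None                   # new session with no metadata: drop
        unsigned = {k: v for k, v in meta.items() if k != "sig"}
        if not hmac.compare_digest(self.sign(unsigned), meta.get("sig", "")):
            return None                   # authenticity check failed: drop
        if meta["qsn"] not in self.allowed_qsns:
            return None                   # not authorized for this service: drop
        if next_hop is not None:
            # Intermediate slice: steer on to the next waypoint in the vector.
            return Packet(self.waypoint, next_hop.waypoint, pkt.payload, meta)
        # Last hop: restore the original addresses and strip the metadata.
        return Packet(meta["orig_src"], meta["orig_dst"], pkt.payload)


def forward_vector(pkt: Packet, qsn: str, path: list) -> Optional[Packet]:
    """Carry a session's first packet along a vector of two or more slices.
    Returns the restored packet at the last hop, or None if any hop drops it."""
    ingress, *rest = path
    current = ingress.ingress(pkt, qsn, rest[0])
    for i, hop in enumerate(rest):
        nxt = rest[i + 1] if i + 1 < len(rest) else None
        current = hop.receive(current, nxt)
        if current is None:
            return None
    return current
```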
Figure 6: Waypoint Addresses
The first packet serves to establish an end-to-end path across the network via the waypoints of intermediate 128T Slices. It also instantiates a single transient end-to-end session from ingress to egress 128T Slice. Subsequent packets that belong to the flows of the already established session are sent along the path associated with the session. Inter-128T Slice traffic is completely secured by Secure Vector Routing. These packets traverse the network on a per-session basis without any form of tunnel overhead.
SERVICES CONTROL PLANE
The session-aware data plane makes dynamic routing decisions based on fully distributed knowledge of services, topology and policies. Multi-tenant service and policy based federations are created across and between networks using STEP (Services and Tenancy Exchange Protocol), which operates in conjunction with the existing IP control plane. Services and related policies are configured at their local 128T router and propagated to other 128T routers within the authority or selectively to other authorities. Service policies and IP routing tables are combined in a fully distributed Services Information Base (SIB).
Benefits include:
•   Virtual network stretching across the fragmented infrastructure including data center, wide-area network, Internet and the branch.
•   Automation of interconnect between different service providers, cloud providers and enterprises.
Figure 7:
STEP is a unilateral routing protocol. This is similar to current BGP or OSPF/IS-IS routing models where all router adjacencies are defined or declared. So a STEP Link starts at one 128T Platform, and terminates on another. Unlike BGP, all routing with STEP is defined and controlled on a 128T Platform to 128T Platform basis, and not on an amorphous Authority (ASN) level.
There are two major differences between STEP and current IP routing protocols:
1.   First, STEP is ALWAYS between two parties, and there is never any aggregation or repackaging of any routes. This actually will make sense as one begins to understand that STEP is not a replacement for the current routing protocols, but rather an extension of capabilities to provide new kinds of secure routing that were not possible before.
2.   Second, STEP supports a separation between Service relationships and Transit relationships. The current routing protocols only deal with Transit (and are 100% based on IP Addresses that are routable), while STEP has two types of bilateral relationships. One for obtaining access to a Service (often in a private network), and a second for obtaining access to a next hop transit network (public or private).
Actual routing destinations are defined within 128T Platforms. These destinations are Service Instances or Transit Routes. These physical instances of a service or route are called Service Agents. Service Agents define all of the properties of a specific route instance.
The STEP protocol unilaterally advertises and shares QSNs with bilateral peers when there are one or more instances of a service agent. The 128T Platform offering the QSN is recorded and associated with the QSN. The advertisement is withdrawn when the number of instances transitions from one or more to zero. Separately, for adjacent transit networks, the STEP protocol updates the routing table with the waypoints of other 128T Platforms (by name). When no local routes satisfy a request, these remote routes will be used. The 128T Platform (by name) will be used as the target of the route.
STEP Operating Basics
STEP 1: DECLARE ADJACENCY
All 128T Platforms within a single authority are automatically declared adjacent. In fact, all global data objects are shared utilizing database techniques and/or extensions to YANG/NETCONF (128T Control+ architecture). Tenants and services are global. Also global within an authority are service classes and session types. This ensures that QoS treatments will be uniform. Importantly, the public addresses of the remote 128T Platform will be exchanged during this process as well.
STEP 2: MESH-UP PROCESS
The mesh-up process is the key step in turning logical adjacency into physical adjacency. This step is completely automated. The two principal components of the mesh-up process are first the exchange of adjacent waypoint addresses and second the connectivity test for paths between waypoints.
Most often, as with hybrid-WAN and datacenter interconnect environments, two 128T Platforms could be interconnected through multiple paths on multiple technologies. MPLS, Ethernet pseudowires, broadband, Direct Internet Access and the public Internet could all be used for interconnecting 128T Platforms. Each interconnection type carries its unique characteristics with respect to performance, quality, availability and cost. The mesh-up process establishes baseline link connectivity and observed quality measurements used to make policy-based routing and load balancing decisions.
The Mesh Up begins shortly after adjacency is established. The Mesh Up is automated, and it begins with an exchange of externally facing waypoint addresses allocated for networking.
Each 128T Platform’s 128T Control looks up all externally facing waypoints that are to be considered “candidates” for connectivity. These waypoints candidates are sent through the STEP protocol from each side to the other.
The next step in Meshing Up is to assess the IP Addresses received from the other 128T Platform for reachability.
1.   Any Private (RFC 1918) Address is assumed reachable.
2.   Public addresses are processed through the OSPF/BGP/IS-IS Routing table to determine how many AS Hops away the IP Address is, or what the cost or distance is. These numbers are used to prioritize these routes.
3.   Starting with Private Addresses first, a connectivity check is performed with BFD.
4.   The BFD message has the proper authentication cookies such that it can’t be faked by an attacker. If a SLICE on the proper 128T Platform receives this BFD message, it responds. The response includes information about the interface (size, Class of Service, quality attributes, etc.). Once a response is received, the IP Address is kept as a candidate.
5.   Public addresses are likewise tested with a connectivity check. If there is a response, the information is also recorded.
6.   Non-working addresses are kept, but recorded as non-working or out of service (OOS).
Figure 8: Example Datacenter-Branch mesh-up connectivity checks
The Mesh Up is performed by both sides, with each SLICE having an external interface each looking for and testing connectivity with the addresses shared. As soon as there is at least ONE working address, then the 128T Platform to 128T Platform connection is declared operational.
Once operational, BFD is used to test connectivity. If an interface becomes non-working, then it is added to the non-working addresses list. When there are no remaining working interfaces, the 128T Platform-to-128T Platform connection is disabled and an alarm notification is generated. BFD is performed on all previously working links to test for links coming back into service. For addresses that never worked, there is a very infrequent re-testing utilizing BFD. Addresses that begin to work will be added to the connection. Any change in externally available Waypoints will generate an update to all existing Mesh-Ups.
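The mesh-up procedure above (candidate prioritization, authenticated BFD checks, OOS tracking, and the ongoing re-test that disables the connection and raises an alarm when no working address remains), as an added model that is not 128 Technology's code. Assumptions: the routing table is a dict of prefix to AS-hop count, the BFD authentication cookie is modelled as an HMAC over the probed address under a shared key, and the remote Slice is a constructed probe function rather than a real BFD peer.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def as_hops(addr: str, routing_table: Dict[ipaddress.IPv4Network, int]) -> float:
    """Longest-prefix lookup of the AS-hop distance; unrouted addresses sort last."""
    ip = ipaddress.ip_address(addr)
    matches = [(net.prefixlen, hops) for net, hops in routing_table.items() if ip in net]
    return max(matches)[1] if matches else float("inf")


def prioritize(candidates: List[str], routing_table) -> List[str]:
    """Steps 1-2: private addresses first (assumed reachable), then public
    addresses ordered by their AS-hop distance from the routing table."""
    private = [a for a in candidates if is_rfc1918(a)]
    public = sorted((a for a in candidates if not is_rfc1918(a)),
                    key=lambda a: as_hops(a, routing_table))
    return private + public


def make_cookie(key: bytes, addr: str) -> str:
    # Stand-in for the BFD authentication cookie: an HMAC the peer can verify.
    return hmac.new(key, addr.encode(), hashlib.sha256).hexdigest()


@dataclass
class PeerConnection:
    peer: str
    working: Dict[str, dict] = field(default_factory=dict)   # addr -> interface info
    oos: List[str] = field(default_factory=list)             # kept, but out of service
    alarms: List[str] = field(default_factory=list)

    @property
    def operational(self) -> bool:
        return bool(self.working)          # at least ONE working address


Probe = Callable[[str, str], Optional[dict]]


def mesh_up(peer: str, candidates: List[str], routing_table, probe: Probe, key: bytes) -> PeerConnection:
    """Steps 3-6: BFD-check each candidate in priority order and record the outcome."""
    conn = PeerConnection(peer)
    for addr in prioritize(candidates, routing_table):
        info = probe(addr, make_cookie(key, addr))
        if info is None:
            conn.oos.append(addr)
        else:
            conn.working[addr] = info
    return conn


def bfd_refresh(conn: PeerConnection, probe: Probe, key: bytes) -> None:
    """Ongoing BFD: demote addresses that stop answering, promote OOS addresses
    that start answering, and raise an alarm when no working address remains."""
    for addr in list(conn.working):
        if probe(addr, make_cookie(key, addr)) is None:
            del conn.working[addr]
            conn.oos.append(addr)
    for addr in list(conn.oos):
        info = probe(addr, make_cookie(key, addr))
        if info is not None:
            conn.oos.remove(addr)
            conn.working[addr] = info
    if not conn.working:
        conn.alarms.append(f"{conn.peer}: no working waypoints, connection disabled")


def simulated_probe(reachable: Dict[str, dict], key: bytes) -> Probe:
    """Constructed stand-in for the remote Slice: it answers only for addresses
    that are up, and only when the cookie verifies under the shared key."""
    def probe(addr: str, cookie: str) -> Optional[dict]:
        if addr not in reachable or not hmac.compare_digest(cookie, make_cookie(key, addr)):
            return None
        return reachable[addr]
    return probe
```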
Upon completion of the mesh-up process, each 128T Router in an authority will have established a full topology of 128T Routers in the authority and have performed multi-path connectivity and quality checks for all inter-authority links.
STEP 4: SERVICE EXCHANGE
Upon the completion of the mesh-up process, each 128T Router will share its locally configured services with other members of the authority. In the example below, services and tenants hosted by the datacenter are first configured on the distributed 128T Router in the datacenter. The service routes, defined as QSNs, and related policies are then propagated to every branch 128T Router in the authority. All service related QoS, security and access control policies are also propagated automatically. When services are exchanged with other authorities, as with a peering scenario or private-public cloud interconnect, inter-authority filters are used to control what may be advertised and received.
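The STEP advertise/withdraw behaviour from the services control plane section (advertise a QSN when its first service agent comes up, withdraw when the last one goes away) together with the inter-authority filters described here, as an added model that is not 128 Technology's code. Assumptions: QSNs are plain constructed strings rather than the real URI form, peers in the same authority carry no filter, and filters are simple predicates on the QSN.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Filter = Callable[[str], bool]


@dataclass
class StepPeer:
    """One bilateral STEP relationship. Filters are None within an authority
    (everything is shared) and predicates on the QSN for other authorities."""
    name: str
    export_filter: Optional[Filter] = None     # what we may advertise to this peer
    import_filter: Optional[Filter] = None     # what this peer accepts from us
    received: Dict[str, str] = field(default_factory=dict)   # qsn -> advertising platform


@dataclass
class StepSpeaker:
    platform: str
    agents: Dict[str, int] = field(default_factory=dict)     # qsn -> live service agents
    peers: List[StepPeer] = field(default_factory=list)
    log: List[Tuple[str, str, str]] = field(default_factory=list)   # (peer, action, qsn)

    def _send(self, action: str, qsn: str) -> None:
        for peer in self.peers:
            if peer.export_filter is not None and not peer.export_filter(qsn):
                continue                     # inter-authority export filter blocks it
            self.log.append((peer.name, action, qsn))
            if peer.import_filter is not None and not peer.import_filter(qsn):
                continue                     # the peer's import filter discards it
            if action == "advertise":
                peer.received[qsn] = self.platform   # record who offers the QSN
            else:
                peer.received.pop(qsn, None)

    def agent_up(self, qsn: str) -> None:
        before = self.agents.get(qsn, 0)
        self.agents[qsn] = before + 1
        if before == 0:                      # 0 -> 1 instances: advertise once
            self._send("advertise", qsn)

    def agent_down(self, qsn: str) -> None:
        before = self.agents.get(qsn, 0)
        if before == 0:
            return
        self.agents[qsn] = before - 1
        if before == 1:                      # 1 -> 0 instances: withdraw
            self._send("withdraw", qsn)
```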
Figure 9: Example Datacenter-Branch mesh-up services exchange
SERVICE CENTRIC ABSTRACTION, AUTOMATION, AND ANALYTICS
The Secure Vector Routing architecture employs multi-tenanted policy provisioning, control and analytics which abstract complex network technologies to simple service-centric and business constructs. This abstraction, based on 128T’s data model, is not merely a translation of underlying complexity but is inherent throughout the 128 Technology architecture and interfaces. Network requirements are described in application terms. Session based analytics provide application insights in a services context. RESTful and Netconf APIs provide a full suite of integration capabilities with applications, orchestration and DevOps.
Benefits include:
DevOps Ready
128 Technology supports frameworks of commercial DevOps tools to automate a variety of management tasks across an authority. With this approach, users can easily automate custom processes for their network.
128 Technology leverages several commercial DevOps tools to automate a variety of management tasks, enabling zero-touch operations. We employ DevOps management from a central location with secure connectivity to all Control and Slice instances in the authority. Customers can use DevOps stand-alone to automate common tasks on 128T Routers, or they can incorporate DevOps automation of 128T instances into a multi-vendor framework. Our DevOps Network Development Kit (NDK) provides examples of automation of a number of key tasks including zero-touch installation, authority-wide software upgrade, and zero-touch provisioning for branch offices. We support several well-known DevOps platforms including Puppet, Chef, SaltStack, and Ansible.
Figure 10: Service Centric Abstraction, Automation and Analytics
ONE PLATFORM – BROAD SET OF USE CASES
128 Technology has created a fundamentally new approach to networking – one that delivers improved security, programmability, and agility across networks. The 128T Networking Platform solves problems for enterprises, service providers and cloud companies alike. The 128T Networking Platform addresses a broad spectrum of routing applications from the branch, across the wide area network to the datacenter and the edge. What’s more, the platform can be deployed to either augment or replace existing network routing solutions, simplifying adoption and speeding time to value. Here are a few example use cases of our software-based network platform.
NEXT GENERATION WAN
Tomorrow’s wide area networks (WANs) will need to deliver much more than just automated and optimized transport connectivity between sites. Next Generation WANs will need to empower distributed cloud-driven applications that are consumed by a changing array of users. The 128T Networking Platform goes beyond traditional Software Defined WAN (SD-WAN) offerings by solving the underlying network challenges that are the real culprits of complexity and cost. 128 Technology's session-based solution offers end-to-end fine-grained segmentation, security, and access control without the overhead, cost and scaling challenges of overlays.
Solution Highlights
SESSION CENTRIC IP ROUTING creates symmetrical bi-flows that enable packets to be intelligently routed, sessions to be controlled, and traffic to be proactively analyzed. The solution can monitor network and session performance to proactively route traffic along paths that meet the SLA requirements for the application.
HIGHLY PROGRAMMABLE solution enables networks to be stretched and sliced end-to-end, as a single routing scheme can be used for any combination of private and public networks. It also enables dynamic workload elasticity. Location independent routing ensures integrated load balancing and workload/device mobility. The 128 solution operates as a distributed virtual router sharing tenancy and service information inherently.
PRIVATE-PUBLIC-PRIVATE INTERNETWORKING offers end-to-end virtual networking without tunnels and overlays. This eliminates complex stitching operations and removes the need for masking convolution with orchestration.
HYPER-SEGMENTATION goes beyond any existing segmentation techniques to deliver uniform and scalable traffic isolation, hierarchical multi-tenancy and network slicing end-to-end, from the datacenter server to the branch. Overlay-based segmentation maintains unnecessary complexity while saddling networks with scaling and quality challenges.
ZERO TRUST SECURITY ensures each flow is encrypted and authenticated based on its associated security policies, which enables enterprises to offer secure micro-segmented connections or individualized VPNs to different lines of business within a large enterprise.
DYNAMIC SESSION AND APPLICATION AWARENESS provides load balancing and traffic steering based on the session policies and status of the network.
Key Capabilities
• Dynamic Traffic Steering
• Branch Virtual Networks
• Dynamic Enterprise VPNs
• Private-Public-Private Internetworking
Emerging cloud applications place unprecedented demands on the WAN. Enterprises cannot rely on Band-Aid solutions that mask network issues by introducing automation alone. Such solutions may provide some savings in terms of ease of deployment and choosing lower-cost paths, but they cannot meet the needs of future networks. It is imperative for networks to become application aware, remove overlays, and provide infused security in order to deliver unparalleled experiences and savings in the WAN. The 128 Technology solution provides a NG-WAN solution that goes above and beyond traditional SD-WAN offerings by solving underlying network issues and delivering unparalleled experiences.
SOFTWARE-DEFINED DATACENTER
Cloud companies, enterprises and service providers are rapidly modernizing their data center architectures and operations to deliver infrastructure resources as easily provisioned, highly flexible services. In doing so, data center networks will need to accommodate new types of traffic patterns, enable dynamic workload mobility, and respond to rapidly evolving security threats. The 128T Networking Platform distributes application intelligence, fine grained segmentation, security, load balancing and control throughout the data center, without the unnecessary overhead of overlay techniques.
Today’s enterprises and service providers can achieve the agility and efficiency benefits of hyper-scale datacenters such as those developed by Google and Facebook. The software-defined data center, in which all elements of the infrastructure (networking, storage, compute and security) are virtualized along with abstraction and automation concepts, has widely been touted as the solution for hyper-scale.
Software-defined networking has been seen as essential to the software-defined datacenter’s network virtualization and there are a number of SDN “network virtualization overlay (NVO)” vendors who market products to enable virtual network overlays, designed to abstract networking from the physical networks on which they ride.
The challenge with existing network virtualization overlays lies in their reliance on overlays themselves. These stateful and largely tunnel-based overlays carry with them significant networking overhead, fragmentation issues, scaling challenges and operational costs, while rendering most security and monitoring systems useless. Furthermore, most NVO solutions still largely depend on complex service chaining architectures to insert advanced (and session-stateful) network functions such as firewalls and load balancers, each of which adds continuous capex and opex spend. Many agree the time is ripe for functional consolidation.
The 128T Networking Platform delivers a much simpler, more scalable solution for the software-defined datacenter using a new session-based, secure and service-centric networking model, Secure Vector Routing.
Solution Highlights
HYPER-SEGMENTATION goes beyond any existing segmentation techniques to deliver uniform and scalable traffic isolation, hierarchical multi-tenancy and network slicing end-to-end, from the datacenter server to the branch and across multiple datacenters. Overlay-based segmentation maintains unnecessary complexity while saddling networks with scaling and quality challenges.
SESSION CENTRIC IP ROUTING creates symmetrical bi-flows that enable packets to be intelligently routed, sessions to be controlled, and traffic to be proactively analyzed. The solution can monitor network and session performance to proactively route traffic along paths that meet the SLA requirements for the application. Session-based load balancing is native to every 128T Router node.
ZERO TRUST SECURITY ensures each flow is encrypted and authenticated based on its associated security policies, which enables enterprises to offer secure hyper-segmented connections or individualized VPNs to different lines of business within a large enterprise. Session-stateful firewall capabilities are native to every 128T Router, mitigating the need for expensive perimeter security solutions.
HIGHLY PROGRAMMABLE solution makes it possible to stretch and slice networks end-to-end, since a single routing scheme can be used for any combination of private and public networks. It also enables dynamic workload elasticity. Location-independent routing ensures integrated load balancing and workload/device mobility. The 128 solution operates as a distributed virtual router that inherently shares tenancy and service information.
PRIVATE-PUBLIC-PRIVATE INTERNETWORKING offers end-to-end virtual networking without tunnels and overlays. This eliminates complex stitching operations and removes the need to mask that convolution with orchestration.
DYNAMIC SESSION AND APPLICATION AWARENESS provides load balancing and traffic steering based on the session policies and status of the network.
NFV – ETSI FRAMEWORK FOR TELCO CLOUD
With Network Functions Virtualization (NFV), network operators are reducing their dependence on single-purpose appliances by taking functions that were previously built into hardware and implementing them in software that runs on industry-standard servers, network, and storage platforms. Beyond reducing network operators’ dependency on dedicated hardware, leveraging NFV (and SDN) enables more programmability in the network and greatly reduces the complexity and time-to-market associated with introducing new services. While NFV is about network equipment virtualization, SDN is about network virtualization. SDN calls for the separation of the control plane from the data plane, making the latter simple and fast, dealing mostly with the media access control and Internet Protocol layers.
The NFV architecture comprises major components – including virtualized network functions (VNFs), NFV management and orchestration (MANO), and NFV Infrastructure (NFVI) – that work with traditional network components like OSS/BSS. 128 Technology delivers carrier-grade solutions for VNFs and NFVI virtual networking.
NFVI Virtual Networking – Software-defined Datacenter
The NFV Infrastructure (NFVI) is a key component of the NFV architecture, defining the hardware and software components on which virtual networks are built. A key component of the NFVI is the Virtual Network component. The 128T Networking Platform provides a fully distributed virtual routing solution that transforms any datacenter fabric into a single logical router, with 128T Slices deployed on NFVI servers taking the place of Open vSwitch and 128T Control providing the centralized control plane, policy management and analytics. The 128T Conductor provides centralized management, automation and visibility and integrates with higher-level Network and Service Orchestration functions through REST and Netconf APIs.
Virtual CE and PE
The 128T Router is also packaged as VNFs delivering CE Router and PE Router capabilities. As a CE or PE, each VNF combines the 128T Control and 128T Slice functionality in a single virtual machine. The 128T Conductor provides 128 Technology VNF-specific management and orchestration, integrating with higher-level MANO functions through REST and Netconf APIs.
VIRTUAL EDGE
Service providers and enterprises are looking to simplify the way WAN connectivity and applications are architected, provisioned and managed. WAN architectures are moving from dedicated private connectivity models based on dedicated circuits and MPLS to distributed hybrid-connectivity solutions that leverage multiple heterogeneous connectivity options, including public internet, broadband, and LTE. These requirements have given rise to a new set of SDN-based solutions called SD-WAN.
Meanwhile, enterprise and service provider network managers are tired of complicated edge networks that require multiple purpose-built appliances, specialized knowledge and complicated configurations. Service providers seek a simpler way to deploy managed services to their customers. The network edge is traditionally the land of specialized equipment – including routers, firewalls, WAN optimization and VPN. The industry is trying to change that, replacing specialized appliances with commodity hardware and software-based solutions. Some of these specialized network functions can be pulled out and executed in software-based VNFs in the enterprise/service provider cloud/datacenter (vCPE) or on customer premises equipment managed from the cloud. A simpler, software-defined virtual edge is emerging.
The goal of the virtualized edge is to simplify the customer edge while pushing more functionality into software that can be provisioned and automated from the cloud. This together with virtualizing hybrid WAN connectivity promises huge capex and opex savings for enterprises and service providers alike.
128 Technology’s Next-Generation WAN solution goes beyond most SD-WAN offerings, bringing together SD-WAN hybrid-WAN networking and virtual CPE in a new Secure Vector Routing architecture.
128 Technology’s Virtual Edge solution has three key components:
Virtual Edge-CPE
The 128T Router is deployed at the enterprise branch or datacenter WAN edge on bare-metal CPE. As a NG-WAN edge, the 128T Router delivers all the benefits of the NG-WAN offering previously discussed in this paper, while enabling dynamic service insertion of VNFs either co-located on the edge or in the cloud.
Virtual CE and PE Router
The 128T Router is also packaged as a VNF delivering Customer Edge (CE) router functionality. As a CE, each VNF combines the 128T Control and 128T Slice functionality in a single virtual machine. The 128T Conductor provides 128 Technology VNF-specific management and orchestration, integrating with higher-level MANO functions through REST and Netconf APIs.
NFVI Virtual Networking
The 128T Networking Platform provides a fully distributed virtual routing solution that transforms any datacenter fabric into a single logical router, with 128T Slices deployed on NFVI servers taking the place of Open vSwitch and 128T Control providing the centralized control plane, policy management and analytics. The 128T Conductor provides centralized management, automation and visibility and integrates with higher-level Network and Service Orchestration functions through REST and Netconf APIs.
DATACENTER INTERCONNECT
The exploding requirements for cloud services, streaming video, and nonstop “anywhere, anytime” access – all with little or no downtime – are creating a dramatic shift in where data centers are built and how they are interconnected. Existing purpose-built data center interconnect (DCI) approaches help eliminate bottlenecks, enable data and workload mobility, and maintain uptime – but bring enormous complexity and cost. The 128T Networking Platform provides dynamic and secure DCI capabilities without relying on overlays or domain stretching, while providing a scalable, flexible connectivity platform.
NETWORK AS A SERVICE
In order to stay competitive, cloud and service providers need to rapidly develop and deliver new revenue-generating services to customers faster than ever. Yet, provisioning and configuring reliable and secure network access can be cumbersome, slow, and expensive for providers and customers alike. The 128T Networking Platform provides the ability to spin up new services and establish network connectivity faster, cheaper, and with more confidence. The solution offers full network quality-of-service (QoS) control, end-to-end zero trust security and real-time visibility and analytics into how each service is performing.