Much has been made of the “conscious uncoupling” of the control plane and the data plane in network architectures. This notion is central to the Software Defined Networking (SDN) philosophy, where a centralized, software-based control plane dictates traffic handling rules (usually as a Forwarding or Routing Information Base) to the data plane elements that do the actual work of moving packets. In theory, this offers a number of advantages: (1) centralized, programmable control over a network that can be modified quickly to adapt to varying application needs; (2) use of lower-cost commodity forwarding hardware; and (3) improved network management through automation and orchestration.
Separating the control plane from the data plane makes absolute sense in terms of flexibility, scale, and management. However, an emphasis on placing all the intelligence in the control plane – leaving a “dumb” data plane – poses challenges of its own, and misses a huge opportunity for innovation.
At 128 Technology, we’ve created a routing platform that leverages the benefits of separated control and data planes while at the same time driving new capabilities into both. Specifically, we’ve developed a data plane that understands the unique characteristics of sessions and uses that understanding to establish end-to-end route vectors that are deterministic and secure.
In a 128 Technology routing instance, we call the data plane element a “Slice” – short for “Software Line Card Engine”, given that its role in the network is similar to a line card in a traditional router. The Slice recognizes the beginning of a session when it sees the first packet of an exchange between two hosts. Based on the 5-tuple information within that first packet (source address and port, destination address and port, and protocol), the Slice can intelligently route the session to its destination via the best paths available — as well as enforce access, quality, and security policies associated with that session.
Here’s how it works:
- When the first packet of a new session arrives at a 128T Slice, the Slice looks up the appropriate route in an enhanced Forwarding Information Base (FIB). If a route is found, the Slice rewrites the packet’s source and destination addresses to “waypoint” addresses: those of the 128 Technology Slices closest to the source and to the destination.
- The original addresses, along with other policy and control information, travel with the packet as metadata. The metadata is signed, optionally encrypted, and the packet is forwarded to the next waypoint address in the route. Note that the signature protects the integrity and origin of the metadata; only the optional encryption keeps its contents, the original addresses included, from being read by the hops it crosses.
- When the packet reaches the last waypoint in the route, the Slice closest to the destination, the original addresses are restored, the metadata is removed, and the packet is delivered to the final destination.
- Subsequent packets from the same session are automatically recognized and forwarded along in the same way, but without “first packet processing”. Additionally, the 128 Technology platform applies the same treatment to the entire session — including packets returning to the source – processing them bi-directionally.
It’s important to note that at every intermediate hop between the source and destination Slices, the signature on the first packet’s metadata is verified for authenticity and authorization. If an intermediate 128T Slice cannot verify that the metadata was signed by a trusted peer, or is not authorized to forward that session, it drops the packets. If an intermediate hop is a non-128 Technology element, it simply forwards the packets on toward the next waypoint address with no special processing.
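To make the four steps above and the per-hop verification rule concrete, here is an added toy model in Python. It is not 128 Technology code: the metadata layout, HMAC signing with constructed shared keys, the tenant field used for the authorization decision, the waypoint addresses, the FIB entries and the session table structure are all assumptions made for the illustration. It carries a first packet from an ingress Slice across a non-128T router and a transit Slice to the egress Slice, shows that later packets and the return direction are handled from the learned session state without first-packet processing, and drops a first packet whose signed metadata was altered in transit.

```python
# Added toy model, not 128 Technology code: keys, addresses, tenant names and the
# metadata layout are all constructed for this illustration.
import hashlib, hmac, ipaddress, json

# Constructed shared HMAC keys of trusted peer Slices (provisioned out of band in practice).
KEYS = {"slice-a": b"key-a", "slice-b": b"key-b", "slice-c": b"key-c"}

def tuple_of(pkt):
    return (pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"], pkt["proto"])

def reverse(t):
    return (t[2], t[3], t[0], t[1], t[4])

def rewrite(pkt, new_t):
    out = dict(pkt)
    out["src"], out["sport"], out["dst"], out["dport"], out["proto"] = new_t
    return out

class Slice:
    def __init__(self, name, waypoint, fib, tenant, allowed):
        self.name, self.waypoint = name, waypoint
        self.fib = [(ipaddress.ip_network(p), wp) for p, wp in fib]  # prefix -> egress waypoint
        self.tenant, self.allowed = tenant, allowed  # local classification; tenants allowed through
        self.sessions = {}   # observed 5-tuple -> 5-tuple to forward with (per-session state)
        self.dropped = 0

    @staticmethod
    def _mac(signer, meta):
        body = json.dumps(meta, sort_keys=True).encode()
        return hmac.new(KEYS[signer], body, hashlib.sha256).hexdigest()

    def _verified(self, pkt):
        meta = pkt["meta"]
        if meta["signer"] not in KEYS:
            return False                            # unknown peer: not authentic
        if not hmac.compare_digest(self._mac(meta["signer"], meta), pkt["sig"]):
            return False                            # metadata altered in transit
        return meta["tenant"] in self.allowed       # authorization to forward this session

    def handle(self, pkt):
        """Return the packet to forward on, or None if it is dropped."""
        t = tuple_of(pkt)
        if t in self.sessions:                      # known session: no first-packet processing
            return rewrite(pkt, self.sessions[t])
        if "meta" in pkt:                           # first packet arriving from an upstream Slice
            return self._verify_and_learn(pkt, t)
        return self._first_packet(pkt, t)           # first packet from a local host

    def _first_packet(self, pkt, t):
        egress = next((wp for net, wp in self.fib if ipaddress.ip_address(t[2]) in net), None)
        if egress is None:
            self.dropped += 1
            return None                             # no route in the FIB
        wp_t = (self.waypoint, t[1], egress, t[3], t[4])   # waypoint addresses replace the originals
        meta = {"signer": self.name, "orig": list(t), "tenant": self.tenant}
        self.sessions[t], self.sessions[reverse(wp_t)] = wp_t, reverse(t)  # both directions
        return rewrite(dict(pkt, meta=meta, sig=self._mac(self.name, meta)), wp_t)

    def _verify_and_learn(self, pkt, t):
        if not self._verified(pkt):
            self.dropped += 1
            return None
        orig = tuple(pkt["meta"]["orig"])
        if t[2] != self.waypoint:                   # intermediate Slice: verified, pass through
            self.sessions[t], self.sessions[reverse(t)] = t, reverse(t)
            return pkt
        self.sessions[t], self.sessions[reverse(orig)] = orig, reverse(t)  # last waypoint
        return rewrite({k: v for k, v in pkt.items() if k not in ("meta", "sig")}, orig)

def run(path, pkt):
    """Push a packet hop by hop; None entries are non-128T routers that just forward."""
    for hop in path:
        if hop is None:
            continue
        pkt = hop.handle(pkt)
        if pkt is None:
            return None
    return pkt

def demo():
    a = Slice("slice-a", "192.0.2.1", [("10.2.0.0/16", "192.0.2.3")], "hr", {"hr"})
    b = Slice("slice-b", "192.0.2.2", [], None, {"hr"})
    c = Slice("slice-c", "192.0.2.3", [("10.1.0.0/16", "192.0.2.1")], "hr", {"hr"})
    syn = {"src": "10.1.0.5", "sport": 40000, "dst": "10.2.0.7", "dport": 443, "proto": "tcp", "data": "SYN"}
    ack = {"src": "10.2.0.7", "sport": 443, "dst": "10.1.0.5", "dport": 40000, "proto": "tcp", "data": "SYN-ACK"}
    out = {"first": run([a, None, b, c], syn),                     # ingress, non-128T router, transit, egress
           "data": run([a, None, b, c], dict(syn, data="DATA")),   # same session: fast path at every Slice
           "reply": run([c, b, None, a], ack)}                     # return direction uses the learned state
    bad = a.handle(dict(syn, sport=40001))                         # new session; alter its signed metadata
    bad["meta"]["orig"][2] = "10.2.0.99"
    out["tampered"], out["dropped_at_b"] = run([b, c], bad), b.dropped
    return out
```

The path lists stand in for ordinary IP routing toward the waypoint address; the `None` entry is a router that is not a Slice and forwards without inspecting anything. As the post describes, only the first packet carries the signed metadata; every later packet of the session, in either direction, is matched against the state each Slice recorded when it verified that first packet, so `demo()` returns the delivered packets with their original addresses and no metadata, and `None` for the session whose metadata was altered between the ingress and transit Slices.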
This approach to intelligent packet forwarding has a number of advantages:
- It creates an in-band signaling system in the network, enforcing path selection and segmentation, without relying on the use of tunnels or out-of-band control mechanisms, both of which can add complexity and overhead.
- It enables a hop-by-hop authentication and encryption scheme, infusing zero trust security at a highly granular level throughout the network.
- It allows the routing function to hold small amounts of state for the duration of the session, which opens the door for advanced network functions (firewalls, load balancers, etc.) to be incorporated natively into routing.
- It provides a powerful, session-specific enforcement mechanism for security, access, and quality of service policies established at the Control Plane.
Most importantly, a session-oriented data plane can tightly align applications and services with the underlying network, delivering on the promise of a highly intelligent, dynamic “application aware” network architecture. You could call it “conscious intelligent uncoupling” of the control and data planes – we simply call it Secure Vector Routing.