Cracking SDN and NFV’s Signaling Question

By SDxCentral

By Patrick MeLampy

The market for software-defined networking (SDN) and network functions virtualization (NFV) technologies continues to thrive as their benefits are touted left and right. However, as their popularity grows, it’s essential to recognize that these implementations are limited by the absence of a holistic signaling system, à la Signaling System 7 (SS7). SS7 mediated how resources were applied to calls and managed the progression of connections through the hierarchy of switches in the days of public switched telephone networks.

To be most effective in controlling and managing networking, SDN and NFV should use signaling. In fact, all modern IP networking could operate more efficiently with a signaling system, something that will likely be required in SDN and NFV architectures soon.

Tom Nolle, president of consulting firm CIMI, put it this way: “When you try to build extensive SDN topologies that span more than a single data center, or when you build an NFV service over a practical customer topology, you encounter several key issues. Most can be attributed to the fact that both SDN and NFV depend on a kind of ‘out of band’ connectivity.”

Before continuing, we should first define signaling for real circuits, virtual circuits, and signaling for a specific use. For real circuits or pathways, we currently employ Interior Gateway Protocols (IGPs) — such as Open Shortest Path First (OSPF) or Intermediate System to Intermediate System (IS-IS) — that maintain our local area network systems. We also have Exterior Gateway Protocols (EGPs) for managing inter-authority pathways. So, there is indeed a system in place to learn pathways in the public internet.

Networks at an Impasse

There are two public Internets — IPv4 and IPv6 — and neither shares signaling information with the other. The two networks are connected by stateful, brittle NAT64 devices but do not have any support for signaling between the network boundaries. There are also millions of private networks that connect to either IPv4 or IPv6 networks through stateful network address translations (NATs), and these also do not share signaling support.

Therefore, in actuality, our current network routing systems do not signal properly. Many consider this problem unfixable, which results in SDN/NFV use cases adding proprietary systems of overlay or tunnel connections between various networks. Both of these solutions gather connectivity and performance information for each tunnel in a collection of tunnels to create yet another closed network.

It’s safe to say there is no network information exchange between IPv4 public networks, IPv6 public networks, private IP networks, and subnetworks (or SDN/NFV implementations). To truly fix the problem at hand, the aforementioned signaling system will need to work across and in between any combination of these networking solutions.

Applications Can Do It, Why Can’t Networks?

With all this information, it’s ironic that the application makers seem to have no problem signaling across all of the above networks. By using application layer mechanisms involving sessions, cookies, tokens, dynamic domain name systems (DNS), and other techniques, applications are now seamlessly moving authenticated sessions from one network to another. Applications are also re-routing traffic, performing load balancing, adding authentication, and supporting mobility without any network involvement.

Think about cookies and single sign-on tokens; these application layer mechanisms are truly showing us the way forward. They help make network edges smart enough to insert, process, and remove metadata once per session to signal for network resources on a session-by-session basis.

The Answer

Nolle writes that “even the operators who say they’ve seen the early signs of the signaling issue say that they see only hints today because of the limited scope of SDN and NFV deployments.” To truly make the most of our SDN and NFV implementations, we will need to adopt Nolle’s belief that we need an SS7-like network for virtualization, and that signaling should be session-based like SS7.

Signaling should take advantage of all existing networks but pass through NATs and network boundaries. The insertion of signaling information should occur only once per session, and signaling should be inserted only if the network is sure it can be used and removed by upstream network equipment. The requirements for an end-to-end signaling system include:

  • Must be in the payload: To cooperate with decades of middleboxes that have been deployed
  • Must support hop-by-hop authentication: To avoid the pitfalls associated with source-based routing
  • Must be inserted only when upstream equipment can process the information: Lest applications be broken
  • Must pass through any number of NATs, tunnels, and networks
  • Must speak the language of services and not IP addresses: To be available to IPv4 and IPv6, unilaterally
  • Must be included only as needed (often just the first packet): To avoid the tax imposed by tunnels and overlay networking techniques
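
A minimal sketch of how several of these requirements fit together, added here as an illustration and not taken from the original article or any vendor's implementation: metadata is carried in the payload of a session's first packet, each link authenticates it with its own key (hop-by-hop), and it is stripped whenever the next hop cannot process it. The `SMD1` marker, the JSON encoding, the per-link HMAC keys and all function names are assumptions.

```python
import hashlib
import hmac
import json
import struct

MAGIC = b"SMD1"   # hypothetical marker for in-payload session metadata
TAG_LEN = 32      # HMAC-SHA256 output size

def insert_metadata(payload: bytes, meta: dict, hop_key: bytes) -> bytes:
    """Prepend metadata to a session's first payload, MACed for the next hop."""
    body = json.dumps(meta, sort_keys=True).encode()
    tag = hmac.new(hop_key, body, hashlib.sha256).digest()
    return MAGIC + struct.pack("!H", len(body)) + body + tag + payload

def extract_metadata(data: bytes, hop_key: bytes):
    """Verify the previous hop's MAC; return (meta, original_payload).

    Only call this on the first packet of a session from a peer known to
    insert metadata; otherwise a payload starting with MAGIC is ambiguous.
    """
    if not data.startswith(MAGIC):
        return None, data                      # nothing inserted upstream
    if len(data) < 6:
        raise ValueError("truncated metadata header")
    (n,) = struct.unpack("!H", data[4:6])
    body, tag = data[6:6 + n], data[6 + n:6 + n + TAG_LEN]
    if len(body) != n or len(tag) != TAG_LEN:
        raise ValueError("truncated metadata")
    expected = hmac.new(hop_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("hop authentication failed")
    return json.loads(body), data[6 + n + TAG_LEN:]

def forward(data: bytes, key_in: bytes, key_out: bytes, next_hop_capable: bool) -> bytes:
    """Transit hop: authenticate upstream, then re-MAC for downstream or strip."""
    meta, payload = extract_metadata(data, key_in)
    if meta is None or not next_hop_capable:
        return payload                         # never leak metadata to the app
    return insert_metadata(payload, meta, key_out)

# Constructed sample: ingress -> transit -> egress, one shared key per link.
K1, K2 = b"link-1-demo-key", b"link-2-demo-key"
APP = b"GET / HTTP/1.1\r\n\r\n"
META = {"service": "billing-api", "tenant": "acme"}   # service names, not IPs

def run_path():
    first_packet = insert_metadata(APP, META, K1)
    at_egress = forward(first_packet, K1, K2, next_hop_capable=True)
    return extract_metadata(at_egress, K2)
```

Because each hop verifies with the upstream link key and re-signs with the downstream one, a forged or altered metadata block is rejected at the first participating element rather than trusted end to end.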

Like any signaling protocol, backward signaling is as important as forward signaling. If networking equipment had information about the already established sessions and sent metadata backward, each participating network element could learn about conditions on the selected pathway and route future sessions accordingly. Once again, this signaling metadata could be inserted into the payload and be removed by a participating network element, transparent to the end application.

The final and critical requirement for session-based signaling is that routing equipment needs to be session-stateful. We need to force a bi-directional flow to go through the same router; the NAT boundaries between networks are guaranteed. This is because a session-based signaling system could make NATs invisible, just as IP networking makes media access control (MAC) addresses invisible. A real-life, scalable example is local number portability: the public switched telephone network (PSTN) address space has both real numbers and virtual numbers. Most phone calls are signaled with both addresses, but the real numbers do the actual routing. Data networks can follow similar models to communicate and force bi-directionality where needed.

It is only a matter of time until we recognize the restrictions placed on NFV and SDN deployments by the lack of a true signaling system. With that, an unavoidable networking revolution is coming as our tens of millions of unconnected IP networks start to communicate through signaling at the session layer. With that revolution comes the hope and promise for renewed and true innovation in networking.

Patrick MeLampy is the Co-Founder and Chief Operating Officer at 128 Technology

The original post can be found here.
