Software Defined Wide-Area Networks
by Nick Feamster
Designers of wide-area networks are turning to Software Defined Networking (SDN) to overcome the limitations of existing network protocols for setting up wide-area network configurations. Software Defined WANs (SD-WANs) refer to any wide-area network that is managed by software control; there are generally two types of SD-WANs:
- Intradomain SD-WANs, where a single administrative domain uses SDN-controlled switches to accomplish various network management tasks, such as provisioning of secure tunnels between multiple geographically distributed portions of a network that are under the control of a single administrative domain.
- Interdomain SD-WANs, where multiple independently operated domains connect to one another via a shared layer-2 switch to accomplish various network management tasks, including inbound traffic engineering and denial-of-service (DoS) attack prevention.
In this article, we briefly discuss some of the current approaches to SD-WANs.
Some of the most prominent intradomain SD-WANs include those that interconnect the data centers of very large commercial providers, such as Google’s B4 network architecture, an SDN-controlled backbone network that controls how network traffic is routed between geographically distributed data centers. In its B4 network architecture, Google employs the unique properties of its inter-data center traffic and the programmability of SDN switches to run its backbone at more than 90% of capacity, a level of utilization that would be remarkable for a conventional network. Similarly, Microsoft’s SWAN architecture takes advantage of SDN’s central control paradigm to achieve utilization that is 60% higher than its older network without SDN. In comparison to existing approaches, such as MPLS TE (Multiprotocol Label Switching traffic engineering), the SD-WAN approach can allocate network resources more flexibly, resulting in much higher network utilization.
Large enterprise networks such as financial institutions are also beginning to use SDN to simplify network provisioning between remote branch offices. In these settings, enterprise networks often aim to deploy secure WAN architectures, where traffic may be segmented according to application or customer. Additionally, operators of these networks may wish to establish a single coherent network by “stitching together” disparate underlying network transport technologies (e.g., a wired IP backbone or an LTE network) and optionally inserting virtual network functions at various places along the end-to-end Internet path. Vendors such as Viptela and CloudGenix enable network operators to achieve inter-branch connectivity by abstracting the details of the underlying network transport. Each of these products also offers capabilities that will be important for the emerging Network Functions Virtualization (NFV) paradigm; for example, Viptela provides capabilities for steering traffic through virtual middleboxes, and CloudGenix offers the ability to manipulate traffic at the granularity of applications and sessions, both of which are important abstractions for NFV. Both solutions offer abstractions for building virtual network topologies that are independent of the underlying transport.
At a higher layer of the network stack, Glue Networks aims to enable integration, management, and orchestration of heterogeneous network components; this framework uses a superset of NETCONF and YANG to build a data model that integrates a variety of heterogeneous network components. If a network device—ranging from a hardware switch to a virtual network function—can be expressed in terms of a simple data model, the Glue Networks controller can integrate it.
Another emerging space is interdomain SD-WANs at locations such as public Internet exchange points (IXPs). In these settings, multiple distinct and independently operated networks interconnect at a layer-2 exchange point to exchange traffic with one another. Today, these networks use an interdomain routing protocol called the Border Gateway Protocol (BGP) to exchange routing information with one another, which in turn controls how traffic flows between these networks. Interconnection is an increasingly important topic in the interdomain setting, where networks that interconnect with one another need more flexibility than current routing protocols provide. For example, BGP makes it difficult for one network to control how traffic enters its network from another network (a process known as inbound traffic engineering), and certain types of business relationships—such as interconnecting only for certain types of traffic or at certain times of day—are particularly difficult to implement using BGP. Moreover, it is also difficult for one network to control the paths that networks that are not directly connected to it choose to reach it.
The shortcomings of using BGP for interconnection have become more acute recently, as we have seen in the inability of large ISPs and content providers to negotiate peering relationships and control how traffic is distributed across multiple peering and transit links. The shortcomings are also exacerbated by the lack of security in BGP; although some variants of BGP do incorporate some security properties (e.g., the BGPSEC proposal), these solutions are generally afterthoughts that are shoehorned into the current interdomain routing protocol and are neither flexible nor designed from first principles. As a result, they lack even basic mechanisms that many of today’s network applications need, such as the ability to delegate the right to redirect traffic through a third-party network or service (as in Radware’s Defense4All or Verisign’s DDoS protection offerings, each of which requires a network to allow a third-party service to “hijack” its IP prefix using BGP).
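To make the interdomain case concrete, here is a small, constructed model (added for this article; it is not code from any real exchange-point controller or from the author) of how an SDN-controlled exchange could express the policies the preceding two paragraphs say BGP handles poorly: inbound traffic engineering by application port, interconnection only at certain times of day, and explicit delegation of redirection rights to a third-party service. The AS numbers, prefixes, and port names are all invented sample values; BGP is assumed to supply one default next hop per prefix, and a policy is honored only if it was installed by the prefix's BGP owner or by a participant that owner has delegated to.

```python
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

# Constructed sample: BGP best route per prefix (prefix -> originating participant).
BGP_BEST = {
    ip_network("203.0.113.0/24"): "AS64500",
    ip_network("198.51.100.0/24"): "AS64501",
}
# Constructed sample: the owner of 203.0.113.0/24 explicitly delegates the right
# to attract its traffic to a third-party scrubbing participant (AS64510).
DELEGATIONS = {ip_network("203.0.113.0/24"): {"AS64510"}}


@dataclass
class Policy:
    prefix: IPv4Network
    installed_by: str                # participant that submitted the policy
    next_hop: str                    # participant port traffic should be sent to
    dport: Optional[int] = None      # None matches any application port
    hours: Optional[range] = None    # None matches any hour of the day (UTC)


def covering_bgp_prefix(target: IPv4Network) -> Optional[IPv4Network]:
    """Longest BGP prefix that covers the policy's prefix, or None."""
    covers = [p for p in BGP_BEST if p.supernet_of(target)]
    return max(covers, key=lambda p: p.prefixlen) if covers else None


def is_authorized(policy: Policy) -> bool:
    """Only the BGP owner of a prefix, or a party it delegated to, may steer its traffic."""
    owner_pfx = covering_bgp_prefix(policy.prefix)
    if owner_pfx is None:
        return False
    allowed = {BGP_BEST[owner_pfx]} | DELEGATIONS.get(owner_pfx, set())
    return policy.installed_by in allowed


def resolve(policies, dst: str, dport: int, hour: int) -> str:
    """Pick the next hop for a packet: first authorized matching policy, else BGP default."""
    ip = ip_address(dst)
    bgp_pfx = covering_bgp_prefix(ip_network(f"{ip}/32"))
    if bgp_pfx is None:
        raise LookupError(f"no route for {dst}")
    for p in policies:
        if ip not in p.prefix or not is_authorized(p):
            continue
        if p.dport is not None and p.dport != dport:
            continue
        if p.hours is not None and hour not in p.hours:
            continue
        return p.next_hop
    return BGP_BEST[bgp_pfx]


# Constructed policies: owner-installed inbound TE, a delegated scrubbing window,
# an unauthorized redirect by a non-owner (rejected), and a time-of-day bulk policy.
POLICIES = [
    Policy(ip_network("203.0.113.0/24"), "AS64500", "AS64500:web-port", dport=80),
    Policy(ip_network("203.0.113.0/24"), "AS64510", "AS64510:scrubber", hours=range(0, 6)),
    Policy(ip_network("203.0.113.0/24"), "AS64501", "AS64501:redirect"),
    Policy(ip_network("198.51.100.0/24"), "AS64501", "AS64501:bulk-port", dport=873, hours=range(1, 5)),
]
```

Running `resolve(POLICIES, "203.0.113.10", 443, 12)` returns the plain BGP next hop because the only matching policies are outside their hour window or unauthorized.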
Professor, Princeton University
Nick Feamster is a professor in the Computer Science Department at Princeton University. Before joining the faculty at Princeton, he was a professor in the School of Computer Science at Georgia Tech. He received his Ph.D. in Computer Science from MIT in 2005, and his S.B. and M.Eng. degrees in Electrical Engineering and Computer Science from MIT in 2000 and 2001, respectively. His research focuses on many aspects of computer networking and networked systems, with a focus on network operations, network security, and censorship-resistant communication systems. In December 2008, he received the Presidential Early Career Award for Scientists and Engineers (PECASE) for his contributions to cybersecurity, notably spam filtering. His honors include the Technology Review 35 “Top Young Innovators Under 35” award, the ACM SIGCOMM Rising Star Award, a Sloan Research Fellowship, the NSF CAREER award, the IBM Faculty Fellowship, the IRTF Applied Networking Research Prize, and award papers at the SIGCOMM Internet Measurement Conference (measuring Web performance bottlenecks), SIGCOMM (network-level behavior of spammers), the NSDI conference (fault detection in router configuration), Usenix Security (circumventing web censorship using Infranet), and Usenix Security (web cookie analysis).