Nuage’s VNS COULD Open a New Network Model

Alcatel-Lucent announced last week that it was getting into the virtual router business, and at the same time announced an evolution to their Nuage SDN platform strategy.  The Nuage stuff it good; some of what they did is what Alcatel-Lucent and others should have done from the first with SDN.  Some of it also creates a vision of network services that could actually have made a better and broader business case for a virtual router.  All of it has potential, but it’s still not clear how far Alcatel-Lucent will push it nor how easily customers will accept it.

We’ve always tended to build IP networks using either a single large address space (the Internet) or by partitioning forwarding in some way to isolate portions of the network (VPNs).  When Nicira came along and proposed an overlay VPN, they opened the door for a different conception of network services.  In the overlay model, traditional networking (IP, Ethernet, even vanilla optical paths) simply provides routes for a new layer that’s “above” the traditional Level 3 but below Level 4 in the OSI model.  It plays the role of Level 3 but structurally uses services that would include “real” level 3 services.

Alcatel-Lucent’s Nuage approach has always focused on expanding on the overlay model by proposing that network equipment that could live in both worlds, to create a more effective network services by hybridizing overlay and traditional switching/routing.  However, it was initially focused on the data center, and so it just had the potential to create a different network service model.  What Alcatel-Lucent has now done is explicitly extend the model to branch or satellite locations, and thus realized that end-to-end property that’s obviously critical if you’re going to build a useful “network”.  Without it, you’re building only a network segment.

I’ve always liked the idea of using overlay SDN principles to create end-to-end networks and services.  What this would allow you to do is to establish application and service networks in the cloud and then pair them with edge/access services to create a complete pathway between user and resources.  I noted the potential Nuage had for creating such a service when their product first came out.  Now, Alcatel-Lucent has introduced most of what I’d hoped for in Nuage Virtual Network Services (VNS), and there are potentially significant benefits.

One benefit is that any combination of transport/connection resources can be used under VNS (you might have to fiddle to use underlayment services below the IP layer but it should be possible).  This would offer more choices in VPN provider, harmonize multiple providers, and combine all of that with public Internet where nothing else was available or feasible.

Related to this is the fact that since your overlay routing is highly flexible, you can select different paths for different types of traffic, using a more expensive service for stuff that justifies it and the Internet for lower-value traffic.  You can also fail over from one to the other under policy control to manage availability and cost.

A third benefit is that the overlay network is more secure.  While it may still be possible to attack points in the underlayment through DDoS for example, you can’t get onto the overlay easily because access is security/policy controlled.  You could even use the strategy to create application-specific networks and join groups of authorized users to them.

There are a couple of possible benefits too, ones I think either are already supported or are likely to be near-term extensions.  I can’t find validation in the documentation so we’ll have to retail the qualified notion of benefit for now.

The first of the possible benefits is application-specific networking all the way to the user.  If you could create multiple overlays, per-application or group thereof, in the data center and if you could link these to the branch, then selectively to “class-of-user” groups in the branch, you could fully segregate application traffic for security purposes.  I think this can be supported in the data center but I can’t see specific claims to be able to terminate multiple application networks in a single branch gateway.  It would be a great feature.

The other relates to the cloud.  Since the gateways can be either physical devices (appliances) or virtual ones, it would appear that you might even be able to put one of them into a cloud.  If that’s true then this could be a way for users to merge multiple cloud providers and internal data center resources into a single network.

The user could build VNS overlays on their own, but it’s also possible for an operator to build services based on this framework and offer them to users.  That could make VNS available to even SMBs, and it could open a pathway toward creating custom network relationships for cloud services.

If you think about the VNS approach, it raises some interesting questions about the broader application of IP to services.  Suppose we were to build a network infrastructure entirely of low-level pipes or tunnels, which could be based on any handy point-to-point protocol.  We could lay something like VNS on top of this and essentially do without routing in the traditional sense.  There might be scaling issues, but there might also be a way to overcome them—and create some agility at Layer 3 at the same time.

Suppose we go back to our low-level pipes, and instead of directly laying VNS on them, build instead a layer made up of virtual routers. Yes, the same kind that Alcatel-Lucent announced last week.  If we presumed that our low-level “pipe infrastructure” linked cloud data centers, then we could host router appearances in these data centers and create what would be parallel disconnected Level 3 networks.  The virtual nature of the routers means that you could select a Level 3 topology based on your traffic topology (likely based on branch/satellite office locations and connectivity).  You stick the routers where the traffic pattern says you need a node.  If it changes, you change node locations.  These could be offered per customer, per service, or whatever.  Again, this isn’t a complete replacement for IP and routers as we know them, but it could be an alternative way of offering business services.

And maybe more.  This model would allow operators to separate how VPNs and business services are offered.  It could also allow them to separate consumer services by service type, aggregating the traffic in serving offices and cell sites to create a single address space.  There might be less need for lower-level switching/routing using real devices; the “bottom of the stack” could be agile optics and tunnels—including SDN.

How far we’ll go along these lines is hard to say, and it’s harder to say how fast we might progress to whatever the destination happens to be.  Vendors may have a choice here—do they embrace the virtual model of the router, which would lower their revenue but also eliminate hardware cost and perhaps raise their margins?  Do they embrace the migration of lower-layer connectivity downward to the optical layer?  It think it’s clear that vendors like Alcatel-Lucent have more incentive to change the game in routing because they have related service and optical technologies that will still sustain them.  For the pure-play switch-router vendors, this trend might be a difficult one to navigate.