The modern view of a virtual private network is clearly trying to balance the “virtual” part and the “private” part. Private networks based on dedicated per-tenant facilities were the rule up to sometime in the 1980s, when IP VPNs came on the scene and introduced shared-tenant VPNs. Now the VPN space seems to be moving toward the use of the Internet as the shared resource, the “software-defined WAN” or SD-WAN. Cisco’s buy of Viptela, an SD-WAN player started by former Cisco employees, is perhaps a critical validation of the space, and at a critical time.
SD-WAN technology is based on the notion of an overlay network, a layer higher than Level 3 (IP). Each user gets a box (or software element) at each site, and that box terminates “tunnels” or overlay connections over which the user’s VPN traffic is carried. In most SD-WAN implementations today, there is no presumption of internal “nodes”, and in effect the sites are fully meshed using these overlay tunnels.
For enterprises, SD-WAN can be a boon. Internet connectivity is far less expensive than IP VPNs, and SD-WANs are also far easier to use and manage than MPLS VPNs that require implementation of BGP. You can extend an SD-WAN to anywhere that Internet connectivity is available, and you can even make sites “portable”. Since SD-WAN VPNs can be sold by anyone, not just by MPLS network operators, it’s inevitable that users will be exposed to them and consider them, so even some network operators are offering SD-WAN today. Most use it to supplement their MPLS VPN offerings, but there’s a trend toward SD-WAN-only options.
The big problem with SD-WAN Internet overlay VPNs is the lack of QoS (or, in buyer terms, lack of a good service level agreement). The Internet is a best-efforts service, which makes senior managers cringe when they consider that “best” efforts at any point might equate to “no effort.” Some buyers also worry about security, given that Internet overlay networks can be attacked from the Internet using DDoS techniques because the endpoints are all addressable.
Mainstream equipment vendors haven’t been thrilled by SD-WAN, in part because they saw it as a threat to their carrier and even premises router business. However, refusing to sell a given product doesn’t mean the buyer won’t get it, only that they won’t get it from you. “Better to overhang your own product than to let someone else do it!” is how one vendor put it years ago. Still, it does seem odd that Cisco would jump into the space now. Why would they?
One reason is that operators and enterprises are already slow-rolling capital spending on networking, and seeking lower-cost options. Cisco has never been a price leader, and price pressure either hurts their margins or (gasp!) shifts the deal to Huawei. SD-WAN gear could offer Cisco a way of supporting VPNs at a lower cost than before, which makes their gear more attractive in a capex-constrained market.
Another factor is the explosion in the use of the Internet as a front-end. Companies reach their customers almost exclusively through the Internet, and more of them use the Internet every day to reach workers, particularly mobile workers. With the growth in enterprise commitment to the Internet, CIOs and senior managers have accepted much of the risk of Internet best-efforts service and even security problems. SD-WAN is less threatening.
But there’s a new issue on the table now, that of “Internet QoS”. While senior management tends to rate lack of an Internet SLA and lack of Internet security almost equally important in preferring another VPN technology over SD-WAN, CIOs say it’s lack of an SLA by almost five to one. Internet QoS, in regulatory terms, means two things—paid prioritization of traffic and settlement among ISPs for premium handling. In the US, both these QoS requirements were off the table—until recently. Now FCC Chairman Pai seems headed to eliminating the FCC’s classification of Internet services under Title II (common carrier). That would, based on my reading of the court opinions on prior orders, eliminate the FCC’s authority to regulate either paid prioritization or settlement practices.
Settlement and paid prioritization on the Internet could create an SD-WAN boom to end all booms. It would almost guarantee that network operators would adopt SD-WAN on their own, and create a whole new managed service industry around third-party SD-WAN services. Cloud providers like Google, Amazon, Microsoft, Oracle, and (now that IBM has bought Verizon’s cloud business) IBM, would probably offer SD-WAN in conjunction with their cloud services. Given that the overall market trends favor SD-WAN anyway, the regulatory shift would only make things better and faster, and that could well be why Cisco is moving in now.
There’s also talk that an SD-WAN boom created by incumbent network providers or cloud providers could boost virtual CPE sales, which could boost NFV. The only bright spot for NFV so far has been vCPE, but it’s not a huge opportunity given that most of the value would be in enterprises, and most enterprises already have their own solutions for vCPE features like firewall. What vCPE needs is a camel’s nose, something that is new and thus not already fulfilled by customer equipment on the premises. SD-WAN, anyone?
An Internet-overlay SD-WAN could also be much more tactical, since the only special network feature needed is the “paid prioritization”. You could spin them up, expand and contract them, and change their QoS and capacity pretty much at will, because all would draw on an enormous reservoir of Internet bandwidth. You could also implement 5G network slicing using SD-WAN, better support cloud services and content delivery.
Perhaps the most interesting thing about this SD-WAN trend is the impact it could have on global telecom infrastructure. No more specialized VPN technology, clearly, but there are two seemingly contradictory offshoots of the trend. First, the Internet could become a truly universal data dialtone service and eventually be the only “transport” service that’s available. Second, all services including the Internet could become overlays on any mixture of transport that happened to be available. Think the MEF’s Third Network. Which of these might happen would likely depend on the pace of regulatory reform globally, the success of optical vendors in defining virtual-wire services, and the insight of SD-WAN vendors show in promoting the notion.
The notion of an overlay-driven service network isn’t new. I encountered it almost ten years ago when Huawei proposed the “Next-Generation Service Overlay Network” concept to the IPsphere group, and subsequently got it moving in the IEEE. We’ve never quite gotten the idea over the finish line in terms of fulfilling its potential, but it just might now be taking that critical step. The question may well be whether Cisco is actually going to promote SD-WAN, or is just creating a nice home for some former engineers.