128T Networking Platform PDD v3
29 November 2016
Abstract: This document provides the reader an overview of the 128T Networking Platform product, technology and use cases.
V3.0
SAFE HARBOR STATEMENT
This document may describe future product capabilities and therefore may contain forward-looking statements. 128 Technology has made no commitments or promises orally or in writing with respect to delivery of any future software features or functions. All information is for informational purposes only and 128 Technology has no obligation to provide any future releases or upgrades or any features, enhancements or functions, unless specifically agreed to in writing by both parties.
128 T Networking platform 2
TABLE OF CONTENTS
Executive Summary ... 5
Introduction – The Problem ... 5
Advanced Secure Networking Principles ... 6
128T Networking Platform overview ... 7
Platform Components ... 7
128T Conductor ... 8
128T Slice ... 8
Versatile distributed router architecture ... 9
Multiple software deployment models ... 9
Resiliency architecture ... 10
Synchronizing Flow State ... 11
Failure Scenarios ... 12
In-service Software Upgrades ... 13
Service Centric Data Model ... 13
Authority ... 14
Router ... 14
Global Services, Tenancy and Policy ... 15
Routing with words; QSNs and STEP ... 16
Qualified Service Names (QSNs) ... 16
STEP (Services and Tenancy Exchange Protocol) Overview ... 17
Secure Vector Routing ... 17
Session-aware Data Plane ... 18
Session awareness ... 19
Session based signaling – metadata ... 19
Waypoints ... 20
Packet Processing ... 20
Services Control Plane ... 21
STEP Operating Basics ... 22
Service Centric Abstraction, Automation, and Analytics ... 25
DevOps Ready ... 25
One platform – broad set of use cases ... 27
Next Generation WAN ... 27
Solution Highlights ... 27
Key Capabilities ... 28
Software-defined Datacenter ... 28
Solution Highlights ... 29
NFV – ETSI Framework for Telco Cloud ... 30
Virtual Edge ... 31
Datacenter Interconnect ... 33
Network as a Service ... 33
DEFINITIONS
128T Platform: Represents a single 128T routing instance. A 128T
Platform contains one logical 128T Control and one or more SLICEs.
The collection of these nodes can be viewed as a single logical IP
Router.
Authority: Represents a single managed network of 128T routing
instances (128T Platforms). This describes a single network, a
collection of networks, or single managed entity for a group of
routers, and can be considered to be conceptually equivalent to an
Autonomous System.
Tenant: Represents a single sub-network or network segment that is
to be segregated and separated from all others for security,
manageability, and analytics. This is akin to VLAN or VxLAN or
VRF.
Service: Represents a single named application and is the target of
a route. This is similar to an IP address after DNS resolution. A
Service is named by a Tenant with a text string that normally
matches the URL of a service.
Service Group: Represents a portion of a sub-network (tenant) that is to be segregated for manageability and analytics. There is no comparable element in today's networks.
QSN: Qualified Service Name is a 128 Technology concept for an
addressable Service resource and associated tenancy using URI
Generic Syntax defined by RFC 3986. Example:
QSN://Subtenant.Tenant.Authority/Service/ServiceGroup
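The QSN form above is stated, but not parsed, anywhere in this document. The following parser is an added example written for this document, not 128 Technology code: it reads a QSN as RFC 3986 generic syntax, treating the host part as a dot-separated tenant hierarchy whose rightmost label is the authority and the path as the service plus an optional service group. The requirement of at least one tenant label, and the accepted character set for labels and path segments, are assumptions made here.

```python
import re
from dataclasses import dataclass
from typing import Optional, Tuple

# Added example, not 128 Technology code: a parser for
#   QSN://Subtenant.Tenant.Authority/Service/ServiceGroup
# Labels use RFC 3986 unreserved + sub-delims characters minus the "."
# separator; path segments additionally allow ".", ":" and "@" (pchar
# without percent-encoding). Both character sets are assumptions.
LABEL_RE = re.compile(r"[A-Za-z0-9\-_~!$&'()*+,;=]+")
SEGMENT_RE = re.compile(r"[A-Za-z0-9\-._~!$&'()*+,;=:@]+")
QSN_RE = re.compile(r"(?i)qsn://([^/?#]+)(/[^?#]*)?")


class QSNError(ValueError):
    """Raised when a string is not a well-formed QSN."""


@dataclass(frozen=True)
class QSN:
    authority: str                 # rightmost host label: the managed network
    tenants: Tuple[str, ...]       # tenant hierarchy, most specific (subtenant) first
    service: str                   # the named application that is the target of the route
    service_group: Optional[str]   # optional portion of the tenant segregated for analytics


def parse_qsn(text: str) -> QSN:
    m = QSN_RE.fullmatch(text.strip())
    if m is None:
        raise QSNError("expected the form qsn://<tenants>.<authority>/<service>[/<group>]")
    host, path = m.group(1), m.group(2) or ""

    labels = host.split(".")
    # A service is named by a tenant, so at least one tenant label plus the
    # authority label is required (assumption for this example). Empty
    # labels (e.g. "a..b") fail the regex and are rejected.
    if len(labels) < 2 or not all(LABEL_RE.fullmatch(label) for label in labels):
        raise QSNError(f"bad tenant/authority host: {host!r}")

    segments = path.split("/")[1:] if path else []
    if not 1 <= len(segments) <= 2 or not all(SEGMENT_RE.fullmatch(s) for s in segments):
        raise QSNError(f"bad service path: {path!r}")

    return QSN(
        authority=labels[-1],
        tenants=tuple(labels[:-1]),
        service=segments[0],
        service_group=segments[1] if len(segments) == 2 else None,
    )


def canonical(q: QSN) -> str:
    """Re-emit a parsed QSN with a lowercase scheme and no trailing slash."""
    host = ".".join(q.tenants + (q.authority,))
    path = "/" + q.service + ("/" + q.service_group if q.service_group else "")
    return f"qsn://{host}{path}"


if __name__ == "__main__":
    parsed = parse_qsn("QSN://Subtenant.Tenant.Authority/Service/ServiceGroup")
    print(parsed)
    print(canonical(parsed))
```

Rejecting empty labels and extra path segments at parse time matters because the QSN is what a route is keyed on: a lax parser would let two differently spelled names resolve to the same tenant or service.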
EXECUTIVE SUMMARY
The 128T Networking Platform is a software-based, distributed
routing and network services solution. The 128T Networking Platform
uses Secure Vector Routing to simplify network architectures and
provide fine-grained, end-to-end control and visibility. 128T
software runs on general-purpose compute platforms and allows a
wide range of deployment models - from remote branch offices to
high-capacity network edges to hyper-scale data centers. The
platform enables greater control, security and agility by
distributing intelligence throughout
the network - without disrupting your existing network
infrastructure.
INTRODUCTION – THE PROBLEM
For many companies, the network is a core part of their business –
and in some cases, the network is their core business. However,
most networks haven’t been architected to handle the next
generation of business and application requirements. Networks have
gradually become too complex, too fragile and too costly to deliver
the necessary advances in agility, security, and control needed for
cloud, mobile and emerging applications such as IoT. Even modern
SDN approaches still rely on a decades-old network paradigm based
on complex overlays, proliferation of stand-alone network
functions, outmoded security models and a fragmented
approach to end-to-end networking.
Overlay sprawl
Overlay sprawl is responsible for a large component of legacy network complexity. Legacy approaches are overloaded with overlays such as MPLS, IPsec, VxLAN, VPLS and more. Overlay networks are layered on top of IP networks in large part to deliver deterministic routing, network virtualization and segmentation to stateless IP networks. These stateful and largely tunnel-based overlays carry with them significant networking overhead, fragmentation issues, scaling challenges and operational costs while rendering most security and monitoring systems useless.
Complexity and cost proliferates with middle-boxes
Middle-box proliferation constitutes another significant challenge to simplifying networks. Advanced session-aware network functions such as firewalling, load balancing and WAN optimization have been "bolted onto" networks as independent middle-boxes, each one carrying continuous CAPEX and OPEX spend. As security models evolve and IP traffic is increasingly encrypted end-to-end, from device to application, the role of many of these middle-box functions will need to change dramatically. The time is ripe for a consolidation of L4-L7 network services functions and a re-thinking of the role of many of these advanced network services.
Networks lack application and services context
Bringing applications and network closer together promises to deliver vast improvements in efficiency, greater visibility, improved application performance and open the doors to long term innovation. Legacy networking approaches remain fixed in the original guiding design principle that the network should remain dumb and intelligence should reside in hosts and applications. Modern SDN approaches attempt to bridge the divide between applications and networks through abstractions and APIs, but fall short by leaving the network dumb. A smarter networking model that is session-based and application aware, with a native services-centric context, can create a breakthrough in intelligent networking and foster long term innovation.
ADVANCED SECURE NETWORKING PRINCIPLES
128 Technology believes networking should be simpler, more agile and more intuitive while providing advanced security, reliability and inter-networking. This vision for Advanced Secure Networking requires some re-thinking of traditional networking precepts.
128 Technology's Advanced Secure Networking vision is rooted in five basic principles.
IP networks should be natively session-aware
All meaningful IP services and applications are based on sessions, not packets. Most advanced network capabilities such as firewalls, load balancers and WAN optimizers are based on stateful management of sessions. Session-aware IP networking opens the door to a new realm of simplified intelligent networking and fine-grained analytics.
Security, load balancing and monitoring are not stand-alone
functions
A session-based network is the foundation for the consolidation of
network functions beginning by making security and load balancing
native.
Networks must evolve to be application and services-centric
Routing and routing control planes should evolve from simple IP
address and cost based metrics to encompass service topologies and
policy frameworks based on a distributed and abstracted data model.
Multi-tenanted policy and control logic should exist within, not on
top of, the IP network.
Overlays are not the answer
Overlay networks such as MPLS, IPsec and VxLAN are layered on top
of IP networks in large part to deliver deterministic routing,
network virtualization and segmentation. These largely tunnel-based
overlays carry significant networking overhead, fragmentation
issues, scaling challenges and high operational costs while
obfuscating most security and monitoring systems. Session-aware
networking enables the replacement of overlays with more secure,
scalable and agile end-to-end virtual networking at a fraction of
the cost and overhead.
Zero trust security must be everywhere
Perimeter security models are no longer sufficient. Every aspect of
networking will require that no user, traffic source or connected
network is considered as trusted. IP routing is not an
exception.
128T NETWORKING PLATFORM OVERVIEW
The 128T Networking Platform is a fully software-based, distributed and programmable routing and network services platform. The platform is designed based on advanced secure networking principles and delivers a new session-aware and secure networking architecture, Secure Vector Routing.
PLATFORM COMPONENTS
The 128T Networking Platform is comprised of three building blocks:
the 128T Conductor, the 128T Control and the 128T Slice (Software
Line Card Engine). A combination of one or many 128T Controls and
128T Slices together form a single logical router supporting a wide
range of deployment models scaling from a remote branch office to a
high capacity edge router to a hyper-scale software-defined
datacenter.
Figure 1: 128T Networking Platform Architecture
128T Conductor
The 128T Conductor is a management, policy and analytics engine that provides centralized orchestration, administration, monitoring and analytics aggregation for multiple geographically dispersed 128T Routers. The 128T Conductor maintains a network-wide, multi-tenanted services and policy data model which is exposed via northbound RESTful and Netconf APIs and distributed to 128T Routers.
The 128T Control is the centralized network and services control
plane and analytics engine for a 128T Router. This includes
computing and preparing all IP routing tables, managing service
policies, collecting analytics, and configuration management.
Through 128T Control, the IP routing information base (RIB) is
combined with service policies to create a Services Information
Base (SIB) which is distributed to each 128T Slice. Each 128T
Control defines a single instance of a 128T Router.
Capabilities include:
1. IP control plane and routing stacks (OSPF, IS-IS, BGP)
2. Services control plane via STEP (Services and Tenancy Exchange Protocol)
3. Federating with other 128T Routers
4. Analytics engine and database
5. Traffic and topology visualization
6. Scalability up to thousands of 128T Slices
7. High availability clustering
8. RESTful and Netconf northbound APIs
128T Slice
The 128T Slice, or Software Line Card Engine, is an analog of a physical line card of a chassis-based IP router. 128T Slice software performs high-speed packet forwarding, classification, and security functions. It operates with its own integrated control plane for complex packet handling decisions, without the need to consult a remote controller.
Capabilities include:
1. Distributed IP routing and packet forwarding
2. Each Slice maintains a complete copy of the distributed routing information base (RIB) combined with services policy to form a services information base (SIB)
3. Stateful session detection, classification, routing, and traffic management
4. Application specific routing and QoS treatment
5. Dynamic multipath traffic steering
6. Integrated session-based load balancing
7. Integrated ACLs, DDoS protection, and session-based traffic shaping/admission control
VERSATILE DISTRIBUTED ROUTER ARCHITECTURE
The 128T Networking Platform software was designed from the start with broad scalability and architectural versatility in mind. The entire system may be deployed as a single 128T Router instance running on one system platform or as a single virtual machine. For large-scale distributed environments such as a datacenter or high capacity edge routing, a highly available 128T Controller and many 128T Slices are deployed.
MULTIPLE SOFTWARE DEPLOYMENT MODELS
Multiple server environments are supported. These include bare metal, Linux – KNI, and virtual machines. As a networking platform for cloud environments, the 128T solution will integrate with most industry leading hypervisor and orchestration solutions including KVM/OpenStack and VMware ESXi / vCloud Director.
Figure 2: 128T Networking Platform distributed architecture
models
The 128T router supports various deployment models to enable
flexibility and deployment agility. In its simplest form the 128T
router can be deployed on any Intel DPDK enabled platform. CentOS
is the preferred OS. We also support Red Hat and Fedora. The 128T
system also supports Kernel Network Interface (KNI). In this
scenario packets to and from the Guest VMs will be forwarded to the
128T system by the kernel through Vhost-net or KNI interface. The
128T router supports both Direct Path IO and SR-IOV to provide
direct access to the NIC. DPIO has a one to one mapping between the
physical and virtual NIC ports. With SR-IOV it is possible to have
8 VFs per NIC port. Finally, 128T also supports para-virtualized
drivers. This provides optimized Rx/Tx queue handling through
shared memory queues. The 128T system can thus be deployed on any
Intel based COTS platform whether physical or virtual. It can also
work with OpenStack and vCloud Director for deployment in private
clouds. It can also be hosted in public clouds like AWS, Azure, or
Google Cloud Platform for providing routing and other integrated
functions.
RESILIENCY ARCHITECTURE
The 128T resiliency solution provides virtually zero downtime by maintaining sessions through redundant clusters in a single or multi-site environment. It provides unprecedented elasticity through an N+M redundancy model, high reliability through fast failover by continuous flow state synchronization between appliances and innovative multi-site failover, and unlimited scale through hardware agnostic redundancy.
The solution operates in Active/Active clustering mode. Multiple routers are grouped together as clusters, with multiple Active units processing traffic and sharing the network load. Each cluster node contains a minimum of two units acting as a stateful HA pair. Active/Active clustering provides stateful failover in addition to load sharing. The customer may choose to pass all traffic through one of the routers in the cluster. In this case the remaining routers in the cluster will not be processing traffic, but they are all in Active mode with the ability to process traffic if required.
The 128T solution operates in N+M redundancy mode where any number of routers participate in a cluster and they can act as backups of one or multiple routers in the cluster. Interfaces on different routers can be configured as redundancy groups. These redundancy groups are collections of resources that need to fail over between the routers. An interface in a redundancy group is chosen as the primary and another as the secondary. This is done via a leader election or based on user defined priorities. Primary interfaces are used to route traffic through the cluster. In case of failure the traffic from the primary interface is switched to the secondary interface in the redundancy group via Gratuitous Address Resolution Protocol (GARP) or other routing protocol exchange.
A fabric link between the routers is used to route traffic between
them in case of failure. In the diagram these are shown as directly
connected links but they do not have to be. Also the diagram shows
two routers in a cluster for ease of understanding however there
can be multiple routers in the cluster.
The management link between the routers is used to exchange routing and flow information between the routers. This is shown as a separate directly connected link between the routers in the diagram, however it can share any link. All information between the routers is shared using highly efficient in-memory databases to minimize bandwidth usage and to enable instantaneous information exchange.
All processes in a 128T router are self-resilient. They can regenerate themselves independently in case of process failures or exceptions. Unless there is a dependency that requires other processes to restart or the device to switch over, the process will rebuild itself and establish communications to the existing processes. If a process failure requires another process to be restarted due to a dependency, then that process is restarted automatically. In-built self-checking mechanisms managed with software diagnostics ensure the integrity of the entire system.
The distributed nature of the 128T system and complete independence from the underlying hardware ensure that there is no limit on the number of routers that are part of a cluster. There is also no restriction on the number of interfaces that can be part of a redundancy group. This ensures that the solution is abundantly elastic. It can scale from a 1+1 configuration in a branch office to a fully distributed cluster in a large data center with N+M redundancy. This ensures a scale-out architecture that can span numerous use cases and any possible scenario.
Figure 11: Redundancy
Synchronizing Flow State
The 128T system syncs TCP and UDP flow state information between
routers to ensure that no flows are lost and applications are not
disrupted due to network outages. To ensure that no bogus or random
packets cause the system to attempt to sync state, the 128T system
only syncs state for established sessions. The 128T system also
syncs all routing information to forward packets as traditional
routers do in case of failure.
TCP Flow
The 128T router creates an established flow record in its local in-memory database when a TCP flow is established. This is done when the 128T router receives a SYN-ACK packet in response to a SYN packet that it has forwarded recently. Once this record is created for that particular flow, it is synced with routers in the cluster so that interfaces in redundancy groups can take over traffic forwarding in case of failure. This state information is maintained as long as the flow is active. The record is removed when the TCP session ends or when an inactivity timer expires. All information related to the flow, such as policy, security, and quality of service rules, is observed by all routers in the cluster to ensure complete reliability and security.
In the figure only two routers are depicted for ease of
understanding. The 128T system can work with many routers in a
cluster.
UDP Flow
The 128T router creates an established flow record in its local in-memory database when a UDP flow is established. This is done when the 128T router has forwarded a preset number of packets related to that UDP flow. Once this record is created for that particular flow, it is synced with routers in the cluster so that interfaces in redundancy groups can take over traffic forwarding in case of failure. This state information is maintained as long as the flow is active. The record is removed when the UDP session ends or when an inactivity timer expires. All information related to the flow, such as policy, security, and quality of service rules, is observed by all routers in the cluster to ensure complete reliability and security.
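The TCP and UDP rules above, as an added example that is not 128T code: a small simulation of two cluster routers that create established-flow records only when a SYN-ACK answers a SYN they forwarded (or after a preset number of UDP packets), replicate those records to peers, and remove them on session end or inactivity. The router names, the UDP packet threshold, the timeouts and the record fields are assumptions made for this example. The point a defender cares about is visible in the SYN-ACK branch: a stray or spoofed SYN-ACK for a flow the router never forwarded creates no state and triggers no sync, so unsolicited packets cannot inflate the replicated database.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not 128T code. Threshold, timeouts and field names are assumptions.
FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)

UDP_ESTABLISH_PKTS = 3     # assumed "preset number" of forwarded UDP packets
INACTIVITY_TIMEOUT = 30.0  # assumed inactivity timer, seconds
SYN_PENDING_TIMEOUT = 5.0  # assumed window in which a forwarded SYN may be answered


@dataclass
class FlowRecord:
    key: FlowKey      # stored in the direction of the first packet
    policy: str       # policy / security / QoS decision that travels with the flow
    last_seen: float


def reverse(key: FlowKey) -> FlowKey:
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class ClusterRouter:
    def __init__(self, name: str) -> None:
        self.name = name
        self.peers: List["ClusterRouter"] = []
        self.established: Dict[FlowKey, FlowRecord] = {}  # replicated to peers
        self.pending_syn: Dict[FlowKey, float] = {}       # local only, never synced
        self.udp_counts: Dict[FlowKey, int] = {}          # local only, never synced
        self.sync_log: List[Tuple[str, FlowKey]] = []     # updates received from peers

    def join(self, other: "ClusterRouter") -> None:
        self.peers.append(other)
        other.peers.append(self)

    # --- replication over the management link ---
    def receive_sync(self, op: str, rec: FlowRecord) -> None:
        self.sync_log.append((op, rec.key))
        if op == "add":
            self.established[rec.key] = FlowRecord(rec.key, rec.policy, rec.last_seen)
        else:
            self.established.pop(rec.key, None)

    def _sync(self, op: str, rec: FlowRecord) -> None:
        for peer in self.peers:
            peer.receive_sync(op, rec)

    def _establish(self, key: FlowKey, policy: str, now: float) -> None:
        rec = FlowRecord(key, policy, now)
        self.established[key] = rec
        self._sync("add", rec)

    def _remove(self, key: FlowKey) -> None:
        rec = self.established.pop(key, None)
        if rec is not None:
            self._sync("del", rec)

    # --- a packet this router is forwarding ---
    def forward(self, key: FlowKey, now: float, flags: str = "", policy: str = "allow") -> str:
        proto = key[0]
        rec = self.established.get(key) or self.established.get(reverse(key))
        if rec is not None:
            rec.last_seen = now
            if proto == "tcp" and ("FIN" in flags or "RST" in flags):
                self._remove(rec.key)          # session ended: drop and replicate the removal
                return "closed"
            return "established"
        if proto == "tcp":
            if flags == "SYN":
                self.pending_syn[key] = now    # remembered locally, not yet a flow
                return "syn-pending"
            if flags == "SYN-ACK":
                # Only a SYN-ACK answering a SYN we forwarded recently creates state.
                opened = self.pending_syn.pop(reverse(key), None)
                if opened is not None and now - opened <= SYN_PENDING_TIMEOUT:
                    self._establish(reverse(key), policy, now)
                    return "established"
            return "ignored"
        if proto == "udp":
            count = self.udp_counts.get(key, 0) + 1
            if count < UDP_ESTABLISH_PKTS:
                self.udp_counts[key] = count
                return "udp-counting"
            self.udp_counts.pop(key, None)
            self._establish(key, policy, now)
            return "established"
        return "ignored"

    def expire(self, now: float) -> List[FlowKey]:
        """Inactivity timer: remove idle records (replicating the removal) and stale SYN bookkeeping."""
        idle = [k for k, r in self.established.items() if now - r.last_seen > INACTIVITY_TIMEOUT]
        for k in idle:
            self._remove(k)
        self.pending_syn = {k: t for k, t in self.pending_syn.items() if now - t <= SYN_PENDING_TIMEOUT}
        return idle

    def can_forward(self, key: FlowKey) -> bool:
        """True when this router holds state for the flow and could take it over on failover."""
        return key in self.established or reverse(key) in self.established
```

Note that pending SYNs and UDP packet counts stay local: only records that reached the established state cross the management link, which is what keeps the replicated database bounded by real sessions rather than by whatever arrives on the wire.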
Failure Scenarios
The 128T resiliency solution can enable zero downtime failure protection for all types of planned and unplanned network outages. It ensures that the end user application is oblivious to any network outage. The solution can provide high availability protection and switchover in case of process, interface, component, device, and cluster failovers. These may be caused by power outages, human errors, or other factors.
In normal operation all traffic is forwarded through the primary interfaces of the redundancy groups. These may be on a single router or may be spread across the routers, resulting in different flows going through either router.
In case of a single primary interface failure, traffic will be routed through the fabric link to the secondary interface on the other router. This fabric link does not have to be a dedicated directly connected link. In case of process, device, component, or dual interface failures that completely disable the router passing traffic, the traffic switches over completely to the other router. By intelligently identifying and syncing established flows, the 128T system is able to guarantee that end user applications do not see any interruption due to network failure.
In-service Software Upgrades
The 128T resiliency solution enables the ability to support in-service software upgrades. This reduces downtime due to planned upgrades. The 128T system provides information to switch traffic to different routers in a cluster. Any router within the cluster can be isolated to prevent traffic forwarding through it while other routers in the cluster continue to forward all the traffic. This isolated router can then be upgraded. The upgraded router can then continue to participate in the cluster. Traffic can be switched back to this router or it can remain dormant in the cluster while fully Active to process traffic if required.
Multi-site Failures
The distributed nature of the 128T system allows it to easily extend to multi-site failure scenarios. Router clusters in multiple sites can be configured as a collection. A router or router cluster configured as the Prime acts as a master store of flow information across the collection. In case of failure traffic can be rerouted via a secondary disaster recovery site. The secondary site can either query the master store on the Prime for information or the Prime can send the master store information to sites in the collection.
Another option is for the secondary site to send traffic directly to the Prime. The Prime already knows the flow information from its master store. It forwards traffic based on this information to the destination. This ensures that traffic flow is not interrupted while querying the master store and waiting for the information, as is the case for many multi-site failover solutions today. If the flow information does not exist on the Prime, then the primary site had never seen this flow and it is just dropped.
On receiving packets back from the destination, the Prime forwards these to the secondary site from which it had received the packets. Once the secondary site gets these packets from the flow, it creates an appropriate record for this flow. The Prime can also respond back to the secondary site with the flow information if it does not receive any return packets. The secondary site can now forward packets for this flow directly to the destination without forwarding them to the Prime.
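The Prime exchange described above, as an added example that is not 128T code: a secondary site relays packets for flows it does not know to the Prime, the Prime forwards only flows present in its master store and drops the rest, return traffic (or an explicit push when none arrives) lets the secondary create its own record, after which it forwards directly. The site names, flow tuples, record fields and return strings are assumptions made for this example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Added example, not 128T code. Names, tuples and return strings are assumptions.
FlowKey = Tuple[str, str, int, str, int]   # (proto, src, sport, dst, dport)


@dataclass
class FlowInfo:
    key: FlowKey
    next_hop: str   # where the primary site was delivering this flow
    policy: str     # policy / QoS rules that travel with the flow state


def reverse(key: FlowKey) -> FlowKey:
    proto, src, sport, dst, dport = key
    return (proto, dst, dport, src, sport)


class PrimeSite:
    """Holds the master store of flow information for the whole collection."""

    def __init__(self) -> None:
        self.master_store: Dict[FlowKey, FlowInfo] = {}
        self.relayed_from: Dict[FlowKey, "SecondarySite"] = {}  # which site relayed each flow
        self.sent_to_destination: List[FlowKey] = []

    def receive_from_secondary(self, key: FlowKey, site: "SecondarySite") -> str:
        info = self.master_store.get(key)
        if info is None:
            return "dropped"   # the primary site never saw this flow, so it is not a live session
        self.relayed_from[key] = site
        self.sent_to_destination.append(key)
        return f"forwarded to {info.next_hop}"

    def receive_return_packet(self, rkey: FlowKey) -> str:
        """Traffic coming back from the destination is handed to the site that relayed the flow."""
        key = reverse(rkey)
        site = self.relayed_from.get(key)
        if site is None:
            return "dropped"
        site.learn(self.master_store[key])
        return f"returned to {site.name}"

    def push_flow_info(self, key: FlowKey) -> bool:
        """Fallback when no return packet arrives: send the record to the secondary directly."""
        site = self.relayed_from.get(key)
        if site is None:
            return False
        site.learn(self.master_store[key])
        return True


class SecondarySite:
    def __init__(self, name: str, prime: PrimeSite) -> None:
        self.name = name
        self.prime = prime
        self.local: Dict[FlowKey, FlowInfo] = {}

    def learn(self, info: FlowInfo) -> None:
        """Create the local record once the Prime has confirmed the flow."""
        self.local[info.key] = info

    def receive_client_packet(self, key: FlowKey) -> str:
        info = self.local.get(key)
        if info is not None:
            return f"forwarded directly to {info.next_hop}"
        return "relayed to prime: " + self.prime.receive_from_secondary(key, self)
```

The drop in receive_from_secondary is the security-relevant branch: a flow that the failed primary site never established is not admitted merely because a packet for it reached the disaster-recovery site.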
SERVICE CENTRIC DATA MODEL
Services are placed at the heart of the Secure Vector Routing design and the 128T data model is the language for describing the services, tenancy and associated policies. The 128T data model has local elements (e.g. router specific) and global elements. The 128T global data model is automatically shared across and between networks using a new services and tenancy control plane protocol (STEP). The data model is expressed in YANG and exposed via northbound REST and Netconf APIs to deliver a full suite of application and orchestration integration services.
Authority
The topmost configuration container in the 128T data model is
called the authority. Conceptually, the authority represents the
complete set of all 128T routers managed under a single
organizational entity. The global data within the authority
container includes service-layer and policy-layer configuration
that applies to all of the 128T routers within this organizational
entity. (In this document, the term “authority” and “organizational
entity” are synonymous, unless specifically referring to the 128T
router’s configuration object container.)
Router
Within the authority is the router object, which describes a single
instance of a 128T router deployed within a network. (Note well
that a 128T router itself consists of several distinct components
which may be deployed co-resident such as a branch router or fully
distributed across a software-defined datacenter.) The configuration
work done within the context of a router is referred to as local
data (as opposed to the global data within the authority). Said
another way: objects configured at the authority level of the
hierarchy apply to all routers, and objects configured at the
router level of the hierarchy apply only to that specific
router.
Included in the local data of the router hierarchy are the software
components that comprise that router (referred to as nodes, which can
be any of Controls, Slices and/or Combos) and router-specific routing
attributes, including both "classic" routing protocols such as BGP and
128T-specific "service routes", defined in the section on Configuring
the Service Layer later in this document. Localized policies, primarily
focused on the traffic distribution and traffic engineering behaviors
of an individual router, are also part of this local data within the
router hierarchy.
Global Services, Tenancy and Policy
Service configuration, which represents the cornerstone of the 128T
router’s worldview, is part of the set of global data within an
authority. The 128T global service centric data model is shared
across all 128T routers in an authority and is comprised of three
simple configuration elements, namely services (including service
agents), tenants and policies.
Services and Service Routes/Agents
Services represent specific applications that a network delivers;
e.g., web services, database services, or voice/video services.
Using a top-down approach, the 128T data model asks that
administrators define the services that their network will deliver,
the requirements that the service demands (in terms of latency,
packet loss, jitter, etc.), and the network topology – and the 128T
router will deliver traffic to the service using the optimal paths
through the network. Because they are global data in an authority,
all services defined within an authority are part of the dataset
for each 128T router that is also a member of that authority.
Services are location independent and most often have multiple
instantiations across a network or datacenter. Service agents
(Service Routes) define specific physical instances of a
service.
Tenants
Services are said to reside within tenants, a term used to
represent a segmented partition within a L2/L3 network. Unlike
other networking paradigms, where segmentation is done using
overlay networking techniques (such as VLANs, VxLANs, etc.), the
128T router uses a novel tenancy model to place traffic sources and
routes to their services (also referred to as service routes) into
logical partitions within the underlay network itself. Tenancy is
hierarchical and there are no practical limits to the number of
levels of the hierarchy. A rich set of hierarchical access control
policies built into the tenancy model ensures that network traffic
flows along prescribed paths, and only from eligible sources.
Tenants, like the services that they contain, are also part of the
global data within an authority. A tenant defined within a 128T
authority is said to "stretch" across all 128T routers that are members
of that authority, and tenant information is shared between 128T router
instances (in fact, it is shared both intra-router and inter-router).
Figure 3: 128T Networking Platform Global Service Centric Data Model
Policies
A set of global policies rounds out the data model; complementing
the router-specific policies, the global policies describe the
treatment of traffic that flows between 128T routers. This includes
information on how packets are classified into their various types
(e.g., how to differentiate between web traffic, voice traffic,
proprietary application traffic, etc.) and the requirements that
those traffic varieties have from a networking perspective.
Policies fall in three categories:
SERVICE POLICIES
Service policies define all of the expected “per session”
attributes. This includes a QoS service class that defines routing
priorities, DSCP and minimal acceptable quality thresholds. Rate
constraints policies for service agents and load balancing policies
are used for link and agent load balancing. Service Policies apply
to both tenants and services.
ACCESS POLICIES
Access policies define access control lists, specifying who and
what applications can access a given service or tenant. Access
policies apply to services and tenants by association with
services.
SECURITY POLICIES
Security policies are used to describe the encryption and
authentication requirements for a specific service. If a security
policy is applied to a tenant, all traffic in that tenant’s network
will use the prescribed encryption mechanism. If a security policy
is applied to a service, then this will override any configured
policy on a given tenant. This behavior allows for fine-grained
control of what types of encryption should be applied at the tenant
or service.
ROUTING WITH WORDS; QSNS AND STEP
This service centric data model provides a foundation for a new
type of routing and policy management that uses the services
language of the data model rather than traditional IP address
prefixes and distance vectors.
Qualified Service Names (QSNs)
A Qualified Service Name (QSN) provides a mechanism to address a
resource or service using a name instead of an IP address. To hide
the complexity of dealing with IP addresses, 128 Technology
replaces the routing logic with words in the form of named services
and tenancy hierarchy. Services or service routes are defined using
a hierarchical uniform resource identifier (URI) known as Qualified
Service Name (QSN).
A Qualified Service Name is a 128 Technology concept for an addressable
service resource and its associated tenancy, using the URI generic
syntax defined by RFC 3986. The QSN has two components: the
hierarchical tenant descriptor and the service descriptor. The
hierarchical tenant descriptor defines the multi-level tenancy for a
service. The service descriptor defines the service itself (and its
service group).
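As an added illustration of the QSN structure and of the policy precedence described under Security Policies above, the following Python is example code written for this page, not 128 Technology's data model or software. It assumes a concrete QSN layout (scheme qsn, the hierarchical tenant descriptor as dot-separated labels in the URI authority with the most specific tenant first, and /group/service as the service descriptor), and it assumes that a tenant-level security policy is inherited from ancestor tenants and that an access policy listing a tenant also admits that tenant's child tenants. The tenant names, service names and policy labels are constructed.

```python
"""Added example: QSN parsing and tenant/service policy resolution.

Not 128 Technology's schema or code. Assumed QSN layout:
    qsn://<tenant>.<parent-tenant>...<root>/<service-group>/<service>
"""
from dataclasses import dataclass, field
from typing import Iterator, Optional, Set, Tuple
from urllib.parse import urlsplit


@dataclass(frozen=True)
class QSN:
    tenants: Tuple[str, ...]  # hierarchical tenant descriptor, most specific first
    group: str                # service group
    service: str              # service name


def parse_qsn(text: str) -> QSN:
    """Split a QSN with RFC 3986 generic-syntax parsing (urlsplit)."""
    u = urlsplit(text)
    if u.scheme != "qsn" or not u.netloc:
        raise ValueError(f"not a QSN: {text!r}")
    tenants = tuple(u.netloc.split("."))
    if any(not label for label in tenants):
        raise ValueError(f"empty tenant label in {text!r}")
    parts = [p for p in u.path.split("/") if p]
    if len(parts) != 2:
        raise ValueError(f"service descriptor must be /<group>/<service>: {text!r}")
    return QSN(tenants, parts[0], parts[1])


@dataclass
class Tenant:
    name: str
    parent: Optional["Tenant"] = None
    security_policy: Optional[str] = None  # encryption requirement for the tenant

    def lineage(self) -> Iterator["Tenant"]:
        """This tenant, then each ancestor up to the root of the hierarchy."""
        t = self
        while t is not None:
            yield t
            t = t.parent


@dataclass
class Service:
    qsn: QSN
    tenant: Tenant
    security_policy: Optional[str] = None          # overrides the tenant policy
    access: Set[str] = field(default_factory=set)  # tenants allowed to reach it


def qsn_matches_tenant(qsn: QSN, tenant: Tenant) -> bool:
    """The tenant descriptor must spell out the tenant's full lineage."""
    return qsn.tenants == tuple(t.name for t in tenant.lineage())


def effective_security_policy(svc: Service) -> Optional[str]:
    """Service-level policy wins; otherwise the nearest tenant-level policy
    walking up the hierarchy (ancestor inheritance is an assumption here)."""
    if svc.security_policy is not None:
        return svc.security_policy
    for t in svc.tenant.lineage():
        if t.security_policy is not None:
            return t.security_policy
    return None


def is_allowed(source: Tenant, svc: Service) -> bool:
    """Access policy: the source tenant, or one of its ancestors, must be
    listed on the service (hierarchical matching is an assumption here)."""
    return any(t.name in svc.access for t in source.lineage())


def build_sample() -> dict:
    """Constructed hierarchy: acme > finance > payroll, and acme > guest."""
    acme = Tenant("acme", security_policy="aes-gcm")
    finance = Tenant("finance", parent=acme)
    payroll = Tenant("payroll", parent=finance)
    guest = Tenant("guest", parent=acme)
    portal = Service(parse_qsn("qsn://finance.acme/web/portal"), finance,
                     access={"finance"})
    ledger = Service(parse_qsn("qsn://finance.acme/db/ledger"), finance,
                     security_policy="aes-gcm-strict", access={"payroll"})
    return {"acme": acme, "finance": finance, "payroll": payroll,
            "guest": guest, "portal": portal, "ledger": ledger}


if __name__ == "__main__":
    s = build_sample()
    print(parse_qsn("qsn://payroll.finance.acme/web/portal"))
    print(effective_security_policy(s["portal"]), effective_security_policy(s["ledger"]))
    print(is_allowed(s["payroll"], s["portal"]), is_allowed(s["guest"], s["portal"]))
```

The check that matters for a reviewer is the precedence order: a service-level security policy must win over the tenant-level one, and the access decision must be made from the source tenant's position in the hierarchy, not from its name alone.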
STEP (Services and Tenancy Exchange Protocol) Overview
Service and Tenancy Exchange Protocol (STEP) is a routing protocol
developed by 128 Technology which enables dynamic exchange of
services, tenancy, and policy between 128T routers to create
dynamic service and policy federations. STEP uses QSNs to
propagate a global view of services, topology, tenancy, and
policies. It complements IGPs and BGP facilitating network
stretching and slicing end-to-end along with distributed access
control and Quality of Service (QoS). STEP provides a mechanism for
128T Routers to discover and share services with other 128T
Routers.
STEP and QSNs enable the ability to stretch a network end-to-end as
one routing scheme can be used for any combination of private
networks, public networks, IPv4 addressing models, and IPv6
addressing models. Services and policy become location independent
as they are no longer tied to physical IP addresses. Workload
elasticity becomes native. Underlying network complexity is
completely abstracted away enabling a much simpler and agile
network for services.
SECURE VECTOR ROUTING
The 128 Technology Networking solution introduces a breakthrough
session-based, service centric and security-infused networking
paradigm called Secure Vector Routing. Secure Vector Routing is
fully compatible and interoperable with existing data and control
plane architectures. Secure Vector Routing replaces and augments
complex out-of-band routing protocols, tunnel-based network
overlays and cumbersome provisioning systems with centralized
control, simple intelligent service routes and in-band (data plane)
signaling.
Secure Vector Routing advances the existing art of routing without
introducing point solutions into an existing network. It works
seamlessly with existing protocols and architectures while
enhancing their capabilities.
Figure 4: Qualified Service Name (QSN) Structure
Secure Vector Routing leverages learning from mobile networking to
ensure path symmetry and guarantee that segmentation rules remain
intact while devices are in motion. Location independent routing
ensures integrated load balancing and workload/device mobility. As
devices and workloads move or new devices appear, established
access control and segmentation rules are automatically
instantiated.
The Secure Vector Routing architecture is comprised of three
components:
• Session-Aware Data Plane
• Services Control Plane
• Service Centric Abstraction, Automation and Analytics
Through these components, Secure Vector Routing brings inherent
directionality, security, hyper-segmentation and dynamic traffic
steering capabilities.
SESSION-AWARE DATA PLANE
128T Routers, deployed at network edges, transform a stateless L2
fabric or L3 network data plane into a fully session-aware data plane
through session-based signaling and waypoint routing. In place of
multiple stateful overlays, end-to-end route vectors are created that
are:
• Deterministic – Session traffic is steered in segments between
waypoints, while double NAT ensures path and flow symmetry.
• Secure – Each route vector carries the ACL and firewall rules
controlling access and the directionality of session initiation. Every
session is authenticated at each hop. Payload encryption is defined per
tenant and applied per session.
• Dynamic – Paths are established dynamically, per session, based on
application policies and network state. Statically provisioned stateful
tunnels are replaced with a model based on ephemeral session state that
is released upon session termination. Link and endpoint session load
balancing is native.
• Multi-tenant – Hierarchical multi-tenancy and secure segmentation are
supported end-to-end across network and NAT boundaries.
Figure 5: Secure Vector Routing Architecture
Session awareness
Secure Vector Routing utilizes deep protocol analysis to recognize
IP packets as IP sessions. Each IP session has a distinct start and
end point. Sessions have directionality as they are initiated from
a start point to an end point. Sessions consist of two flows, one
in the forward direction and one in the reverse direction. After a
session is established, subsequent packets in the session transit
through two unidirectional flows that are instantiated.
In traditional switching and routing infrastructures, forward and
reverse flows may take asymmetric paths through the network.
Traditional routers utilize a stateless per-packet “hot potato”
forwarding approach with no notion of session. With the 128T
solution, all packets associated with a session are routed along
the same path. The packets from the response associated with the
same session are routed along the same reverse path. This
symmetrical flow or bi-flow enables packets to be intelligently
routed, sessions to be controlled, traffic to be proactively
analyzed, and prevents unauthorized flows from using the specific
path.
The bi-flow enables conversations to be treated as individual
sessions bringing true application and service context to the
network.
Session-based signaling – metadata
Secure Vector Routing introduces in-band, session-based signaling. To
establish a bi-flow, the ingress 128T Slice adds metadata to the first
packet of each session. This metadata is understood only by 128T
Slices, and it is only included when the 128T Slice knows that there is
another 128T Slice downstream. The metadata signals information about
the session; all subsequent packets for the same session follow the
same path. Reverse metadata is included in the first packet on the
reverse path for the same session. The metadata is only included once
in each direction, within the first packet sent between the two 128T
Slices.
IP packets may be dropped or lost, so the metadata is repeated on each
packet until a response packet is received. For TCP sessions, this is
the SYN/ACK. For UDP sessions, the metadata may be transmitted several
times before a response packet is received.
The metadata includes original source IP address and port, original
destination address and port, desired QSN, desired IP address (if
local to the 128T platform), desired Class of Service, and other
policy and control information. The reverse metadata includes
utilization metrics and possible service class modification
information.
The 128T Slice receiving the first packet uses deep packet
inspection to retrieve the metadata to become session aware.
Packets with the same forward equivalence can be separated into
individual sessions and managed as sessions. This enables context
aware multi-path routing. The 128T Slice remembers this information
and associates it with the TCP or UDP session. Fast path routing is
enabled once the first packet has forged a path in the
network.
This context awareness per conversation or session enables 128T
routers to guarantee application awareness and granular quality of
experience.
Waypoints
The 128T solution uses waypoints to define the start and end points of
a path that may go through one or more routers providing connectivity
between the two points. Waypoint addresses may be considered similar to
"care-of" addresses in Mobile IP or Segment IDs in IPv6 Segment
Routing. Waypoint addresses are IP addresses and ports configured on a
128T Slice that are used to steer and anchor sessions across network
paths. All traffic between 128T Slices is steered through waypoint
addresses. The ports used as part of the waypoint addresses are
dynamically assigned by the 128T Slices.
Inter-Slice Bidirectional Forwarding Detection (BFD) is used to
test connectivity and path attributes between the waypoints.
Packet Processing
When the first packet corresponding to a new session arrives at a
128T Slice, it determines the appropriate route corresponding to
the session. If a route is found:
1. The 128T Slice translates the source address of the packet to
its own IP address. The destination address of the packet is
translated to the waypoint address of the destination 128T
SLICE.
2. The 128T Slice adds metadata to the packet. This metadata
includes the original source and the destination address of the
packet along with other policy and control parameters.
3. The metadata is then signed and optionally encrypted based on
policy.
4. The payload is then optionally encrypted depending on the policy
associated with the flow.
The packet is then forwarded to the waypoint address of the next
128T Slice in the vector.
The intermediate 128T Slice receiving a new session verifies the
signature data for authenticity and authorization. This process repeats
until the packet arrives at the final destination 128T Slice on the
service route. If an intermediate 128T Slice is unable to verify the
authenticity of the packets, or is not authorized to forward them, the
packets are dropped, ensuring that unauthorized flows do not traverse
the network. At the last-hop 128T Slice, once authenticated and
authorized, the original packet contents are restored and the packet is
forwarded to the final destination.
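The packet processing steps above, as an added example that is not part of the original document and not 128 Technology's data plane. It assumes an HMAC-SHA256 over a canonical JSON encoding of the metadata, under a key shared by the slices, as the "signature"; writes waypoints as ip:port strings; leaves out the optional payload encryption; and uses constructed addresses. Each slice installs a forward and a reverse flow entry when it admits the first packet, so the rest of the session and its reply traffic are steered along the same vector without metadata.

```python
"""Added example: first-packet processing along a route vector.

Not 128 Technology's implementation. Assumptions: waypoints as "ip:port",
HMAC-SHA256 under a pre-shared key as the metadata signature, no payload
encryption, constructed addresses.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

SLICE_KEY = b"constructed-pre-shared-slice-key"  # assumption for the example


@dataclass
class Packet:
    src: str
    dst: str
    payload: bytes
    metadata: Optional[dict] = None   # carried on the first packet of a session
    signature: Optional[str] = None


def sign_metadata(metadata: dict) -> str:
    blob = json.dumps(metadata, sort_keys=True).encode()
    return hmac.new(SLICE_KEY, blob, hashlib.sha256).hexdigest()


def metadata_is_authentic(pkt: Packet) -> bool:
    if pkt.metadata is None or pkt.signature is None:
        return False
    return hmac.compare_digest(sign_metadata(pkt.metadata), pkt.signature)


class Slice:
    def __init__(self, name: str, waypoint: str, routes: Dict[str, Optional[str]]):
        self.name = name
        self.waypoint = waypoint   # address used to anchor sessions at this slice
        self.routes = routes       # original destination -> next slice, None = local
        # (src, dst) on the wire -> (next slice or None, rewritten src, rewritten dst)
        self.flows: Dict[Tuple[str, str], Tuple[Optional[str], str, str]] = {}
        self.delivered: List[Packet] = []
        self.dropped: List[str] = []

    def handle(self, pkt: Packet, net: "Network", prev: Optional[str]) -> None:
        key = (pkt.src, pkt.dst)
        if key not in self.flows and not self._admit(pkt, net, prev):
            return
        nxt, new_src, new_dst = self.flows[key]
        out = Packet(new_src, new_dst, pkt.payload, pkt.metadata, pkt.signature)
        if nxt is None:                  # last hop: deliver the restored packet
            out.metadata = out.signature = None
            self.delivered.append(out)
        else:
            net.slices[nxt].handle(out, net, self.name)

    def _admit(self, pkt: Packet, net: "Network", prev: Optional[str]) -> bool:
        """First packet of a session: authenticate, authorize, install flows."""
        if prev is None:
            # Ingress slice: record the original addresses and sign them.
            pkt.metadata = {"orig_src": pkt.src, "orig_dst": pkt.dst}
            pkt.signature = sign_metadata(pkt.metadata)
        elif not metadata_is_authentic(pkt):
            self.dropped.append(f"{self.name}: bad or missing signature from {pkt.src}")
            return False
        orig_src, orig_dst = pkt.metadata["orig_src"], pkt.metadata["orig_dst"]
        if orig_dst not in self.routes:
            self.dropped.append(f"{self.name}: not authorized to forward to {orig_dst}")
            return False
        nxt = self.routes[orig_dst]
        if nxt is None:
            new_src, new_dst = orig_src, orig_dst        # restore original contents
        else:
            new_src, new_dst = self.waypoint, net.slices[nxt].waypoint  # double NAT
        self.flows[(pkt.src, pkt.dst)] = (nxt, new_src, new_dst)
        self.flows[(new_dst, new_src)] = (prev, pkt.dst, pkt.src)      # reverse flow
        return True


class Network:
    def __init__(self, slices: List[Slice]):
        self.slices = {s.name: s for s in slices}


def build_network(server: str) -> Network:
    """Constructed vector A -> B -> C with the server reachable behind C."""
    return Network([
        Slice("A", "203.0.113.1:16000", {server: "B"}),
        Slice("B", "203.0.113.2:16001", {server: "C"}),
        Slice("C", "203.0.113.3:16002", {server: None}),
    ])


if __name__ == "__main__":
    client, server = "192.168.1.10", "172.16.5.20"
    net = build_network(server)
    net.slices["A"].handle(Packet(client, server, b"SYN"), net, None)
    net.slices["C"].handle(Packet(server, client, b"SYN/ACK"), net, None)
    print(net.slices["C"].delivered, net.slices["A"].delivered)
```

Two failure modes are worth exercising: a forged first packet injected at an intermediate slice with a wrong signature is dropped before any flow state is created, and an authentic first packet for a destination with no service route is refused at the ingress, so neither ever reaches the last hop.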
Figure 6: Waypoint Addresses
The first packet serves to establish an end-to-end path across the
network via the waypoints of intermediate 128T Slices. It also
instantiates a single transient end-to-end session from the ingress to
the egress 128T Slice. Subsequent packets belonging to the flows of the
already established session are sent along the path associated with
that session. Inter-128T Slice traffic is completely secured by Secure
Vector Routing, and these packets traverse the network on a per-session
basis without any form of tunnel overhead.
SERVICES CONTROL PLANE
The session-aware data plane makes dynamic routing decisions based on
fully distributed knowledge of the services topology and policies.
Multi-tenant service and policy based federations are created across
and between networks using STEP (Services and Tenancy Exchange
Protocol), which operates in conjunction with the existing IP control
plane. Services and related policies are configured at their local 128T
router and propagated to other 128T routers within the authority, or
selectively to other authorities. Service policies and IP routing
tables are combined in a fully distributed Services Information Base
(SIB).
Benefits include:
• Virtual network stretching across the fragmented
infrastructure including data center, wide-area network, Internet
and the branch.
• Automation of interconnect between different service
providers, cloud providers and enterprises.
Figure 7:
STEP is a unilateral routing protocol, similar to the current BGP or
OSPF/IS-IS routing models in which all router adjacencies are
explicitly defined or declared: a STEP link starts at one 128T Platform
and terminates on another. Unlike BGP, all routing with STEP is defined
and controlled on a 128T Platform-to-128T Platform basis, and not at an
amorphous authority (ASN) level.
There are two major differences between STEP and current IP routing
protocols:
1. First, STEP is always between two parties, and there is never any
aggregation or repackaging of routes. This makes sense once one
understands that STEP is not a replacement for the current routing
protocols, but rather an extension of capabilities that provides new
kinds of secure routing that were not possible before.
2. Second, STEP supports a separation between service relationships
and transit relationships. The current routing protocols only deal with
transit (and are entirely based on routable IP addresses), while STEP
has two types of bilateral relationships: one for obtaining access to a
service (often in a private network), and a second for obtaining access
to a next-hop transit network (public or private).
The actual routing destinations are defined within 128T Platforms.
These destinations are either service instances or transit routes. The
physical instances of a service or route are called service agents, and
a service agent defines all of the properties of a specific route
instance.
The STEP protocol unilaterally advertises a QSN to its bilateral peers
whenever one or more instances of a service agent exist for it. The
128T Platform offering the QSN is recorded and associated with the QSN.
The advertisement is withdrawn when the number of instances transitions
from one or more to zero. Separately, for adjacent transit networks,
the STEP protocol updates the routing table with the waypoints of other
128T Platforms (by name). When no local routes satisfy a request, these
remote routes are used, with the 128T Platform (by name) as the target
of the route.
STEP Operating Basics
STEP 1: DECLARE ADJACENCY
All 128T Platforms within a single authority are automatically
declared adjacent. In fact, all global data objects are shared
utilizing database techniques and/or extensions to YANG/NETCONF
(128T Control+ architecture). Tenants and services are global. Also
global within an authority are service classes and session types.
This ensures that QoS treatments will be uniform. Importantly, the
public addresses of the remote 128T Platform will be exchanged
during this process as well.
STEP 2: MESH-UP PROCESS
The mesh-up process is the key step in turning logical adjacency into
physical adjacency. This step is completely automated. The two
principal components of the mesh-up process are first the exchange of
adjacent waypoint addresses and second the connectivity test for paths
between waypoints.
Most often, as with hybrid-WAN and datacenter interconnect
environments, two 128T Platforms could be interconnected through
multiple paths on multiple technologies. MPLS, Ethernet Pseudo
wires, Broadband, Direct Internet Access and public Internet could
all be used for interconnecting 128T Platforms. Each
interconnection type carries its unique characteristics with
respect to performance, quality, availability and cost. The mesh-up
process establishes baseline link connectivity and observed quality
measurements that are used to make policy-based routing and load
balancing decisions.
The Mesh Up begins shortly after adjacency is established. The Mesh
Up is automated, and it begins with an exchange of externally
facing waypoint addresses allocated for networking.
Each 128T Platform’s 128T Control looks up all externally facing
waypoints that are to be considered “candidates” for connectivity.
These waypoints candidates are sent through the STEP protocol from
each side to the other.
The next step in Meshing Up is to assess the IP Addresses received
from the other 128T Platform for reachability.
1. Any Private (RFC1918) Address is assumed reachable
2. Public addresses are processed through the OSPF/BGP/IS-IS
Routing table to determine how many AS Hops away the IP Address is,
or what the cost or distance is. These numbers are used to
prioritize these routes.
3. Starting with Private Addresses first, a connectivity
check is performed with BFD.
4. The BFD message has the proper authentication cookies
such that it can’t be faked by an attacker. If a SLICE on the
proper 128T Platform receives this BFD message, it responds. The
response includes information about the interface (size, Class of
Service, quality attributes, etc.). Once a response is received,
the IP Address is kept as a candidate.
5. Public addresses are likewise tested with a connectivity
check. If there is a response, the information is also
recorded.
6. Non-working addresses are kept, but recorded as non-working or out
of service (OOS).
Figure 8: Example Datacenter-Branch mesh-up connectivity checks
The mesh-up is performed by both sides, with each Slice that has an
external interface looking for and testing connectivity with the
addresses shared. As soon as there is at least one working address, the
128T Platform-to-128T Platform connection is declared operational.
Once operational, BFD is used to test connectivity. If an interface
becomes non-working, then it is added to the non-working addresses
list. When there are no remaining working interfaces, the 128T
Platform-to-128T Platform connection is disabled and an alarm
notification is generated. BFD is performed on all previously
working links to test for links coming back into service. For
addresses that never worked, there is a very infrequent re-testing
utilizing BFD. Addresses that begin to work will be added to the
connection. Any change in externally available Waypoints will
generate an update to all existing Mesh-Ups.
Upon completion of the mesh-up process, each 128T Router in an
authority will have established a full topology of the 128T Routers in
the authority and will have performed multi-path connectivity and
quality checks for all of the links between them.
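The mesh-up reachability and connectivity checks above, as an added example that is not 128 Technology's code. The routing costs, the RFC 1918 test, the HMAC-SHA256 cookie that authenticates each BFD-style probe, and the interface attributes returned in the response are assumptions and constructed data for the example.

```python
"""Added example: mesh-up candidate ranking and authenticated probing.

Not 128 Technology's implementation. Private (RFC 1918) addresses are
assumed reachable and tried first; public ones are ranked by routing
cost; each candidate is probed with an authenticated check; the
connection is operational once at least one address works.
"""
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

BFD_KEY = b"constructed-bfd-authentication-key"   # assumption: shared by both platforms
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Candidate:
    address: str
    port: int
    cost: int                          # 0 for private; routing-table cost for public
    state: str = "untested"            # "working" or "oos" after the check
    link_info: Optional[dict] = None   # interface attributes reported by the peer


def is_rfc1918(address: str) -> bool:
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in RFC1918)


def prioritize(waypoints: List[Tuple[str, int]],
               routing_cost: Dict[str, int]) -> List[Candidate]:
    """Private addresses first, then public ones by ascending routing cost.
    A public address absent from the routing table sorts last."""
    cands = [Candidate(a, p, 0 if is_rfc1918(a) else routing_cost.get(a, 1 << 30))
             for a, p in waypoints]
    return sorted(cands, key=lambda c: (not is_rfc1918(c.address), c.cost))


def bfd_cookie(address: str, port: int, nonce: str) -> str:
    """Authentication cookie carried in the probe (assumed construction)."""
    msg = f"{address}:{port}:{nonce}".encode()
    return hmac.new(BFD_KEY, msg, hashlib.sha256).hexdigest()


class PeerSlice:
    """Stand-in for the remote platform's slice that answers the probes."""

    def __init__(self, interfaces: Dict[str, dict]):
        self.interfaces = interfaces    # address -> size, class of service, ...

    def answer(self, address: str, port: int, nonce: str, cookie: str) -> Optional[dict]:
        if address not in self.interfaces:
            return None                 # nothing listening there: no response
        if not hmac.compare_digest(cookie, bfd_cookie(address, port, nonce)):
            return None                 # unauthenticated probe is ignored
        return self.interfaces[address]


def mesh_up(cands: List[Candidate], peer: PeerSlice,
            nonce: str) -> Tuple[bool, List[Candidate]]:
    """Probe every candidate in priority order; all are tested so that
    later load balancing knows each link, not just the first working one."""
    for c in cands:
        reply = peer.answer(c.address, c.port, nonce, bfd_cookie(c.address, c.port, nonce))
        if reply is None:
            c.state = "oos"            # kept, but recorded as out of service
        else:
            c.state, c.link_info = "working", reply
    operational = any(c.state == "working" for c in cands)
    return operational, cands


if __name__ == "__main__":
    peer = PeerSlice({"10.1.1.1": {"size_mbps": 100, "cos": "mpls"},
                      "198.51.100.5": {"size_mbps": 50, "cos": "broadband"}})
    cands = prioritize([("203.0.113.7", 16000), ("198.51.100.5", 16001),
                        ("10.1.1.1", 16002)], {"203.0.113.7": 1, "198.51.100.5": 3})
    ok, results = mesh_up(cands, peer, nonce="n1")
    print(ok, [(c.address, c.state) for c in results])
```

The nonce is passed in by the caller; in a real exchange it has to be fresh per probe so that a captured response cannot be replayed, and the shared key is what stops a third party from answering a probe and getting a bogus address recorded as working.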
STEP 4: SERVICE EXCHANGE
Upon the completion of the mesh-up process, each 128T Router will
share its locally configured services with other members of the
authority. In the example below, services and tenants hosted by the
datacenter are first configured on the distributed 128T Router in the
datacenter. The service routes, defined as QSNs, and related policies
are then propagated to every branch 128T Router in the authority. All
service related QoS, security and access control policies are also
propagated automatically. When services are exchanged with other
authorities, as in a peering scenario or a private-public cloud
interconnect, inter-authority filters are used to control what may be
advertised and received.
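The advertise-and-withdraw behaviour described under STEP above (a QSN is offered when the first service agent instance appears, withdrawn when the count returns to zero, never repackaged by the receiver, and used only when no local route satisfies a request) together with the inter-authority filtering of this service exchange step, as an added example that is not 128 Technology's protocol implementation. It assumes that an export filter and an accept filter are each a set of QSNs (None meaning unfiltered) applied only across authority boundaries; the platform names, waypoints and QSNs are constructed.

```python
"""Added example: STEP-style service advertisement between peers.

Not 128 Technology's implementation; filters are an assumed shape.
"""
from typing import Dict, List, Optional, Set


class Platform:
    def __init__(self, name: str, authority: str, waypoint: str):
        self.name, self.authority, self.waypoint = name, authority, waypoint
        self.agents: Dict[str, int] = {}        # qsn -> local service agent instances
        self.peers: Dict[str, "Platform"] = {}
        self.export: Dict[str, Optional[Set[str]]] = {}   # peer -> QSNs we may advertise
        self.accept: Dict[str, Optional[Set[str]]] = {}   # peer -> QSNs we may receive
        self.remote: Dict[str, Set[str]] = {}   # qsn -> platforms that advertised it
        self.transit: Dict[str, str] = {}       # platform name -> its waypoint
        self.log: List[str] = []

    def peer_with(self, other: "Platform", export: Optional[Set[str]] = None,
                  accept: Optional[Set[str]] = None) -> None:
        """Declare a bilateral STEP link; waypoints are exchanged as part of
        it. Filters only matter when the peer is in another authority."""
        self.peers[other.name], other.peers[self.name] = other, self
        self.export[other.name], self.accept[other.name] = export, accept
        other.export.setdefault(self.name, None)
        other.accept.setdefault(self.name, None)
        self.transit[other.name], other.transit[self.name] = other.waypoint, self.waypoint
        for qsn in list(self.agents):           # offer what each side already has
            self._send(other, qsn, withdrawn=False)
        for qsn in list(other.agents):
            other._send(self, qsn, withdrawn=False)

    def add_agent(self, qsn: str) -> None:
        n = self.agents.get(qsn, 0)
        self.agents[qsn] = n + 1
        if n == 0:                              # transition 0 -> 1: advertise
            for p in self.peers.values():
                self._send(p, qsn, withdrawn=False)

    def remove_agent(self, qsn: str) -> None:
        n = self.agents[qsn]
        if n == 1:                              # transition 1 -> 0: withdraw
            del self.agents[qsn]
            for p in self.peers.values():
                self._send(p, qsn, withdrawn=True)
        else:
            self.agents[qsn] = n - 1

    def _send(self, peer: "Platform", qsn: str, withdrawn: bool) -> None:
        allowed = self.export.get(peer.name)
        if peer.authority != self.authority and allowed is not None and qsn not in allowed:
            self.log.append(f"{self.name}: filtered {qsn} towards {peer.name}")
            return
        peer.receive(self.name, qsn, withdrawn)

    def receive(self, origin: str, qsn: str, withdrawn: bool) -> None:
        """Record who offers the QSN. STEP is strictly two-party: nothing
        learned here is aggregated or re-advertised to other peers."""
        allowed = self.accept.get(origin)
        if (self.peers[origin].authority != self.authority
                and allowed is not None and qsn not in allowed):
            self.log.append(f"{self.name}: rejected {qsn} from {origin}")
            return
        offers = self.remote.setdefault(qsn, set())
        (offers.discard if withdrawn else offers.add)(origin)
        verb = "withdraw" if withdrawn else "advertise"
        self.log.append(f"{self.name}: {verb} {qsn} from {origin}")

    def resolve(self, qsn: str) -> Optional[str]:
        """Local service agents win; otherwise the waypoint of a remote
        platform that advertised the QSN; None if nobody offers it."""
        if self.agents.get(qsn, 0) > 0:
            return "local"
        for origin in sorted(self.remote.get(qsn, ())):
            if origin in self.transit:
                return self.transit[origin]
        return None


if __name__ == "__main__":
    dc = Platform("dc", "acme", "203.0.113.10:16000")
    branch = Platform("branch1", "acme", "203.0.113.11:16000")
    dc.peer_with(branch)
    dc.add_agent("qsn://finance.acme/web/portal")
    print(branch.resolve("qsn://finance.acme/web/portal"), branch.log)
```

The property to check is that a branch which peers with both the datacenter and another branch learns the datacenter's service from the datacenter only, and that removing one of two agent instances leaves the advertisement in place while removing the last one withdraws it.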
Figure 9: Example Datacenter-Branch mesh-up services exchange
SERVICE CENTRIC ABSTRACTION, AUTOMATION, AND ANALYTICS
The Secure Vector Routing architecture employs multi-tenanted
policy provisioning, control and analytics which abstract complex
network technologies to simple service-centric and business
constructs. This abstraction, based on 128T’s data model, is not
merely a translation of underlying complexity but is inherent
throughout the 128 Technology architecture and interfaces. Network
requirements are described in application terms. Session based
analytics provide application insights in a services context.
RESTful and Netconf APIs provide a full suite of integration
capabilities with applications, orchestration and DevOps.
Benefits include:
DevOps Ready
128 Technology supports frameworks of commercial DevOps tools to
automate a variety of management tasks across an authority. With
this approach, users can easily automate custom processes for their
network.
128 Technology leverages several commercial DevOps tools to
automate a variety of management tasks, enabling zero-touch
operations. We employ DevOps management from a central location
with secure connectivity to all Control and Slice instances in the
authority. Customers can use DevOps stand-alone to automate common
tasks on 128T Routers, or they can incorporate DevOps automation of
128T instances into a multi-vendor framework. Our DevOps Network
Development Kit (NDK) provides examples of automation of a number of
key tasks, including zero-touch installation, authority-wide software
upgrade, and zero-touch provisioning for branch offices. We support
several well-known DevOps platforms including Puppet, Chef, SaltStack,
and Ansible.
Figure 10: Service Centric Abstraction, Automation and Analytics
ONE PLATFORM– BROAD SET OF USE CASES
128 Technology has created a fundamentally new approach to
networking – one that delivers improved security, programmability,
and agility across networks. The 128T Networking Platform solves
problems for enterprises, service providers and cloud companies
alike. The 128T Networking Platform addresses a broad spectrum of
routing applications from the branch, across the wide area network, to
the datacenter and the edge. What's more, the platform can be deployed
to either augment or replace existing network routing solutions,
simplifying adoption and speeding time to value. Here are a few example
use cases of our software-based network platform.
NEXT GENERATION WAN
Tomorrow’s wide area networks (WANs) will need to deliver much more
than just automated and optimized transport connectivity between
sites. Next Generation WANs will need to empower distributed
cloud-driven applications that are consumed by a changing array of
users. The 128T Networking Platform goes beyond traditional
Software Defined WAN (SD-WAN) offerings by solving the underlying
network challenges that are the real culprits of complexity and
cost. 128 Technology's session-based solution offers end-to-end
fine-grained segmentation, security, and access control without the
overhead, cost and scaling challenges of overlays.
Solution Highlights
SESSION CENTRIC IP ROUTING creates symmetrical bi-flows that enable
packets to be intelligently routed, sessions to be controlled, and
traffic to be proactively analyzed. The solution can monitor
network and session performance to proactively route traffic along
paths that meet the SLA requirements for the application.
HIGHLY PROGRAMMABLE solution enables networks to be stretched and
sliced end-to-end, as a single routing scheme can be used for any
combination of private and public networks. It also enables dynamic
workload elasticity. Location-independent routing ensures integrated
load balancing and workload/device mobility. The 128T solution operates
as a distributed virtual router that inherently shares tenancy and
service information.
PRIVATE-PUBLIC-PRIVATE INTERNETWORKING offers end-to-end virtual
networking without tunnels and overlays. This eliminates complex
stitching operations and removes the need for masking convolution
with orchestration.
HYPER-SEGMENTATION goes beyond any existing segmentation techniques
to deliver uniform and scalable traffic isolation, hierarchical
multi-tenancy and network slicing end-to- end, from the datacenter
server to the branch. Overlay-based segmentation maintains
unnecessary complexity while saddling networks with scaling and
quality challenges.
ZERO TRUST SECURITY ensures each flow is encrypted and
authenticated based on associated security policies which enables
enterprises to offer secure micro-segmented connections or
individualized VPNs to different lines of businesses within a large
enterprise.
DYNAMIC SESSION AND APPLICATION AWARENESS provides load balancing
and traffic steering based on the session policies and status of
the network.
Key Capabilities
• Dynamic Traffic Steering
• Branch Virtual Networks
• Dynamic Enterprise VPNs
• Private-Public-Private Internetworking
Emerging cloud applications place unprecedented demands on the WAN.
Enterprises cannot rely on Band-Aid solutions that mask network
issues by introducing automation alone. Automation may provide some
savings in ease of deployment and in choosing lower-cost
paths, but it cannot meet the needs of future networks. It
is imperative for networks to become application aware, remove
overlays, and build security in, in order to deliver better
experiences and savings in the WAN. The 128 Technology solution
is an NG-WAN solution that goes beyond traditional
SD-WAN offerings by solving the underlying network issues rather than
masking them.
SOFTWARE-DEFINED DATACENTER
Cloud companies, enterprises and service providers are rapidly
modernizing their data center architectures and operations to
deliver infrastructure resources as easily provisioned, highly
flexible services. In doing so, data center networks will need to
accommodate new types of traffic patterns, enable dynamic workload
mobility, and respond to rapidly evolving security threats. The
128T Networking Platform distributes application intelligence, fine
grained segmentation, security, load balancing and control
throughout the data center, without the unnecessary overhead of
overlay techniques.
Today's enterprises and service providers want the agility
and efficiency benefits of hyper-scale datacenters such as those
developed by Google and Facebook. The software-defined data
center, in which all elements of the infrastructure (networking,
storage, compute and security) are virtualized, abstracted and
automated, has widely been touted as the
route to hyper-scale.
Software-defined networking has been seen as essential to the
software-defined datacenter’s network virtualization and there are
a number of SDN “network virtualization overlay (NVO)” vendors who
market products to enable virtual network overlays, designed to
abstract networking from the physical networks on which they
ride.
The challenge with existing network virtualization overlays lies in
their reliance on overlays themselves. These stateful and largely
tunnel-based overlays carry significant networking
overhead, fragmentation issues, scaling challenges and operational
costs, and because the encapsulation hides the inner headers they
blind most security and monitoring systems.
Furthermore, most NVO solutions still depend on complex
service-chaining architectures to insert advanced (and session-stateful)
network functions such as firewalls and load balancers,
each of which adds ongoing capex and opex.
Many agree the time is ripe for functional consolidation.
The 128T Networking Platform delivers a much simpler and more scalable
solution for the software-defined datacenter using a new session-based,
secure and service-centric networking model, Secure Vector
Routing.
Solution Highlights
HYPER-SEGMENTATION goes beyond existing segmentation techniques
to deliver uniform and scalable traffic isolation, hierarchical
multi-tenancy and network slicing end-to-end, from the datacenter
server to the branch and across multiple datacenters. Overlay-based
segmentation retains unnecessary complexity while saddling
networks with scaling and quality challenges.
SESSION CENTRIC IP ROUTING creates symmetrical bi-flows that enable
packets to be intelligently routed, sessions to be controlled, and
traffic to be proactively analyzed. The solution can monitor
network and session performance to proactively route traffic along
paths that meet the SLA requirements for the application.
Session-based load balancing is native to every 128T Router
node.
ZERO TRUST SECURITY ensures each flow is encrypted and
authenticated based on its associated security policies, which enables
enterprises to offer secure hyper-segmented connections or
individualized VPNs to different lines of business within a large
enterprise. Session-stateful firewall capabilities are native to
every 128T Router, reducing the need for expensive perimeter
security solutions.
HIGHLY PROGRAMMABLE solution enables networks to be stretched and sliced
end-to-end, since a single routing scheme can be used for any
combination of private and public networks. It also enables dynamic
workload elasticity. Location-independent routing provides
integrated load balancing and workload/device mobility. The 128
solution operates as a distributed virtual router that inherently shares
tenancy and service information.
PRIVATE-PUBLIC-PRIVATE INTERNETWORKING offers end-to-end virtual
networking without tunnels and overlays. This eliminates complex
stitching operations and removes the need to mask that complexity
with orchestration.
DYNAMIC SESSION AND APPLICATION AWARENESS provides load balancing
and traffic steering based on the session policies and status of
the network.
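The session-centric, zero-trust and application-aware highlights above (and the same highlights in the NG-WAN section) describe behaviour rather than mechanism. The following Python is an added illustration of the generic idea, not 128 Technology's code and not a description of how the 128T Router is implemented: a direction-independent bi-flow key so that both halves of a conversation land on one session record, a per-tenant policy that decides who may open a session, an SLA check that picks the first preferred path whose measured latency is acceptable, and stateful handling that admits return traffic on the same path without a separate rule while dropping unsolicited or cross-tenant packets. The tenant label on the packet, the policy format, the path names and the latency figures are assumptions constructed for this example.

```python
"""Toy session-centric (bi-flow) forwarding table.

Added illustration of the bi-flow / session-stateful idea; generic
conntrack-style logic, not 128 Technology's implementation. The tenant
label, policy format and path latencies below are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

FlowKey = Tuple[str, str, int, str, int]   # (proto, ip_lo, port_lo, ip_hi, port_hi)
Endpoint = Tuple[str, int]


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "tcp" or "udp"
    tenant: str     # segmentation label, assumed known at ingress


@dataclass
class Session:
    tenant: str
    initiator: Endpoint      # endpoint that opened the session
    path: str                # WAN path chosen when the session was created
    forward_pkts: int = 0
    reverse_pkts: int = 0


def biflow_key(p: Packet) -> FlowKey:
    """Direction-independent key: A->B and B->A yield the same tuple."""
    a: Endpoint = (p.src_ip, p.src_port)
    b: Endpoint = (p.dst_ip, p.dst_port)
    lo, hi = (a, b) if a <= b else (b, a)
    return (p.proto, lo[0], lo[1], hi[0], hi[1])


class SessionRouter:
    """Per-session policy check, SLA-aware path choice, stateful return handling."""

    def __init__(self, policy: Dict[str, List[dict]], path_latency_ms: Dict[str, int]):
        self.policy = policy                  # tenant -> list of service rules
        self.path_latency_ms = path_latency_ms
        self.sessions: Dict[FlowKey, Session] = {}

    def _match_rule(self, p: Packet) -> Optional[dict]:
        for rule in self.policy.get(p.tenant, []):
            if (rule["dst_ip"], rule["dst_port"], rule["proto"]) == (p.dst_ip, p.dst_port, p.proto):
                return rule
        return None

    def _select_path(self, rule: dict) -> Optional[str]:
        # First path in preference order whose measured latency meets the SLA.
        for path in rule["paths"]:
            if self.path_latency_ms.get(path, 10**9) <= rule["max_latency_ms"]:
                return path
        return None

    def forward(self, p: Packet) -> Optional[str]:
        """Return the path the packet is sent on, or None if it is dropped."""
        key = biflow_key(p)
        sess = self.sessions.get(key)
        if sess is not None:
            if sess.tenant != p.tenant:       # 5-tuple alone is not identity
                return None
            if (p.src_ip, p.src_port) == sess.initiator:
                sess.forward_pkts += 1
            else:
                sess.reverse_pkts += 1
            return sess.path
        rule = self._match_rule(p)            # only a permitted initiator may open a session
        if rule is None:
            return None
        path = self._select_path(rule)
        if path is None:
            return None
        self.sessions[key] = Session(p.tenant, (p.src_ip, p.src_port), path)
        return path


# Constructed policy: "finance" may reach the ERP service over MPLS if it meets
# a 50 ms SLA, else over broadband; "guest" has no rule at all.
POLICY = {
    "finance": [
        {"dst_ip": "10.0.0.10", "dst_port": 443, "proto": "tcp",
         "paths": ["mpls", "broadband"], "max_latency_ms": 50},
    ],
}
PATH_LATENCY_MS = {"mpls": 80, "broadband": 30}   # constructed: MPLS degraded


def demo() -> dict:
    r = SessionRouter(POLICY, PATH_LATENCY_MS)
    client_syn = Packet("192.168.1.5", 40001, "10.0.0.10", 443, "tcp", "finance")
    server_reply = Packet("10.0.0.10", 443, "192.168.1.5", 40001, "tcp", "finance")
    unsolicited = Packet("10.0.0.10", 443, "192.168.1.5", 40002, "tcp", "finance")
    guest_syn = Packet("192.168.1.9", 50000, "10.0.0.10", 443, "tcp", "guest")
    spoofed = Packet("192.168.1.5", 40001, "10.0.0.10", 443, "tcp", "guest")
    return {
        "client_syn": r.forward(client_syn),      # MPLS fails the SLA, broadband chosen
        "server_reply": r.forward(server_reply),  # same session and path, no rule needed
        "unsolicited": r.forward(unsolicited),    # no session, server may not initiate
        "guest_syn": r.forward(guest_syn),        # no policy for tenant "guest"
        "spoofed": r.forward(spoofed),            # 5-tuple matches, tenant does not
        "sessions": len(r.sessions),
        "reverse_pkts": r.sessions[biflow_key(client_syn)].reverse_pkts,
    }


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is that the return direction never consults the policy: admission is decided once, at session creation, by the initiator's tenant and service, and the reverse half of the bi-flow inherits that decision and the chosen path. A real implementation would also age sessions out and re-evaluate path health for long-lived sessions; both are omitted here.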
NFV – ETSI FRAMEWORK FOR TELCO CLOUD
With Network Functions Virtualization (NFV), network operators are
reducing their dependence on single-purpose appliances by taking
functions that were previously built into hardware and implementing
them in software that runs on industry-standard servers, network,
and storage platforms. Beyond reducing network operators’
dependency on dedicated hardware, leveraging NFV (and SDN) enables
more programmability in the network and greatly reduces the
complexity and time-to-market associated with introducing new
services. While NFV is about network equipment virtualization, SDN
is about network virtualization. SDN calls for the separation of
the control plane from the data plane, making the latter simple and
fast, dealing mostly with the media access control and Internet
Protocol layers.
The NFV architecture comprises major components, including
virtualized network functions (VNFs), NFV management and
orchestration (MANO), and NFV Infrastructure (NFVI), that work
with traditional network components such as OSS/BSS. 128
Technology delivers carrier-grade solutions for VNFs and for NFVI
virtual networking.
NFVI Virtual Networking – Software-defined Datacenter
NFV Infrastructure (NFVI) is the component of the
NFV architecture that defines the hardware and software on
which virtual networks are built. A key part of the NFVI is
the virtual network component. The 128T Networking Platform
provides a fully distributed virtual routing solution that
transforms any datacenter fabric into a single logical router, with
128T Slices deployed on NFVI servers taking the place of Open
vSwitch and 128T Control providing the centralized control plane,
policy management and analytics. The 128T Conductor provides
centralized management, automation and visibility and integrates
with higher-level network and service orchestration functions
through REST and NETCONF APIs.
Virtual CE and PE
The 128T Router is also packaged as VNFs delivering CE Router and
PE Router capabilities. As a CE or PE, each VNF combines the 128T
Control and 128T Slice functionality in a single virtual machine.
The 128T Conductor provides 128 Technology VNF-specific management
and orchestration, integrating with higher-level MANO functions
through REST and NETCONF APIs.
VIRTUAL EDGE
Service providers and enterprises are looking to simplify the way
WAN connectivity and applications are architected, provisioned and
managed. WAN architectures are moving from private
connectivity models based on dedicated circuits and MPLS to
distributed hybrid-connectivity solutions that leverage multiple
heterogeneous connectivity options, including public internet,
broadband, and LTE. These requirements have given rise to a new set
of SDN-based solutions called SD-WAN.
Meanwhile enterprise and service provider network managers are
tired of complicated edge networks that require multiple
purpose-built appliances, specialized knowledge and complicated
configurations. Service providers seek a simpler way to deploy
managed services to their customers. The network edge is
traditionally the land of specialized equipment – including
routers, firewalls, WAN optimization and VPN. The industry is
trying to change that, replacing specialized appliances with
commodity hardware and software based solutions. Some of these
specialized network functions can be pulled out and executed in
software based VNFs in the enterprise/service provider
cloud/datacenter (vCPE) or on customer premise equipment but
managed by the cloud. A simpler, software-defined virtual edge is
emerging.
The goal of the virtualized edge is to simplify the customer edge
while pushing more functionality into software that can be
provisioned and automated from the cloud. This together with
virtualizing hybrid WAN connectivity promises huge capex and opex
savings for enterprises and service providers alike.
128 Technology's Next-Generation WAN solution goes beyond most SD-WAN
offerings, bringing together SD-WAN hybrid-WAN networking and
virtual CPE in a new Secure Vector Routing architecture.
The 128 Technology’s Virtual Edge solution has three key
components:
Virtual Edge-CPE
The 128T Router is deployed at the enterprise branch or datacenter
WAN edge on bare metal CPE. As a NG-WAN edge, the 128T Router
delivers all the benefits of the NG-WAN offering previously
discussed in this paper, while enabling dynamic service insertion
of VNFs either co- located on the edge or in the cloud.
Virtual CE and PE Router
The 128T Router is also packaged as a VNF delivering Customer Edge
(CE) router functionality. As a CE, each VNF combines the 128T
Control and 128T Slice functionality in a single virtual
machine. The 128T Conductor provides 128 Technology VNF-specific
management and orchestration, integrating with higher-level MANO
functions through REST and NETCONF APIs.
NFVI Virtual Networking
The 128T Networking Platform provides a fully distributed virtual
routing solution that transforms any datacenter fabric into a
single logical router, with 128T Slices deployed on NFVI servers
taking the place of Open vSwitch and 128T Control providing
centralized control plane, policy management and analytics. The
128T Conductor provides centralized management, automation and
visibility and integrates with higher level Network and Service
Orchestration functions through REST and Netconf APIs.
DATACENTER INTERCONNECT
The exploding requirements for cloud services, streaming video, and
nonstop “anywhere, anytime” access – all with little or no downtime
– is creating a dramatic shift in where data centers are built and
how they are interconnected. Existing purpose-built data center
interconnect (DCI) approaches help eliminate bottlenecks, enable
data and workload mobility, and maintain uptime – but include
enormous complexity and cost. The 128T Networking Platform provides
dynamic and secure DCI capabilities without relying on overlays or
domain stretching, while providing a scalable, flexible
connectivity platform.
NETWORK AS A SERVICE
In order to stay competitive, cloud and service providers need to
rapidly develop and deliver new revenue-generating services to
customers faster than ever. Yet, provisioning and configuring
reliable and secure network access can be cumbersome, slow, and
expensive for providers and customers alike. The 128T Networking
Platform provides the ability to spin up new services and establish
network connectivity faster, cheaper, and with more confidence. The
solution offers full network quality-of-service (QoS) control,
end-to-end zero trust security and real-time visibility and
analytics into how each service is performing.