Infrastructure as a Service (IaaS) is a cloud computing business model in which a data center operator provides computing, storage and network capacity to application or service providers on an on-demand, pay-as-you-go basis. An application provider can use those resources to deploy applications and services for its own customers. The amount of resources used varies with demand, and application providers pay only for the resources actually consumed rather than for the fixed capacity (typically the peak capacity) they would have to provision if they owned the physical resources.
Virtualization is used by IaaS providers to allocate, move and manage resources, allowing dynamic management of the resources to match changing demand. This is true both for processing capacity (e.g. virtual machines) and for the network (e.g. using VLANs, VXLAN, etc.).
In conventional IaaS management systems, it is possible to create virtual machines (VMs), to allocate storage capacity and to establish basic layer 2 (L2) or layer 3 (L3) connectivity between the VMs and with the storage. For example, in OpenStack the Networking service (Neutron) enables the creation of L2 networks and allows VMs to be connected through virtual network interface cards (vNICs) to ports on those networks. IP addresses can be assigned to the vNICs. The L2 networks can then be attached to virtual routers that handle L3 forwarding between the different L2 networks or to/from the Internet.
The concept of Software Defined Networking (SDN) allows applications to control how the different elements in the network are connected and how traffic is managed. SDN aims to replace conventional, rigid network management with a flexible software framework for controlling the flow of traffic in the network. The new framework is expected to enable deployment of new network services more rapidly than previous network management and control allowed.
OpenFlow is an open standard protocol between the control and forwarding planes used in SDN deployments. A control platform running on one or more servers in the network manages a set of OpenFlow switches that have only basic forwarding capabilities. The control platform collects information from the switches and from operator configuration, then computes the forwarding rules and distributes them to the switches. A logically centralized controller can more easily coordinate state among the various switching platforms and provide a flexible programmatic interface on which new protocols and management applications can be built. This separation significantly simplifies modifications to the network control logic (since it is centralized), enables the data and control planes to evolve and scale independently, and potentially decreases the cost of the forwarding plane elements. Because the controller holds the forwarding state for the whole network, the controller itself and its channel to the switches must be protected accordingly; the OpenFlow specification provides for TLS on that channel.
OpenFlow was a precursor of SDN and is used in data centers to establish virtual network connectivity between VMs. It enables quick configuration of the network elements in the data center from the central controller, and the flow rules installed by the controller enforce isolation between the different tenants (application providers) hosted in the data center. SDN is also used by network operators to establish connectivity between different network functions, as it provides a more flexible framework for managing how those functions are composed, or chained, depending on specific needs in their network or the needs of specific customers. In data centers offering cloud services, SDN is used to dynamically connect the VMs belonging to a given tenant while keeping the VMs and virtual networks of different tenants isolated from one another.
Network Function Virtualization (NFV) is a trend being pushed forward by large operators that aims to bring network functions that traditionally run on specialized physical hardware into the cloud/data center, to enable quick deployment, dynamic scaling and the use of the low-cost commodity hardware available in data centers.
Operators use different middlebox services, called inline services, such as Deep Packet Inspection (DPI), load balancing, firewalls, Intrusion Detection and Prevention (IDP), Network Address Translation (NAT), HTTP header enrichment and others to handle subscriber traffic. Inline services can be hosted on dedicated physical hardware or in VMs. Service chaining is required if traffic needs to go through more than one inline service. If more than one chain of services is possible, the operator needs to configure the networking infrastructure to direct the right traffic through the right inline service path. This is typically done by configuring L2 or OpenFlow network nodes to steer traffic from one service to the next along different paths depending on the packet flow (e.g. the source, destination or content of the flow).
In line with the Network Function Virtualization initiative, many network functions are being ported to the virtual environment and can run as cloud appliances in VMs in the cloud. Cloud management systems often use SDN to establish and control the basic L2 and L3 connectivity between VMs. However, they do not allow the application provider to take full control of the created virtual networks and use SDN, rather than basic L2 and L3 connectivity, to steer traffic between its virtual nodes. In normal L2 forwarding, a switch uses the destination MAC address and VLAN to determine how to forward a packet to its next hop. In L3 forwarding, a router uses the destination IP address to determine the next hop. In a flow-based forwarding scheme, traffic can be steered using more complex rules involving multiple fields of the packet headers, combining L2, L3 and higher layers of the protocol stack (TCP, UDP, etc.).
Restricting the application provider's control of virtual network connectivity to conventional methods is limiting when fine-grained control of the underlying network is required (e.g. when the path traversed through the network/VMs is set per flow rather than per endpoint). This makes it difficult to implement arbitrary virtual network functions in the cloud; service chaining is a typical example of such a function.
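The difference between per-endpoint and per-flow steering, and the way an OpenFlow-style flow table expresses a service chain, can be made concrete with a small simulation. The following is an added example, not code from the original text: it models a flow table whose entries carry a priority, a multi-field match with wildcards and an output port, walks a packet through two different service chains, and shows that a conventional MAC table keyed on (VLAN, destination MAC) has no field on which to make that distinction. The port numbers, addresses, VLAN, gateway MAC and service placement are assumed for illustration; in a real deployment they would come from the controller's view of the topology.

```python
"""Flow-based steering of subscriber traffic through inline service chains.

Added example (not from the original text). Models an OpenFlow-style flow
table: each entry has a priority, a match over packet header fields (absent
field = wildcard) and an output port. A packet is forwarded by the
highest-priority matching entry; a table miss means drop.
"""
from dataclasses import dataclass, replace
from ipaddress import ip_address, ip_network
from typing import Optional

# Assumed switch ports: 1 = subscriber side, 2 = internet side. Each inline
# service is attached on one port and hands packets back on that same port.
SUBSCRIBERS, INTERNET, DPI, FIREWALL, NAT = 1, 2, 10, 20, 30
SERVICE_PORTS = {DPI, FIREWALL, NAT}


@dataclass(frozen=True)
class Packet:
    in_port: int
    vlan: int
    eth_dst: str
    ip_dst: str
    ip_proto: int                 # 6 = TCP, 17 = UDP
    tcp_dst: Optional[int] = None


@dataclass(frozen=True)
class FlowEntry:
    priority: int
    match: dict                   # field name -> required value
    out_port: int                 # OpenFlow "output" action

    def matches(self, pkt: Packet) -> bool:
        for fld, want in self.match.items():
            have = getattr(pkt, fld)
            if fld == "ip_dst":   # prefix match, as an L3 rule would do
                if ip_address(have) not in ip_network(want):
                    return False
            elif have != want:
                return False
        return True


def lookup(table: list, pkt: Packet) -> Optional[FlowEntry]:
    """Highest-priority matching entry, or None on table miss."""
    hits = [e for e in table if e.matches(pkt)]
    return max(hits, key=lambda e: e.priority) if hits else None


def steer(table: list, pkt: Packet, max_hops: int = 16) -> list:
    """Return the list of output ports a packet visits until it leaves the
    switch on an edge port. A packet output to a service port is assumed to
    come back on that same port. Table misses and rule loops are reported."""
    path = []
    for _ in range(max_hops):
        entry = lookup(table, pkt)
        if entry is None:
            return path + ["drop"]
        path.append(entry.out_port)
        if entry.out_port not in SERVICE_PORTS:
            return path                       # left on an edge port
        pkt = replace(pkt, in_port=entry.out_port)   # returned by the service
    return path + ["loop"]                    # misconfigured chain


# Chain for subscriber web traffic:  DPI -> firewall -> NAT -> internet.
# Chain for other subscriber traffic: firewall -> NAT -> internet.
# Return traffic from the internet:   NAT -> subscribers.
# The more specific entry (priority 200) must outrank the catch-all (100);
# omitting tcp_dst from it would send every subscriber flow through DPI.
FLOW_TABLE = [
    FlowEntry(200, {"in_port": SUBSCRIBERS, "ip_proto": 6, "tcp_dst": 80}, DPI),
    FlowEntry(100, {"in_port": SUBSCRIBERS}, FIREWALL),
    FlowEntry(100, {"in_port": DPI}, FIREWALL),
    FlowEntry(100, {"in_port": FIREWALL}, NAT),
    FlowEntry(100, {"in_port": INTERNET}, NAT),
    FlowEntry(200, {"in_port": NAT, "ip_dst": "10.0.0.0/8"}, SUBSCRIBERS),
    FlowEntry(100, {"in_port": NAT}, INTERNET),
]

# Conventional L2 forwarding: a MAC table keyed on (VLAN, destination MAC).
# Every flow addressed to the same next-hop MAC takes the same path, so the
# per-flow chains above cannot be expressed. Gateway MAC/VLAN are assumed.
GATEWAY_MAC = "00:00:5e:00:01:01"
MAC_TABLE = {(100, GATEWAY_MAC): INTERNET}


def l2_forward(pkt: Packet) -> Optional[int]:
    return MAC_TABLE.get((pkt.vlan, pkt.eth_dst))


if __name__ == "__main__":
    # Constructed sample packets from a subscriber toward the same gateway.
    http = Packet(SUBSCRIBERS, 100, GATEWAY_MAC, "93.184.216.34", 6, 80)
    ssh = Packet(SUBSCRIBERS, 100, GATEWAY_MAC, "93.184.216.34", 6, 22)
    print("flow-based, HTTP:", steer(FLOW_TABLE, http))   # via DPI
    print("flow-based, SSH: ", steer(FLOW_TABLE, ssh))    # skips DPI
    print("L2 only, HTTP/SSH:", l2_forward(http), l2_forward(ssh))
```

Two consequences worth noting for an operator: the ordering of rules is carried entirely by priority, so a catch-all entry at too high a priority silently bypasses a service, and a chain that is wired back onto itself is detected here only by the hop limit, which a real switch does not have.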
Therefore, it would be desirable to provide a system and method that obviate or mitigate the above-described problems.