1. Field of the Invention
The present invention is directed to a system for implementing a multifunction network service apparatus.
2. Description of the Related Art
The worldwide system of computer networks known as the Internet has provided businesses and individuals with a new mechanism for supplying goods and services, and for conducting commerce. As the number and type of network services used on the Internet have grown, so has the strain that providing such services places on businesses. As the number, complexity and interaction of inter-networked services have risen, the associated costs of building and maintaining a network infrastructure to support those services have grown as well. Many enterprises have thus turned to outsourced vendors, sometimes called managed service providers or data centers, to provide these services in lieu of building and maintaining the infrastructure themselves. Customers of such managed service providers are often called subscribers.
The managed service provider can operate in many different ways. Typically it can provide secure facilities where the infrastructure service equipment is located, and manage equipment for the subscriber. The scope of management and services is defined by an agreement with the subscriber calling for the managed service provider to solely or jointly manage the equipment with the subscriber. This is sometimes referred to as “co-location”. In other cases, the managed service provider can lease the physical space from another provider (called a hosting provider) and provide just the management of the infrastructure equipment on behalf of its subscribers.
A data center is a specialized facility that houses Web sites and provides data serving and other services for subscribers. The data center may contain a network operations center (NOC), which is a restricted access area containing automated systems that constantly monitor server activity, Web traffic, and network performance. A data center in its most simple form may consist of a single facility that hosts all of the infrastructure equipment. However, a more sophisticated data center is normally an organization spread throughout the world with subscriber support equipment located in various physical hosting facilities.
Data centers allow enterprises to provide a number of different types of services, including e-commerce services to customers; extranets and secure Virtual Private Networks (VPNs) to employees and customers; firewall protection and Network Address Translation (NAT) services, Web caching and load balancing services, as well as many others. These services can all be provided at an off-site facility in the data center without requiring the enterprise to maintain the facility itself.
A typical data center facility will house physical hardware in a number of equipment racks, generally known as “cages”, which hold networking equipment and servers which are operated by the data center on behalf of the subscriber. Generally, the subscriber maintains the content and control over the servers, while contracting with the data center to provide services such as maintenance and service configuration. It should be well understood that there are myriad ways in which subscribers can arrange their relationships with data centers.
The equipment that provides the infrastructure services for a set of subscribers can take several forms. Depending on the complexity and variety of services required, the equipment generally includes one or more single function devices dedicated to the subscriber. Because the devices are designed with the co-location model in mind—customers leasing rack space and pieces of equipment as needed—service devices generally provide only one or a few services each. Typical multi-function devices that do combine services combine those that are closely related, such as NAT and firewall services. A data center facility generally has a number of devices to manage, and in many cases the devices multiply, since redundant devices may be used for fail over to provide fault-tolerance or for load balancing.
Normally, services such as NAT, firewall and VPN are provided by specialized computers or special function appliances at the subscriber's site. In offloading the services to a data center, the data center will use specialized appliances or servers coupled to the subscriber's Web servers in the cages to implement special functions for the subscribers. These appliances can include service provision devices and the subscriber's application servers as well as other specialized equipment for implementing the subscriber's service structure. The cages may thus include network appliances dedicated to one or more of the following tasks: routing, firewall, network address translation, Secure Sockets Layer (SSL) acceleration, virtual private networking, public key infrastructure (PKI), load balancing, Web caching, or the like. As a result, the management of all subscribers within the data center becomes very complex and expensive, with many different management interfaces for all of the subscribers and subscriber devices. Administering the equipment in each cage is generally accomplished via an administrative access interface coupled to each single function device.
An example of one prior art architecture used in a data center is shown in FIG. 1. In this example, a plurality of individual service appliances 24, each providing a different type of IP service, are coupled to a network 20 (in this case it is the Internet) and a local LAN 21, which is a high speed local network secure within the data center. The local LAN may couple each of the appliances to each other, as well as various subscriber servers 25. Each of the individual appliances 24 performs only some limited form of processing which is specific to the service function it is designed to provide. In addition, this type of architecture is difficult to manage since each device 24 has its own configuration interface 26. All service set-up parameters must be made within each device. Indeed, each appliance may be provided by a different manufacturer and hence have its own configuration paradigm.
In general, each of these appliances 24 works on network data packets carried in the network using the TCP/IP protocol. The data is routed between appliances using the full TCP/IP stack, requiring that each appliance process the entire stack in order to apply the service that the appliance is designed to provide. This results in a large degree of processing overhead just in dealing with the transmission aspects of the data. To combat these problems, some network equipment manufacturers have built multi-service devices capable of providing additional IP level services in one physical package. Typically, however, these devices couple network-coupled “line cards”, designed to provide the particular value added service to the network, with some form of central processor, with the combination being generally organized into a multi-service routing device. The compute elements on the line cards have limited or specialized processing capability, and all service set-up and advanced processing must go through the central processing card. Such service set-up is sometimes called “slow path” processing, referring to processing that occurs infrequently or is complex, such as exception packet handling, while more routine functions are performed by the line cards themselves.
An example of this type of system is shown in FIG. 2. In the system shown in FIG. 2, a central processor 30 controls and performs all service implementation functions, with some routing via other appliances coupled to the fabric. In this architecture, the service processing is limited to the speed and throughput of the processor.
An important drawback to the systems of the prior art such as those shown in FIG. 1 and FIG. 2 is that processing of application services requires each line card to perform the full IP stack functions. That is, each card must perform IP processing and routing to perform the network service on the data carried by the IP packet. Any packet entering the line card must be processed through the IP, TCP and HTTP level, the data processed, and the packet re-configured with proper TCP and IP information before being forwarded on.
A second important drawback of these systems is that they perform processing on only one flow of packets at a time. That is, the central processor of the embodiment of FIG. 2 is a bottleneck for system performance.