Is Network Function Virtualization (NFV) ready for deployment in my network?
First let me say that NFV is not a new concept but rather an evolution of tried and proven systems, at least in its core. One of my first workstations was a SUN running Berkeley software distribution (BSD) UNIX 4.1.3 that looked something like this:
The workstation, some would refer to it as a server, would run multiple processes (daemons), which included:
1) Routing (RIP protocol or static)
2) DNS (it was a DNS server for a top level domain for some time)
3) FTP server (file sharing)
4) TFTP server (for software updates)
5) HTTP server (at the time the web was not a big deal yet so this server essentially displayed just a few pages)
I would argue that this was NFV in its infancy: in essence, several network functions virtualized on a single platform. The main difference is that the virtualization layer was relatively plain UNIX instead of a purpose-built product such as VMware® or KVM.
One of the main reasons this type of solution, running daemons on a UNIX server, did not catch on was that the processing power and memory were not available at a reasonable cost. The other was that purpose-built ASIC-based appliances had superior performance.
Now to whether or not you should consider using NFV today… While it needs to be clearly evaluated on a case-by-case basis, generally I would say that, yes, it should be strongly considered. In a time where processing power and memory are relatively plentiful and inexpensive, there is no good reason to be purchasing multiple hardware appliances when a single generic x86 platform can do the job. Also, the technology has had time to mature and the pricing has dropped to very affordable levels. From a network security standpoint, a VMware or KVM product is likely to be much safer, as all unnecessary software (possible attack vectors) is likely removed, compared to running daemons on a generic UNIX/Linux appliance.
Broadly speaking, the sweet spot for NFV is a company with multiple small or “smaller” locations not exceeding 1 GigE connectivity to the corporate network, or a small business with roughly the same internet connectivity requirements. While there are many other places for NFV, such as data centers, I will discuss WAN access here.
Let’s talk about a corporation with multiple smaller locations. As a general rule, the outlying/remote locations do not have IT staff, a local subject matter expert (SME) at best, but rely on support from corporate or a third-party management company. It is not unusual for one of the outlying locations to have one or more of the following appliances:
1) Router for WAN access
2) Switch for connectivity to peripheral devices (POS, PCs, local servers…)
3) Wireless controller (to control wireless access points and the plethora of IoT devices)
4) IP PBX (softswitch, or many other names vendors use)
5) NAT server (network address translation) to create a private address space
6) WAN acceleration appliances
7) SBC (session border controller, aka voice firewall)
8) Network firewall for IP based devices
9) VPN appliance (virtual private network) for a tunnel to corporate HQ
10) Network security appliances such as network intrusion detection devices/sensors/probes
11) Less likely are FTP, TFTP and HTTP servers at the remote locations but still possible
12) Appliances that store “forward deployed” software packages and patches. This is often done so the patches or updates are moved closer to the users and the software is only sent over the WAN once.
Just managing the power distribution unit (PDU) seems like a daunting task, as an accidental unplugging can potentially lead to disaster. Equally difficult is the connectivity between the appliances to assure the proper data flow. The physical connectivity is only a small part, as the logical configuration and maintenance are equally demanding.
In addition to the power, cooling and configuration, there is an equally daunting task to lifecycle the appliances to stay current and be able to take advantage of the latest software releases.
In an NFV environment, in the ideal case of course, you would have all of the services (network functions) residing on a single generic x86 appliance. The appliance would have redundant solid state drives set up in a RAID configuration, with multiple redundant network interfaces and redundant power supplies. All the network functions would be service-chained (RFC 7665) to meet the desired data flow. By that I am referring to the logical arrangement of the devices in the way the bits flow through the fabric of the appliance. This could be a firewall on the outside with a DMZ housing some externally reachable servers, with the remainder behind yet another firewall. As all appliances are virtual, the flow can be changed at any time.
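The firewall / DMZ / second-firewall chain described above, as an added example that is not part of the original article: a small Python check, with hypothetical VNF and zone names, that models the service chain as a directed graph and verifies, before a flow change is applied, that every WAN-to-LAN path still passes through both firewalls.

```python
"""Added example (not from the original post): model an RFC 7665-style
service chain as a directed graph of virtual network functions and check
that a re-chaining does not let traffic bypass a firewall.
All VNF names and zones below are constructed for illustration."""

# Constructed topology: WAN -> outer firewall -> DMZ (web server) -> inner
# firewall -> internal LAN.  Each edge is a direction bits may flow.
CHAIN = {
    "wan":      ["fw_outer"],
    "fw_outer": ["dmz_web", "fw_inner"],
    "dmz_web":  ["fw_inner"],
    "fw_inner": ["lan"],
    "lan":      [],
}
FIREWALLS = {"fw_outer", "fw_inner"}   # VNFs every WAN->LAN path must cross


def all_paths(chain, src, dst):
    """Enumerate every simple path from src to dst (DFS; small graphs only)."""
    paths, stack = [], [(src, [src])]
    while stack:
        node, path = stack.pop()
        if node == dst:
            paths.append(path)
            continue
        for nxt in chain.get(node, []):
            if nxt not in path:            # skip cycles
                stack.append((nxt, path + [nxt]))
    return paths


def unprotected_paths(chain, src="wan", dst="lan", required=FIREWALLS):
    """Return the src->dst paths that skip at least one required firewall."""
    return [p for p in all_paths(chain, src, dst) if not required <= set(p)]


def apply_change(chain, src, dst):
    """Simulate an operator re-chaining two VNFs; returns a new graph."""
    new = {k: list(v) for k, v in chain.items()}
    new.setdefault(src, []).append(dst)
    return new


if __name__ == "__main__":
    assert unprotected_paths(CHAIN) == []       # intended design holds
    # A "quick" change wiring the DMZ web server straight into the LAN
    bad = apply_change(CHAIN, "dmz_web", "lan")
    for p in unprotected_paths(bad):
        print("bypasses inner firewall:", " -> ".join(p))
```

Run the check against the proposed chain before pushing it; a non-empty result is a path that skips a firewall and should block the change.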
Some network providers offer zero-touch provisioning where the x86 appliance has a built-in 3G or 4G radio module so it can be remotely configured by the provider once it is connected to power. Two flavors of management are generally offered, one being self-managed, the other being a full-service offering.
In addition to out-of-band (3G/4G) configuration, the cellular modem can be used as a backup for the terrestrial connection.
While the cellular connectivity may not be as fast as terrestrial fiber, it is surely nice to have if all of your point-of-sale terminals depend on connectivity to the corporate cloud.
Sample x86 appliance:
In an environment based on virtual network functions you have more choice in the appliances selected. No longer is a “truck roll” required to replace a network appliance, but rather a push of a button. When upgrading a firewall or router from the same vendor or to a different vendor, let’s say due to a discovered vulnerability, it can be done in minutes or hours and not days or weeks.
Not all x86 appliances are created equal, and care must be taken to select the correct unit to meet the requirements. Just because it is possible to run five or ten network functions on a single device does not mean it should be done, since the appliance may only be designed to support two or three. Also, some network functions, such as IPsec and WAN optimization, tend to require more resources as they are processor- or memory-intensive.
Looking forward to hearing some comments.
CNXT
Great, straightforward article, Bernie. Love the picture and recall talking NFV/SDN with you two? years ago with our SME but Brocade's problem was infighting amongst salespeople and their managers which is unfortunately why you never got the correct support.
Awesome article Bernie, it's amazing what's possible with the Power of &!