Software-Defined Security: Unveiling the Security of SDN/NFV Next-Generation Networks

1.3 Progress in Industry

Although the concept of SDN was first proposed by academia, its purpose is to solve many practical problems of real networks, so it drew the attention of industry from the very beginning. NFV, for its part, is a technology that grew up alongside virtualization; in particular, its ability to orchestrate functions in software has won favour with operators who had long been troubled by hardware appliances.

1.3.1 Market Trends for SDN/NFV

Although SDN and NFV already have a considerable body of academic research results, most customers have adopted a cautiously optimistic attitude, given how disruptive these innovations are to existing networks.

In the SDN market, some network vendors seeking to challenge the incumbents and reshape the market, as well as white-box switch vendors hoping to build network architectures free of vendor lock-in together with large customers, have all launched OpenFlow-based SDN network devices or complete solutions. Meanwhile, the traditional network vendors such as Cisco and Juniper have delivered their own SDN solutions by opening southbound interfaces on top of their existing product lines, for example Cisco's ACI (http://www.cisco.com/web/solutions/trends/sdn/index.html) and Juniper Networks Contrail (http://www.juniper.net/us/en/dm/sdn/).

In the NFV market, HP has targeted operators with the HP NFV System, which integrates HP software and hardware with the aim of delivering a plug-and-play product that helps operators move quickly from the proof-of-concept stage to deployment. Huawei, building on SDN and NFV, has proposed its CloudEdge solution, which provides a virtualized EPC (Evolved Packet Core), a virtualized MSE (Multi-Service Engine) and virtualized network element management, and supports the management of virtualized devices from different vendors; this solution has been demonstrated and validated at China Mobile. Thanks to its open architecture and flexible function orchestration, more and more operators have begun running validation tests of vendors' NFV solutions.

Overall, industry already has some SDN and NFV products and solutions, but most are still at the proof-of-concept (PoC) stage, and their maturity and stability remain to be validated by large-scale deployments.

Interestingly, in its report "Hype Cycle for Networking and Communications, 2014" (https://www.gartner.com/doc/2804820/), Gartner places SDN at the start of the Peak of Inflated Expectations and NFV at the end of it. In other words, Gartner believes that SDN is about to receive excessive public attention, accompanied by some success stories, whereas NFV is about to leave that phase and move on to proving its value more broadly, gathering experience from successes or lessons from failures.

The well-known consultancy IDC forecasts that the global SDN market will reach US$8 billion by 2018 (https://www.idc.com/getdoc.jsp?containerId=prUS25052314); SDxCentral forecasts that the market value created by next-generation network innovations such as SDN and NFV will reach as much as US$105 billion by 2020 (https://www.sdxcentral.com/reports/sdn-nfv-market-size-forecast-report-2015/). Infonetics' figures put the SDN market at US$781 million in 2014 and forecast it to reach US$13 billion by 2019 (http://www.infonetics.com/pr/2015/2H14-Data-Center-SDN-Market-Highlights.asp); in the operator segment, the SDN/NFV market was US$500 million in 2013 and will reach US$11 billion by 2018 (http://www.infonetics.com/pr/2014/Carrier-SDN-NFV-Market-Highlights.asp).

Although each analyst firm has its own models and supporting data, their conclusions agree: neither technology is yet mature, but both have attracted broad industry attention, have a large market ahead of them, and are likely to be deployed within three to five years.

1.3.2 Progress of Emerging SDN Implementations

As noted in Section 1.3.1, SDN hardware currently falls into several camps: the revolutionary camp, led by white-box network equipment manufacturers and large Internet companies, and the reformist camp, led by the traditional vendors.

White-box network equipment manufacturers typically deliver a generically designed hardware switch, optionally pre-installed with an operating system (such as Linux), and the control protocol spoken by the hardware is a standard southbound protocol such as OpenFlow. White-box switches are often far cheaper than traditional equipment, and as SDN applications develop they are likely to pose a challenge to traditional giants such as Cisco.

In addition, when deploying large network applications, some Internet giants have begun using white-box switches and open network architectures to avoid vendor lock-in. For example, one goal of the Open Compute Project (OCP) led by Facebook is to define standard, open-source hardware switches so as to reduce procurement costs. In Google's data-center interconnect project B4, mentioned in Section 1.2.1, the switches were custom-built to support OpenFlow, and on that basis globally service-aware traffic scheduling was implemented, raising network utilization to close to 100%.

On the software architecture side, the ONF continues to drive the standardization and industrialization of the SDN architecture represented by OpenFlow. Today it is essentially an industry consensus that, in principle, the data plane and control plane are separated, and that the architecture adopts a three-layer structure of application, controller and network device.

On the controller side, there are currently two major open-source controller projects: OpenDaylight (http://www.opendaylight.org) and ONOS (http://onosproject.org/). The former is developed under the leadership of companies such as Cisco and IBM and targets operator networks and virtualized networks; the latter is led mainly by the non-profit ON.LAB and targets mainly operator networks. Reflecting the trend toward ever-closer convergence of SDN and NFV, both projects have sub-modules or related projects for integrating network virtualization (OpenDove for OpenDaylight, OpenVirteX for ON.LAB). It is worth noting that the Chinese vendors H3C and Huawei are both members of OpenDaylight, and Huawei is also a member of ONOS.

1.3.3 SDN Progress at Traditional Vendors

Hardware and software vendors alike hope that SDN technology, represented by OpenFlow, will transform the underlying networks of data centers and cloud computing systems. The traditional vendors, by contrast, face an awkward situation: on one hand, it is precisely their closed, complex products and solutions that have brought them enormous commercial benefit; on the other hand, that same closedness and complexity has become a roadblock for many customers trying to build agile networks, and if they do nothing in the trend toward open networking they may quickly lose their position as market leaders. Cisco and Juniper have therefore each proposed their own SDN solutions. The two are very similar in concept: both use existing network devices together with proprietary control protocols, such as XMPP and OpFlex, to achieve automated device control and network operations.

As the saying goes, "all roads lead to Rome": whatever achieves network operations automation is SDN. Although SDN controllers differ in implementation, as long as a solution provides a unified northbound interface, an SDN application orchestrating services at the application layer need not care which controller is actually in use and can still get the job done. In practice, however, one often finds that the northbound interfaces of different vendors' SDN controllers differ greatly. Take a traffic-redirection operation as an example: some vendors' SDN controllers expose a ready-made API for it, while many open-source and commercial controllers have no such API, so the developer must wrap it themselves, calling in turn the lower-level operations of topology retrieval, routing decision and traffic steering; in a traditional ACI environment it is more complex still, since the developer must understand concepts such as EPG (End Point Group) and Contract and implement the operation programmatically through VLAN configuration or route pointing. These differences undoubtedly steepen the learning curve for SDN developers and make adapting SDN applications harder.
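To make the northbound-interface gap described above concrete, here is an added example written for this edition; it is not code from the book, nor the API of any real controller such as OpenDaylight, ONOS or ACI. It is a small Python adapter that gives an SDN security application one uniform "redirect this flow through an inspection node" verb. The two controller classes, their method names, and the four-switch topology with its host and IDS attachment ports are all constructed assumptions. Against a hypothetical controller that already exposes a redirect verb, the adapter simply calls it; against one that exposes only topology retrieval and flow installation, the adapter composes the operation itself from the three steps the text names: topology retrieval, shortest-path routing decision and per-hop flow-rule installation (traffic steering).

```python
"""Added example: a uniform 'redirect flow via inspection node' northbound verb.

Everything here is constructed for illustration: the controller classes, the
method names and the topology are hypothetical, not any real controller's API.
"""
from collections import deque

# Constructed four-switch topology: switch -> {neighbour switch: local out port}
TOPOLOGY = {
    "s1": {"s2": 2, "s3": 3},
    "s2": {"s1": 1, "s4": 2},
    "s3": {"s1": 1, "s4": 3},
    "s4": {"s2": 2, "s3": 3},
}
# Constructed host attachment points: ip -> (switch, port); 10.0.0.9 is the IDS.
HOST_PORTS = {"10.0.0.1": ("s1", 1), "10.0.0.2": ("s4", 1), "10.0.0.9": ("s3", 2)}


def shortest_path(topology, src, dst):
    """Breadth-first search; returns the list of switches from src to dst."""
    parent = {src: None}
    queue = deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = []
            while node is not None:
                path.append(node)
                node = parent[node]
            return path[::-1]
        for nxt in topology[node]:
            if nxt not in parent:
                parent[nxt] = node
                queue.append(nxt)
    raise ValueError(f"no path from {src} to {dst}")


def leg_rules(topology, path, first_in_port, last_out_port, match):
    """Per-hop flow rules for one leg of a path. Every rule also matches
    in_port, so the two legs that meet on the IDS switch do not collide:
    traffic arriving from the network goes to the IDS port, and traffic
    returning from the IDS port continues toward the destination."""
    rules = []
    in_port = first_in_port
    for i, sw in enumerate(path):
        if i == len(path) - 1:
            out_port = last_out_port
        else:
            nxt = path[i + 1]
            out_port = topology[sw][nxt]
        rules.append({"switch": sw, "match": dict(match, in_port=in_port),
                      "out_port": out_port})
        if i < len(path) - 1:
            in_port = topology[nxt][sw]  # port on nxt that faces sw
    return rules


def build_redirect_rules(topology, host_ports, src_ip, dst_ip, via_ip):
    """Routing decision + steering: rules carrying src->dst through the IDS."""
    src_sw, src_port = host_ports[src_ip]
    dst_sw, dst_port = host_ports[dst_ip]
    via_sw, via_port = host_ports[via_ip]
    match = {"ipv4_src": src_ip, "ipv4_dst": dst_ip}
    leg1 = shortest_path(topology, src_sw, via_sw)
    leg2 = shortest_path(topology, via_sw, dst_sw)
    return (leg_rules(topology, leg1, src_port, via_port, match)
            + leg_rules(topology, leg2, via_port, dst_port, match))


class PrimitiveController:
    """Hypothetical controller exposing only topology and flow installation."""
    def __init__(self, topology, host_ports):
        self.topology, self.host_ports = topology, host_ports
        self.installed = []

    def get_topology(self):
        return self.topology

    def get_host_ports(self):
        return self.host_ports

    def install_flow(self, rule):
        self.installed.append(rule)


class RichController(PrimitiveController):
    """Hypothetical controller whose northbound API already has a redirect verb."""
    def redirect_flow(self, src_ip, dst_ip, via_ip):
        rules = build_redirect_rules(self.topology, self.host_ports,
                                     src_ip, dst_ip, via_ip)
        for rule in rules:
            self.install_flow(rule)
        return rules


class RedirectAdapter:
    """The one verb a security application calls, whatever controller sits below."""
    def __init__(self, controller):
        self.ctl = controller

    def redirect(self, src_ip, dst_ip, via_ip):
        if hasattr(self.ctl, "redirect_flow"):      # controller offers it directly
            return self.ctl.redirect_flow(src_ip, dst_ip, via_ip)
        rules = build_redirect_rules(self.ctl.get_topology(),  # topology retrieval
                                     self.ctl.get_host_ports(),
                                     src_ip, dst_ip, via_ip)   # routing decision
        for rule in rules:                                     # traffic steering
            self.ctl.install_flow(rule)
        return rules


if __name__ == "__main__":
    for ctl in (PrimitiveController(TOPOLOGY, HOST_PORTS),
                RichController(TOPOLOGY, HOST_PORTS)):
        for rule in RedirectAdapter(ctl).redirect("10.0.0.1", "10.0.0.2", "10.0.0.9"):
            print(type(ctl).__name__, rule)
```

The detail worth noticing is the in_port match on the IDS switch: without it, the rule that sends traffic into the IDS and the rule that forwards the returned traffic onward would have identical match fields, and the flow would either loop back into the IDS or never leave it. On a real controller the same composition has to be written once per northbound API, which is exactly the adaptation burden the text describes.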
