Comments on Out of Nillo's mind: IP Networks & Operating Systems - Virtualization is a means to an end, not the goal
Comment feed last updated 2023-09-16T17:11:00.826+02:00 (4 comments, shown in the order they were posted)

---

Brad Hedlund (https://www.blogger.com/profile/08007096785565644904), 2014-04-06T16:42:00.892+02:00

Hi Juan,
I really liked the post. You bring up some good points, a couple of which I'd disagree with however. For instance, when you consider that (in the software approach) a network function (e.g. Firewall) is simultaneously distributed across many edge x86 hypervisor CPUs in parallel, I have argued that approach actually has orders of magnitude better performance than the classic hardware based model where the function is anchored to a single hardware box. Some simple math to support that: if you have 100 hypervisors each with 10GE, you have a 1 Terabit Firewall. Show me a 1 Terabit Firewall in hardware; I don't know that one exists.

Software based networking is much different now than it was 5 years ago, largely because of the convergence of virtualization and distributed systems. To describe software networking as just putting what was once in hardware into a VM is an obsolete point of reference.

Cheers,
Brad

---

Nillo (https://www.blogger.com/profile/17721867360338634399), 2014-04-06T19:27:05.939+02:00

Thanks for your comment Brad. I actually think that the example you call out further proves my point. First let me clarify that I am not a security expert at all, but many of my security colleagues tell me that the word "firewall" is heavily abused in the industry. Most people today aren't talking about firewall anymore, and they seem to be talking more about NGFW instead. But in either case, FW or NGFW, it refers to doing a whole lot more than packet filtering (be it stateful or stateless).

As for your question, there are actually some vendors claiming 1Tbps firewalls in hardware (and for a couple of years already). And again, a "firewall" today integrates IPS-IGS, CGN, etc … (albeit when you add it all together that 1Tbps probably is more of a marketing figure …).

But you bring the point of putting 100 servers to perform the function compared to an appliance. But you can also put 10 appliances and you keep your 100 servers performing compute for applications. See? The scale-out works at all levels, not just at the hypervisor level. On a single node level, hardware is orders of magnitude ahead, and because you can also scale out, the math remains.

Putting the firewall at the host level isn't anything new either. It is a design choice. As you distribute more and more firewall features the solution is further complicated to code. Also, how much code and sophistication do you want to put at the hypervisor level? The more you put, the less stable the hypervisor will be. There are also operational concerns … if your firewall code runs on 1,000 nodes, updating, patching, etc. has to be done … well … on 1,000 nodes. You also have to consider that the cores and bandwidth you use for that firewall aren't free (even less so if you have to pay virtualisation licenses to run it, although that depends on the virtualisation vendor).

"To describe software networking as just putting what was once in hardware into a VM is an obsolete point of reference."

How is this an obsolete point of reference? Conceptually, how is doing a packet lookup to perform an L3/4 decision any different?

In any case, the point I am making is that it doesn't matter. What matters is what applications need in terms of isolation, policy and connectivity. That is what matters. Regardless of where those applications live, be it a bare metal server, a container or a VM.
Then, if your physical network provides for what you need, it makes little sense to spend CPU cycles doing any networking at the host level.

---

Carl Fugate (https://www.blogger.com/profile/01551765914159978482), 2014-04-07T17:22:27.174+02:00

I too agree with your point that we have the technology in the network stack and that with the right tools and protocols we have the same abilities, but I agree with Brad that it makes more sense to push all of this work down to a distributed cluster of resources that enables us to scale out larger, and at the same time have a very good handle on the costs as it's just more compute resources.

My take on the value of SDN is that it will enable us to deploy Network Services much faster and at the same time reduce the huge initial capital outlays we make by enabling us to truly pay as we grow, just like we do with compute. We will finally also be able to accurately measure and bill for the Network resources you use as well, without trying to slice up the Network devices into chunks that vary depending on what features you turn on and use.

---

Nillo (https://www.blogger.com/profile/17721867360338634399), 2014-04-07T20:46:42.712+02:00

Thanks for reading and for taking the time to comment Carl. I think it all depends on specific functions and requirements. I certainly do not think that pushing out all network functions to a software stack is necessarily more cost effective. Again, imho, what can be done on a network that you have to pay for anyways should be done there. Just like what can be done on an OS+CPU should be done there, not relying on an extra software layer. On the firewall function specifically, I do not dispute the interest in putting that function into a software stack and using a scale-out model. There's a lot of work being done to enable proper redirection for service insertion that works for bare metal, virtual and container approaches. Where and how you do that is a matter of implementation, again with merits on every approach.