Service Programming

Introduction

In recent years, the field of IT networks has changed fundamentally. New approaches and technologies have been introduced that have radically changed, and will continue to change, the future of this field. The result is modern and dynamic networks that bridge the gap between networks, applications and end users. They enable the development of applications that work closely with the underlying network, creating a network that fully meets the needs of customers. Network services such as firewall systems or intrusion detection/prevention systems have become indispensable and are firmly anchored in computer networks. These services are indispensable today, but they also have a major disadvantage: they are consumed statically. Service programming is one result of this evolution in future networks and solves the problem of static service consumption. It allows the network to be configured dynamically so that network services process client traffic according to its needs. Network services can then be placed anywhere in the network; the service programming application finds the most suitable services according to the traffic characteristics. Thus, networks with integrated service programming become smarter, more economical and prepared for future requirements.

Segment routing as a game changer

Segment Routing (SR) can deliver service programming with a single encapsulation, whereas other solutions require new encapsulations/protocols for the same use case. This makes SR-based service programming a very efficient and elegant solution. SR is stateless: all instructions (segments) are carried in the packet header, so no state is required on any intermediate router. This simplifies routing as a whole and opens up completely new possibilities for steering traffic.

The new approaches with SR have also created completely new use cases. The most interesting one for this project is the ability to create so-called service chains. Service chaining is the targeted chaining of network services. The aim is to allow the customer to configure which network flows should be handled by which services. SR uses the source routing paradigm instead of the destination routing paradigm, i.e. the first router decides through which path the packet should be routed. This paradigm enables the simple definition of the service chain in a so-called SR Service Policy on the SR Policy Headend Router.

Our solution

We can proudly announce that we have developed the Segment Routing Service Programming application, also called SerPro. SerPro allows the customer to program so-called Steering Policies via a dedicated GUI. The customer has the ability to select SR Policy headend, endpoint and metric/algorithm information along with services that are directly deployed on the network. The application automatically calculates the most appropriate path according to the specified parameters. The customer can then deploy this policy on the network if they wish. Traffic is then routed to the destination via the defined services.

The application can react dynamically to changes in the connected network and thus always deliver the best policy matching the changed topology. Consequently, the user can always rely on the data they are working with.
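The path computation described above, as an added example that is not SerPro's own code: a Python model that chains metric-shortest paths from the headend through each requested service, in order, to the endpoint, yields the segment list the headend would encode in the packet header, and recomputes it after a link is withdrawn. The topology, node names and service catalogue are constructed for illustration; the per-hop instance selection is a greedy simplification, not SerPro's algorithm.

```python
import heapq

# Constructed sample topology (not a real network): node -> {neighbour: IGP metric}.
TOPOLOGY = {
    "R1": {"R2": 10, "R3": 10}, "R2": {"R1": 10, "R4": 10, "FW1": 5},
    "R3": {"R1": 10, "R4": 10, "FW2": 6}, "R5": {"R4": 10},
    "R4": {"R2": 10, "R3": 10, "R5": 10, "IDS1": 5},
    "FW1": {"R2": 5}, "FW2": {"R3": 6}, "IDS1": {"R4": 5},
}
# Constructed service catalogue: service type -> nodes hosting an instance.
SERVICES = {"firewall": ["FW1", "FW2"], "ids": ["IDS1"]}


def shortest_path(topo, src, dst):
    """Dijkstra on the IGP metric; returns (cost, path) or (inf, []) if unreachable."""
    dist, prev, heap = {src: 0}, {}, [(0, src)]
    while heap:
        d, u = heapq.heappop(heap)
        for v, w in topo.get(u, {}).items():
            if d + w < dist.get(v, float("inf")):
                dist[v], prev[v] = d + w, u
                heapq.heappush(heap, (d + w, v))
    if dst not in dist:
        return float("inf"), []
    path = [dst]
    while path[-1] != src:
        path.append(prev[path[-1]])
    return dist[dst], path[::-1]


def steering_policy(topo, headend, endpoint, chain):
    """Chain shortest paths headend -> each service in order -> endpoint; returns
    (cost, segment_list, full_path) or None if a hop is unreachable. The segment list
    is what the headend encodes in the packet header; instance choice is greedy per hop."""
    segments, full_path, total = [], [headend], 0
    for hop in list(chain) + [endpoint]:
        cost, path = min(shortest_path(topo, full_path[-1], n)
                         for n in SERVICES.get(hop, [hop]))
        if not path:
            return None
        total, full_path = total + cost, full_path + path[1:]
        segments.append(path[-1])
    return total, segments, full_path


def withdraw_link(topo, a, b):
    """Copy of topo with link a-b removed, e.g. after a link failure the app reacts to."""
    return {n: {v: w for v, w in nb.items() if {n, v} != {a, b}} for n, nb in topo.items()}
```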

Cloud-Native Architecture

Since Segment Routing is nowadays mainly used in large networks, especially in provider networks, the application must handle extremely large topologies and many users. Due to this fact, the application had to be scalable and highly available. Therefore, a cloud-native approach came to the fore. The complete application was developed cloud-native in order to deploy it natively on a Kubernetes cluster, allowing the application to scale quickly and even allowing the possibility to activate autoscaling functions.

Because of the high-availability requirement, most of the core components, such as the messaging system and the caching system, are deployed as clusters. Thanks to these clustered core components, the application can rely on their availability, and all data is accessible to the user at any time.

Customer Value

The application allows the client to manage the various policies from one central location. The granular authorisation structure allows the client to control who is allowed to perform which activities. The constant manual adjustment of the different policies is a thing of the past, thanks to the automatic recalculation and redistribution. With the ability to dynamically route traffic through the various services, services such as a firewall or intrusion detection/prevention system can now be better utilised and centrally deployed in the network.

All functions of the application can be controlled via the standardised application programming interface (API); a front end can display the complete topology and inform the user dynamically about updates. Due to its cloud-native structure, the application can be seamlessly integrated into a cloud environment and scales easily with the size of the network.

Contributors

Severin Dellsperger

INS Institut für Netzwerke und Sicherheit (Institute for Networks and Security)
Network and Research Engineer

+41 58 257 44 76 severin.dellsperger@ost.ch