The challenges of creating and enforcing policies across the WAN

Why enforcing consistent policies across the WAN remains elusive.

"If you serve too many masters, you'll soon suffer." – Homer

Until recently, networks were strictly built based on how the underlying transmission topologies were laid out. Some mechanisms, such as Traffic Engineering, were used to influence path selection between service nodes, but this information was commonly available to every node along the path. In other words, every networking device from source to destination needed to be programmed to permit or deny traffic flowing between two endpoints and make completely autonomous decisions. From a policy standpoint, the network was tasked with controlling traffic flows between users and services based on IP sources and destinations. Business users accessed their services from centralized data centers, which hosted all applications.

The legacy protocols used by traditional networks are all designed to address the narrow scope of providing connectivity across relatively fixed topologies. They are typically based on pair-wise adjacencies, with each router having local autonomy, as shown in figure 1 below. Providing connectivity across a network topology is a fundamental requirement, but does little to support higher-level needs, such as enforcing business-related policies.

As a result, fixed network topologies based on narrow and mission-specific protocols pose significant challenges for network administrators who are asked to manage connectivity and control from a business-layer perspective, primarily because they impose a large administrative burden.

That's because they involve a large number of enforcement points, each with a significant number of static data policies that must be constructed and applied using techniques known to be error-prone and time-consuming. For certain tools, policies must be applied in the forwarding plane for all traffic, resulting in performance penalties at crucial portions of the network. Also, policy constructs that are hard to verify upfront can potentially cause undesired effects downstream.

Figure 1: Traditional Autonomous Decision Network Infrastructure

In contrast, new software-defined networking (SDN) approaches are enabling organizations to move away from traditional pair-wise adjacencies. This model uses centralized controllers to host and manage all adjacencies established with nodes in the network, which provides flexibility in the creation and enforcement of policies. Since each device peers only with the controllers for connectivity and control-plane policies, the data paths between service nodes can be dynamically adjusted based on the controller's overall visibility into network conditions. As shown in figure 2, each router advertises its local information to the controller. This allows data flows to be easily manipulated by the central controller using policies enforced at every local router.

Figure 2: Controller-based Centralized Enforcement Network Infrastructure

In this architecture, there is no longer a pair-wise adjacency between R1 and R4, only a pure data plane path. Therefore, the central controller can easily control and modify traffic flows. For example, it can designate either that all the prefixes from R1 are advertised to R4 via R3, or that certain prefixes are advertised to R4 via R3 while others are advertised directly from R1, where R3 could be a point of application for a firewall policy. This dramatically reduces the volume of data plane policies that would otherwise need to be implemented for each pair-wise adjacency at each router using traditional networking protocols.

With the advent of cloud-based services, there is a serious and rapidly increasing need for dynamic policy-driven networking. Most enterprise IT organizations find themselves under pressure to provide SaaS-based services to users located across remote offices. In this context, not all users are created equal. For example, in the same branch there could be employees from different lines of business that need to access services in the cloud. Depending on policy, a retail-banking user may take a local exit to access a cloud-based application such as Office 365, but this may not be permitted for investment banking users belonging to the same branch network.
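As an added illustration (not the article's own code), the following toy Python controller models both scenarios above: a constructed R1/R3/R4 topology in which R3 is the firewall node, and constructed line-of-business intents for a branch whose traffic enters at R1. It compiles the intents into per-router next-hop rules, rejects conflicting intents, and checks up front that every flow required to be inspected actually traverses the firewall; the router names, prefixes and line-of-business labels are assumptions.

```python
from collections import deque

# Constructed topology after figure 2: R1 reaches R4 directly or via R3, the firewall point.
TOPOLOGY = {"R1": {"R3", "R4"}, "R3": {"R1", "R4"}, "R4": {"R1", "R3"}}
FIREWALL = "R3"

def shortest_path(src, dst):
    """Breadth-first search over TOPOLOGY; returns the hop list (None if unreachable)."""
    prev, queue = {src: None}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            path = [node]
            while prev[path[-1]] is not None:
                path.append(prev[path[-1]])
            return path[::-1]
        for nxt in sorted(TOPOLOGY[node]):
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return None

def compile_policy(intents, src="R1", dst="R4"):
    """intents: (line_of_business, prefix, inspect) triples for src->dst traffic.
    Returns {(lob, prefix): hop list}; inspected flows are pinned through FIREWALL."""
    paths = {}
    for lob, prefix, inspect in intents:
        if inspect:
            path = shortest_path(src, FIREWALL) + shortest_path(FIREWALL, dst)[1:]
        else:
            path = shortest_path(src, dst)
        if paths.get((lob, prefix), path) != path:   # same flow declared both ways
            raise ValueError(f"conflicting intents for {lob} {prefix}")
        paths[(lob, prefix)] = path
    return paths

def next_hop_rules(paths):
    """Per-router rules the controller would push: {router: {(lob, prefix): next_hop}}."""
    rules = {}
    for key, path in paths.items():
        for hop, nxt in zip(path, path[1:]):
            rules.setdefault(hop, {})[key] = nxt
    return rules

def inspected_flows_hit_firewall(paths, intents):
    """Pre-push verification: every flow marked inspect really traverses FIREWALL."""
    return all(FIREWALL in paths[(lob, prefix)] for lob, prefix, inspect in intents if inspect)

# Constructed branch intents: retail banking takes the direct path, investment banking is inspected.
INTENTS = [("retail-banking", "10.1.0.0/16", False),
           ("investment-banking", "10.2.0.0/16", True)]
```

Calling `next_hop_rules(compile_policy(INTENTS))` yields the single rule set R1 and R3 would each receive, replacing the pair-wise configuration the article describes.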

Figure 3: Service Constructs per Vertical

Eliminating the pair-wise control plane for services and replacing it with a centralized control plane helps significantly reduce the network operations overhead and removes the dependency on every component, thus making the network efficient, simple, and easy to operate.

Copyright © 2015 IDG Communications, Inc.