
Page | 1

White Paper

The Service-Aware Data Center Using DPI and Layer 7 Intelligence to Create a Service-Aware Data Center

May 2014


Contents

Overview: The Challenges for Data Center Operators
The Opportunity: Leverage DPI to Create a Service-Aware Data Center
The Next Step in Virtualization: Service-Aware Network Virtualization
Creating Layer 7 Intelligence with a DPI Module Integrated with vSwitch
    The principle
    The benefits
Creating Layer 7 Intelligence with a Service Classifier
Historical Architecture: DPI in Network Appliances
Vision of the Future: DPI and Layer 7 Intelligence Embedded in Server Infrastructure
Use Cases
    Example of Use Case: SLA Monitoring (the challenge, the solution, the benefits)
    Example of Use Case: Optimization of L4-7 Service Chaining (the challenge, the solution, the benefits)
    Example of Use Case: WAN Optimization & QoS (the challenge, the solution, the benefits)
Conclusion


Overview: The Challenges for Data Center Operators

Data center operators are under pressure to optimize operating expenses (Opex) such as electricity consumption and personnel costs. They are also looking for ways to minimize capital expenditure (Capex), in the form of the number of physical servers, and need to optimize capacity planning in order to predict and adjust investments. In addition, the ROI of networking appliances is difficult to evaluate, since part of the equipment has to be replaced or upgraded as traffic grows. Lastly, data center operators must comply with customer Service Level Agreements (SLAs) related to bandwidth, application response time, or protecting their customers' servers against cyber-attacks (e.g. DDoS). This paper describes how virtualization combined with Deep Packet Inspection (DPI) can help address these challenges.

The Opportunity: Leverage DPI to Create a Service-Aware Data Center

There is a strong industry trend toward virtualizing data centers according to the principles of the Software-Defined Data Center (SDDC): virtualized compute, virtualized storage, and virtualized networking, all using hardware from different vendors and controlled with end-to-end orchestration and automation software. The Holy Grail is to reach a situation where "any service can run on any server".

DPI is a technology which extracts detailed traffic information in real time, in the form of an Application Identification (App ID) and associated metadata for each application protocol. DPI has been widely used as information middleware inside next-generation firewalls, WAN optimization equipment, etc., and is now becoming a key technology for optimizing IT infrastructure. Thanks to DPI, network functions and applications gain "service-awareness": they get a better understanding of the nature of traffic flows in real time and can be programmed to act and react in an optimal manner to optimize, secure and monetize network traffic.

By moving DPI from point products to the server-based, horizontal infrastructure of a data center, the technology has the potential to become a shared resource which can be used by all network devices and applications. Technically, the DPI software resides in the hypervisor, is integrated with the vSwitch, and provides real-time, detailed understanding of traffic up to OSI layer 7, creating full service-awareness up to the application level. As illustrated later in a couple of use cases, the benefits include reduced Opex and Capex, optimized capacity planning, and easier compliance with SLAs. This combination of SDDC and DPI creates the "Service-Aware Data Center".

SDDC + DPI = Service-Aware Data Center


The Next Step in Virtualization: Service-Aware Network Virtualization

Server virtualization was introduced nearly 15 years ago, and was followed by storage virtualization a few years later. Network virtualization is a more recent trend, and the next logical step is to extend the visibility it provides up to layer 7 by embedding DPI software in the hypervisor, thereby creating "Service-Aware Network Virtualization". As an example, this service-awareness can resolve network resource conflicts: without service-awareness, it is difficult to differentiate between YouTube and business-critical SAP traffic, so these services may get the same network resources and priority. With service-awareness, SAP can be assigned more network resources (or a higher priority) than YouTube.

Figure: The Next Step in Virtualization: Service-Aware Network Virtualization

Creating Layer 7 Intelligence with a DPI Module Integrated with vSwitch

Layer 7 intelligence is created by DPI software which first decodes the traffic and then feeds the results, in the form of application information and metadata, to different functions for consumption. As a first step, the DPI software uses a combination of techniques to analyze and classify network traffic:

- Regular expression (regex) matching
- Binary decoding
- Behavioral flow recognition
- Statistical flow recognition

In a second step, the DPI software conveys service information to other functions:

- Through a software API (classic approach)
- Or by acting as a service classifier that enriches the traffic itself (new)

An interesting option is to implement DPI as a software module, integrated with the vSwitch inside a hypervisor.
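The two-step pipeline above (classify a flow with several techniques, then hand the App ID and metadata to a consumer) can be sketched in code. The block below is an added example written for this page, not Qosmos code. It implements three of the four listed techniques: regex matching for HTTP, binary decoding of a TLS ClientHello to pull out the SNI, and a byte-entropy statistic as the fallback (behavioral recognition, which needs state across many flows, is omitted). The Flow and Classification types, the 7.0 bits-per-byte threshold and all sample flows are assumptions constructed for the demonstration.

```python
# Toy DPI classifier: regex matching, binary decoding, statistical fallback.
# Added example, not Qosmos code; every flow below is a constructed sample.
import math
import re
import struct
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    payloads: list          # client-to-server payloads, in order

@dataclass
class Classification:
    app_id: str             # App ID handed to the vSwitch or an API consumer
    method: str             # technique that produced the verdict
    metadata: dict = field(default_factory=dict)

# Regex matching: HTTP request line and Host header, independent of port.
HTTP_REQ = re.compile(rb"^(GET|POST|PUT|HEAD|DELETE) (\S+) HTTP/1\.[01]\r\n")
HTTP_HOST = re.compile(rb"\r\nHost: ([^\r\n]+)", re.IGNORECASE)

def parse_tls_client_hello(data: bytes):
    """Binary decoding: {'sni': name} for a TLS ClientHello, else None."""
    if len(data) < 5 or data[0] != 0x16:                     # record type 22
        return None
    body = data[5:5 + struct.unpack("!H", data[3:5])[0]]
    if len(body) < 4 or body[0] != 0x01:                     # ClientHello
        return None
    hs = body[4:4 + int.from_bytes(body[1:4], "big")]
    pos = 2 + 32                                             # version + random
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                       # session_id
    if len(hs) < pos + 2:
        return None
    pos += 2 + struct.unpack("!H", hs[pos:pos + 2])[0]       # cipher_suites
    if len(hs) < pos + 1:
        return None
    pos += 1 + hs[pos]                                       # compression_methods
    sni = None
    if len(hs) >= pos + 2:
        end = pos + 2 + struct.unpack("!H", hs[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= min(end, len(hs)):
            etype, elen = struct.unpack("!HH", hs[pos:pos + 4])
            edata = hs[pos + 4:pos + 4 + elen]
            pos += 4 + elen
            if etype == 0 and len(edata) >= 5:               # server_name
                name_len = struct.unpack("!H", edata[3:5])[0]
                sni = edata[5:5 + name_len].decode("ascii", "replace")
    return {"sni": sni}

def byte_entropy(data: bytes) -> float:
    """Statistical feature: Shannon entropy in bits per byte (8.0 = uniform)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def classify(flow: Flow) -> Classification:
    """Try the cheap regex first, then binary decoding, then statistics."""
    first = flow.payloads[0] if flow.payloads else b""
    m = HTTP_REQ.match(first)
    if m:
        host = HTTP_HOST.search(first)
        return Classification("http", "regex", {
            "method": m.group(1).decode(), "path": m.group(2).decode(),
            "host": host.group(1).decode() if host else None})
    tls = parse_tls_client_hello(first)
    if tls is not None:
        return Classification("tls", "binary", tls)
    ent = byte_entropy(b"".join(flow.payloads))
    # Assumed threshold: above 7 bits/byte the payload looks encrypted or compressed.
    app = "unknown-encrypted" if ent > 7.0 else "unknown"
    return Classification(app, "statistical", {"entropy": round(ent, 2)})

def build_client_hello(sni: str) -> bytes:
    """Constructed sample ClientHello: one cipher suite, SNI extension only."""
    name = sni.encode()
    ext_data = struct.pack("!HBH", len(name) + 3, 0, len(name)) + name
    ext = struct.pack("!HH", 0, len(ext_data)) + ext_data
    hs_body = (b"\x03\x03" + bytes(32) + b"\x00" + struct.pack("!H", 2)
               + b"\x13\x01" + b"\x01\x00" + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(hs_body).to_bytes(3, "big") + hs_body
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs

# Constructed flows: HTTP on 8080 and opaque bytes on 443, so a port-based
# classifier would mislabel both.
SAMPLE_FLOWS = [
    Flow("10.0.1.5", "10.0.2.9", 8080,
         [b"GET /sap/bc/gui HTTP/1.1\r\nHost: erp.example.internal\r\n\r\n"]),
    Flow("10.0.1.6", "203.0.113.7", 443, [build_client_hello("www.example.com")]),
    Flow("10.0.1.7", "198.51.100.3", 443, [bytes(range(256)) * 4]),
]

if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow.dst, flow.dport, classify(flow))
```

The classifier never looks at the destination port, which is what lets it label the HTTP flow on 8080 and the opaque flow on 443 correctly. Two caveats a consumer of these verdicts should keep in mind: the SNI is whatever the client chose to send, and the entropy fallback only says "looks encrypted", so App ID and metadata are hints for steering and QoS, not evidence of who the endpoint is.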


The principle

A DPI software module is integrated with the virtual switch to provide detailed, real-time traffic intelligence. The module classifies flows up to layer 7 and extracts additional information in the form of metadata. This application and protocol information is conveyed either in-band (e.g. using packet tagging) or out-of-band, by feeding it to another function through an API.

The benefits

Shared, real-time traffic intelligence up to layer 7, and consistent DPI analysis for use across the network.

Creating Layer 7 Intelligence with a Service Classifier

Today, DPI typically takes the form of software libraries, which application developers use to embed L7 intelligence into their products. The DPI software feeds service information to each product through APIs, without interfering with the traffic flow. When implemented in a hypervisor, a DPI module acts as a service classifier conveying application and protocol information to functions hosted in the hypervisor. In a new approach, DPI software at the ingress could enrich traffic with L7 intelligence, for use across a local or distributed cloud infrastructure. In this case, service information is placed within the traffic, using principles such as those discussed in the IETF working group on Service Function Chaining (SFC). The DPI module then acts as a service classifier for all functions and products (e.g. switches and hosts) able to read the service information embedded in the traffic. See the figure below for an example.

Figure: Creating Layer 7 Intelligence with Service Classifiers (Source: Huawei)


Historical Architecture: DPI in Network Appliances

Historically, different DPI engines have been embedded in different network appliances such as service routers, load balancers, firewalls, and other WAN optimization equipment. DPI uses significant compute resources, leading to higher total Opex and Capex. In addition, DPI formats are inconsistent, which means that the same traffic may be treated differently by different devices in the network or require more complex network management. Scalability is expensive and time-consuming, since each network appliance has to be upgraded separately and physically. Other downsides include step-function upgrades, suboptimal capacity planning, and forced overprovisioning of resources.

Figure: Historical architecture with DPI integrated in network appliances

Vision of the Future: DPI and Layer 7 Intelligence Embedded in Server Infrastructure

As data centers evolve, more networking functions will gradually be virtualized and some functions may even be consolidated in order to optimize the overall architecture. In the ultimate stage, all the intelligence could be embedded in the server infrastructure, where vSwitches augmented with DPI could act as service classifiers and tag packets with information used by different functions in the network: routers, switches, load balancers, application delivery controllers, firewalls, IPS, and applications. Leveraging DPI as a shared resource in this way reduces Opex and Capex, since it requires fewer total compute resources. In addition, the service-awareness embedded at the server infrastructure level facilitates capacity planning and optimizes resources. Lastly, the standardized, consistent DPI format means that a given type of traffic is always treated the same way across the network, increasing overall efficiency and facilitating system management.


At a macro level, vendors and data center architects are increasingly designing solutions based on components linked by APIs. Therefore, it makes sense to implement DPI software in new form factors, such as modules integrated with vSwitches.

Figure: Service-Aware Architecture with DPI and Layer 7 Intelligence in Server Infrastructure

Use Cases

At this early stage of market development, use cases are still being defined. So far, discussions confirm that there is a need for significantly improved traffic intelligence in virtual environments: both to increase information resolution from layer 4 up to layer 7, and to regain the traffic understanding that degrades when moving from a physical to a virtualized architecture. Initial use cases therefore revolve around traffic monitoring, optimization and security. The success and timing of each use case will become clear over time, based on regular discussions with suppliers and service providers.

An initial, practical way to inject L7 intelligence into data center traffic is to use the existing Type of Service (TOS) byte of the IPv4 header, whose upper six bits carry the DiffServ Code Point (DSCP). The Qosmos SAM DPI module classifies traffic and feeds the results to the vSwitch, which assigns a DSCP value per Class of Service (voice, video, P2P, ERP, etc.). Existing network elements such as routers can then be programmed to use these DSCP values to enforce Quality of Service (QoS) rules per type of traffic. This means that routers and switches can immediately be augmented with layer 7 intelligence, without any upgrades and using existing management systems (an orchestrator and controller are optional at this stage). One point to keep in mind: the DSCP field can also be written by the sending VM, so the vSwitch should set it from the DPI verdict on ingress rather than honour whatever value arrives; otherwise a tenant could claim a better class of service than its traffic warrants. As the market evolves, we foresee additional, more sophisticated use cases, as described below.
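The DSCP approach just described, as an added example written for this page and not Qosmos code: given a classified App ID, the block maps it to a class of service, overwrites the DSCP bits of the IPv4 DS field while preserving the two ECN bits, and recomputes the header checksum so downstream routers accept the packet. The App-ID-to-class and class-to-DSCP tables are an assumed operator policy (the code points themselves are the standard EF, AF41, AF31 and CS1 values), and the packet is a constructed sample in which a tenant VM has already marked its own traffic EF.

```python
# DSCP remarking of a classified flow in the IPv4 DS field, with checksum fix.
# Added example, not Qosmos code; tables are an assumed policy, packet is constructed.
import socket
import struct

# Assumed operator policy using standard PHB code points:
# EF = 46, AF41 = 34, AF31 = 26, CS1 = 8, best effort = 0.
DSCP_BY_CLASS = {"voice": 46, "video": 34, "erp": 26, "p2p": 8, "default": 0}
CLASS_BY_APP = {"sip": "voice", "rtp": "voice", "youtube": "video",
                "sap": "erp", "bittorrent": "p2p"}

def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over 16-bit words; returns 0 for a valid header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def header_length(packet: bytes) -> int:
    return (packet[0] & 0x0F) * 4          # IHL is in 32-bit words

def dscp_of(packet: bytes) -> int:
    return packet[1] >> 2                   # upper six bits of the TOS byte

def checksum_ok(packet: bytes) -> bool:
    return ipv4_checksum(packet[:header_length(packet)]) == 0

def remark_dscp(packet: bytes, app_id: str) -> bytes:
    """Set DSCP from the App ID. The value the sending VM wrote is ignored on
    purpose: any guest can mark its own packets EF, so the vSwitch, as the
    trust boundary, remarks rather than honours what arrives."""
    ihl = header_length(packet)
    dscp = DSCP_BY_CLASS[CLASS_BY_APP.get(app_id, "default")]
    hdr = bytearray(packet[:ihl])
    hdr[1] = (dscp << 2) | (hdr[1] & 0x03)  # keep the two ECN bits untouched
    hdr[10:12] = b"\x00\x00"                # zero the checksum, then recompute
    hdr[10:12] = struct.pack("!H", ipv4_checksum(bytes(hdr)))
    return bytes(hdr) + packet[ihl:]

def build_ipv4(src: str, dst: str, tos: int, payload: bytes = b"") -> bytes:
    """Constructed sample IPv4 packet (protocol 6) with a caller-chosen TOS byte."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, tos, 20 + len(payload), 0x1234,
                      0x4000, 64, 6, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload

# Constructed sample: a tenant VM marked its BitTorrent traffic EF (46), ECN bit 0x01 set.
TENANT_PACKET = build_ipv4("10.0.1.7", "198.51.100.3", (46 << 2) | 0x01, b"\x00" * 8)

if __name__ == "__main__":
    out = remark_dscp(TENANT_PACKET, "bittorrent")
    print("dscp before", dscp_of(TENANT_PACKET), "after", dscp_of(out),
          "checksum ok", checksum_ok(out))
```

Only the header is rewritten; the payload and any transport checksum are untouched, because the TCP/UDP pseudo-header does not cover the TOS byte. An App ID with no policy entry falls back to best effort, which is the safe default when a classifier cannot say what a flow is.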


Example of Use Case: SLA Monitoring

The challenge

Ensure Service Level Agreements (SLAs) for data center and cloud service customers. SLAs could be related to bandwidth, application response time, security, etc.

The solution

A DPI module integrated with the virtual switch is used to monitor traffic between VMs, and between VMs and the physical network. The vSwitch uses information from the DPI module to apply traffic steering or other actions based on the classified flows.

The benefits

Data center operators get new network troubleshooting capabilities, including detailed traffic visibility for VM-to-VM communication. It becomes easier to comply with SLAs thanks to proactive actions based on layer 7 intelligence from the DPI module.

Example of Use Case: Optimization of L4-7 Service Chaining

The challenge

Today, all traffic typically goes through all services, and the provisioning of policies and rules is manual and inflexible. There is a requirement to optimize the number and sequence (chain) of service functions needed to process network traffic.

The solution

The Qosmos Service Aware Module (SAM) generates App ID and metadata to enable service classification. The vSwitch combines information from the SAM with policies and rules to dynamically steer traffic to only the relevant L4-7 services, in the right sequence.

The benefits

The sequence and number of services can be optimized dynamically. In addition, centralized management benefits from consistent traffic information in a single format. Overall processing cost is reduced thanks to the consolidation of DPI technology onto the SAM at the hypervisor level.
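How a vSwitch might turn App ID plus metadata and a rule set into a per-flow chain, as an added example written for this page (not Qosmos code and not an implementation of the SAM): each rule is a predicate over the classification plus the services it requires, the chain is the union of what the matching rules ask for, and a canonical stage order guarantees the sequence (firewall before WAF, WAN optimizer before load balancer). The service names, rules, stage order and the sample classifications are all assumptions standing in for an operator's policy set.

```python
# Policy-driven L4-7 service chain selection from App ID and metadata.
# Added example, not Qosmos code; rules, stages and samples are assumptions.
from dataclasses import dataclass
from typing import Callable, Dict, List

# Canonical order every chain is a subsequence of (assumed operator policy).
STAGE_ORDER = ["firewall", "ids", "waf", "wan-optimizer", "load-balancer"]

@dataclass(frozen=True)
class Rule:
    name: str
    match: Callable[[str, Dict], bool]     # predicate over (app_id, metadata)
    services: List[str]

RULES = [
    Rule("baseline", lambda app, md: True, ["firewall"]),
    Rule("web-frontend", lambda app, md: app == "http", ["waf", "load-balancer"]),
    Rule("tls-frontend", lambda app, md: app == "tls"
         and (md.get("sni") or "").endswith(".example.internal"), ["load-balancer"]),
    Rule("opaque", lambda app, md: app.startswith("unknown"), ["ids"]),
    Rule("inter-dc", lambda app, md: md.get("remote_dc") is True, ["wan-optimizer"]),
]

def static_chain() -> List[str]:
    """The 'before' state the paper describes: every flow visits every service."""
    return list(STAGE_ORDER)

def build_chain(app_id: str, metadata: Dict) -> List[str]:
    """Union of the services required by every matching rule, emitted in
    canonical order so that, e.g., the firewall always precedes the WAF."""
    wanted = set()
    for rule in RULES:
        if rule.match(app_id, metadata):
            wanted.update(rule.services)
    unknown = wanted - set(STAGE_ORDER)
    if unknown:          # a rule naming an unregistered service is a policy bug
        raise ValueError(f"services without a stage position: {sorted(unknown)}")
    return [s for s in STAGE_ORDER if s in wanted]

def hops_saved(app_id: str, metadata: Dict) -> int:
    return len(static_chain()) - len(build_chain(app_id, metadata))

# Constructed classification results, as a vSwitch-resident DPI module might emit.
SAMPLES = {
    "http-from-dc2": ("http", {"host": "erp.example.internal", "remote_dc": True}),
    "tls-to-erp":    ("tls", {"sni": "erp.example.internal"}),
    "tls-to-web":    ("tls", {"sni": "www.example.com"}),
    "opaque-443":    ("unknown-encrypted", {"entropy": 8.0}),
}

if __name__ == "__main__":
    for name, (app, md) in SAMPLES.items():
        print(f"{name:14} {build_chain(app, md)}  (saves {hops_saved(app, md)} hops)")
```

The baseline rule makes the firewall unconditional, so a misclassified or unknown flow can only be routed through fewer optional services, never around the mandatory one; that is the property to check in any real rule set before letting DPI verdicts shorten a chain.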


Example of Use Case: WAN Optimization & QoS

The challenge

Optimizing network traffic between data centers in different locations typically requires WAN optimization systems at the edge, which may be costly and difficult to scale.

The solution

Complement WAN optimization systems with DPI modules integrated with the vSwitches residing in the servers. The DPI modules act as service classifiers, using packet tagging to convey App ID and metadata for use by routers and switches in the network.

The benefits

Lower Capex and Opex, by replacing some WAN optimization systems with lower-cost DPI integrated with the vSwitch. Facilitated capacity planning: equipment is easier to manage and to scale, and it is easier to comply with customer SLAs.

Conclusion

Future data centers can become completely service-aware by adding layer 7 intelligence directly to the server infrastructure. This real-time, application-level intelligence is created by DPI software integrated with virtual switches residing in hypervisors, deployed at strategic points in the data center, feeding analytics systems and networking functions with layer 7 information. For data center operators, the service-aware data center brings a number of benefits in the form of reduced Opex and Capex, enhanced capacity planning, and easier compliance with customer SLAs.


www.qosmos.com

© 2014 Qosmos. All rights reserved.