Software-Defined Networks can shape data packet routes to address border-control regulation and data-privacy fears, claims Dan Pitt, Executive Director, Open Networking Foundation
What is the best way to protect data? Concentrate it? Or spread it about?
If you write your memoirs and lock them in a safe for future generations, then the house could burn down and they are gone forever. But if you publish and sell them, your memoirs could survive a world war.
The Internet was designed to survive a world war by maximizing redundancy – data was not restricted to specific routes but would find its way to the destination by whatever routes were available. This thinking lives on in cloud computing, with redundancy and data backups spread across multiple regions simultaneously to defend against data loss or localized hang-ups.
The problem is that data protection can mean protecting data from loss – in which case the more copies spread about the better – or it can mean keeping data private – in which case the fewer copies the better. IT grew up in closed physical networks linking initially unreliable hardware, so the legacy priority is redundancy and remote backups, and this is reflected in the way the Cloud is developing. Legislators, however, have to reconcile the benefits of free information flow with the values of privacy and individual liberty.
Data sovereignty and border control
“Trans-border data flow” is the legal term for data being stored, transmitted, or processed outside a nation’s borders. The controversial USA PATRIOT Act of 2001 gave US law enforcement agencies powers to intercept data well beyond what is acceptable in some other countries. Indonesia has strict “data sovereignty” laws that require personal information to be kept inside the country’s physical borders. The privacy value of personal data can vary between jurisdictions: sexual orientation or religious beliefs may not be sensitive issues in one country, but could lead to persecution or even imprisonment in another.
There are several approaches to addressing this problem. Strong encryption and ways to hide the identity of data in the Cloud may provide enough protection to satisfy the individual, but they may not comply with data sovereignty legislation – bearing in mind the possibility of other national governments applying their full weight to crack sensitive data. Another method is a hybrid cloud approach, so that critical data is housed and processed on-site while less sensitive data is managed and processed on the cloud architecture.
But knowing where data is being stored is not the whole story. Personal data may be keyed into a PC with some confidence when you know it is being transmitted to a trusted Cloud service, but how does it get there? As mentioned above, the Internet was designed for maximum redundancy and flexibility, so that packets are given a destination, but no restriction on how they reach that destination. The routing is not entirely arbitrary – IP will favour an efficient pathway but heavy traffic, router outages, and line breaks can all impact the actual route taken.
So, even if the start and end points are in the same country, you cannot be certain that the data will not cross and re-cross national borders somewhere along the way. In practical business terms this might not seem an issue, but in terms of legislative compliance it could prove serious.
How could this problem be resolved without a massive rebuild of the global network infrastructure to ensure that every point where data lines cross national borders? Software-Defined Networks could be the answer.
Software-Defined Networks (SDN)
Software-defined networking allows network operators to program a network’s control plane from a central interface, using ordinary programming methods. Instead of having to go into the physical network and reconfigure boxes, general instructions can be sent out across the entire network, or subsections of the network, using the OpenFlow protocol. These instructions are introduced by software written to that programming interface, making the network into “a software-defined network”.
Whereas in a normal router or switch the fast packet forwarding (data path) and the high-level routing decisions (control path) happen in the same device, with OpenFlow-enabled switches these two functions are separated: the data path still resides on the switch, while the high-level routing decisions are moved to a separate controller. OpenFlow switch and controller communicate via the OpenFlow protocol, an industry standard under the auspices of the Open Networking Foundation.
OpenFlow-enabled switches and controllers are already available from multiple vendors, with vendors worldwide increasingly recognizing and supporting the standard. Incorporating these switches into a network makes it easy to adjust routing and switching protocols and optimize performance, and also to provide a way to address specific issues such as high security networking and border control.
On an OpenFlow-enabled network, packets containing personal data that should not cross national borders could be identified and instructions given for them to be routed only via national lines. More detailed routing protocols could increase the number of qualifiers and provide more detailed instructions on permitted and forbidden data pathways. Whatever the need, it can be programmed and updated from a consistent wide view, to keep abreast of regulations as well as public concerns about privacy.
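The controller-side decision described above, as an added example that is not part of the original article or of any ONF software: a constructed five-switch topology labelled by country, a constructed policy mapping a destination prefix to the countries it may transit, and a path search that refuses to enter a switch outside that set. The flow rules it emits are a simplified model of OpenFlow match/action entries, not real OpenFlow messages.

```python
import ipaddress
from collections import deque

# Constructed example topology: switch id -> (country, neighbouring switches).
# s5 is in France and lies on the shortest s1 -> s4 path.
TOPOLOGY = {
    "s1": ("DE", ["s2", "s5"]),
    "s2": ("DE", ["s1", "s3"]),
    "s3": ("DE", ["s2", "s4"]),
    "s4": ("DE", ["s3", "s5"]),
    "s5": ("FR", ["s1", "s4"]),
}

# Constructed policy: traffic to these prefixes may only transit the listed countries.
SOVEREIGNTY_POLICY = {ipaddress.ip_network("10.1.0.0/16"): {"DE"}}

def allowed_countries(dst_ip):
    """Countries traffic to dst_ip may transit, or None if unconstrained."""
    addr = ipaddress.ip_address(dst_ip)
    for net, countries in SOVEREIGNTY_POLICY.items():
        if addr in net:
            return countries
    return None

def find_path(src, dst, countries=None):
    """Breadth-first shortest path that never enters a switch outside `countries`."""
    def permitted(sw):
        return countries is None or TOPOLOGY[sw][0] in countries
    if not (permitted(src) and permitted(dst)):
        return None
    queue, seen = deque([[src]]), {src}
    while queue:
        path = queue.popleft()
        if path[-1] == dst:
            return path
        for nxt in TOPOLOGY[path[-1]][1]:
            if nxt not in seen and permitted(nxt):
                seen.add(nxt)
                queue.append(path + [nxt])
    return None

def flow_rules(src_sw, dst_sw, dst_ip):
    """One match/action rule per switch along a compliant path (simplified model
    of OpenFlow flow entries, not real OpenFlow messages)."""
    path = find_path(src_sw, dst_sw, allowed_countries(dst_ip))
    if path is None:
        return []  # no compliant path: install nothing rather than let packets stray
    return [{"switch": a, "match": {"ipv4_dst": dst_ip}, "action": ("output_to", b)}
            for a, b in zip(path, path[1:])]
```

With the policy in force, traffic to 10.1.0.0/16 from s1 to s4 takes the longer all-German path s1-s2-s3-s4, while unconstrained traffic still takes s1-s5-s4; a destination that itself sits outside the permitted countries gets no rules at all.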
SDN, as a concept, includes more than the OpenFlow protocol. It embraces programmable interfaces, virtualization, and orchestration – with companies offering proprietary SDN solutions – but the significance of OpenFlow is that it is a vendor-agnostic standard. As more OpenFlow switches are installed, regardless of manufacturer, the ability to program the network will spread across the network. Switches can be added one at a time to an existing network, gradually making it more programmable.
OpenFlow is the way forward, even though there is much work to be done to fully exploit the benefits of SDN. Software-based policies can govern everything from border control to energy saving. Separating the control plane from the data plane makes it possible to program the network from a central console, but initially this is still a relatively piecemeal process, like writing a computer program in machine language. But OpenFlow as a standard lays the foundation for a new network software discipline, working towards a high-level language that will make networks as readily programmable as a PC – allowing fundamental changes such as border controls to be selectively broadcast right across the network with just a few keystrokes or automated routines.
The opportunity for carriers
Border control could be a significant market differentiator for Cloud or network services. Organisations severely restricted by privacy legislation cannot enjoy the full benefits of free-flowing data and the efficiencies of the Cloud because of the need to comply, and prove compliance, with the demands of data sovereignty. A service provider that can offer guarantees that data will never stray across certain boundaries, or enter forbidden zones, would find a ready market.
The opportunity is open-ended: what other services could benefit from an ability to shape the logical network structure and routes across it? Low latency is a hot issue in financial circles: although the most critical ultra-low-latency demands can only be met by providing dedicated contention-free channels, there is an equal need to multicast time-sensitive data such as prices to multiple customers, where the critical issue is not so much how quickly it gets there as making sure every customer gets it at exactly the same instant.
SDN is widely recognized as the future of networking – IDC predict it to be worth £1.3 billion by 2016 – but it is a future that starts right now, with industry-standard OpenFlow-enabled switches available from all the top vendors. As it spreads, it increasingly allows the network provider to reshape their network as a logical structure and to seek new ways to increase efficiency, offer better quality of service, and rapidly explore new service opportunities.
More information about SDN and OpenFlow can be obtained from the Open Networking Foundation (ONF), a non-profit industry forum dedicated to accelerating the delivery and use of SDN technologies and standards. For further details visit the ONF website at: http://www.opennetworking.org.