Virtual Networking on the Edge of Adoption
Is this the most interesting networking startup in Silicon Valley? Nicira believes it about to start a revolution in networking which will profoundly change the way your data center operates.
The California-based start-up has finally unveiled its network virtualization platform (NVP), which decouples virtual networks from their underlying physical hardware in the same way that server virtualization platforms decouple virtual machines from the physical servers on which they run.
NVP is a software-only solution that creates an abstraction layer between your servers and your existing physical network, transforming the physical network infrastructure into a pool of network capacity that you can use to create isolated virtual networks to connect workloads in a data center automatically in a matter of seconds.
Lots of looks
The company may be a start-up, but it is attracting attention both because of its technology and the big industry names it has on board: ex-Cisco people like Bruce Davie and Alan Cohen; former Juniper executives like Rob Enns; and backing from investors like Andreessen Horowitz and VMware founder Diane Greene. And let's not forget an early client list of blue chip companies including eBay, AT&T, NTT and Rackspace.
One major selling point for Nicira's system is that no changes are needed to your existing networking hardware infrastructure nor do you need to purchase any additional hardware.
"We don't require rip out and replace and we are completely hardware agnostic," said Alan Cohen, Nicira's vice president of Marketing. "All we need is networking hardware that does IP forwarding. As long as it does that we will work well with it."
Nicira can do this because unlike OpenFlow based systems that require OpenFlow-ready switches, Nicira's system uses the Open vSwitch (OVS) switch software that runs inside the Xen, KVM or ESX hypervisors. In fact, it can also be run in a virtual or physical appliance acting as a gateway to integrate a virtual network with physical servers and legacy virtual LANs (VLANs) and for connecting virtual networks to the Internet. That also means that as your organization expands, you can buy low cost Layer 3 networking hardware instead of premium Cisco or Juniper switches.
" ... from days to minutes."
The main benefit that Nicira promises is increased network agility because you can effectively "spin up" a new network when you create or move virtual machines without your network engineers needing to come in and install or configure new hardware.
"Nicira allows us to repurpose network infrastructure on-demand, and reduces the time it takes us to deliver a service from days to minutes," said J. C. Martin, one of eBay's cloud architects and early Nicira customer.
As well as making network reconfigurations faster, this should also mean you can make do with fewer network administrators as the need for staff to spend all day reconfiguring IP addresses is removed. Or move them onto projects that offer more value to the business.
"Because of this, we allow you to more fully use all of your servers. In many data centers, there are machines which are stranded or underutilized because of the inflexibility of the network," said Cohen.
Centralized command and control
The whole NVP is controlled by an NVP Controller Cluster; a highly available system that manages all the virtualized network components and connections. The Controller Cluster exposes a RESTful Web services API and defines virtual networks without actually sitting in the data path. "This is like a giant brain, or a giant air traffic control center," explained Cohen. "If the network is the plane, we don't fly the plane, but we tell the traffic where to go."
Virtual networks can easily span data centers, either all belonging to an enterprise or service provider, or in hybrid clouds with virtual networks that reach from a corporate data center into a service provider's data center, Cohen said.
One thing that all customers will be concerned about is security, and Nicira is keen to point out that since the controllers are not in the data path and never see data, even if a hacker got in to a controller that would not give them direct access to any data.
Cohen also believes that other aspects of the platform lead to better security. "If you look at a data center, the most trusted area is inside the hypervisor. So we are starting with switches in the most trusted environment." He believes that the high level of automation and repeatability in virtualized network environments leads to better security anyway.
"When a workload moves, all its security policies move with it. Humans tend to misconfigure things, so this aspect alone is going to lead to improved security," he said.
Andre Kindness, an analyst at Forrester Research, believes that a move towards network virtualization is inevitable, but he warns that a system such as Nicira's will present many problems.
"For example, how will it tie in or hook in to orchestration systems? How will apps know that the network is ready for them? Will it still need an email or a ticketing system?" he said.
He also doubts that router vendors like Juniper and Cisco will allow the market for their switches to turn into a commodity market without reacting with a competing solution, and he thinks that enterprises and service providers will be unwilling to centralize the intelligence of a network into Nicira's Controller Cluster.
"Centralizing everything is a bit like the concept of mainframes, and it turns out they don't work as well as distributed computing systems," he said. "If lots of information needs to be shared then can one monolithic system really manage it?"
Bob Laliberte, an analyst at Enterprise Strategy Group, agrees that orchestration is likely to be a particular challenge. "It's very difficult to do as there is no standard API," he said. "That's the next thing that will have to be developed."
He also wonders whether companies will want to commit to a software controller provided by a relatively unknown startup. "Lots of vendors are putting wood behind the arrow of SDN [software defined networking]. Customers are more likely to adopt it if a major vendor like Cisco stands behind it and can support it."
Like VMware, Nicira hopes it can alleviate some of these concerns but opening up its APIs so other vendors will tie into its offering. "It's called a Network Virtualization Platform," Nicira CEO Steve Mullaney said. "We're going to create a platform with APIs and we're going to be able to go partner and create an ecosystem of other partners who will be able to program in [additional services]."
In the end, it may well turn out that Nicira's platform simply paves the way for future interest in OpenFlow based solutions from the likes of Cisco or Juniper, or from companies such as NEC and Big Switch Networks.
Concludes Laliberte: "Certainly, in the enterprise environment, I think that the adoption of virtual networking is still two or three years away. What we are seeing now is [customers] are often very enthusiastic when they look at innovative technology, but then they go and place a big order for switches with Cisco."
Paul Rubens has been covering IT security for over 20 years. In that time he has written for leading UK and international publications including The Economist, The Times, Financial Times, the BBC, Computing and ServerWatch.