It's no secret that communication service providers see distributed NFV as a cost-efficient alternative to expensive physical networks and existing customer premise equipment (CPE).
However, we are still at the initial stages of this transition from physical to virtual networks, and carrier-grade standards have not yet been established. This is especially true for the provisioning, integration and management of emerging NFV solutions for virtual CPE (vCPE) and Mobile Edge Computing (MEC). As a result, many service providers are relying on their own judgment when assessing processes ranging from initial provisioning through ongoing service management.
Based on our recent experiences with a number of large-scale proof-of-concept trials (PoCs) in the United States and other markets, we would like to offer the following observations and recommendations to service providers going through this process.
A key advantage of zero-touch provisioning or auto-provisioning of virtual network functions (VNF) for vCPE is that it saves set-up time as well as expense. A variety of methods for auto-provisioning VNFs, such as cloud-init, are available.
One user-friendly approach is to use a web service to configure and license a wide range of VNFs for security, networking, SLA, performance and other functions. Ideally, the web service should work with any proprietary or third-party management and orchestration devices to configure the VNFs.
Pre-integrated, pre-configured VNF packages enable service providers to instantly deploy VNFs without going through individual provisioning and configuration for each separate VNF. All VNFs in the package should be fully interoperable and certified, and the package should offer zero-touch deployment that includes configuration and licensing for time-saving integration, testing and patch verification.
Make sure you have a variety of packages from which to choose for each use case so you can select one that is ideal for you. Look for small business packages that provide router and firewall functions for companies that lack their own IT infrastructure and personnel; medium business packages that provide WAN operations, routers and firewall functions; and medium and enterprise packages that support SD-WAN and VPN and/or encryption, as well as WAN optimization across sites, firewall and router. Pre-configured packages should also be available for advanced security and protection functions.
To ensure service continuity, your NFV device should have a dedicated hardware module that enables reboot, recovery and re-installation of the entire NFVi in the event of critical failure, such as a non-responding compute node, failure of the operating system or vCPE storage.
Support engineering should be available on-premises. If the solution includes a dedicated hardware module that is sufficiently stable to provide high throughput and real-time response even during a critical failure, the service may be provided remotely. Without a dedicated hardware module, however, root installation and always-on remote access may not be available.
In order to be SLA-compliant, the NFV service administrator must be able to detect issues quickly, accurately diagnose root causes and rapidly correct the problem.
For instance, a vCPE user with a chain of three VNFs notes that transaction response times for her business applications are slow and that she experiences sudden freezes in network connectivity. Monitoring systems show that network connectivity and WAN connectivity are live and that all VNFs are functioning well. Traffic generation tools should be available to quickly troubleshoot remotely by homing in on the problem.
The tools should first characterize performance for the entire setup, including the ports and the chain relevant to the VNF's performance issues, as experienced by end users. Next, the tool should examine the vCPE just under the VNFs, without any virtual networks or functions. If no performance issues are detected, we recommend checking performance for each VNF, moving back from the last VNF in the chain, until the root cause of the problematic performance is identified.
Finally, once the cause is found, the administrator can restart the problematic VNF and re-instantiate it. If the VNF cannot be repaired, it should be removed from the chain to prevent further problems.
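The isolation order described above can be written down as a small routine that also keeps an audit trail of every probe. This is an added example, not code from the article or from any vendor tool. The thresholds, scope names, VNF names and measurements are constructed assumptions, and `measure` stands in for whatever traffic generation tool is actually used.

```python
from dataclasses import dataclass

# Assumed SLA limits for this example; they are not values from the article.
MIN_THROUGHPUT_MBPS = 900.0
MAX_LATENCY_MS = 5.0

@dataclass(frozen=True)
class Sample:
    throughput_mbps: float
    latency_ms: float

    def healthy(self) -> bool:
        return (self.throughput_mbps >= MIN_THROUGHPUT_MBPS
                and self.latency_ms <= MAX_LATENCY_MS)

def isolate_fault(chain, measure):
    """chain: VNF names in service order; measure(scope) -> Sample. Returns (verdict, steps)."""
    steps = []  # audit trail of (scope, passed) in the order probed

    def probe(scope):
        ok = measure(scope).healthy()
        steps.append((scope, ok))
        return ok

    # Step 1: the entire setup, as the end user experiences it.
    if probe("end-to-end"):
        return "no-fault-reproduced", steps
    # Step 2: the vCPE platform with no virtual networks or functions.
    if not probe("platform"):
        return "platform", steps
    # Step 3: move back from the last VNF in the chain, one VNF at a time.
    for vnf in reversed(chain):
        if not probe(vnf):
            return vnf, steps
    # Every part passes alone, so the fault only appears when they are chained.
    return "chain-interaction", steps

# Constructed measurements for a hypothetical three-VNF chain.
CHAIN = ["router", "firewall", "wan-optimizer"]
CONSTRUCTED = {
    "end-to-end": Sample(310.0, 42.0),
    "platform": Sample(990.0, 0.4),
    "wan-optimizer": Sample(985.0, 0.9),
    "firewall": Sample(305.0, 40.0),
    "router": Sample(992.0, 0.6),
}

def run_constructed_case():
    return isolate_fault(CHAIN, CONSTRUCTED.__getitem__)
```

With the constructed data the routine stops at the firewall without probing the router, and the recorded steps give the administrator evidence for the restart or removal decision.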
To assess VNF performance, testing should be done against today's industry standards -- white boxes and hybrid solutions -- for speed, throughput and latency. The throughput tested is 1Gbps bi-directional with a total of 2Gbps.
NFV and D-NFV may be at risk from new challenges and attack vectors, against which VNF and MANO do not protect. NFVi-native security, in addition to vCPE hardening and standard IPS solutions, is essential to combat cyber challenges. Some threats include:
- Software vulnerability to denial of service (DoS) and distributed denial of service (DDoS) attacks.
- The control and management planes that are open for remote operations and user self-service also leave overall devices and functions open.
- Malware that resides on the network (inside the perimeter) can easily propagate across VMs and hosts, since no mechanism is available to monitor it.
- Each of the VMs of every host represents a pinhole for attack and propagation of infectious items.
These cyber security issues were actually discussed in detail in my previous post, although they are very important and certainly worth mentioning again.
Until NFV standards are established, service providers must carefully consider, assess and choose among the many options for integrating, provisioning and managing emerging NFV solutions for virtual customer premise equipment and Mobile Edge Computing.
The promise of a white box solution for NFV in general and for vCPE in particular is tremendous. In the long run, white boxes will certainly dominate the vCPE market.
However, in order to meet current cost-performance requirements and achieve carrier-grade service continuity with built-in SLAs, wire speed performance and a secure environment, the gray box approach will remain a viable and reliable option.
— Gal Ofel is the Head of Software Solution Product Line Management at Telco Systems. Gal is responsible for the company's SDN and Distributed NFV software products and ecosystem. Special to The New IP