Removing State from Network Functions


In recent years, the networking industry has witnessed a significant shift towards stateless network functions. This revolutionary approach has transformed the way networks are designed, managed, and operated. In this blog post, we will explore the concept of removing state from network functions and delve into the benefits it brings to the table.

State in network functions refers to the information that needs to be stored and maintained for each connection or flow passing through the network. Traditionally, network functions such as firewalls, load balancers, and intrusion detection systems heavily relied on maintaining state. This stateful approach introduced complexities and limitations in terms of scalability, performance, and fault tolerance.

Stateless network functions, on the other hand, operate without the need for maintaining connection-specific information. Instead, they process packets or flows independently, solely based on the information present in each packet. This paradigm shift eliminates the burden of state management, enabling networks to scale more efficiently, achieve higher performance, and exhibit enhanced resiliency.

Enhanced Scalability: By removing state from network functions, networks become inherently more scalable. Stateless functions allow for easier distribution and parallel processing, empowering networks to handle increasing traffic demands without being limited by state management overhead.

Improved Performance: Stateless network functions offer improved performance compared to their stateful counterparts. Without the need to constantly maintain state information, these functions can process packets or flows more quickly, resulting in reduced latency and improved overall network performance.

Enhanced Fault Tolerance: Stateless network functions facilitate fault tolerance by enabling easy redundancy and failover mechanisms. Since there is no state to be replicated or synchronized, redundant instances can seamlessly take over in case of failures, ensuring uninterrupted network services.

Conclusion: The removal of state from network functions has revolutionized the networking landscape. Stateless network functions bring enhanced scalability, improved performance, and enhanced fault tolerance to networks, enabling them to meet the ever-increasing demands of modern applications and services. Embracing this paradigm shift paves the way for more agile, efficient, and resilient networks that can keep up with the rapid pace of digital transformation.

Highlights: Removing State From Network Functions

The Role of Non-Proprietary Hardware

We have seen a significant technological evolution where network functions can run in software on non-proprietary commodity hardware, whether a grey box or white box deployment model. Taking network functions from a physical appliance and putting them into a virtual appliance is only half the battle.

The move to software provides on-demand elasticity and scale for network security components, along with quick recovery from failures. However, we are still hindered by one major factor – the state that each network function needs to process.

The Tight Coupling of State

We still face challenges created by the tight coupling of the state and processing for each network function, be it virtual firewalls, load balancer scaling, intrusion protection system (IPS), or even distributed firewalls closer to the workloads for dynamic workload scaling use cases. Having the state tightly coupled with the network functions limits the network functions’ agility, scalability, and failure recovery.

Compounded by this, we have seen an increase in network complexity. The rise of the public cloud and the emergence of hybrid and multi-cloud has made data center connectivity more complicated and critical than ever.



Network Functions.

Key Network Functions Discussion points:


  • Discussion on Network Functions.

  • What is state and a description.

  • Example: Stateless Network Functions.

  • The issues with having state: Scaling

  • The issues with having state: Failure.

For background information, you may find the following helpful:

  1. Event Stream Processing
  2. NFV Use Cases
  3. ICMPv6

 

A Key Point: Knowledge Check 

Back to basics with Network Functions

Virtualization

Virtualization (which generally indicates server virtualization when used as a standalone phrase) refers to the abstraction of the application and operating system from the hardware. Similarly, network virtualization is the abstraction of the network endpoints from the physical arrangement of the network. In other words, network virtualization permits you to group or arrange endpoints on a network independent from their physical location.

Network Virtualization refers to forming logical groupings of endpoints on a network. In this case, the endpoints are abstracted from their physical locations so that VMs (and other assets) can look, behave, and be managed as if they are all on the same physical segment of the network.

Importance of Network Functions:

Network functions are the backbone of modern communication systems, making them essential for businesses, organizations, and individuals. They provide the necessary infrastructure to connect devices, transmit data, and facilitate the exchange of information reliably and securely. Without network functions, our digital interactions, such as accessing websites, making online payments, or conducting video conferences, would be nearly impossible.

Types of Network Functions:

1. Routing: Routing functions enable forwarding data packets between different networks, ensuring that information reaches its intended destination. This process involves selecting the most efficient path for data transmission based on network congestion, bandwidth availability, and network topology.

2. Switching: Switching functions allow data packets to be forwarded within a local network, connecting devices within the same network segment. Switches efficiently direct packets to their intended destination, minimizing latency and optimizing network performance.

3. Firewalls: Firewalls act as barriers between internal and external networks, protecting against unauthorized access and potential security threats. They monitor incoming and outgoing traffic, filtering and blocking suspicious or malicious data packets.

4. Load Balancing: Load balancing distributes network traffic across multiple servers to prevent overloading and ensure optimal resource utilization. Load balancing enhances network performance, scalability, and reliability by evenly distributing workloads.

5. Network Address Translation (NAT): NAT allows multiple devices within a private network to share a single public IP address. It translates private IP addresses into public ones, enabling communication with external networks while maintaining the security and privacy of internal devices.

6. Intrusion Detection Systems (IDS): IDS monitors network traffic for any signs of intrusion or malicious activity. They analyze data packets, identify potential threats, and generate alerts or take preventive actions to safeguard the network from unauthorized access or attacks.

What is State

Before we delve into potential ways to solve this problem, mainly by introducing stateless network functions, let us first describe the different types of state. We have two: dynamic and static. The network function processes continuously update the dynamic state, which could be anything from a firewall’s connection information to the load balancer’s server mappings.

The static state, on the other hand, could include something like pre-configured firewall rules or the IPS signature database. The dynamic state must persist across instance failures and be available to the network functions when scaling in or out. The static state is easier to handle: it can be replicated to a network instance at boot time.

Stateless network functions

Stateless Network Functions are a new and disruptive technology that decouples the design of network functions into a stateless process component and a data store layer. An orchestration layer that can monitor the network function instances for load and failure and adjust the number of instances accordingly is also needed.

Decoupling the state from a network function enables a more elastic and resilient infrastructure. So how does this work? From a 20,000-foot view, the network functions become stateless. The statefulness of the application, such as a stateful firewall, is maintained by storing the state in a separate data store. The data store provides the resilience of the state. No state is stored on the individual network functions themselves.

Datastore example

The data store can be, for example, RAMCloud. RAMCloud is a distributed key-value storage system with high-speed storage for large-scale applications. It is designed for many servers needing low-latency access to a durable data store. RAMCloud is suitable for low-latency access because it keeps all data in DRAM. As a result, the network functions can read RAMCloud objects remotely over the network in as little as 5μs.

Stateless network functions advantages.

Stateless network functions may not be helpful in every case, but the approach is valid for standard network functions that can be redesigned statelessly, such as a stateful firewall, intrusion prevention system, network address translator, and load balancer. Removing the state and placing it in a data store brings many advantages to network management.

First, elasticity: as the state is accessed via a data store, a new instance can be launched and traffic immediately directed to it. Secondly, resilience: a new instance can be spawned instantaneously upon failure. Finally, as any instance can handle an individual packet, packets traversing different paths do not suffer from asymmetric and multi-path routing issues.

Problems with having state: Failure

The majority of network designs have redundancy built in. It sounds easy: when one data center fails, let the secondary take over. When the data center interconnect (DCI) is configured correctly, everything should work upon failover, correct?

Let’s not forget about one little thing called state in a design with a firewall in each data center. The network address translation (NAT) in the primary data center stores the mapping for two flows; let’s call them F1 and F2. Upon failure, the second firewall in the other data center takes over, and traffic is directed to the new firewall. However, any packets from flows F1 and F2 will not enter the second firewall.

This will result in a failed lookup; existing connections will time out, causing application failure. Asymmetric routing causes problems too. If a firewall has established state for a client-to-server connection (SYN packet) and the return SYN-ACK passes through a different firewall, the lookup there fails and the packet is dropped.

Some have tried to design distributed active-active firewalls to solve layer three issues and asymmetrical traffic flow over the stateful firewalls. The solution looks perfect. Configure both wide area network (WAN) routers to advertise the same IP prefix to the outside world.

This will attract inbound traffic and pass the traffic through the nearest firewall. Nice and easy. The active-active firewalls would exchange flow information, solving the asymmetrical flow problems. However, distributed active-active firewall state across each data center is better in PowerPoint than in real life.

Problems with having the state: Scaling

The tight coupling of the state can also cause problems with the scaling of network functions. Scaling out NAT functions will have the same effect as a NAT box failure. Packets from a flow that was established on a different firewall and are now directed to a new instance will result in a failed lookup.
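The failure, asymmetric-routing and scale-out cases described above can be reproduced in a small simulation. This is an added example, not code from the original post: the Packet and Firewall classes, the addresses and the instance names are constructed for illustration, and a plain Python dict stands in for the remote data store.

```python
from dataclasses import dataclass

INSIDE_PREFIX = "10."  # static state: copied to every instance at boot


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str  # "SYN", "SYN-ACK" or "ACK"


def flow_key(p):
    """Direction-independent key so both halves of a connection match."""
    return tuple(sorted([(p.src, p.sport), (p.dst, p.dport)]))


class Firewall:
    """Inside hosts may open connections; all other packets need state."""

    def __init__(self, name, table):
        self.name = name
        self.table = table  # dynamic state: private dict or shared store

    def process(self, p):
        key = flow_key(p)
        if p.flags == "SYN" and p.src.startswith(INSIDE_PREFIX):
            self.table[key] = "SYN_SENT"
            return "allow"
        state = self.table.get(key)
        if p.flags == "SYN-ACK" and state == "SYN_SENT":
            self.table[key] = "ESTABLISHED"
            return "allow"
        if p.flags == "ACK" and state == "ESTABLISHED":
            return "allow"
        return "drop"  # failed lookup, or packet not valid for the state


def run(shared):
    """Replay the same traffic with per-instance or externalised state."""
    store = {}  # stand-in for the remote key-value data store

    def new_instance(name):
        return Firewall(name, store if shared else {})

    dc1, dc2 = new_instance("dc1"), new_instance("dc2")
    client, server = ("10.0.0.5", "203.0.113.10")  # constructed addresses
    results = {}

    # Asymmetric routing: F1's SYN leaves via dc1, SYN-ACK returns via dc2.
    dc1.process(Packet(client, 40001, server, 443, "SYN"))
    results["asymmetric_return"] = dc2.process(
        Packet(server, 443, client, 40001, "SYN-ACK"))

    # Failure: F2 is established on dc1, then dc2 takes over mid-flow.
    dc1.process(Packet(client, 40002, server, 443, "SYN"))
    dc1.process(Packet(server, 443, client, 40002, "SYN-ACK"))
    results["failover"] = dc2.process(
        Packet(client, 40002, server, 443, "ACK"))

    # Scale-out: a freshly launched instance receives packets of F2.
    dc3 = new_instance("dc1-b")
    results["scale_out"] = dc3.process(
        Packet(server, 443, client, 40002, "ACK"))

    # The policy itself is unchanged: a reply nobody asked for is dropped.
    results["unsolicited"] = dc2.process(
        Packet(server, 443, client, 49999, "SYN-ACK"))
    return results


if __name__ == "__main__":
    print("per-instance state:", run(shared=False))
    print("externalised state:", run(shared=True))
```

With per-instance tables every mid-flow packet that lands on a different instance fails its lookup; with the shared store the same packets pass, while the unsolicited SYN-ACK is dropped in both runs.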

Network functions form the foundation of modern communication systems, enabling us to connect, share, and collaborate in a digitized world. By performing vital tasks such as routing, switching, firewalls, load balancing, NAT, and IDS, network functions ensure smooth and secure data flow across networks. Understanding the significance of these functions is crucial for businesses and individuals to harness the full potential of the interconnected world we live in today.

Summary: Removing State From Network Functions

In networking, the concept of state plays a crucial role in determining the behavior and functionality of network functions. However, a paradigm shift is underway as experts explore the potential of removing the state from network functions. In this blog post, we delved into the significance of this approach and how it is revolutionizing the networking landscape.

Understanding State in Network Functions

In the context of networking, state refers to the stored information that network devices maintain about ongoing communications. It includes connection status, session data, and routing information. Stateful network functions have traditionally been widely used, allowing for complex operations and enhanced control. However, they also come with certain limitations.

The Limitations of Stateful Network Functions

While stateful network functions have played a crucial role in shaping modern networks, they also introduce challenges. One notable limitation is the increased complexity and overhead introduced by state management. The need to store and update state information for each communication session can lead to scalability and performance issues, especially in large-scale networks. Additionally, stateful functions are more susceptible to failures and require synchronization mechanisms, making them less resilient.

The Emergence of Stateless Network Functions

The concept of stateless network functions provides a promising alternative to overcome the limitations of their stateful counterparts. In stateless functions, the processing of network packets is decoupled from maintaining any session-specific information. This approach simplifies the design and implementation of network functions, offering benefits such as improved scalability, reduced resource consumption, and enhanced fault tolerance.

Benefits and Use Cases

Removing state from network functions brings a multitude of benefits. Stateless functions allow easier load balancing and horizontal scaling, as they don’t rely on session affinity. They enable better resource utilization, as there is no need to maintain per-session state information. Stateless functions also enhance network resilience, as they are not dependent on maintaining a synchronized state across multiple instances.

Stateless network functions have diverse and expanding use cases. They are well-suited for cloud-native applications, microservices architectures, and distributed systems. Organizations can build more flexible and scalable networks by leveraging stateless functions, supporting dynamic workloads and rapidly evolving infrastructure requirements.

Conclusion:

Removing the state from network functions marks a significant shift in the networking landscape. Stateless functions offer improved scalability, reduced complexity, and enhanced fault tolerance. As the demand for agility and scalability grows, embracing stateless network functions becomes paramount. By harnessing this approach, organizations can build resilient, efficient, and future-ready networks.


Stateless Network Functions


In the ever-evolving world of networking, the concept of stateless network functions has emerged as a game-changer. This revolutionary approach to network architecture is transforming the way we design, deploy, and manage networks. In this blog post, we will delve into the intricacies of stateless network functions and explore their profound impact on the networking landscape.

Stateless network functions (SNFs) are a paradigm shift from traditional network architectures. Unlike their stateful counterparts, SNFs do not store session-specific information, making them highly scalable and agile. These functions process packets independently, without relying on the state of previous packets, enabling faster processing and reduced latency.

Enhanced Scalability: By eliminating the need to maintain session state, SNFs can handle a significantly larger number of concurrent sessions. This scalability is crucial in modern network environments where the number of connected devices and data traffic is growing exponentially.

Flexibility and Modularity: Stateless network functions promote flexibility and modularity in network design. Each function can be developed, deployed, and updated independently, allowing network operators to adapt to changing requirements quickly. This modular approach also fosters innovation and encourages the development of specialized network functions.

Improved Fault Tolerance: With SNFs, network failures and disruptions can be contained more effectively. Since stateless functions do not rely on session-specific information, failures in one function do not impact the entire network. This fault-tolerant characteristic ensures more resilient and reliable network operations.

Software-Defined Networking (SDN): Stateless network functions play a pivotal role in SDN deployments. By decoupling control and data planes, SDN architectures can leverage the agility and scalability of SNFs. This enables efficient traffic management, dynamic resource allocation, and rapid network provisioning.

Network Function Virtualization (NFV): In the realm of NFV, stateless network functions are instrumental in achieving network virtualization and service chaining. By encapsulating network functions in virtualized environments, SNFs enable on-demand scaling, improved resource utilization, and simplified network management.

Conclusion: Stateless network functions are revolutionizing network architecture by offering enhanced scalability, flexibility, and fault tolerance. With their applicability in SDN, NFV, and beyond, SNFs are driving the transformation of the networking landscape. As we embrace this paradigm shift, we can expect more agile, scalable, and efficient networks that can meet the demands of the digital age.

Highlights: Stateless Network Functions

Tight State and Processing

New technology is needed, and it’s time to break the tight coupling of state and processing. This involves decoupling the existing network function design into a stateless processing component (stateless network functions) and a data store layer. Breaking the tight coupling in this way enables a more elastic and resilient network functions infrastructure.

Before you proceed, you may find the following posts helpful:

  1. SASE Solution
  2. Software-defined Perimeter
  3. Service Chaining
  4. ICMPv6

Back to Basics with Stateless Network Function

The Role of Networks

Let’s face it. Networks need to be both scalable and sophisticated. To be successful, you need to completely redesign the network functions, such as routing and firewall functions, along with the underlying platforms that manage and orchestrate these functions. However, to accomplish this, there is a need to create an entirely new architecture and adapt the existing technology to this new architecture.

If you look at technologies used for cloud storage, no one has ever used them for networks. Why is this? The reason is mainly down to performance requirements, such as throughput and latency in distributed systems.

Start with Architecture

One can understand that with this type of disruptive technology, there will be a lot of pushback from the industry, saying that it is just impossible. But we need to give the world something new. It deserves it. The ability to customize networks on-demand. It would help to have a logical place to start with a new architecture.

Benefits of Stateless Network Functions:

1. Enhanced Scalability: SNFs offer improved scalability by eliminating the need to store session state information. Network devices can handle a higher volume of packets and achieve better performance, making them ideal for handling large-scale deployments and high-traffic scenarios.

2. Simplified Network Management: Stateless network functions simplify network management by reducing the complexity associated with session state maintenance. This streamlined approach allows for easier configuration, troubleshooting, and monitoring, improving operational efficiency.

3. Increased Flexibility: SNFs enable more flexible network architectures, easily deployed and scaled without session state limitations. This flexibility allows organizations to rapidly adapt their networks to changing demands and deploy new services.

4. Enhanced Security: Stateless processing enhances network security by reducing potential attack vectors. Since SNFs do not rely on session state information, they minimize the risk of session hijacking or data leakage, leading to more robust and secure networks.

Applications of Stateless Network Functions:

1. Load Balancing: Stateless network functions are well-suited for load-balancing applications. They enable efficient network traffic distribution across multiple servers or resources, ensuring optimal resource utilization and improved application performance.

2. Deep Packet Inspection: SNFs can be used for deep packet inspection (DPI), a technique that analyzes the content of network packets for security or application identification purposes. The stateless nature of SNFs allows for faster and more efficient DPI, enabling real-time threat detection and network optimization.

3. Network Function Virtualization (NFV): Stateless network functions are foundational to network function virtualization (NFV) architectures. By decoupling network functions from dedicated hardware, NFV leverages SNFs to achieve greater flexibility, scalability, and cost-effectiveness in network deployments.

Stateless Network Functions: Changing the environment

Decentralized workloads, the decline of on-premise, and the increase in multi-cloud deployments have created one of the most extensive connectivity challenges for data centers. A key finding is that colocation providers, which have traditionally served as space, power, and physical network connectivity resources, should not become the hub for all traffic as workloads decentralize.

The problem is these colocation providers have not focused on connectivity that requires multi-tenancy and routing, and they usually have physical cloud connects; this has introduced growing management and operational challenges, which will only increase in large-scale deployments.

Cloud Connect is where you need to connect multiple enterprises, and these enterprises in turn need to connect to multiple cloud providers. All of these tenants need BGP routing, firewall functions, and NAT, but a solution that couples the state cannot do this on a larger scale and remain reliable.

New technologies come in waves – some appear, and others disappear.

The market needs a new type of technology, a software-defined interconnect like the Internet exchange. This came to light in 2016 when Laurent Vanbever proposed a software-defined internet exchange based on OpenFlow, known as SDX. Software-defined internet exchange is an SDN solution originating from the combined efforts of Princeton and UC Berkeley. It aims to address IXP pain points by deploying additional SDN controllers and OpenFlow-enabled switches. It doesn’t try to replace the entire classical IXP architecture with something new; rather, it augments existing designs with a controller.

Software-defined interconnect (SDIX)

However, a software-defined interconnect (SDIX) is a new category of offering that allows colocation providers to manage their cloud connects via software and extend their connectivity control. It should cover the cloud connection and multiple data center interconnects. In the past, the colocation providers focused on space and power. However, in today’s world, they have new responsibilities. The responsibilities now extend to new types of connectivity for customers. Customers now have new requirements.

They must move their data from one colocation facility to another to avoid latency or for backup purposes. For these cases, colocation providers need a new type of platform to direct all of their different tenants’ tasks and requirements to a software-based platform.

Why is this different? The underlying technology consists of network functions such as firewalls, routers, and load balancers; regardless of the application architecture and requirements, these network functions are physical boxes. The challenge is that the traffic that flows through these boxes is tightly coupled with the box.

The physical box, virtual machine, or container performing a network function is coupled with the state. What happens with the state when you launch a new network function or redirect the traffic to a backup device? This will definitely affect the application. This might be acceptable for a single application but not for a large-scale deployment when you have millions of connections and applications running on top of network functions.

Network function virtualization (NFV) and NFV use cases didn’t help here. All it did was change the physical boxes to virtual ones. It’s like changing a physical appliance in Dublin to a cloud-based provider. Is this the future? NFV inherits the same design and features as the physical box. But what needs to be done is realizing that the problem is the state. You need to decouple the dynamic state from each network function and put them in a high-performance data store within a cluster of commodity hardware and switches—a hardware-agnostic solution with code that is not open source.

Network function stateless

Then you can make the network function stateless, so it’s physically just a thread. So if it fails, it doesn’t affect application performance as the state is collected from the data store. This is needed as an underlying design, but does it seem possible? There will be overheads from decoupling the state.

The state can be put into a cluster of servers. Some servers maintain the state, and other servers can be the network functions. The state is not physically in another data center or location. Every type of dynamic state, such as the counters, timers, and handshaking that you see in a TCP flow, is a challenge to decouple without breaking application performance. However, this can be done by adapting technology from distributed systems: a database, designed for high-performance computing, that stores the state needed. A read for a state should be around 5 microseconds.

An algorithm is needed to read and write the state in a way that reads multiple packets simultaneously. This enables you to overcome any latency issues and achieve better performance than traditional appliances that have the state coupled.

Stateless network functions are revolutionizing networking infrastructure by offering enhanced scalability, simplified management, increased flexibility, and improved security. SNFs are paving the way for more agile and efficient networks with their wide range of applications. As organizations embrace digital transformation, understanding and harnessing the potential of stateless network functions will be vital to building resilient and future-proof network architectures.

Summary: Stateless Network Functions

Stateless network functions (SNFs) have emerged as a groundbreaking approach to network architecture. Unlike traditional network functions, SNFs do not rely on maintaining a session state, allowing for greater scalability, flexibility, and efficiency.

Benefits of Stateless Network Functions

SNFs offer several advantages, making them a compelling choice for modern network infrastructures. Firstly, their stateless nature enables horizontal scaling, allowing networks to handle increasing traffic demands without sacrificing performance. Additionally, SNFs simplify network management by eliminating the need for complex state synchronization mechanisms.

Use Cases and Applications

The versatility of stateless network functions opens up a wide range of use cases across various industries. From load balancing and firewalling to content delivery networks and edge computing, SNFs provide a flexible and adaptable solution for network operators.

Challenges and Considerations

Although stateless network functions bring numerous benefits, they are not without challenges. Ensuring security and maintaining data integrity can be more complex in stateless architectures. Additionally, specific applications heavily relying on session state may not be suitable for SNFs.

Future Trends and Innovations

As technology evolves, so does the potential for stateless network functions. Innovations such as programmable data planes and advanced traffic steering algorithms promise to enhance the capabilities of SNFs further, enabling more efficient and intelligent network architectures.

Conclusion:

Stateless network functions represent a paradigm shift in network architecture, offering scalability, flexibility, and simplified management. While they may not fit every use case, their potential for innovation and future development is undeniable. As networks continue to evolve and demand for performance grows, embracing stateless network functions can pave the way for a more efficient and agile network infrastructure.