I entitled this blog entry philosophy, since philosophy is literally the "love of wisdom", and generally deals with what we can know about the world around us and how best to function in it. Indeed, epistemology is concerned with the nature of knowledge, and ontology with the nature of existence itself.
Knowledge concerning the surrounding world is often indispensable for the proper functioning of communications devices. For example, a transmitter must know the frequency on which to transmit and the modulation scheme to use. An IP host needs to know the destination address to which to send packets, and the protocol to use. But how do communications devices acquire this knowledge?
Let’s start by envisioning a network element that functions out-of-the-box without any configuration options. We can say that such a network element is “zero-touch”. For example, fiber converters, hubs and repeaters, and even simple learning bridges are essentially zero-touch. Devices can be zero-touch simply because they are very limited in functionality. Or they can be flexible and sophisticated but still zero-touch because they are capable of learning all they need to know from their environment. Paradoxically zero-touch devices are either exceedingly dumb or exceedingly intelligent.
Many devices designed to be used by unsophisticated end-users, such as televisions and cellphones, supposedly function without being set up. But this is obviously an over-simplification of the true situation. Modern televisions have remote controls that only the tech-savvy can handle (Is the set-top box connected to HDMI-1 or HDMI-2? Which of the five supported aspect ratio options is best for HD?). Cellphone users are often stymied when they need to change time-zone or select a network. Configuring a home WiFi router is a task well beyond the capabilities of most mortals (Does my ISP use PPPoE, L2TP or PPTP? Should my WiFi security be based on WPA or WPA2, with LEAP or PEAP? How does one set up port blocking? What exactly is an 802.11 beacon anyway?)
Early Ethernet switches were essentially zero-touch; they learned everything they needed to know from the traffic passing through them (source addresses from the frames they forwarded, topology from conversing with each other); when they didn’t know how to handle a frame they simply flooded it and observed the consequences. But then along came VLANs, and one needed to configure which VIDs were to be admitted/emitted on each port (or to dictate “admit all”) as well as the default VLAN identifier for untagged frames. And the situation has gotten a lot worse since then. Ethernet OAM requires defining and configuring MEPs and MIPs, MEF services bring with them a complex set of bundling and bandwidth profile parameters, configuring 802.1X authentication can be a nightmare even for experts, and a PhD may be insufficient qualification to correctly set up multicast. And this is before MEF’s new bandwidth sharing feature!
Routers rely on a strong standardized control plane, and should thus be much simpler to set up, right? Ever heard of Cisco Career Certifications? There are five levels of certification (Entry, Associate, Professional, Expert, and Architect) along with targeted certifications in seven different subject areas (Routing and Switching, Design, Network Security, Service Provider, Storage Networking, Voice, and Wireless). All that just to configure a router…
So we have communications devices that should be zero-touch, but in practice may require extensive configuration. This configuration may be manual and local (historically via a textual “CLI” interface but more recently via a GUI), or may be network-wide via a sophisticated network management system (NMS).
Of course, if configuration is so complex, you may be wondering why manufacturers can’t simply pre-configure their network elements so that the user can just turn them on and use them. Unfortunately, this is rarely, if ever, possible, due to the dynamic environments in which network elements are required to function.
If we want things to stay as they are, things will have to change.
- Giuseppe Tomasi di Lampedusa (in The Leopard)
So we have seen zero-touch devices, and those that require basic configuration. The second step on the road towards full programmability is to enable a single device to combine the capabilities of multiple conventional devices, and then to configure it to function as any or all of these devices. For example, we could embed the functionalities of an L2 switch, an L3 router, and an L4 NAT in a single box, and then select whichever functionality is needed in a particular instance. We could even opt to simultaneously activate many functionalities, provided that they are performed in the appropriate order.
This second step is precisely what an OpenFlow switch offers. A single device can match L2 header fields (SA, DA, EtherType, VLAN ID, VLAN priority), or L3 header fields (SA, DA, protocol number, DSCP, ECN), or L4 header fields (source and destination ports), and perhaps MPLS header fields (label, S-bit), and any combination thereof. However, in reality OpenFlow is more limited than the above implies, in that the matching criterion is constrained to be an exact match with bitmasks. A true combined L2-L4 device would be able to perform longest prefix match and port range match; these limitations can be overcome, but only at the expense of replicating flow entries.
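To make the last sentence concrete, here is an added illustration (not code from the original post, and not an OpenFlow implementation) of how both missing match types are emulated with exact-match-plus-bitmask entries: a port range becomes a minimal set of (value, mask) blocks, each costing a table entry, and longest-prefix match becomes prefix entries whose priority is the prefix length, so "highest priority wins" picks the longest prefix. The field names `tcp_dst` and `ipv4_dst` follow OpenFlow OXM naming; the action strings are placeholders.

```python
"""Emulating the matches OpenFlow lacks (port ranges, longest-prefix match)
with exact-match-plus-bitmask flow entries.  Added illustration, not code
from the original post; field names follow OpenFlow OXM naming and the
action strings are placeholders."""
import ipaddress
from dataclasses import dataclass


@dataclass
class Flow:
    match: dict       # field -> (value, mask): hit if pkt & mask == value & mask
    priority: int     # higher wins when several entries match (OpenFlow semantics)
    action: str


def range_to_masks(lo: int, hi: int, width: int = 16):
    """Split the inclusive range [lo, hi] into the minimal list of (value, mask)
    pairs that together cover exactly that range.  Greedy: starting at lo, take
    the largest power-of-two block aligned at lo that does not overrun hi."""
    if not 0 <= lo <= hi < (1 << width):
        raise ValueError("range out of bounds for field width")
    full = (1 << width) - 1
    out = []
    while lo <= hi:
        size = 1
        while lo % (size * 2) == 0 and lo + size * 2 - 1 <= hi:
            size *= 2
        out.append((lo, full & ~(size - 1)))
        lo += size
    return out


def flows_for_port_range(field_name, lo, hi, action, priority=10):
    """One flow entry per (value, mask) block: a port range costs several
    table entries instead of one."""
    return [Flow({field_name: (v, m)}, priority, action)
            for v, m in range_to_masks(lo, hi, 16)]


def flows_for_prefixes(routes):
    """Compile {cidr: action} into entries whose priority is the prefix length,
    so 'highest priority wins' reproduces longest-prefix match."""
    flows = []
    for cidr, action in routes.items():
        net = ipaddress.ip_network(cidr, strict=True)
        flows.append(Flow({"ipv4_dst": (int(net.network_address), int(net.netmask))},
                          net.prefixlen, action))
    return flows


def lookup(table, packet):
    """Emulate the switch: the highest-priority entry all of whose fields
    match decides the action; a table miss drops."""
    best = None
    for f in table:
        if all(k in packet and (packet[k] & m) == (v & m)
               for k, (v, m) in f.match.items()):
            if best is None or f.priority > best.priority:
                best = f
    return best.action if best else "drop"


def ip(dotted):
    return int(ipaddress.ip_address(dotted))


if __name__ == "__main__":
    table = flows_for_prefixes({"0.0.0.0/0": "port0",
                                "10.0.0.0/8": "port1",
                                "10.1.0.0/16": "port2"})
    print(lookup(table, {"ipv4_dst": ip("10.1.2.3")}))   # port2: longest prefix wins
    print(lookup(table, {"ipv4_dst": ip("10.2.0.1")}))   # port1
    # The range 1000-1999 is not a single aligned block, so it needs several entries:
    print(len(flows_for_port_range("tcp_dst", 1000, 1999, "port3")))
```

Which fields accept a mask at all differs between OpenFlow versions and switches (OpenFlow 1.0, for instance, wildcards an L4 port only as a whole), so check the target switch before relying on masked port entries; and note that the LPM emulation depends entirely on priorities being assigned consistently, which is the controller's job, not the switch's.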
A short digression (well, rant) is now in order. While such a combined device is advantageous in that it saves shelf space, power, and inventory carrying costs, it suffers from a major drawback. In today’s world of distinct devices, each device processes only that part of the packet for which it is intended, the hardware limitation rendering the rest of the packet opaque to it. Thus layering enforces intrinsic scoping, which not only indicates clean design (similar to data abstraction in software) but also secures business interests. Once a single device can observe, act upon, and modify arbitrary fields, the ensuing layer violations can wreak havoc with service provision. Client layers could compel server layers to incorrectly forward packets, or could hide traffic from billing systems. Lower layers could divert traffic to hostile destinations, or modify messages in transit. And such mayhem is not necessarily due to deliberate hacking; it will arise just as surely from simple errors in configuration. It is somewhat surprising that such flouting of clean layering is proposed by academics in the name of data abstraction. Rant over.
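The scoping that separate boxes enforce in hardware has to be re-imposed in software once one box can touch every field. Below is an added illustration of such a check (not code from the original post, and not from any controller project): a proposed flow entry is audited against the layers its requester is entitled to operate on, flagging matches or rewrites of another layer's fields, header push/pop actions on another layer, and, the subtler case the rant alludes to, a higher-priority entry that overlaps someone else's entry and so silently steals its packets (the "hide traffic from billing" scenario) without touching any of that owner's fields at all. Field names follow OpenFlow OXM naming; the layer assignment, the owner labels and the action tuple shapes are assumptions of this example.

```python
"""A layer-scoping audit for flow entries on a combined L2-L4 device.
Added example, not code from the original post; field names follow OpenFlow
OXM naming, and the layer assignment, owner labels and action tuple shapes
are assumptions of this illustration."""

# Which header fields belong to which layer (assumption for this example).
LAYER_FIELDS = {
    "L2":   {"eth_src", "eth_dst", "eth_type", "vlan_vid", "vlan_pcp"},
    "MPLS": {"mpls_label", "mpls_bos"},
    "L3":   {"ipv4_src", "ipv4_dst", "ip_proto", "ip_dscp", "ip_ecn"},
    "L4":   {"tcp_src", "tcp_dst", "udp_src", "udp_dst"},
}
# Header push/pop actions, keyed by the layer whose header they touch.
HEADER_ACTIONS = {"push_vlan": "L2", "pop_vlan": "L2",
                  "push_mpls": "MPLS", "pop_mpls": "MPLS"}


def overlaps(match_a, match_b):
    """Two ternary matches can hit the same packet iff, on every field both
    constrain, the bits both masks care about agree.  A field only one side
    constrains is wildcarded by the other and never prevents overlap."""
    for f in match_a.keys() & match_b.keys():
        va, ma = match_a[f]
        vb, mb = match_b[f]
        common = ma & mb
        if (va & common) != (vb & common):
            return False
    return True


def audit(flow_mod, requester, requester_layers, installed):
    """Return the list of problems with a proposed flow entry.

    flow_mod:  {"match": {field: (value, mask)}, "priority": int,
                "actions": [("set_field", field, value) | ("output", port)
                            | ("push_vlan",) | ("pop_mpls",) ...]}
    installed: [(owner, flow_mod)] entries already in the table.
    """
    allowed = set().union(*(LAYER_FIELDS[layer] for layer in requester_layers))
    problems = []
    # 1. Matching or rewriting a field of another layer is a layer violation.
    for f in flow_mod["match"]:
        if f not in allowed:
            problems.append(("match outside layer", f))
    for act in flow_mod["actions"]:
        if act[0] == "set_field" and act[1] not in allowed:
            problems.append(("rewrite outside layer", act[1]))
        elif act[0] in HEADER_ACTIONS and HEADER_ACTIONS[act[0]] not in requester_layers:
            problems.append(("header push/pop outside layer", act[0]))
    # 2. A higher-priority entry overlapping someone else's entry steals its
    #    packets: a client-layer rule can thus bypass a provider's forwarding
    #    or metering rule without ever naming one of the provider's fields.
    for owner, other in installed:
        if (owner != requester and flow_mod["priority"] > other["priority"]
                and overlaps(flow_mod["match"], other["match"])):
            problems.append(("shadows entry of", owner))
    return problems


def ipv4(a, b, c, d):
    return (a << 24) | (b << 16) | (c << 8) | d


if __name__ == "__main__":
    # Constructed sample: the provider meters and forwards 10.0.0.0/8 on port 2;
    # a tenant entitled only to L4 submits a higher-priority HTTPS rule that
    # rewrites the IP destination.
    provider_rule = {"match": {"ipv4_dst": (ipv4(10, 0, 0, 0), 0xFF000000)},
                     "priority": 100, "actions": [("output", 2)]}
    tenant_rule = {"match": {"tcp_dst": (443, 0xFFFF)}, "priority": 200,
                   "actions": [("set_field", "ipv4_dst", ipv4(192, 0, 2, 9)),
                               ("output", 7)]}
    for problem in audit(tenant_rule, "tenant", {"L4"}, [("provider", provider_rule)]):
        print(problem)
```

The switch itself enforces none of this, which is precisely the point of the rant: the check has to live in the controller (or in a policy layer in front of it), it has to run on every flow modification including ones generated by automation, and the overlap test is the part most easily forgotten, since a rule can be entirely within its author's layer and still hijack another layer's traffic purely through priority.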
The third step on the road to full programmability is a device consisting of lego blocks of useful functionalities. One could imagine a farm of general matchers (exact match, range match, regular expression match), a collection of rewrite modules, and a set of forwarding engines, all of which could be flexibly interconnected. Such a device can provide true DPI, as compared to the relatively shallow packet inspection of the previous step. Many network processors and some IDS systems are designed according to this philosophy.
At the far end of the spectrum sits the general purpose computer. Reminiscent of the zero-touch communications device with which we started, it too is supposed to function out-of-the-box. However, this functioning is limited (e.g., displaying a desktop). We purchase a computer entirely due to our expectation that it can be completely reprogrammed to perform any task (well, at least if it has the required interfaces to the outside world – it can’t make coffee if it doesn’t have access to water and coffee grounds). In fact, once purchased we tend to forget about the computer (or smartphone) altogether. It becomes merely a platform for hosting applications, which are the products in which we are really interested.
The general purpose CPU is truly stronger than even the lego block model in that it can perform arbitrary calculations on arbitrary fields and make arbitrary forwarding decisions. For example, we could program a CPU to multiply the MAC source address by the IP destination address, xor the result with the last 10 bytes in the packet, take the hyperbolic sine of this, quantize to two bits, and use this result to forward to one of four output ports. Presumably this generality could also be used for something even more useful.
In the Apology, Plato tells how the Delphic Oracle declared that no-one is wiser than Socrates. Socrates, believing the oracle but knowing that he himself possessed no wisdom, goes out to discover what the oracle meant. He visits people he initially believes to possess wisdom - politicians, poets, and craftsmen. After failing to uncover true wisdom in any of these, he comes to the conclusion that whatever wisdom he has derives from his knowledge that he knows nothing.
Truly a zero-touch philosophy!