
How NFV Can Enable 'Pay-as-you-Protect' Network Protection



Building the Ecosystem

The general parameters of the challenge were:

  • To concentrate the security functions into the existing/established datacenters and to dynamically re-route/forward any inbound and outbound traffic identified for DDoS mitigation through either the closest or most available datacenter using routing-based multi-homed services that leverage the routing infrastructure for service availability
  • To be built upon a fully standard NFV architecture, to run on COTS hardware, to be available on-demand, to be repurposed on-demand for multiple simultaneous functions that may co-exist (beyond DDoS security), and to be capable of self-provisioning from the infrastructure up to service through a MANO stack; these requirements go well beyond simply having compute nodes available

| Network Element | Description |
|---|---|
| VNF | DDoS detection and scrubbing solution to mitigate DDoS attacks. |
| Traffic Steering Function (TSF) | Intelligently steers only the DDoS traffic to the available VNFs. The Traffic Steering Function is dynamically provisioned to meet the bandwidth and packet forwarding rate requirements imposed by a sudden DDoS attack on the network. |
| COTS Hardware | Rack scale infrastructure, based on hyperscale principles, provides compute, storage, networking, power and cooling, and open management in a pre-integrated rack. Management is provided at the rack level and is based on the Distributed Management Task Force (DMTF) Redfish specification, industry standard open management APIs that ensure interoperability with heterogeneous systems. |
| MANO | Provides the auto-scaling framework that allows the VNFs to scale as required by the attack load. |

Figure 1 (on the next page) shows the network topology used in this demonstration, overlaid on a simplified version of the CSP’s network:

  • A Security Pod is where the attack mitigation takes place and this structure is repeated throughout the network, with each of the CSP’s datacenters housing a Security Pod
  • This implementation relies on Anycast to route traffic to the Security Pods. With this approach, once traffic is identified as needing to go to a Security Pod, routers send the traffic to the least-cost destination pod
  • Anycast also automatically accounts for datacenter availability
  • Because we rely on Anycast, each Security Pod has the same network address (i.e., *lo:0)
  • The different network Areas (e.g., Area0, Area1, etc.) represent OSPF (Open Shortest Path First) logical roles
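An added example (not from the article or the CSP's deployment) of the Anycast behaviour the bullets above describe: every Security Pod advertises the same address, an ingress router forwards to the pod with the lowest OSPF path cost, and a pod that stops advertising drops out of the candidate set without any reconfiguration. Router names, link costs and pod states are constructed.

```python
# Added example: a small model of Anycast steering to Security Pods.
# Not the CSP's code; topology and costs below are constructed.
import heapq

# Constructed topology: router -> {neighbour: OSPF link cost}
TOPOLOGY = {
    "edge-A": {"core-1": 10},
    "edge-B": {"core-2": 10},
    "core-1": {"edge-A": 10, "core-2": 5, "dc-1": 1},
    "core-2": {"edge-B": 10, "core-1": 5, "dc-2": 1},
    "dc-1": {"core-1": 1},
    "dc-2": {"core-2": 1},
}

# Datacenter routers housing a Security Pod, and whether that pod is
# currently advertising the shared anycast address (constructed state).
SECURITY_PODS = {"dc-1": True, "dc-2": True}

def shortest_paths(topology, source):
    """Dijkstra: path cost from source to every router (the OSPF SPF step)."""
    dist = {source: 0}
    heap = [(0, source)]
    while heap:
        cost, node = heapq.heappop(heap)
        if cost > dist[node]:
            continue
        for nbr, link_cost in topology[node].items():
            new_cost = cost + link_cost
            if new_cost < dist.get(nbr, float("inf")):
                dist[nbr] = new_cost
                heapq.heappush(heap, (new_cost, nbr))
    return dist

def select_pod(topology, pods, ingress):
    """Return (pod, cost) for the least-cost pod still advertising, or None."""
    dist = shortest_paths(topology, ingress)
    candidates = [(dist[p], p) for p, up in pods.items() if up and p in dist]
    if not candidates:
        return None          # no pod reachable: nothing is scrubbing
    cost, pod = min(candidates)
    return pod, cost

def steer_after_failure(topology, pods, ingress, failed_pod):
    """A pod withdraws its advertisement; traffic converges on the next nearest."""
    remaining = dict(pods, **{failed_pod: False})
    return select_pod(topology, remaining, ingress)

if __name__ == "__main__":
    print(select_pod(TOPOLOGY, SECURITY_PODS, "edge-A"))              # ('dc-1', 11)
    print(steer_after_failure(TOPOLOGY, SECURITY_PODS, "edge-A", "dc-1"))  # ('dc-2', 16)
```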

