
Carrier network virtualization leads to enterprise services

Starting with MPLS VPNs and SD-WAN, new carrier network virtualization options, like 5G network slicing, are becoming virtual enterprise network services, and more will follow.

As one of the broadest and most important networking topics, network virtualization is a way of taking infrastructure that was once purpose-built for a single use and making it serve multiple users, which lowers costs for users and raises profits for telecommunications carriers.

Given that virtualization has been around for a long time, how will its adoption continue to influence enterprise network services? Let's explore the different virtualization models and how they affect enterprise needs.

Carriers use two basic virtualization models today:

  1. Network virtualization uses virtualization technology to subdivide network infrastructure to offer specialized per-user services.
  2. Feature virtualization creates service features through hosted software components rather than through dedicated appliances.

So, where are we with both models, and where are we headed?

MPLS VPNs and SD-WAN start the movement

Network virtualization has been around for decades in the form of VPNs. In the early days, VPNs were offered both at OSI Layers 2 and 3 -- the data-link layer and network layer. Now, however, nearly all VPN services are IP VPNs based on MPLS.

MPLS VPNs use MPLS tunnels to separate a given user's IP traffic from that of other users or from the public internet. They typically require business-level access technology, like Carrier Ethernet, and the use of Border Gateway Protocol (BGP) routers. That combination makes it difficult to connect small sites or locations where business services aren't readily available.

Software-defined WAN (SD-WAN) is the next-generation VPN strategy, although many organizations currently use it primarily to supplement MPLS VPNs in areas where MPLS is neither affordable nor available. SD-WAN creates an overlay network that uses IP -- usually, the internet -- as a transport resource. Because SD-WAN supports the same address space an enterprise would use for its MPLS VPN, it does the job of extending a VPN to smaller sites. Recent feature enhancements to most SD-WAN products also enable SD-WAN connections to cloud-hosted applications, extending the corporate VPN into one or more clouds as well.
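To make the overlay idea concrete, here is a toy model, added for this article and not any carrier's or SD-WAN vendor's code, of what an edge does when it carries an enterprise's private address space across the public internet. It assumes plain IP-in-IP encapsulation (RFC 2003) as the overlay transport and leaves out the encryption a real SD-WAN adds; the tenant names (acme, globex) and the private and public addresses are constructed, the public ones from the RFC 5737 documentation ranges. The point it shows beyond the paragraph: two customers served by the same shared edge can both use 10.0.0.0/8 for their sites, because each customer has its own routing table and its own tunnel endpoints, and a packet with no route in its own tenant's table is dropped rather than resolved against another tenant's table or the underlay.

```python
"""Toy SD-WAN style IP overlay over a public IP transport, with per-customer
(tenant) routing tables so two customers can reuse the same private address
space through one shared edge.  Illustration only, not vendor code.
Assumptions: IP-in-IP (RFC 2003) as the tunnel format, no encryption, and one
tenant per receiving site (a real SD-WAN carries a tenant id in its tunnel header).
All names and addresses are constructed; public addresses are RFC 5737 ranges."""
import ipaddress
import struct

IPPROTO_IPIP = 4  # IP-in-IP, RFC 2003
IPV4_FMT = "!BBHHHBBH4s4s"  # minimal 20-byte IPv4 header, no options


def checksum(data: bytes) -> int:
    """One's-complement Internet checksum (RFC 1071)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Build an IPv4 packet: version/IHL, TOS, total length, id, flags/frag, TTL, proto, csum, src, dst."""
    fields = [0x45, 0, 20 + len(payload), 0, 0, ttl, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = checksum(struct.pack(IPV4_FMT, *fields))  # checksum computed with the field zeroed
    return struct.pack(IPV4_FMT, *fields) + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Parse an IPv4 packet, rejecting truncated or malformed headers and bad checksums."""
    if len(pkt) < 20:
        raise ValueError("truncated packet")
    ver_ihl, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack(IPV4_FMT, pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or total_len > len(pkt):
        raise ValueError("malformed IPv4 header")
    if checksum(pkt[:ihl]) != 0:  # a correct header sums to zero including its checksum field
        raise ValueError("bad header checksum")
    return {"src": str(ipaddress.IPv4Address(src)), "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "ttl": ttl, "payload": pkt[ihl:total_len]}


class OverlayEdge:
    """One SD-WAN edge. routes[tenant] maps a remote private prefix to the public
    address of the edge serving it; local[tenant] is the subnet attached here."""

    def __init__(self, name: str, public_ip: str):
        self.name, self.public_ip = name, public_ip
        self.routes = {}
        self.local = {}

    def attach(self, tenant: str, prefix: str) -> None:
        self.local[tenant] = ipaddress.IPv4Network(prefix)

    def add_route(self, tenant: str, prefix: str, remote_public_ip: str) -> None:
        self.routes.setdefault(tenant, {})[ipaddress.IPv4Network(prefix)] = remote_public_ip

    def encapsulate(self, tenant: str, inner_pkt: bytes):
        """Longest-prefix match in this tenant's table only; wrap the packet in an
        outer header toward the remote edge.  No route means drop (return None),
        never a lookup in another tenant's table or the underlay."""
        dst = ipaddress.IPv4Address(parse_ipv4(inner_pkt)["dst"])
        hits = [(net, hop) for net, hop in self.routes.get(tenant, {}).items() if dst in net]
        if not hits:
            return None
        _, next_hop = max(hits, key=lambda h: h[0].prefixlen)
        return build_ipv4(self.public_ip, next_hop, IPPROTO_IPIP, inner_pkt)

    def decapsulate(self, outer_pkt: bytes):
        """Accept only tunnel packets addressed to this edge; deliver the inner
        packet to the tenant whose attached subnet contains its destination."""
        outer = parse_ipv4(outer_pkt)
        if outer["dst"] != self.public_ip or outer["proto"] != IPPROTO_IPIP:
            return None
        inner = parse_ipv4(outer["payload"])
        inner_dst = ipaddress.IPv4Address(inner["dst"])
        for tenant, subnet in self.local.items():
            if inner_dst in subnet:
                return tenant, inner
        return None


def build_demo():
    """Constructed topology: acme and globex both number sites from 10.0.0.0/8.
    Edge A (shared, like a uCPE) serves both; each has its own edge at site B."""
    edge_a = OverlayEdge("A", "192.0.2.10")
    edge_a.attach("acme", "10.1.0.0/16")
    edge_a.attach("globex", "10.1.0.0/16")           # same prefix, different tenant
    edge_a.add_route("acme", "10.2.0.0/16", "203.0.113.20")
    edge_a.add_route("globex", "10.2.0.0/16", "198.51.100.20")
    b_acme = OverlayEdge("B-acme", "203.0.113.20")
    b_acme.attach("acme", "10.2.0.0/16")
    b_globex = OverlayEdge("B-globex", "198.51.100.20")
    b_globex.attach("globex", "10.2.0.0/16")
    return edge_a, b_acme, b_globex


def demo() -> dict:
    edge_a, b_acme, b_globex = build_demo()
    pkt = build_ipv4("10.1.0.5", "10.2.0.9", 17, b"hello")  # identical inner packet for both tenants
    out_acme = edge_a.encapsulate("acme", pkt)
    out_globex = edge_a.encapsulate("globex", pkt)
    return {
        "acme_outer_dst": parse_ipv4(out_acme)["dst"],
        "globex_outer_dst": parse_ipv4(out_globex)["dst"],
        "acme_delivered": b_acme.decapsulate(out_acme),
        "misdirected": b_globex.decapsulate(out_acme),   # acme tunnel at globex edge: refused
        "no_route": edge_a.encapsulate("acme", build_ipv4("10.1.0.5", "10.3.0.1", 17, b"x")),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The same inner packet leaves edge A in two different outer envelopes depending only on which tenant it belongs to, which is the whole trick that lets SD-WAN reuse the MPLS VPN address plan over a shared internet transport. The checksum validation in `parse_ipv4` is there because a tunnel endpoint is an internet-facing parser: it should reject malformed outer and inner headers before acting on them.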

SD-WAN is likely the fastest-growing new carrier service, but the majority of SD-WAN services are currently offered through MSPs rather than by the carriers themselves. Part of the reason is many smaller sites that can't be connected via MPLS VPNs are out of the carriers' prime service area, often in a different country, which makes support for those sites difficult. Some carriers also fear that promoting SD-WAN could threaten their MPLS VPN service business. Still, some carriers are doing well with SD-WAN services, and it's certain more will enter the market over time.

Emerging network virtualization services

In terms of emerging network virtualization services, the only one currently visible among carriers is 5G network slicing. 5G specifications call for the ability to partition not only IP networks, but also radio access networks, into slices that could offer different levels of quality of service or security and could also serve as private networks.

Given that a growing number of companies rely on smartphone connections to their customers, partners and employees, network slicing could support a mobile business model. Carriers believe, however, that wireless and wireline services will converge on a common core network as 5G is deployed. That would make network slicing a VPN technology and could create new and more universal VPN services in the future.

Figure: Carriers rely on two models of virtualization, network virtualization and feature virtualization.

NFV provides feature virtualization

Feature virtualization is itself a multifaceted space. In 2012, the European Telecommunications Standards Institute launched the Network Functions Virtualization (NFV) Industry Specification Group to create a specification for hosting network service features on servers.

While NFV had a broad target of features, the majority of the work focused on replacing security customer premises equipment and other CPE with cloud-resident features. This quickly evolved into a model called universal CPE (uCPE), an open premises device designed to be loaded by the carrier with feature software based on enterprise customer needs. Some carriers pair uCPE with cloud-hosted features, either to supplement the CPE or to act as a backup for it.

Because NFV requires specialized software, hardware and management tools, NFV and the uCPE strategy didn't take off as some expected. Instead, carriers adopted both proprietary and white box CPE elements. These can be grouped into the following two categories:

  1. Secure Access Service Edge (SASE)
  2. Security Service Edge (SSE)

Neither of these categories arose from formal standardization, so the terms' definitions aren't set in stone. But most people in the networking industry agree that SSE is SASE without incorporated SD-WAN features. To be broadly useful to enterprises, SSE either has to be associated with MPLS VPNs or used in conjunction with public cloud services via the internet.

Public cloud, 5G create network virtualization opportunities

The combination of public cloud growth and the evolution of mobile networks to 5G is likely to change, or even create, network virtualization opportunities. SD-WAN, SASE and SSE can run in a cloud or in edge computing without NFV, which supports cloud hosting and reduces complexity.

5G standards mandate feature hosting and could encourage edge computing deployment by carriers and public cloud providers partnering with carriers. That could provide a hosting point for new network features, especially features related to IoT.

Edge computing could be the biggest driver of service changes based on infrastructure virtualization because it supports feature hosting with lower latency than is possible with public cloud services. IoT applications often require low latency because they involve real-time control of real-world activity, but on-premises hosting can support many such applications. Manufacturing, industrial and warehousing IoT applications, for example, are typically supported through local control.

Transportation applications and smart city applications are less amenable to local hosting because some elements are mobile, and others are static but widely distributed. Many carriers hoped to offer IoT edge hosting via carrier cloud and believed 5G feature hosting would drive initial edge deployment. Carriers are also exploring partnerships with public cloud providers to host 5G features, which means cloud providers would deploy edge facilities rather than carriers. Could carriers then use those facilities to support new service features, or would that simply enrich cloud providers?

It's safe to say the most credible options for new carrier services involve network virtualization, feature virtualization or both. It's even likely that all new future services will do so. What remains to be seen is whether carriers will move quickly to embrace new service options or whether they will try to control the cost of current services to improve their profit per bit. The latter choice would still likely increase the use of virtualization, but the pace of introducing new virtualized features would be slower and the effect on services more difficult to identify. Only time will tell which choice carriers will make.
