IP networking for the 5G era: Automation and Security
This second blog in the series about IP networking for the 5G era focuses on integrated IP network support capabilities to automate and secure network operations. IP networks provide the load-bearing foundation for your future 5G success and must be purpose-built to carry you through its entire deployment cycle.
To rapidly build 5G coverage, you need tools and capabilities that give you agility and speed: for instance, zero-touch commissioning of thousands of cell site routers, or dynamic provisioning of highly reliable and secure IP transport services with deterministic, low latency to interconnect 5G RAN and Core network functions. As your 5G infrastructure grows, the progressive streamlining and automation of operational processes will help you manage its increasing complexity and optimize economies of scale. Ultimately your success relies on an IP network you can trust. 5G introduces significant security risks, and the IP network must be an integral part of your end-to-end security solution.
Automate 5G with model-driven IP interfaces
The operational scale and dynamics of the 5G era will place tremendous stress on the network management and control plane. Conventional management protocols and interfaces such as SNMP and CLI are too cumbersome and brittle to support the orders-of-magnitude-higher transaction rates of machine-based programming and batch processing. And the network visibility that can be obtained through periodic CLI scraping and polling of performance counters and alarms through SNMP is too limited to support real-time decisions, for instance when the network is under attack and time is of the essence.
Modern IT technologies and model-driven interfacing approaches pioneered by webscalers like Google and Facebook offer a flexible, scalable and reliable approach to make the IP network machine-programmable and support real-time visibility and control automation (figure 1).
Figure 1. IP network automation using machine-programmable interfaces
- Model-driven networking APIs based on MD-CLI, NETCONF, Google Remote Procedure Calls (gRPC) and Google Network Management Interface (gNMI) with YANG and OpenConfig information models are essential for transactional machine-based process automation
- Streaming, model-driven telemetry with publish-subscribe push models enables real-time data analytics and dramatically speeds up response times for corrective actions compared with conventional monitoring approaches that periodically query or poll network status.
Open, model-driven interfaces backed by a high-performance management and control plane architecture are prerequisites for automating multi-vendor IP transport networks in the 5G era. The operating system and underlying management and control hardware must be designed and dimensioned to meet the stringent reliability and deterministic performance requirements of machine programmability.
Nokia’s Service Routing Operating System (SR OS) is a highly efficient, robust and versatile operating system that leverages symmetric multi-processing (SMP) and high-performance multi-core processors to optimize these performance needs. SR OS has been deployed on over 1M routers, powering IP networks for more than 750 communications service providers worldwide.
Secure 5G with integral IP network protection
Ultimately, your success and reputation depend on your ability to protect your infrastructure, your data — and your customers. 5G introduces significant security risks that must be addressed end-to-end. The IP network must be part of the solution with built-in capabilities to protect network systems, services, users and user data against security threats. Nokia Service Routers are designed to address these security issues:
- Design and test practices to harden operating software and eliminate security vulnerabilities
- Secure data transport with MACsec and IPsec encryption to prevent eavesdropping
- Secure management of control plane interfaces of IP routers and gateways to prevent hijacking and protect system integrity and user data privacy.
Open interfaces, open source software, commonly available IT solution components and the addition of billions of unverified devices will dramatically increase the attack surface for volumetric DDoS attacks and other security threats. Built-in security capabilities must also enable IP edge routers at the network perimeter to act as a first line of defense to mitigate volumetric DDoS attacks on network systems, services and connected end users (figure 2).
Figure 2. Securing the IP network perimeter against volumetric DDoS attacks
To serve as that first line of defense against volumetric DDoS attacks on network systems, services and connected end users, the IP edge routers at the network perimeter need:
- Support for granular flow counters, packet sampling and streaming telemetry to enable DDoS analytics to monitor traffic flows and quickly and accurately detect and analyze DDoS attacks
- Scalable and enhanced access control lists with payload pattern-matching capabilities to surgically filter malicious traffic before it can slow down or disrupt mission-critical services
- Programmable, model-driven interfaces such as NETCONF/YANG, gRPC and BGP FlowSpec to allow rapid configuration of access control policies to shut down large scale botnet attacks.
Nokia’s Service Routers equipped with FP4 silicon offer a cost-effective and scalable solution that can surgically filter volumetric DDoS traffic in-line on any interface port while maintaining deterministic forwarding performance. Each FP4-based forwarding complex can dynamically manage up to 256,000 access control filter entries to effectively mitigate direct flooding attacks from even the largest IoT botnets. The FP4 processor can collect granular, real-time telemetry data and packet samples, which is critical for agile detection and mitigation of DDoS attacks.
Nokia’s network-based DDoS security solution uses the Nokia Deepfield Network Firewall to detect DDoS attacks and orchestrate mitigation. FP4-based Service Routers feed the Network Firewall with highly granular, streaming telemetry data on DDoS attacks in progress and payload samples of suspicious packets. This data allows Network Firewall to determine the DDoS attack vectors, identify their packet signatures and deploy surgical DDoS countermeasures by programming the appropriate FP4 packet filters on Service Routers in real-time.
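The detection-to-mitigation loop sketched in the three bullets above (sampled flow counters and telemetry for detection, signature identification, then filter programming) can be illustrated end to end in a small simulation. The following is an added example, not Nokia code and not the Deepfield or SR OS implementation: it consumes a constructed set of 1-in-N packet samples as an edge router might export them, scales the counts back to an estimated per-destination packet rate, flags destinations over a constructed baseline threshold, derives the dominant (protocol, port) vector of the flagged traffic, and emits a simplified textual BGP FlowSpec (RFC 5575) rule. The sample records, sampling rate, window length, threshold and the victim and source addresses (all from the RFC 5737 documentation ranges) are constructed assumptions; the rule dictionary is a readable stand-in for the FlowSpec NLRI, not its wire encoding.

```python
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed parameters: a 1-in-1000 packet sampler, a 10 s aggregation
# window, and a per-destination alarm threshold derived from "normal" traffic.
SAMPLING_RATE = 1000
WINDOW_S = 10.0
PPS_THRESHOLD = 10_000


@dataclass(frozen=True)
class FlowSample:
    """One sampled packet, as a 1-in-N sampler on an edge router would export it."""
    ts: float      # seconds since the start of the window
    src: str
    dst: str
    proto: int     # IP protocol number (6 = TCP, 17 = UDP)
    dport: int
    length: int    # bytes on the wire


def build_samples():
    """Constructed sample set: a UDP flood toward one host from many sources,
    plus a trickle of ordinary HTTPS traffic toward another host."""
    samples = []
    # 500 sampled packets -> 500 * 1000 / 10 s = 50,000 pps toward the victim
    for i in range(500):
        samples.append(FlowSample(ts=i * WINDOW_S / 500, src=f"203.0.113.{i % 200 + 1}",
                                  dst="198.51.100.10", proto=17, dport=123, length=468))
    # 5 sampled packets -> 5 * 1000 / 10 s = 500 pps of TCP/443 toward a normal host
    for i in range(5):
        samples.append(FlowSample(ts=i * 2.0, src=f"192.0.2.{i + 1}",
                                  dst="198.51.100.20", proto=6, dport=443, length=1400))
    return samples


def estimate_pps(samples):
    """Scale sampled packet counts back to an estimated packets/second per destination."""
    counts = Counter(s.dst for s in samples)
    return {dst: n * SAMPLING_RATE / WINDOW_S for dst, n in counts.items()}


def detect_targets(samples, threshold=PPS_THRESHOLD):
    """Destinations whose estimated packet rate exceeds the alarm threshold."""
    return sorted(dst for dst, pps in estimate_pps(samples).items() if pps > threshold)


def attack_vector(samples, dst, min_share=0.8):
    """Dominant (proto, dport) pair of the traffic toward dst, or None when the
    traffic is too mixed to filter on L4 fields without collateral damage."""
    pairs = Counter((s.proto, s.dport) for s in samples if s.dst == dst)
    total = sum(pairs.values())
    if total == 0:
        return None
    (proto, dport), n = pairs.most_common(1)[0]
    return (proto, dport) if n / total >= min_share else None


def flowspec_rule(dst, proto, dport, rate_bytes_per_s=0.0):
    """Simplified textual form of a BGP FlowSpec rule: match on destination
    prefix, IP protocol and destination port; a traffic-rate of 0 bytes/s
    means matching traffic is discarded."""
    return {
        "match": {"destination-prefix": f"{ip_address(dst)}/32",
                  "ip-protocol": proto,
                  "destination-port": dport},
        "action": {"traffic-rate": rate_bytes_per_s},
    }


def mitigation_plan(samples):
    """Full loop: detect over-threshold destinations, derive a vector, build a rule."""
    rules = []
    for dst in detect_targets(samples):
        vector = attack_vector(samples, dst)
        if vector is None:
            continue  # no clean L4 signature: leave this one for deeper analysis
        rules.append(flowspec_rule(dst, *vector))
    return rules


if __name__ == "__main__":
    for rule in mitigation_plan(build_samples()):
        print(rule)
```

The share check in `attack_vector` is the part a practitioner should not skip: programming a destination-only filter at the edge would also drop the victim's legitimate traffic, so the rule is only generated when one protocol/port pair dominates the sampled flows toward that host. On a real deployment the rule would be pushed through the router's model-driven interface or advertised via BGP FlowSpec rather than printed.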
Making the IP network part of the solution offers highly scalable, in-line DDoS mitigation. And by leveraging existing hardware investments you can save up to 85 percent on network costs compared to traditional off-line solutions based on redirecting traffic to a scrubbing center.
The 5G technology cycle will easily last a decade and many moving parts must come together to build a 5G network that fits your needs today and tomorrow. To win in 5G you need to rely on an IP network you can trust. You need a reliable and cost-efficient IP network that can deliver the on-demand service experience that your customers want with the economics you need to be competitive. By making the right investments in your IP network now, you are set for a head start and a strong race.
- Application note: Model-driven programmability
- Application note: Volumetric DDoS mitigation
- e-book: IP networking for 5G
- Application note: IP networking for 5G