Apr 24, 2017
In my last few blogs I’ve talked about the journey from the Software Defined WAN to the Self-Driving WAN. Applying artificial intelligence and machine learning to the WAN might seem futuristic, but it’s already happening with our Unity EdgeConnect SD-WAN solution. A great example is our revolutionary First-packet iQ application classification technology which we announced at the end of March.
Traditional application classification engines use a combination of techniques, ranging from a simple lookup of TCP and/or UDP port numbers to more sophisticated Deep Packet Inspection (DPI), which gleans information about a flow from its packet contents. DPI is useful when applications use ports unpredictably, or when you want to distinguish applications that share the same port, such as HTTP on 80 or HTTPS on 443. For example, DPI might be used to extract the URL from an HTTP GET request, or the server name from the Server Name Indication (SNI) extension of the client's TLS hello, or from the server certificate, during HTTPS connection establishment. Port lookup is available on the very first packet but is too coarse to tell one port-443 application from another, and DPI requires several packet exchanges between client and server before the identifying information appears on the wire. That delay is acceptable for flow reporting or for traditional actions like QoS marking, or even blocking a connection, since the connection can be reset at the point the application is identified. However, SD-WAN brings a new foundational requirement to the table: granular internet breakout.
The rise of cloud applications and ever-increasing internet traffic has driven IT to evaluate augmenting or replacing MPLS with internet access. One approach is to break out all internet-destined traffic locally at the branch. However, in most cases enterprises require finer-grained control, understanding that not all internet traffic is equal. A typical branch will have flows destined to SaaS applications that the business relies on, flows to popular internet sites (employees doing home-from-work instead of work-from-home), as well as other flows to unknown or potentially nefarious destinations. Ideally, IT would like the ability to apply a distinct policy to each class of internet traffic. For SaaS applications, the policy could be to use the highest-quality, most consistent path, which could be local breakout, or transport via MPLS and a carrier-provisioned direct connection to the SaaS provider. For the home-from-work traffic, the best policy might be to break it out locally but direct it via a cloud-based firewall service like Zscaler. For unknown or potentially suspicious traffic that fits neither category above, the policy might be to backhaul it to a full security stack in the data center.
Granular internet breakout policies sound like a great idea. In fact, you might assume that all SD-WAN vendors already do this. In reality, it's quite difficult to accomplish, and for good reason. First, when you make a traffic steering decision, whether to break traffic out locally from the branch, or to send it to Zscaler or to the data center firewall, you need to make the decision on the very first packet of the flow. Once the first packet is sent along a path, you're committed to that path: each path NATs the flow to a different apparent source IP address, so moving the flow mid-stream would look to the server like a brand-new connection from a different client. You can't change your mind mid-stream. Traditional DPI techniques won't cut it, because the first packet of a typical connection is a TCP SYN that carries no payload to inspect; all it offers is the destination IP address and port.
To address this challenge and enable granular internet break-out, Silver Peak invented First-packet iQ. This new feature utilizes a multi-layered learning architecture that encompasses learning locally in the individual edge devices (by snooping on DNS and learning from DPI results), learning at the enterprise level in the orchestrator (redistributing information learned by individual appliances – a bit like fleet learning for self-driving cars), and learning in aggregate with the Silver Peak cloud intelligence service (we keep track of the first packet signatures of 10,000s of web services). At each level, we are employing sophisticated machine learning techniques.
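To make the first-packet problem from the previous two paragraphs concrete, here is an added example (written for this page; it is not Silver Peak's First-packet iQ code and does not describe its internals) of the local learning layer: a branch device snoops DNS answers, remembers which destination IPs were resolved for which domains, accepts feedback from DPI results (the TLS server name) for flows it could not classify, and then decides a steering policy using nothing but the destination IP and port that a TCP SYN carries. The application table, the three policies, the DNS answers and the SYNs in the usage block are all constructed assumptions.

```python
"""First-packet classification by DNS snooping (added illustration).

Not Silver Peak's code. The application-class table, the steering policies and
the DNS answers / SYNs used below are constructed for this example.
"""
import ipaddress
import time
from dataclasses import dataclass, field

# Assumed steering policies for the three classes of internet traffic.
BREAKOUT_LOCAL = "local-breakout"
CLOUD_FIREWALL = "local-breakout-via-cloud-firewall"
BACKHAUL = "backhaul-to-dc-firewall"

# Hypothetical domain-suffix -> application-class table. A real device would
# receive this from an orchestrator or cloud service rather than hard-code it.
APP_CLASSES = {
    "salesforce.com": "saas",
    "office365.com": "saas",
    "youtube.com": "recreational",
    "facebook.com": "recreational",
}
POLICY_BY_CLASS = {
    "saas": BREAKOUT_LOCAL,
    "recreational": CLOUD_FIREWALL,
    "unknown": BACKHAUL,
    "ambiguous": BACKHAUL,   # one IP serving domains of different classes
    "non-web": BACKHAUL,     # assumed: only 80/443 are candidates for breakout
}


@dataclass
class DnsEntry:
    domains: set = field(default_factory=set)   # names resolved to this IP
    expires_at: float = 0.0                     # latest TTL seen, as a deadline


def class_for_domain(domain):
    """Suffix-match a domain name against APP_CLASSES; 'unknown' if no hit."""
    domain = domain.rstrip(".").lower()
    for suffix, app_class in APP_CLASSES.items():
        if domain == suffix or domain.endswith("." + suffix):
            return app_class
    return "unknown"


class FirstPacketClassifier:
    def __init__(self, now=time.monotonic):
        self._now = now        # injectable clock so TTL expiry is testable
        self._ip_cache = {}    # resolved IP (str) -> DnsEntry

    def snoop_dns_answer(self, qname, answers):
        """Learn from a DNS response seen on the wire.

        answers: iterable of (ip, ttl) pairs taken from its A/AAAA records.
        """
        qname = qname.rstrip(".").lower()
        for ip, ttl in answers:
            key = str(ipaddress.ip_address(ip))   # validates and normalises
            entry = self._ip_cache.setdefault(key, DnsEntry())
            entry.domains.add(qname)
            entry.expires_at = max(entry.expires_at, self._now() + ttl)

    def learn_from_dpi(self, dst_ip, server_name, ttl=3600):
        """Feedback path: once DPI (e.g. the TLS SNI) identifies a flow whose
        SYN was classified 'unknown', remember the IP so the next flow to it
        can be steered on its first packet. The TTL is an assumed default."""
        self.snoop_dns_answer(server_name, [(dst_ip, ttl)])

    def classify_syn(self, dst_ip, dst_port):
        """Return (app_class, policy) using only what a TCP SYN carries.

        The decision is final: after NAT the flow cannot change path.
        """
        if dst_port not in (80, 443):
            return "non-web", POLICY_BY_CLASS["non-web"]
        key = str(ipaddress.ip_address(dst_ip))
        entry = self._ip_cache.get(key)
        if entry is None or entry.expires_at < self._now():
            self._ip_cache.pop(key, None)      # never seen, or its TTL ran out
            return "unknown", POLICY_BY_CLASS["unknown"]
        classes = {class_for_domain(d) for d in entry.domains}
        if len(classes) != 1:
            # Shared-hosting / CDN address used by different applications: the
            # SYN alone cannot tell them apart, so steer conservatively.
            return "ambiguous", POLICY_BY_CLASS["ambiguous"]
        app_class = classes.pop()
        return app_class, POLICY_BY_CLASS[app_class]


if __name__ == "__main__":
    clf = FirstPacketClassifier()
    # Constructed DNS answers the device would have snooped from branch clients.
    clf.snoop_dns_answer("login.salesforce.com.", [("203.0.113.10", 300)])
    clf.snoop_dns_answer("www.youtube.com", [("203.0.113.20", 60)])
    for syn in [("203.0.113.10", 443), ("203.0.113.20", 443), ("203.0.113.99", 443)]:
        print(syn, "->", clf.classify_syn(*syn))
```

Two design points worth noting for anyone building something similar. The cache is only as good as the DNS traffic the device actually sees: clients that resolve through a resolver whose answers do not pass the appliance will show up as "unknown" until the DPI feedback path fills the gap, which is why the conservative default for "unknown" is backhaul rather than local breakout. And an address shared by several domains (typical of CDNs) is deliberately treated as ambiguous rather than taking the most recent answer, because a wrong first-packet decision cannot be undone once the flow has been NATed onto a path.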
We are embarking on the journey to a Self-Driving WAN. First-packet iQ marks an important milestone, but we aren’t going to be complacent, we have a lot more innovation to deliver as we drive toward our ultimate destination. Stay tuned.
Meanwhile, I invite you to share this blog with any of your colleagues interested in SD-WAN.