EMA Whitepaper - Requirements for Building On-Device Management Systems

Whitepaper on key requirements to build an on-device configuration management system for enterprise and carrier-class networking equipment.

http://www.tail-f.com

Building Carrier-Grade On-Device Network Management Systems
An Enterprise Management Associates White Paper
October 2007

Table of Contents

Introduction
  New Services Increase Network Complexity
  Enterprise and Carrier Requirements are Converging
Network Management Design Challenges
  High Availability
  Scalability and Performance
  Security
  Fine-grained Control and Logging
  Data Consistency and Integrity
  Change Automation
  Rapid Development
Conclusion

Introduction

The key issues involved in developing on-device network management systems for carrier-grade enterprise and operator networks are the same as for any other networked resource, only with more complexity and built-in restrictions due to the limited space and processing capabilities inherent to these types of devices. The requirements for on-device network management systems will be reviewed in the context of the business and technical expectations of network operators that drive these requirements and their ever-changing network environmental demands. Increasing levels of complexity and converging industry requirements are the key factors that continue to shape this unique industry segment.

New Services Increase Network Complexity

Modern networks have become increasingly sophisticated platforms for delivering data, voice, video, and wireless services. Network management systems must adapt to meet new challenges. The old paradigm of humans administering networks with a "set and forget" approach is long gone. Customer expectations for network performance have never been higher. Users want applications and services available in their homes, offices, and everywhere in between, without interruption or limitations. Network operators and equipment vendors are working hard to make this a reality.

Competitive and economic forces are also affecting the networking industry. While the cost of the network equipment itself has been squeezed over many years, the cost of deploying new services and maintaining the networks has increased dramatically. Service providers and enterprises are constantly looking to reduce the operating cost of their networks as a means to become more competitive.

Enterprise and Carrier Requirements are Converging

Interestingly, the challenges facing CIOs of enterprises often mirror those of commercial service providers. Larger enterprise networks have many similarities with service provider networks. For example, the "five-nines" availability expectation for telco equipment has now crossed into the enterprise as Voice over Internet Protocol (VoIP) penetration explodes. Users rightly expect a dial tone every time they pick up the phone, whether it comes over a Time-Division Multiplexing (TDM) or an IP network.

Network Management Design Challenges

The developers of networking equipment and their network management systems must meet or exceed the expectations of network operators in an environment that is increasingly complicated.

The number of network devices and their form factors are proliferating. In addition to appliances and Advanced Telecommunications Computing Architecture (ATCA) compliant chassis products, blade servers are being increasingly adopted for networking applications. The growth in the number of network devices requires multiple devices to be configured and supported within flexible high availability frameworks.

The number and complexity of required northbound management interfaces is also increasing. In addition to Simple Network Management Protocol (SNMP) and command line interface (CLI) agents, web and NETCONF/Extensible Markup Language (XML) interfaces are increasingly expected on most network devices. All these management interfaces must be synchronized to ensure consistency. Flexible provisioning and frequent re-configuration are needed to support multi-service networks.

As if this were not enough, developers of networking equipment must bring complete solutions to market in less time, with constrained resources, and often using distributed teams responsible for modular components of the overall system.

High Availability

Until recently, network management was not high on a network operator's punch list for ensuring continuous availability. However, as networks become dependent on frequent software updates and dynamic service provisioning, this is changing.

Building a highly available network management application requires a powerful software fabric with capabilities including database replication, support for master-slave heartbeat, full redundancy, hot failover, multiple levels of security access controls, complete analytical drill-down functionality and, of course, a full line of reporting capabilities.

©2007 Enterprise Management Associates, Inc. All Rights Reserved.
It is common for chassis-based network devices to have a separate management card managing individual line cards, as shown in Figure 1. This capability requires an application programming interface (API) to make it possible for the management cards to manage resources on other hosts.

Figure 1 (image not included in the transcript): a separate management card managing individual line cards.

Dual management cards should have the capability to be configured to ensure high availability, master-slave heartbeat, and full redundancy. All configuration changes are always written to both management cards, and when re-configuring the master all data is also replicated to the slave. Upon a failure of the master, the system will switch over to the slave and the slave will become active in the system. Some form of alerting, or warning, mechanism is necessary to notify network operations staff of the event and the subsequent change in operational status of the device. Additionally, drill-down analytics are a necessity for the network operations staff, enabling them to dive into the heart of any network event and ascertain the true cause and nature of the event.

With this type of architecture it is also possible to upgrade the system without bringing down the entire service or device. To deliver redundancy in a scalable fashion, data replication should be possible from a single master to N slaves, where N is not arbitrarily limited. Slave units or redundant devices could be physically located anywhere on the network. Control of the master, slaves, and redundant devices should be from a single console window. The same console window will also be the central alert / notification display mechanism for this type of network management architecture.

Scalability and Performance

Carrier-grade network management applications must have the capability to monitor, provision, and configure very large networks without impacting service delivery.

The first problem is storing large numbers of configuration parameters. In a large complex network the number of configuration parameters can be in the millions. This implies the need for a large, robust, real-time data store that can scale linearly without performance degradation. The problem is much more difficult at the network device level, where memory and processing resources are limited and not easily expanded without additional hardware. The best solution is to use a data store that is optimized for configuration and operational data as well as for the data types and database transactions specific to network management.

The second issue is the performance and scalability of the transaction engine that manages the communication stream to end devices. Implementing a configuration change in a large network implies the need for a transaction engine that can scale to tens of thousands of operations per minute. The growing use of XML data for configuration management requires that the data streaming process in the transaction engine be highly tuned to these performance needs.

In order to address the growing need for scalable performance, some networking products are based on blade servers and stackable appliances as a means of delivering scalable performance. Both these approaches share the benefit of being able to add capacity without disrupting the network.

The challenge is for the configuration management system to operate without any dependency on the hardware configuration. For example, each blade in a cluster should be unaware of the fact that it is running in a clustered environment. One of the blades must be dynamically assigned a management role, and network administrators must have visibility of all network devices as they are added on the fly. This latter capability is sometimes referred to as a cluster join.

Security

Simple password protection is not enough for a carrier-grade network management system. With a high incidence of severe threats and attacks on information assets, security has become a priority at the highest levels inside an organization. In addition to mitigating threats to mission-critical network systems, network operators and enterprises must also comply with a wide range of regulations that require them to implement and verify the effectiveness of security information management controls.

The first step in providing appropriate security is user authentication. A user must present credentials, such as a password or a public key, in order to gain access. The ability to support security solutions based on protocols such as Remote Authentication Dial-In User Service (RADIUS) and Lightweight Directory Access Protocol (LDAP) is an important option for any good authentication system. A remote authentication server will typically store both the users' login credentials and their group information, which can be applied to authorizing their access rights.

The second step in the security model is authorization. Even though a set of credentials has been presented and confirmed as acceptable, there is still the question of what actions, tasks, changes, etc. are to be allowed under the scope of those credentials. Once a user is properly and successfully authenticated, all operations performed by that user must be authorized by the appropriate access control source inside the organization. The internal access control source must confirm that the credentials presented are in fact authorized to perform the operation intended. If they are, then the intended operation is allowed to be performed. If those credentials do not have the necessary permissions or access control rights to perform the requested operation, then the request is denied.

Accounting and auditing is the third major leg of the traditional AAA (authentication, authorization and accounting) services needed for robust security. When logins fail, access is denied, or unauthorized changes are attempted, those events must be recorded and reported to the appropriate authorities. Therein lies the need for strong, robust reporting and auditing capabilities that can take on many forms, i.e. compliance reports (Sarbanes-Oxley, HIPAA), forensic analysis, and billing.

Since many network management systems include a web interface, it is also important that the embedded web server does not expose the system to security vulnerabilities. Considerations here include using HTTPS for all communication between the client and the server, preventing cross-site scripting, and ensuring that configuration values are not cached by the browser or by intermediaries.

Fine-grained Control and Logging

The ability to allow identified users or user groups to perform specific tasks is important in any large network and is the cornerstone of a role-based system of administration. To provide true fine-grained control over which users or groups can execute particular actions requires authorization control of commands, data access and device access.

Figure 2 (image not included in the transcript): role-based access control.

As illustrated in Figure 2, role-based access control allows users to change while roles remain constant. When responsibilities for network administration are organized by seniority, geography, or line of business, role-based access control is very beneficial.

Providers of managed services also need such granular control. Here the need is for multi-tenant access to the network management application. Individual clients of a managed security gateway, for example, must be able to view their own virtualized security policies and make changes only to rules and data that affect their own organization.

Data Consistency and Integrity

It is highly advantageous to have a single view, or window, of all sessions in all the northbound interfaces. As a result, access rules and audit trails can be uniformly applied by the CLI and web interfaces. To ensure data consistency, a carrier-grade network management system must guarantee that configuration changes made in any of the management interfaces are either entirely completed or aborted and properly rolled back, thereby ensuring that the integrity of the configuration, and ultimately the network, is maintained.

Figure 3 (image not included in the transcript): stovepipe architecture, with each management interface using its own adaptors and APIs.

Traditionally, network management applications have used a stovepipe architecture as depicted in Figure 3. Here each management interface talks to managed objects using its own software adaptors and APIs. This cumbersome approach not only strains development resources, but also risks compromising configuration integrity.

Ideally, backplane software should set up a transaction for every committed configuration change from northbound interfaces. It then should talk to all affected managed objects in a specific order, waiting for them to acknowledge that the change has been accepted, duly processed and successfully completed. If any of the managed objects returns an error (e.g., failed to set a specific configuration parameter in the routing stack), the backplane ensures that any changes made up to that point are completely and successfully rolled back. Figure 4 illustrates an architecture based on a single unified backplane or transaction engine.

Figure 4 (image not included in the transcript): architecture based on a single unified backplane / transaction engine.

The use of a synchronous subscription API plays a useful role in ensuring data integrity. This allows managed objects to receive a notification over a subscription socket when configuration data changes. Each subscription should have a priority, and the subscribers are notified in that priority order.

A Dynamic Host Configuration Protocol (DHCP) server configuration change is an example of where ordered notifications are of significant value to the integrity of the network as a whole. If both the IP address of the network device and some additional changes to the DHCP server configuration are performed in a single configuration change, it is imperative that the DHCP configuration code receives the configuration change after the IP interface manager code has acted on the change and changed the address on the network device. Otherwise, there is a potential conflict in the consistency and overall integrity of the configuration of network devices versus the information contained in any particular server or configuration source.

Change Automation

Managing operating expenses is critical to the success of both service providers and IT organizations responsible for enterprise networks. Network administration is one of the many functions that make up the planning, deployment, management, and maintenance of networks. Network administration costs are significant both as direct expenses and as a by-product of configuration errors that can cause service outages or severe performance impacts. Service disruptions carry a significant toll in terms of organizational productivity, negative PR, and potential customer churn. Until recently the alternatives for configuration management, such as manual configuration, CLI scripting, and SNMP, faced multiple limitations. For a complete discussion of these issues read Tail-f Systems' whitepaper "Next Generation Network Management with NETCONF".

The NETCONF standard for automated configuration was finalized by the Internet Engineering Task Force (IETF) in December 2006 as Requests for Comments (RFC) 4741-4744. (RFC 4741 has since been obsoleted by RFC 6241, and NETCONF over SSH, RFC 4742, by RFC 6242; the RPC and XML model described here is unchanged.) This Remote Procedure Call (RPC) based protocol uses XML data encoding for the configuration data and the protocol messages exchanged between a manager and an agent.

NETCONF includes robust features to ensure that configuration changes are made consistently across all network devices. For example, a configuration change will only be committed if no errors occur. If errors do occur the changes will be automatically rolled back. This is illustrated in Figure 5. NETCONF frees network management applications and data stores from the overhead and complexity of implementing their own data consistency safeguards, since these are handled at the protocol level.

Figure 5 (image not included in the transcript): NETCONF configuration change committed only when no error occurs, otherwise rolled back.

Equipment vendors and network operators are adopting NETCONF to facilitate scalable deployments of networks without the risks of disruptive configuration errors. The need for NETCONF is also being driven by the inherent complexity of networks and the explosion in the number and variety of network devices. Today many services require network devices to be changed in one single transaction.

Rapid Development

Network operators are under pressure to quickly bring innovative services to their customers and users. Network equipment vendors therefore require enabling technologies to shorten development time and minimize sustaining engineering overhead.

There are several time-to-market bottlenecks affecting network management software. Where northbound interfaces are not tightly coupled, additions and changes to applications and managed objects are multiplied several fold, as each management interface must be addressed independently.

The need for increased code integration and testing among management interfaces is another negative by-product of a stovepipe architecture. Interfaces between software modules usually have higher than average bug rates. In addition, an uncoupled architecture undermines the benefits of using distributed development teams by creating interdependencies at every stage of the development process. Ideally, developers share the same data store of managed objects, and that data store allows individual developers to add or delete items in the configuration without impacting other developers. But at the same time, there is a need to monitor and control items that are changed in the configuration.

The time to develop new network management functionality can also be accelerated by integrating new functions with existing applications and data stores. Reusing legacy software modules has trade-offs, but the existence of well-defined APIs provides a practical option to pursue this approach vs. reinventing everything from scratch.

Conclusion

Carrier-grade networks are larger and more complex than ever before, and growing more complex all the time. The software that monitors, configures, and controls these networks must be designed for high performance, continuous service, comprehensive security, low cost and reliable operations. This is best achieved with a unified transaction-based architecture that ensures consistent execution, fine-grained control, and rapid application development. This unified architecture will also need to be flexible to absorb the constant change brought about in today's networking environments due to changes in mission scope, mergers and acquisitions, as well as the constant application and network performance improvements required to keep pace with competition.

That flexibility will also need to be extended to those areas where the applications, or network devices, interact or interface with other platform and tool architectures already present in the network environment. The ability to interoperate with other applications and devices in today's market is imperative. Executive management wants everything to work in a homogeneous manner so that past, present, and future investments can be utilized together without significant effort or loss of capability or service delivery.

Software applications and network devices will increasingly need to route their AAA activities and operational events through a highly reliable, robust, intelligent, and centralized data repository. A centralized data repository allows for consolidated and improved analytic functionality to be provided for enhanced true-cause troubleshooting, along with a robust auditing and reporting feature set to aid in current and future compliance adoption. A centralized data repository also provides the enterprise or telco staff with a complete and cohesive view into their network environment that allows everyone to see the same information at the same time, not only across the organization, but also up and down the various organizational levels.
About Enterprise Management Associates, Inc.

Enterprise Management Associates is an advisory and research firm providing market insight to solution providers and technology guidance to Fortune 1000 companies. The EMA team is composed of industry-respected analysts who deliver strategic awareness about computing and communications infrastructure. Coupling this team of experts with an ever-expanding knowledge repository gives EMA clients an unparalleled advantage against their competition. The firm has published hundreds of articles and books on technology management topics and is frequently requested to share their observations at management forums worldwide.

This report in whole or in part may not be duplicated, reproduced, stored in a retrieval system or retransmitted without prior written permission of Enterprise Management Associates, Inc. All opinions and estimates herein constitute our judgement as of this date and are subject to change without notice. Product names mentioned herein may be trademarks and/or registered trademarks of their respective companies.

©2007 Enterprise Management Associates, Inc. All Rights Reserved.

Corporate Headquarters: 5777 Central Avenue, Suite 105, Boulder, CO 80301. Phone: +1 303 543 9500. Fax: +1 303 543 7687. www.enterprisemanagement.com 1460.102207