Ronny Lam

about://tech

SDN Is the NSA's Wet Dream!

First of all, did you notice? SDN, the current hype in networking; SnowDeN, uncovering years of spying by the US Government.

While I am writing this Snowden has moved from Hong Kong to Moscow and is now negotiating asylum in Ecuador. He is facing 30 years of jail in his own country for uncovering (preventive) monitoring of telephone and internet connections of its own citizens and of foreign countries.

I realize that after this post I will be prosecuted by my psychiatrist and my medication will be more than doubled to get rid of these bad depressing thoughts.

SDN basically puts a whole network under central control and from this controller you can program flows through the network, based on exact filters. Here’s a use case from Pica8:

OpenFlow 1.2 provides the means to externally program network-tap-like functionality into any OpenFlow-compliant physical switch. This more flexible, SDN-driven capability reduces CapEx by dynamically adjusting the TAP characteristics and therefore avoiding dedicated devices.
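The tap use case above is exactly what makes central control worth auditing: a flow entry that duplicates matched traffic to an extra port, or sends it out of a port the operator does not control, is a tap whether or not anyone called it that. As an added illustration (not from this post, from Pica8 or from any OpenFlow controller), here is a small audit over constructed, simplified flow entries that flags both patterns; the FlowEntry shape, port numbers and sample rules are assumptions made for the example.

```python
from dataclasses import dataclass


@dataclass
class FlowEntry:
    """Simplified flow entry (constructed shape, not the OpenFlow wire format):
    a name, a match (field -> value) and the ports matched packets are output to."""
    name: str
    match: dict
    output_ports: tuple


# Switch ports cabled to devices inside our own trust domain (constructed values).
TRUSTED_PORTS = frozenset({1, 2, 3})

# Constructed sample flow table, as a controller might have pushed it to a switch.
SAMPLE_FLOWS = [
    # Ordinary forwarding: a single output port inside the trust domain.
    FlowEntry("fwd-lan", {"in_port": 1}, (2,)),
    # Tap-like rule: HTTPS traffic is forwarded AND copied to a second port.
    FlowEntry("mirror-https", {"eth_type": 0x0800, "ip_proto": 6, "tcp_dst": 443}, (2, 7)),
    # Single output, but to a port that is not part of our trust domain.
    FlowEntry("leak-uplink", {"eth_type": 0x0800, "ipv4_dst": "10.0.0.0/8"}, (9,)),
]


def audit_flows(flows, trusted_ports=TRUSTED_PORTS):
    """Return [(flow name, [reasons])] for entries that behave like a tap:
    they duplicate traffic to more than one port, or output it on a port
    outside the operator's own trust domain. Clean tables yield []."""
    findings = []
    for flow in flows:
        reasons = []
        if len(flow.output_ports) > 1:
            reasons.append(f"duplicates traffic to {len(flow.output_ports)} ports")
        foreign = sorted(set(flow.output_ports) - trusted_ports)
        if foreign:
            reasons.append(f"outputs to untrusted ports {foreign}")
        if reasons:
            findings.append((flow.name, reasons))
    return findings


if __name__ == "__main__":
    for name, reasons in audit_flows(SAMPLE_FLOWS):
        print(f"{name}: {'; '.join(reasons)}")
```

Run against a real controller's flow dump, the same check becomes a periodic control: any mirror or out-of-domain output that no change ticket explains is a finding.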

SDN will only work within a single trust domain, just like BGP right now. But at the SDN World Forum last week in Barcelona we discussed use cases that would have to cross trust domains. Think of delivering Netflix, for example, with a guaranteed amount of bandwidth and QoS all the way to the end user.

Currently there is no way to manage flows across mutually non-trusting domains, just as it is currently impossible to deliver MPLS VPNs across such domains. That would have to be solved either by establishing trust relationships with all your neighbors (which raises the question of what to do with the neighbors of your neighbors), or by trusting a trusted third party (as with BGP RPKI) and/or putting part of your controller under centralized control.

Now this is the NSA’s wet dream.

Thank God trust is not something every carrier/provider gives away easily. So it is still a long time until we get there. If SDN survives that long, it will be BGP all over again.