BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
Network virtualization startup Midokura introduced its cloud networking solution this week, along with integration into the OpenStack cloud orchestration framework.
MidoNet, the Tokyo-based company's product, is comparable to virtual network overlays from IBM, Big Switch Networks Inc. and VMware Inc.'s Nicira, but it has a broader approach to cloud networking and a different control plane architecture.
MidoNet: Network virtualization with distributed control plane
Like other virtual network overlays, Midokura's network virtualization technology sits on server hosts at the edge of a data center network and creates virtual networks on top of any physical network that provides IP connectivity. Each MidoNet agent runs on a Linux host and communicates directly with an Open vSwitch kernel on that host to establish the overlay.
While most network overlays and software defined networks rely on a central controller to direct the virtual switches on those hosts, Midokura adopted a distributed control plane. So, every MidoNet agent maintains its own control plane and works with the other agents to maintain a shared, fast network-state database.
"From the point of view of the operator, every host we run on acts as a line card in a very big, grid router," said Ben Cherian, chief strategy officer at Midokura. "Our model pushes all the network intelligence out to the edge in software."
Because the intelligence is distributed, "it scales way better than a controller-based architecture," said Ivan Pepelnjak, blogger and chief technology advisor for NIL Data Communications. "It's like comparing HP's IRF [Intelligent Resilient Framework] -- a central control plane [that] scales to 10 switches -- with Juniper's QFabric -- a central management plane [and a] distributed control plane [that] scales to 128 switches today."
The MidoNet agents use the shared network-state database to route traffic across the underlying physical IP network. Meanwhile, the tenants on this virtual network -- whether they belong to enterprises in a public cloud or application owners in a private cloud -- can create whatever network virtualization topology they need for applications and services, including provider virtual routers, tenant virtual routers and tenant virtual switches. Like other network virtualization technologies, MidoNet allows a tenant to provision and change network connections for virtual machines without having to touch the physical network. The MidoNet agents track these topology changes and alter the packets in the traffic flow to emulate them.
"When you layer these [virtual topologies] on, [MidoNet] basically says, 'OK, what transformations do we need to do to this packet to make sure it's gone through this topology.' We're doing calculations and simulations and then applying that to the packet," Cherian said.
"From the technical side, Midokura passes the 'it's possible' test, as they use the well-known software router Quagga for routing and the long standing GRE [Generic Routing Encapsulation], which has a long history in the routing world," said Steve Noble, chief analyst with Router Analysis, a network product testing startup.
Midokura claims it can achieve forwarding rates of up to 10 Gbps on its virtual network overlay, a claim that Noble would like to see tested.
Network virtualization beyond Layer 2
Unlike most other virtual network overlay vendors, Midokura tackles Layer 2 through Layer 7 networking, including network services such as firewalls and load balancing. It implements these services with its MidoNet agents.
"We provide services like virtual Layer 2 distributed switching, virtual Layer 3 distributed routing, virtual Layer 2 and Layer 3 isolation, Layer 4 services like load balancing and firewalls, NAT [Network Address Translation], access control lists, and virtual port and device monitoring," Cherian said. The product also has a RESTful northbound application programming interface and a Web-based management console.
In fact, Pepelnjak says Midokura's overlay solution appears to be the only one that has the full set of network tools -- router, firewall, load balancer -- implemented in the hypervisor kernel. "Every other overlay network solution is focused on virtual [Layer 2] segments -- VXLAN [Virtual Extensible LAN], NVGRE [Network Virtualization using Generic Routing Encapsulation], Nicira," he said.
One drawback to adding these network services could potentially be packet overprocessing, Noble said. In a typical physical network with a router-to-firewall design, some packets are not forwarded to the firewall because they are sent to a different security zone. In a virtual network overlay, all the packets will be hitting the same MidoNet agents. "I am concerned with packet overprocessing, when you have hundreds of thousands of VMs, many different security domains and needs, a one-step, massive lookup can product significant overhead," he said.
But Cherian said MidoNet's ability to run the entire network stack in its software eliminates the need for traffic to hairpin into isolated appliances for NAT or load balancing, which eliminates latency. Also, every time traffic hits the network, MidoNet defines a flow with the first packet with a lookup that takes milliseconds. All subsequent packets are then forwarded at close to line rate, he said.
Midokura has validated MidoNet on a network with 50 server hosts, and Cherian said it will very soon validate the technology for a much larger network with help from a large beta customer. In terms of packet processing on the Linux hosts, Cherian said MidoNet's CPU footprint varies with how much traffic is pushing through an individual box. "We've in the past been able to completely peg a box -- in terms of the full NIC [network interface card] -- to be able to handle 10 gigabits of throughput coming through the system and been able to do that while taking at most one core of the CPU."
Mature OpenStack integration
Midokura's product is still in its beta-testing phase with unidentified customers, and the product won't be generally available for a few months, Cherian said. The company did, however, announce OpenStack integration at the OpenStack Summit. MidoNet will integrate with the Nova network plug-in on the Essex release of OpenStack.
Eric Hanselman, research director for 451 Research, calls this the more realistic approach toward OpenStack network maturity. "Everyone on the planet has an OpenStack Quantum plug-in, but OpenStack is much more full-featured in the Nova implementation on the Essex release," Hanselmann said. "The Folsom release is the first where Quantum was officially supported. [It's the] new face of networking for OpenStack but the difficulty is that it's not as mature as some of the capabilities of Nova. A lot of people want to be on the latest and greatest with OpenStack, but there are risks associated with new software."
Let us know what you think about the story; email: Shamus McGillicuddy, News Director.