If psychologist Abraham Maslow was around to apply his hierarchy to the current era of digital business and omni-connected lifestyles, networks would surely form the base of the pyramid. Networks are the ultimate foundation for much of what we now take for granted.
Unlike the physiological needs for things like air, water, and food that underpin Maslow's psychological model, networks follow a steep curve of technological advancement that's created enormous complexity.
Much like a genome map, the complexity of modern cloud or data center networks is such that no individual can fully comprehend all the details. Such exploding complexity not only creates added work and expense for IT organizations but, as we've seen all too often, leads to mistakes and misconfigurations that cause expensive and embarrassing downtime or security breaches.
The knee-jerk solution to complex problems is automation. If humans can't be trusted to operate as error-free actors, then take decisions out of their hands and substitute a tested, repeatable programmatic process. However, with the most important layers now virtualized, networks have become dynamic structures that respond to changes in usage, applications and security policies.
Consequently, network automation must be less mechanical and more adaptive, with configurations and policies described in a high-level language, not arcane CLI commands using low-level constructs like addresses, range masks, and port numbers. Furthermore, automating legacy network processes merely speeds up an already flawed, arcane process.
Compared to computer programming, network configuration is still in the era of assembler language, when what's needed are high-level declarative languages that can model intended outcomes without detailing the underlying control procedures. Such is the goal of intent-based networking.
Thanks to Cisco’s PR blitz last summer, “intent based” has joined the pantheon of IT buzzwords, spawning a raft of ‘intent-washing’ announcements. PR fluff notwithstanding, the concept represents a legitimate paradigm shift in network management that will become a reality for more organizations in the coming years. Companies like Apstra, Intentionet, Veriflow and eventually Cisco are delivering, or will deliver, products that simplify network topology and security configuration, improve traffic visibility and analysis, and dynamically adapt to virtual network changes.
Intent-based networking 101
Like any new concept, intent-based networking (IBN) lacks a broadly-accepted canonical definition, hence the propensity for companies to intent-wash minor updates to existing products to exploit the buzz.
A common misconception is that IBN is just another name for SDN-based workflow automation, aka orchestration. However, as Apstra’s CTO Sasha Ratkovic points out, workflow execution is only half of the problem, since it relies upon a prior definition of the network's desired end state. In IBN, state modeling using higher-level abstractions to describe the intended outcome, the “what”, is the fundamental innovation differentiating it from prior network automation schemes that focus on the "how". As Ratkovic puts it,
At a high level, Intent defines the ‘what’ not the ‘how’. A key observation is that intent is dynamic, and a fundamental requirement of an IBN system is that it should be capable of ensuring that intent’s expectations are met in the presence of change. And changes can come from either the operator (business rule change) or the infrastructure (operational status change). In order to enforce that intent expectations are met, the IBN [system] has to be the single source of truth … that one can programmatically reason about in the presence of change.
IBN is designed to automate the entire network lifecycle from design and implementation to deployment and validation. What Ratkovic terms a single source of truth manifests itself in something like a graph database of network objects and connections with an extensible schema that can reflect changing business rules and infrastructure capabilities and that can dynamically respond to changing network conditions that are captured via telemetry.
An IBN system also uses network telemetry to feed analytic models that summarize the state of network operations, identify trends and anomalies and validate that operations conform with the intended state.
- Translation and Validation, namely the ability to translate high-level business policies into a network design and configuration.
- Automated Implementation by programmatically implementing the intended design and configuration on existing network infrastructure.
- Awareness of Network State via the ability to ingest and aggregate network telemetry that is used to update the implementation to maintain compliance with the intended state and operating conditions, which prompts the fourth criterion:
- Assurance and Dynamic Optimization/Remediation to automatically adjust network behaviors, such as taking corrective action to block malicious traffic or modify traffic priorities to maintain compliance with the intended model.
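As an added illustration (not Apstra's or any other vendor's code), here is a minimal Python sketch of the four-step loop above: an intent expressed in segment names rather than addresses, a translation step that compiles it into concrete allow rules, validation of a telemetry snapshot against that intent, and proposed remediation. The segment names, prefixes and telemetry layout are all constructed assumptions.

```python
import ipaddress

# Constructed intent (the "what"): named segments and who may reach whom.
# No addresses, masks or port numbers appear at this level.
INTENT = {
    "segments": {"web": ["app"], "app": ["db"], "db": []},   # segment -> reachable segments
    "min_uplinks_per_leaf": 2,                               # redundancy expectation
}

# Constructed binding of segments to prefixes; the translation step owns this detail.
PREFIXES = {"web": "10.1.0.0/24", "app": "10.2.0.0/24", "db": "10.3.0.0/24"}

def translate(intent, prefixes):
    """Translation step: compile segment intent into concrete (src, dst) allow rules."""
    return {(prefixes[s], prefixes[d]) for s, dsts in intent["segments"].items() for d in dsts}

def segment_of(ip, prefixes):
    """Map an observed host address back to its intent-level segment (None if unknown)."""
    for name, pfx in prefixes.items():
        if ipaddress.ip_address(ip) in ipaddress.ip_network(pfx):
            return name
    return None

def validate(intent, prefixes, telemetry):
    """Awareness/assurance step: compare observed state with intent; return violations."""
    allowed = translate(intent, prefixes)
    violations = []
    for src, dst in telemetry["flows"]:
        s, d = segment_of(src, prefixes), segment_of(dst, prefixes)
        if s is None or d is None or (prefixes[s], prefixes[d]) not in allowed:
            violations.append(("unexpected_flow", src, dst))
    for leaf, up in telemetry["uplinks_up"].items():
        if up < intent["min_uplinks_per_leaf"]:
            violations.append(("uplink_redundancy", leaf, up))
    return violations

def remediate(violations):
    """Remediation step: propose corrective actions (returned for review, not pushed)."""
    actions = []
    for kind, a, b in violations:
        if kind == "unexpected_flow":
            actions.append(f"deny {a} -> {b}")
        else:
            actions.append(f"alert {a}: only {b} uplink(s) up")
    return actions

# Constructed telemetry snapshot: one compliant flow, one policy violation, one degraded leaf.
TELEMETRY = {
    "flows": [("10.1.0.5", "10.2.0.9"), ("10.3.0.7", "10.1.0.5")],
    "uplinks_up": {"leaf1": 2, "leaf2": 1},
}
```

Running `remediate(validate(INTENT, PREFIXES, TELEMETRY))` yields a deny proposal for the db-to-web flow and an alert for the leaf with a single uplink; a real system would feed the same telemetry back into the graph model continuously rather than once.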
Startups like Apstra leading the way
It’s easy to think that such abstract properties are merely the rarefied dreams of academics. However, IBN is already being put into practice using software from a handful of startups. Apstra arguably was first to market with its AOS intent-based operating system, which works with the hardware device OS from multiple supported vendors to implement the full intent-based lifecycle (see image at top of post). According to Apstra’s CEO and co-founder Mansour Karam, intent descriptions can include things like various types of network connections, bandwidth limitations and security groups, with policy descriptions that can get quite granular.
AOS, which first shipped in July of 2016, includes the following key features:
- A vendor- and technology-neutral design language and software with templates that reflect network design and configuration best practices.
- Support for physical and virtual networks using the VXLAN standard.
- Continuous monitoring and validation of network state and device configurations, covering both physical and virtual elements.
- Dashboards and visualizations that summarize overall network status and sub-categories like particular equipment racks and services.
- A graph query language to facilitate state definition and reporting. For example, a single command can show the conditions on all server-facing interfaces or all the network trunks linking leaf nodes with the network spine.
Apstra's recent AOS 2.1 update improves its analytics capabilities with what Karam calls a big data pipeline that can turn raw data into reports and alerts. The release also adds query and configuration features while augmenting its list of supported devices.
- Network segmentation and vulnerability detection
- Continuous monitoring and topology mapping of changing network conditions
- End-to-end service monitoring
- Network incident analysis and troubleshooting
Little information is available about Intentionet; however, it is pursuing the same intent-based approach to network management. The best publicly available summary of its technology strategy is a keynote address to Future:net 2017 by its co-founder and CEO, Ratul Mahajan.
As evidenced by released products from Apstra, Forward and Veriflow, all of which have been under development for several years, IBN isn't a new concept.
Still, it took Cisco to raise awareness and mainstream the idea when its CEO made IBN the focus of the company's strategy last summer. So far, Cisco has more blog posts than product announcements, although its latest iteration of ACI, particularly APIC (Application Policy Infrastructure Controller) 3.0, moves in the direction of intent-based automation.
While Cisco is behind the IBN startups, it is not to be underestimated since CEO Robbins made clear that IBN is the foundation of the company’s strategic shift towards software. Until Cisco follows through with significant product releases we can’t be sure, but Cisco appears ahead of its biggest competitors in moving network management to higher levels of abstraction.
Expect others to follow in the coming year or two, perhaps via an acquisition of one of the startups mentioned or others still working in stealth.
IBN is a reaction to extreme complexity and data overload and exemplifies the spread of system modeling with programmatic implementation to infrastructure design and deployment. When paired with sophisticated statistical and ML analysis of aggregated device data IBN should significantly reduce admin overhead while improving network reliability, security and availability.
Still, caution is required since IBN technology is still quite immature and the market very fluid, so organizations should be in no hurry to adopt anything. Nevertheless, IBN should be on every IT organization's radar, and it is worth investing time to understand its capabilities, assess pilot test opportunities and develop a timeline for eventual deployment.