With the emergence of cloud computing, 5G, and faster broadband network access, enterprise IT teams are embracing multicloud to connect their workforce with multiple devices, services, and applications at an unprecedented rate. Multicloud requires fast and reliable connections between multiple public clouds, private clouds and on-prem resources, which means the data backhaul between these locations and the user tends to be expensive. Software Defined Wide Area Network (SD-WAN) is a relatively new concept that takes the principles of SDN technology and applies them to the WAN to solve the challenges of multicloud connectivity at a greatly reduced price point. SD-WAN, essentially an over-the-top service provided by service providers and enterprise networking and security vendors, reduces interconnection costs and improves business deployment flexibility. SD-WAN's centralized management, load balancing, zero-touch deployment and many other features provide enterprise users with self-service, fast, securely isolated point-to-point, point-to-multipoint, and multipoint-to-multipoint dedicated cloud connection services to meet differentiated networking requirements.
China Mobile’s SD-WAN service offering provides enterprises with a seamless experience in connectivity and cloud services as well as other enterprise products. Every enterprise could easily subscribe, manage and monitor all the services online in an agile and flexible manner. This is detailed in the “China Mobile Elastic SD-WAN Technology White Paper” published in 2020.
Figure 1. China Mobile SD-WAN overall architecture
As the industry's top silicon IP supplier, Arm has a strong influence in the SD-WAN ecosystem. In recent years, Arm ecosystem partners have built multiple SD-WAN systems that range from edge networking equipment to core routing equipment and controller equipment. China Mobile's SD-WAN utilizes Arm-based customer premises equipment (CPEs) that comprehensively integrate SDN technology, a programmable underlay network and cloud virtualization capability to quickly provision and connect enterprise products with cloud network resources.
The SD-WAN offered by China Mobile is both secure and scalable. Let’s take a closer look at what makes this offering successful.
Security is an important factor in an SD-WAN service. Random number generation is one vital basis of network security and of securing the hardware itself. As security requirements in network application environments keep rising, hardware equipment that integrates a True Random Number Generator (TRNG) can achieve effective security. In network applications, random numbers are the source of key security and are also essential in post-processing. Arm cooperated with China Mobile to successfully enhance CPE security through an external random number generator on CPEs based on the Arm hardware platform.
Among the various random number generators, a QRNG (Quantum Random Number Generator) is undoubtedly the safest and most reliable. Compared with traditional random sources, a QRNG has the advantages of being free from environmental interference and allowing real-time state verification. ID Quantique (a Swiss company) provides high-performance quantum security solutions to protect data in transmission. By using quantum key distribution to upgrade existing network encryption products, IDQ ensures that the solution is "quantum secure". IDQ also develops and commercializes random number generators based on quantum physics, which serve as the reference for true randomness in many industries, including security, simulation and gaming.
Figure 2. Quantum random number generator by ID Quantique
The QRNG equipment adopted is the ID Quantique (IDQ) Quantis quantum random number generator. The product model is legacy quantity QRNG: usb-1. This real hardware random number generator is a reliable source of quantum randomness.
Figure 3. Security enhanced elastic SD-WAN
Through QRNG (Quantum Random Number Generator) hardware, the integration of the QRNG with the CPE hardware is realized, which provides enhanced IPsec/SSL tunnels for applications and strengthens the transmission security of the SD-WAN CPE. The transmission security enhancement scheme based on QRNG is implemented on the CPE, which is a beneficial exploration of network security enhancement for CPE equipment.
Traditional SD-WAN solutions can be classified into two categories. The first category is represented by certain equipment manufacturers: the underlying link is leased and, combined with the built-in routing strategy, the appropriate line is selected. This method is not controllable, and the leased line itself cannot fundamentally solve the problem of connection quality. The other category is to sell link resources bundled with the equipment manufacturers' hardware. This makes coordination between equipment, platforms and backbone networks impossible, and it is difficult to quickly realize new services and new requirements. With both categories it's clear that SD-WAN faces the following challenges:
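The "real-time state verification" mentioned above is what a CPE should do before trusting any hardware RNG output for IPsec/SSL keys. The following added example (not code from China Mobile, Arm or IDQ) implements the two continuous health tests from NIST SP 800-90B, the Repetition Count Test and the Adaptive Proportion Test, over constructed byte streams; the device path, the false-alarm rate and the min-entropy estimate are assumptions.

```python
"""Continuous health tests (NIST SP 800-90B, section 4.4) for a hardware RNG
stream before its output is trusted for IPsec/SSL key material. Added example;
the entropy estimate and alpha are assumptions, the sample streams constructed."""
import math

ALPHA = 2.0 ** -20   # false-alarm probability per test (assumed for this example)
H_MIN = 7.0          # assumed min-entropy per 8-bit sample, in bits
W = 512              # APT window size SP 800-90B recommends for non-binary sources

def rct_cutoff(h=H_MIN, alpha=ALPHA):
    """Repetition Count Test cutoff: C = 1 + ceil(-log2(alpha) / H)."""
    return 1 + math.ceil(-math.log2(alpha) / h)

def apt_cutoff(h=H_MIN, alpha=ALPHA, w=W):
    """APT cutoff: 1 + smallest k with P[Binomial(w, 2^-H) <= k] >= 1 - alpha."""
    p, cdf, k = 2.0 ** -h, 0.0, 0
    while True:
        cdf += math.comb(w, k) * p ** k * (1 - p) ** (w - k)
        if cdf >= 1 - alpha:
            return 1 + k
        k += 1

def repetition_count_test(samples, cutoff):
    """Fails when one value repeats `cutoff` times in a row (stuck-at source)."""
    run, prev = 0, None
    for s in samples:
        run = run + 1 if s == prev else 1
        prev = s
        if run >= cutoff:
            return False
    return True

def adaptive_proportion_test(samples, cutoff, w=W):
    """Fails when a window's first value recurs >= cutoff times (biased source)."""
    data = bytes(samples)
    for start in range(0, len(data) - w + 1, w):
        window = data[start:start + w]
        if window.count(window[0]) >= cutoff:
            return False
    return True

def source_is_healthy(samples):
    """Both tests must pass before the bytes are handed to the key generator."""
    return (repetition_count_test(samples, rct_cutoff())
            and adaptive_proportion_test(samples, apt_cutoff()))

if __name__ == "__main__":
    # In production: samples = open("/dev/hwrng", "rb").read(4096)  (path assumed)
    spread = bytes(range(256)) * 16    # constructed: no runs, no bias -> healthy
    stuck = b"\x42" * 4096             # constructed: stuck-at fault -> RCT fails
    biased = b"\x00\x01" * 2048        # constructed: two-value source -> APT fails
    print(source_is_healthy(spread), source_is_healthy(stuck), source_is_healthy(biased))
```

A failing test should take the QRNG out of service and fall back to the kernel's own entropy pool rather than silently continuing with suspect bytes.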
This directly impacts the flexibility of deployment of SD-WAN services.
SRv6 is a perfect combination of IPv6 and Segment Routing (hereinafter referred to as SR) technologies. It unifies IP forwarding and tunnel forwarding and has the flexibility and powerful programmability of IPv6. China Mobile's SD-WAN fully integrates with SRv6: it not only has the tunneling capabilities required by SD-WAN but also enables unified scheduling of overlay and underlay resources.
Figure 4. SD-WAN solution based on SRv6
By combining the end-to-end network from different path segments according to business requirements, and encapsulating them into an end-to-cloud network with different capabilities, connection products with different business capabilities can be realized on a single network.
CPEs are an important part of the SRv6 SD-WAN networking solution and need to undertake the functions of encapsulating and decapsulating SRv6 packets, service identification, and path selection.
Currently, most hardware devices do not have SRv6 encapsulation and decapsulation capabilities. Due to the limitations of traditional hardware, they cannot be expanded and iterated quickly. Therefore, traditional hardware network devices are not qualified for the demands of the CPE end side in the SD-WAN architecture. Forwarding based on general-purpose CPU processors and Linux kernels is the mainstream solution for deploying SD-WAN applications.
The Linux kernel has supported SRv6 since version 4.10. The recently released Linux version 5.11 added support for the SRv6 End.DT4 and End.DT6 features. Based on this, path selection and forwarding of traffic with different characteristics can be realized.
Figure 5. SRv6 underlay network
CPE equipment based on the Arm architecture has been widely used in SD-WAN for its performance, power efficiency and application ecosystem readiness. One such example is the NXP LS1023 CPU running Linux kernel version 5.11, which underwent extensive testing and research within the SRv6 experimental application scheme, combined with policy routing, VRF and other technologies, to realize SRv6 path forwarding for different user traffic plans.
Arm and China Mobile will continue to keep close cooperation in SD-WAN related fields.