Intent-Based Verification Leading a New Wave of Network Automation

Most successful IBN deployments focus on the network verification process. Not only is it safe, it also can easily integrate into existing networks and workflows.

Nikhil Handigol

May 21, 2019

5 Min Read
Intent-Based Verification Leading a New Wave of Network Automation
(Image: Pixabay)

Intent-Based Networking (IBN) is one of the most significant IT trends in recent years and is widely considered the “next big thing” in networking. The IBN vision comes as a natural successor to Software-Defined Networking (SDN), with the goal of automating networking operations and better aligning networks with business goals or intent.

Gartner first coined the term IBN in 2017. As defined, IBN comprises of networking software that helps to plan, design, implement and operate networks that can improve network availability and agility. In practice, it boils down to two key capabilities: 1) configuration: the ability to translate high-level policy or intent to network configuration, and (2) verification: the ability to verify that the actual behavior matches the high-level intent.

The biggest challenge in delivering an IBN solution is automated intelligence -- the ability for software to reason about network behavior and map back-and-forth between high-level intent and actual configuration. It effectively means replicating and automating years of knowledge and experience that seasoned network operators have developed from years of operating networks and diagnosing and troubleshooting issues. Additionally, there are organizational barriers to adopting IBN within existing networks and workflows. How can enterprises, whose business depends on the network, trust software to run their network?

Fortunately, there is a practical, easily deployable aspect of IBN that delivers automation benefits today: network verification.

Verifying network behavior is a key IT process to automate

So, what is network verification? Network verification is the ability to validate that the end-to-end behavior of the network, as determined by its configuration and state, matches the higher-level intent. More specifically, network verification systems can reason about every possible behavior that the network can demonstrate, given its current configuration and state. It can mathematically analyze all possible end-to-end paths in the network for all possible packets that can enter the network. This end-to-end behavior analysis can then be compared against the high-level intent. Some examples of end-to-end behavior that network verification can easily verify are:

  • Are there are least 3 redundant paths from a particular access layer router to another site through an MPLS Core?

  • Are there any single points of failure along an entire network path?

  • Have we ensured logical traffic isolation between two tenants or applications for all non-management IP protocols?

  • Is traffic coming in from the external internet properly restricted to only specific destinations and services?

  • Are only specific services running in our Amazon cloud available from various internal sites, systems and users? If so, which ones?

IBN verification systems have the capability of understanding such high-level, generalized requirements and verifying them in the context of the current network state. IBN effectively bridges the intent with the individual device configurations to reason through and automate the verification process. From an IT perspective, this can proactively identify any latent errors in the network which could eventually lead to outages, while avoiding tedious manual searches to isolate issues or perform root-cause analysis. For example, if a set of configuration changes are proposed or a new service is deployed, IBN can help verify the impact to existing policies before deploying to the live network, averting possible roll-backs and helping to accelerate change windows.

Verification is a distinctly different methodology than traditional testing environments; it is reasoning based on an analysis of the network design, configurations and current network state. It does not look at live traffic flows or test scenarios to determine network activity. Verification can thus do something traditional testing can rarely do: “prove a negative”, by confirming that something can’t happen, such as two networks being unreachable through any path. IBN verification can also identify configuration errors like MTU mismatches, forwarding loops, or IP address duplication anywhere in the network, which may not show up in any specific test, and without reviewing devices one by one.

How does network verification work in practice today?

IBN verification systems create a model of the network that can reason about all possible behaviors and use that to verify compliance with the intended policies and service descriptions. For an IBN verification system to work on an existing network, the only conditions that need to be met are: 1) Read-only access must be available to each device to pull configuration files and state information, 2) the IBN software must accurately model the behavior of each network device (switch, router, firewall and load balancer) for all possible packet flows, and 3) the IBN model must accommodate all protocols and services such as EVPN, BGP, MPLS, virtual networking, etc.

IBN in general, and verification in particular, is shifting the network IT model from a reactive approach to problems, to a proactive approach where an automated analysis of current network designs can virtually eliminate human errors and misconfigurations to avoid issues in the first place. The automation that verification enables is helping to replicate and augment the rare expertise of the critical IT engineers in diagnosing outages, documenting network requirements and verifying fixes.

A prudent approach to IBN

While we are still some ways away from enterprises being ready to let software completely take over their networks, most IBN deployments today are succeeding by focusing on the network verification process. Not only is it safe (requires read-only access to devices), it can also easily integrate into existing networks and workflows without requiring a hardware refresh. Enterprises are able to realize immediately tangible benefits, because verification accelerates change management processes, increases reliability and improves agility.

At a higher level, verification is a prudent first step to deploying IBN. Verification enables enterprises to build trust in their network, and in the processes that operate the network, allowing them to evolve from manual human-driven, to software-assisted, to ultimately software-driven network operations.

About the Author(s)

Nikhil Handigol

Nikhil Handigol is a co-founder at Forward Networks and a Computer Science PhD from Stanford. As a member of the Stanford team that pioneered SDN/OpenFlow, his research focused on using SDN principles for systematic network troubleshooting (NetSight), flexible network emulation (Mininet), and smart load-balancing (Aster*x). Previously, he worked at SDN Academy, ON.Lab, and Cisco.

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights