Huawei Next-Generation Network Operating System VRP V8

Source: ZDNet Networking Channel, August 30, 2012


  Foreword
 
  iPhones and the App Store, as well as other emerging smartphones, have resulted in an explosive increase in mobile Internet traffic. The cloud computing model originated by Google and Amazon has also had a huge impact on the traditional usage of computing, storage, and network resources. The growth of new businesses such as mobile Internet and changes in business models such as cloud computing are driving changes in the underlying physical device architecture to meet service requirements. The network operating system (OS), the core of network devices that transmit services and ensure a good user experience, must change to support these new trends and demands.

  The network OS requires in-depth architectural changes, not simple modification or upgrading by adding new protocols or features. A next-generation network OS is required.

  What can the next-generation OS do to meet these challenges? Huawei VRP V8 is such a next-generation network OS. It is developed based on Huawei's 15 years of experience in developing network OSs. Huawei has gained more than 500 patents in this field.

  1  Origination and Development
 

  IP technology originated from U.S. military research and applications in the 1960s. A military IP network must be highly fault tolerant. If any part of the network fails during a war, the rest of the network must be able to support normal communication.

  As a result of its openness and simplicity, IP technology was quickly put into civil use, and IP networks became the infrastructure of communications networks. Today, IP networks support various multimedia applications, such as voice, data, video, e-commerce, and online gaming. People are now more dependent on the IP-based worldwide Internet, and this is changing people's lives. The basic elements required to build the Internet are routers and switches, which are called IP network devices.

  During the last 20 years, innovations in IP technology, the expanding scale of IP networks, and the wide use of IP network devices have promoted the development and improvement of network OSs. The development of network OSs has progressed through three generations.

  1.1  First Generation: Single-Process IP Device OS
 

  The early IP devices used first-generation IP device OSs. They were single-process OSs and provided low reliability due to hardware limitations. Such OSs could hardly ensure real-time service provisioning, provided small service capacities, and were not easy to maintain. The first-generation network OSs were designed with tightly coupled modules and a single-process architecture. Therefore, they were difficult to modify and expand. Any modification or expansion to such an OS required a large amount of labor and had to be verified by tests. In addition, a single bug could easily cause the system to restart and services to be interrupted, because the single-process architecture could not isolate faults well.

  1.2  Second Generation: Multi-Process IP Device OS
 

  The second-generation IP device OSs had multiple processes and a partially distributed architecture to improve reliability and real-time processing capability. These OSs used a data sharing model. Although the second-generation IP device OSs made many improvements compared with the first-generation OSs, they had their own problems. Because multiple processes in an OS share data while ensuring real-time service provisioning, exclusive operations are often performed in the OS. This can easily cause deadlocks in the OS. In addition, the second-generation IP device OSs cannot provide carrier-grade reliability or non-stop routing service. These problems are critical in data centers and cloud networks. Customers expect long-term stable operation of IP network devices and want to minimize or even eliminate the impact of network upgrades on network services. The second-generation IP device OSs cannot meet these requirements.

  1.3  Third Generation: Virtualized IP Device OS
 

  The third-generation IP device OSs use a multi-process, distributed, virtualized architecture. They have the following characteristics:

  1)    Adapt to development from single-core CPUs to multi-core CPUs. Multi-core CPUs have higher computing capabilities than single-core CPUs. To make full use of the computing capabilities of multi-core CPUs for increasing real-time services, OSs must support fine-grained multi-process mechanisms.

  2)    Adopt a completely modular design. OS modules are isolated from each other so that failure of a single module does not affect other modules, improving system reliability.

  3)    Provide uninterrupted services without assistance from other devices.

  4)    Provide excellent O&M capabilities to reduce maintenance costs.

  Huawei VRP V8 is an outstanding representative of third-generation IP device OSs. It provides high performance, virtualization technologies, abundant features, and carrier-grade reliability, meeting the requirements of data centers and cloud networks.

  2  Highlights of Huawei Next-Generation Network OS
 

  2.1  Future-oriented High Performance and Scalability
 

  As enterprises increasingly deploy services and large networks, especially super-large data center networks, IP network devices face great challenges to their service processing capabilities and performance. Although the second-generation OSs support multiple processes and allow protocols to run independently, they do not support distributed operation of a single protocol. Therefore, these OSs cannot fully use the computing capabilities of multi-core CPUs to improve system performance and capacity.

  Huawei next-generation OS VRP V8 uses a fine-grained, fully distributed architecture. It can use multiple instances to process protocols and services that require high performance and large capacity. This multi-instance distributed processing mode fully uses available CPU resources to maximize system processing capabilities, improving system performance and capacity. VRP V8 uses flexible distributed processing policies to process different protocols. For example, it processes BGP based on peers, LDP based on sessions, L2VPN based on instances, and TE based on port groups. These flexible distributed processing policies enable VRP V8 to process different protocols and services concurrently and efficiently.

Figure 1. Development of OSs

  The fine-grained fully distributed architecture makes Huawei VRP V8 the best choice for building a highly scalable, high-performance, and highly reliable network.

  2.2  Real-Time Response Architecture
 

  VRP V8 can respond to network changes, as well as changes in user requirements, providing a better user experience.

  A network usually carries multiple real-time services, such as voice and video, which require short convergence time. Services and applications in data centers are sensitive to convergence time and latency; therefore, fast service convergence and low latency are the major requirements of data centers and cloud networks. VRP V8 uses fast detection technologies such as Bidirectional Forwarding Detection (BFD) to ensure millisecond-level convergence, greatly reducing service interruption time. When the network uses Fast Rerouting (FRR), services are not affected during convergence.

  2.3  Flexible Virtualization Technologies
 

  The third-generation OSs introduced virtualization technologies that can virtualize network resources based on service scenarios and requirements. Network virtualization technologies are classified into two types:

  •  N:1 virtualization technologies, such as stacking and cluster technologies, virtualize multiple physical resources into one logical resource.

  •  1:N virtualization technologies virtualize one physical resource into multiple logical resources.

  N:1 Virtualization
 

  Many-to-one virtualization combines multiple physical devices into one logical device to reduce the number of logical devices on a network and simplify the network topology. In addition, this type of virtualization improves scalability of network devices and protects customer investment. Typical N:1 virtualization technologies include Huawei Cluster Switch System (CSS) and Cisco Virtual Switching System (VSS).

  1:N Virtualization
 

  1:N virtualization divides a physical network facility into multiple isolated networks to reduce the number of physical devices on a network and improve device use efficiency. Huawei VRP V8 provides the Virtual System (VS) feature, which can virtualize a single physical device into multiple virtual systems. Each VS can be configured, managed, and maintained as an independent device. The VSs on a physical device are isolated from one another and can process services independently. In a data center, VSs on a physical device can carry different services or serve different user groups to improve network reliability and security. The VS technology also improves the efficiency of network devices and reduces network construction costs. As user groups are isolated and managed separately, user management becomes easier.

Figure 2. Huawei CloudEngine series switches

  2.4  Highly Reliable NSX Architecture
 

  On an enterprise IT network or cloud network, network reliability is critical. Once services are interrupted because of software/hardware failures, software upgrades, or problem fixing, the network may face considerable losses. A traditional method to improve device reliability is to add redundant hardware components, whereas most problems that affect reliability occur in the software system. Improving software system reliability becomes a major issue.

  Huawei next-generation OS takes the following measures to improve software reliability:

  1)   Uses a modular design to isolate faults in software modules so that failure of one module does not affect operating of other modules.

  2)   Provides nonstop routing (NSR) technology to quickly trigger an active/standby switchover once a software/hardware failure occurs. Neighboring devices are unaware of the switchover, so routing services are not interrupted.

  3)   Provides in-service software upgrade (ISSU) technology to ensure uninterrupted service provisioning during a software upgrade.

  4)   Supports nonstop patching (NSP) technology to prevent service interruption due to bug fixing.

  5)   Provides nonstop managing (NSM) technology to ensure that network problems can be quickly reported to the network management system during active/standby switchovers.

  The NSX technologies used in VRP V8 guarantee service continuity and network robustness.

  2.5  Unbreakable Security Architecture
 

  Security of network devices is important to carrier networks and enterprise networks, and it is the prerequisite for data security.

  Huawei VRP V8 uses High Level Access (HLA), multi-layer filtering, and security logs to enhance device security. With this security architecture, VRP V8 can quickly detect security risks and isolate faults to safeguard the network.

  HLA Technology
 

  High level access (HLA) technology provides a high level of password security. When a device is powered on for the first time, a user can only log in to the device locally and must change the password immediately after login. The password strength must comply with the security specification defined in the system. In addition, the password storage process is irreversible so that no one can decipher the encrypted password.

  Multi-Layer Filtering Technology
 

  Denial-of-service (DoS) attacks are the major threat to the security of network devices. Attackers initiate these attacks by sending a large number of invalid packets to occupy CPU resources. When a device is undergoing a DoS attack, it cannot process services for authorized users. Port scanning is another commonly occurring type of attack. Attackers scan to detect open ports on network devices and then use the open ports to establish many connections with the devices, exhausting their system resources.

  Huawei VRP V8 uses unique multi-layer filtering technology to defend against DoS and port scanning attacks.

  •  Layer 1: The forwarding plane identifies and drops attack packets so that these attack packets do not reach the CPU.

  •  Layer 2: The forwarding plane restricts the rate of packets sent to the CPU. Even when a high-traffic attack occurs, the CPU is not too busy because traffic has been filtered before being sent to the CPU.

  •  Layer 3: The system maintains a session table, which records all 5-tuple information required for establishing sessions. The system checks packets against the session table before sending them to the CPU and drops packets that do not match the session table.

  •  Layer 4: All protocol ports are disabled on a device by default. Therefore, the system rejects all illegal connection requests.

  This multi-layer filtering technology guarantees device security.
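
The four layers above, modeled in the order listed, as an added Python illustration that is not Huawei code. The class and field names, the token-bucket rate limiter, and the rule that configured peers populate the session table are assumptions; the traffic is constructed.

```python
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    t: float                  # arrival time in seconds (constructed)
    src: str
    sport: int
    dst: str
    dport: int
    proto: str
    attack_sig: bool = False  # stand-in for whatever layer 1 recognises

class CpuGuard:
    """Hypothetical model of the filtering in front of the control-plane CPU."""
    def __init__(self, rate_pps, burst):
        self.rate, self.burst = rate_pps, burst
        self.tokens, self.last = float(burst), 0.0
        self.sessions = set()  # layer 3: permitted 5-tuples
        self.enabled = set()   # layer 4: (proto, port); empty by default

    def add_peer(self, src, sport, dst, dport, proto):
        self.sessions.add((src, sport, dst, dport, proto))

    def verdict(self, p):
        if p.attack_sig:                       # layer 1: known attack traffic
            return "drop-L1"
        self.tokens = min(self.burst, self.tokens + (p.t - self.last) * self.rate)
        self.last = p.t
        if self.tokens < 1:                    # layer 2: rate limit towards the CPU
            return "drop-L2"
        self.tokens -= 1
        if (p.src, p.sport, p.dst, p.dport, p.proto) not in self.sessions:
            return "drop-L3"                   # layer 3: no matching session entry
        if (p.proto, p.dport) not in self.enabled:
            return "drop-L4"                   # layer 4: port still disabled
        return "to-cpu"

def demo():
    g = CpuGuard(rate_pps=1, burst=3)
    g.enabled.add(("tcp", 179))                # operator enables one service
    g.add_peer("192.0.2.1", 40000, "192.0.2.254", 179, "tcp")
    g.add_peer("192.0.2.1", 40001, "192.0.2.254", 23, "tcp")  # port never enabled
    traffic = [Packet(0.0, "203.0.113.9", 1, "192.0.2.254", 0, "udp", attack_sig=True)]
    traffic += [Packet(0.0, "203.0.113.9", 50000 + i, "192.0.2.254", 22, "tcp")
                for i in range(10)]            # burst of unsolicited connection attempts
    traffic += [Packet(5.0, "192.0.2.1", 40000, "192.0.2.254", 179, "tcp"),
                Packet(5.0, "192.0.2.1", 40001, "192.0.2.254", 23, "tcp")]
    return Counter(g.verdict(p) for p in traffic)
```

In this model only the configured peer's packet reaches the CPU: the burst is absorbed by the rate limiter and the session check, and the last packet is rejected because its port was never enabled.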

  Security Logs
 
  VRP V8 maintains security logs to record information about blacklists/whitelists, user logins, and other operations performed in the system. System administrators can use the security logs to obtain the IP addresses that attackers use to log in to the system, all the content that attackers input when they attempted to log in, and all the operations that attackers performed after login. System administrators can then easily identify attackers. Only system administrators with the highest level can view and delete security logs.

  2.6  Simple and Efficient O&M
 

  VRP V8 provides the following functions to facilitate network O&M.

  1)   Alarm correlation function to identify root causes of network faults

  Alarms can help users discover and solve network problems in a timely manner. However, helpful alarm messages usually hide in thousands of useless alarm messages generated every day. It takes a great deal of time and effort for network administrators to filter these alarm messages. VRP V8 provides the alarm correlation function to free administrators from this trouble. The alarm correlation function filters, combines, and converts alarm messages to integrate multiple alarm messages into one message with more detailed information. Administrators can easily find root causes of network faults based on the integrated alarm messages.

  2)   Configuration rollback function to correct configuration errors quickly

  VRP V8 provides the configuration rollback mechanism to minimize impact of incorrect configuration and improve system security and maintainability. An operator can set time labels before performing operations that may affect system operating. Each label records a time and the system status at that time. When incorrect configuration causes a system failure, the operator can select any labeled time to restore the system to the status at that time. This makes it easy to correct the configuration.

  3)   Excellent trial run technology

  Trial run technology reduces the risk of configuration errors. Before applying any configuration that has great impact on system operation or may put the system at risk, an operator can submit the configuration for a trial run. If the trial run verifies that the configuration is valid and has no negative effect on network services, the operator can confirm the configuration and make it effective. Otherwise, the operator can cancel the trial run. The configuration under trial is then deleted, and the system rolls back to the previous configuration. The trial run technology helps verify service provisioning capabilities without affecting current network services, and minimizes the impact of service provisioning failures.

  3  Summary
 

  Huawei next-generation network OS VRP V8 improves system performance, scalability, reliability, virtualization capability, and maintainability. It is a good choice for cloud networks because it significantly improves network performance and capacity, enhances flexibility and scalability of network architecture, guarantees stable network operating, and simplifies network O&M. The innovations in VRP V8 can help customers reduce investment in network construction and network maintenance costs, maximizing return on investment.
