The growing emphasis on network intelligence and, in consequence, tools like DPI is due to the fact that network architecture – covering the plethora of appliances, codes, aggregation sites, edge networks, data centers and the network core – continues to evolve rapidly in response to the accelerating growth in IP traffic across companies and the internet. While traffic intelligence is traditionally deployed to feed network functions such as routing, traffic policing, NGFW, IDS/IPS and SD-WAN, the terabytes of data traversing increasingly complex networks today call for deeper intelligence – one that can help network operators and customers decide on the network architecture that best fits their current needs.
Customer Premises Equipment (CPE) is perhaps one of the best examples to illustrate how tools such as DPI are key to network architecture development. CPE, over the last decade, has undergone massive transformation following the virtualization wave, which saw generic commercial off-the-shelf servers taking the place of the proprietary ASIC-based appliances used to deliver functions such as routing, NAT, IPS and firewalls. Virtualization has seen the same functions now commissioned as Virtualized Network Functions (VNFs) on virtual machines running on the Network Functions Virtualization Infrastructure (NFVi), giving rise to the virtualized CPE (vCPE).
As with any other virtualization initiative, the move to vCPE saw network operators and customers alike viewing cost savings, flexibility and simplicity as its key benefits. They can now do away with all the proprietary hardware, avoid vendor lock-in, free up rack space and cut down on on-site maintenance, making way for reduced clutter, faster deployments and, ultimately, a more responsive and scalable CPE. With vCPE, the bulk of CPE functionality can now be moved to any point along the traffic pathway. This means that CPE VNFs such as the IP VPN, SIP, firewall, session manager, IPS and WAN optimizer can reside anywhere from the network edge to the network core and even in the customer’s own data center, hundreds of miles away from the user.
vCPE: So where exactly do we put the machines?
While CPE virtualization offers scalability in terms of traffic processing, it became apparent over time that its real benefit hinged on the distribution of the CPE functions along the traffic pathway. Different traffic types and applications required different routing and different performance and security policies. The ‘where’, ‘how’ and ‘when’ of these policies made the distribution of vCPE functions a critical part of the overall network architecture.
This is where a deep understanding of the traffic, which is the key benefit of deep packet inspection, becomes an integral part of the CPE architecture. Based on its extensive library of traffic signatures, our own DPI engine R&S®PACE 2 is able to detect, classify and even block IP packets as they cross traffic checkpoints. DPI deciphers the type of application right down to its attributes. For example, if a user on the network is using a messenger app, DPI can point to the IP packets where video content is being shared and when a voice call is being made on that app. DPI can also help identify malware, ransomware and other cyber threats moving through the network, either to or from the user end. With the ability to recognize an extensive number of protocols and extract metadata, it is possible to detect non-compliant protocols and traffic types that could indicate the presence of malicious activity.
How does DPI data help in the development of CPE architecture?
Traffic analytics provided by DPI enables network equipment and software vendors and network operators to decide, primarily, which network functions are to leave the premises, and which to remain on the CP end. Across most typical vCPE deployments, Layer 3 network functions such as VRF, NAT, NGFW and VPN are moved to the cloud while traffic forwarding by Layer 2 NID and other functions such as traffic filtering and policing, QoS mapping, VLAN and Ethernet management, and service activation, are retained on-premises.
With DPI-driven analytics, it is easy to see how low-latency applications such as cloud gaming or remote surgery suffer when traffic-processing functions are moved deeper into the network, as traffic has to travel further before it is accorded any form of prioritization or processing. Take the trombone effect, for instance, where cloud traffic makes an unnecessary detour to the enterprise data center, or double encryption, where traffic is sealed and unsealed twice for interim processing at the data center or network core. DPI identifies the impact of tromboning and double encryption on each traffic type and thus establishes the efficacy of the current vCPE architecture, allowing networking solution providers to reduce traffic delays and enhance the performance of latency-sensitive applications by moving the CPE functionalities either closer to or further away from the user. In the case of tromboning, for example, instead of routing all traffic through expensive MPLS routes, security and other stacks can be moved closer to the user at the network edge.
Centralized, localized or hybrid
The real-time insights provided by DPI enable network equipment and software vendors and network operators to deploy vCPE in models that best fit their traffic needs, balancing costs, performance and security. The centralized vCPE model requires only the Layer 2 NID at the CP-end while all other functions are delivered from the cloud. The localized vCPE model, on the other hand, has all these functions installed on-premises on the NFVi. The hybrid model separates the VNFs into different families and moves them to either on-premises or the cloud based on the traffic type and the SLA. Ironically, the analytics provided by DPI itself help to decide where DPI is deployed within the network as a key network function – either at the edge, core or on the CP.
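The placement trade-off described in this section and the tromboning and double-encryption penalties described above, as an added example that is not code from the article or from R&S®PACE 2: a small model that takes DPI-classified flows with per-class latency budgets, computes the round-trip latency each flow would see under the centralized, localized and hybrid models, and picks the cheapest model under which every class meets its SLA. The site latencies, encryption overhead, site costs and the sample flows are all constructed assumptions.

```python
from collections import namedtuple

# Assumed one-way latency (ms) from the premises to each site a VNF can run at;
# "edge" is also the cloud egress point. Constructed values, not measurements.
ONE_WAY_MS = {"premises": 0.0, "edge": 5.0, "core": 20.0}
EGRESS = "edge"
DOUBLE_ENCRYPT_MS = 2.0                             # assumed extra seal/unseal per direction
SITE_COST = {"premises": 4, "edge": 2, "core": 1}   # assumed relative cost of hosting VNFs
LATENCY_SENSITIVE = {"voice", "video", "interactive"}

# app: label as a DPI engine would report it; attribute: DPI sub-attribute such as
# "voice", "video" or "bulk"; sla_rtt_ms: round-trip budget for that traffic class
Flow = namedtuple("Flow", "app attribute sla_rtt_ms")

def placement(model, flow):
    """Site of the L3 VNFs (VRF, NAT, NGFW, VPN); the L2 NID, filtering, policing
    and QoS mapping stay on premises in every model."""
    if model != "hybrid":
        return {"centralized": "core", "localized": "premises"}[model]
    # hybrid: the DPI classification decides; sensitive classes stay near the user
    return "edge" if flow.attribute in LATENCY_SENSITIVE else "core"

def flow_rtt(site):
    """Round-trip latency to cloud egress when the L3 VNFs run at `site`."""
    # trombone effect: VNFs deeper than the egress force a detour there and back
    detour = max(0.0, ONE_WAY_MS[site] - ONE_WAY_MS[EGRESS])
    # double encryption: interim processing at the core seals/unseals traffic again
    crypto = DOUBLE_ENCRYPT_MS if site == "core" else 0.0
    return 2 * (ONE_WAY_MS[EGRESS] + detour + crypto)

def evaluate(model, flows):
    """Return ({(app, attribute): (rtt_ms, meets_sla)}, total site cost)."""
    report, sites = {}, set()
    for f in flows:
        site = placement(model, f)
        sites.add(site)
        rtt = flow_rtt(site)
        report[(f.app, f.attribute)] = (rtt, rtt <= f.sla_rtt_ms)
    return report, sum(SITE_COST[s] for s in sites)

def choose_model(flows):
    """Cheapest model under which every DPI-classified flow meets its SLA."""
    viable = [(evaluate(m, flows)[1], m) for m in ("centralized", "localized", "hybrid")
              if all(ok for _, ok in evaluate(m, flows)[0].values())]
    return min(viable)[1] if viable else None

# Constructed sample of DPI-classified traffic with per-class latency budgets.
SAMPLE_FLOWS = [Flow("cloud_gaming", "interactive", 30.0), Flow("messenger", "voice", 40.0),
                Flow("messenger", "video", 60.0), Flow("backup", "bulk", 500.0)]
```

With these numbers the centralized model breaks the gaming and voice budgets through the core detour, the localized model meets every budget at the highest cost, and the hybrid model meets them all at lower cost, so `choose_model(SAMPLE_FLOWS)` returns `"hybrid"`.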
From virtual to universal
The evolution of CPE has given rise to the Universal CPE (uCPE). The uCPE is essentially an advancement of vCPE, with the entire stack, lock, stock and barrel, now shifted back to the premises, thanks to the rise in the adoption of cloud and SaaS applications. The widespread deployment of SD-WAN requires offloading decisions at the user end, and this requires network intelligence to reside on the customer premises. With SD-WAN packaged as another VNF, bringing the VNFs back to the on-premises NFVi made more sense for enterprises with increasing workloads in the cloud.
DPI enters the uCPE scene at three points. Firstly, to decide if uCPE or a virtualized SD-WAN is at all necessary. Secondly, to power the virtualized SD-WAN, in classifying the applications and IP traffic in real time for intelligent routing decisions. Thirdly, to support other VNFs on the uCPE with real-time traffic filtering for performance and security.
In a nutshell, fast-evolving networks require deeper insight into the traffic they transport so that technologies such as virtualization and the cloud can be deployed in models that are aligned to the traffic and business outcomes. In the case of vCPE/uCPE, the real-time, granular reporting provided by deep packet inspection enables enhanced visibility and an accurate understanding of the traffic patterns and security vulnerabilities from the customer’s doorstep all the way to the depths of the cloud, for network architectures that are highly optimized and always high-performing.