Recently there has been some eloquent flaming back and forth between Cisco and HP over the VN-Tag, of course I have an opinion and figured I would vocalize it. Scott Lowe has a good piece on this as well, focused more broadly on the implications to the unified computing system.
First off, I do not think there is a lot of innovation that comes directly out of the standards bodies. However, i firmly believe that in today’s mature networking market in order for a technology to get a decent traction and following it must at least be inserted into the standards process and be on a trajectory towards being multi-vendor and open/interoperable.
Secondly, I believe that innovation should be rewarded. “To the innovator go the spoils” I say. Innovation is risky, there should be a bit of light at the end of the tunnel. I am not-so-subtly reminded of a conversation with about 20 customers I led a few months back. I was getting a lot of pressure from a university customer to stop any development on anything that was not an industry standard- the gentleman from a large manufacturing company interrupted him and said, “I don’t care what standard they support, as long as they solve business problems for me I will vote with my wallet. My CIO doesn’t care if its PAGP or LACP, he cares that the network runs.”
Lastly, and somewhat controversially, I think there are enough tagging formats out there already, and worse: most of them have no interoperability plan or architectural tie-in with each other.
VN-Tag Through Three Lenses
- VN-Tag was jointly developed by Cisco and VMWare to address a problem their customers were having: they could not bind a policy to a VM and have that policy move with the VM in a DRS or VMotion environment. They also felt that traffic could go from one VM to another, bypassing any network policy for governance or regulatory compliance and thus have a tail-end/hop-off type of attack possibility for VMs on the same physical host.
- It was submitted to the IEEE, but is not a standard yet, thus to be binary it is ‘proprietary’ although it seems the companies are not holding onto the IP specifically, they just want to execute on a time-to-market advantage. (this is no worse and the ongoing CEE vs. DCE debate (note: there both are proprietary… DCB is the IEEE standard))
- It is ‘yet another’ tagging format. If you trust that MAC addresses will not change dynamically the same problem-set could have been solved by binding network policy to the MAC address of a host.
Was VN-Tag necessary? Perhaps.
Personally, I think many of the same problems could have been solved if the MAC address was used to instantiate policy. There is a legitimate concern that the MAC address could be spoofed, but then again so could a multi-byte tag structure too unless it has signing/authentication/etc.
Is it proprietary?
Yes. Although all indications are Cisco and VMWare are working to shape an industry ‘de jure’ standard and are trying to gain a time to market advantage over merchant silicon based players. (I would argue that innovation should be rewarded so a time to market advantage in silicon is not out of the question and probably shouldn’t be demonized).
Is it well implemented?
Here is the rub of the whole thing. Implemented broadly this is a promising capability for a network to have. VM’s are, after all, the building block of many leading edge new data centers. However, VN-Tagging does not seem to be broadly embraced across the portfolio of products in the data center.
I can see no indications of shipping products or announcements of how this capability is going to be brought into the security products, application networking products, routing products, rest of the Nexus line, etc. Broadly implemented in a coordinated fashion- this would be a powerful capability. Sporadically implemented in one or two products will lead to little impact.
This will probably get flamed a bit, so am finding the nearest asbestos store