In 2003 Martín Casado found himself with no small challenge on his
hands: he needed to reinvent the technology that underpins the
Internet. It had been developed decades earlier and was proving
unsuited to an era of cyberwarfare.
Casado, then a
researcher at Lawrence Livermore National Laboratory, had been
approached by a U.S. intelligence agency with a thorny problem.
Computer networking technology allowed intelligence agents and other
government workers worldwide to stay connected to one another at all
times. Field agents could instantly share data seized in a raid with
experts anywhere in the world. But the fact that so many computer
networks were enmeshed also aided enemy hackers.
Once they gained entry
to one system, they could hop across networks to search for other
treasures. The agency (Casado won't say which one) told him it wanted
to keep its large network but reserve the ability to temporarily close
off parts of it for crucial transmissions, creating a data equivalent
of the dedicated telephone hotline that used to link the White House
and the Kremlin.
Casado ultimately realized that he couldn't
help. Partly because the Internet was built from unreliable
equipment, its creators wanted to make sure that it would work even
if some parts malfunctioned. Thus, the networking hardware all operated
independently and without central control. That's good if you want
information to keep flowing in dire circumstances, but it's not so good
if you want the option of isolating a specific communication channel
within that network so as to keep secrets secret. For Casado to do what
the intelligence agency wanted, each piece of hardware in a network
would have to be reconfigured in a slow and manual process. "We hacked
something together which in the end didn't give us the properties they
wanted," he says.
That humbling experience has shaped his
life since. Haunted by the problem, he soon left Livermore and entered
grad school at Stanford University to search for an answer. He
presented one in his 2007 PhD thesis, which proposed a radical new way
for computer networks to operate. Now he's cofounded a company called
Nicira, which is poised to use that idea to make the Internet more
powerful than ever before. Nicira's technology won't just help
intelligence agencies keep secrets. It should also improve the
security, lower the price, and increase the power of any technology
that uses the Internet, unlocking innovation that is too expensive or
technically impossible to achieve today. Along the way, Nicira (the
name is pronounced "Nis-ee-ra" and means "vigilant" in Sanskrit) could
very well upend some of the world's largest technology companies.
OVERDUE INNOVATION
Casado
is 35 and has near-black hair with the faintest flecks of gray. He can
appear intense, even nervous, but he is eloquent, with a friendly,
didactic manner that shows evidence of five years teaching Stanford
undergrads. He also has the steely determination required to run 100
miles in less than two days, something he has done more than four times
as a devotee of the grueling sport known as ultrarunning.
His
determination has surely helped during years spent arguing that one of
the most successful and ubiquitous technologies of all time needs to be
rethought. Stanford researchers have reshaped computing before—both
Google and early work on the Internet itself came out of their labs—but
Casado and his PhD supervisor, Nick McKeown (also a close friend),
found their ideas initially unappreciated and even derided by other
computer scientists. "When we first published, they thought we were
nutty," Casado recalls. "We submitted a paper and were literally made
fun of in the reviewers' comments. They said, 'This will never work.'"
The
crux of that supposedly unworkable idea was to take away the stubborn
independence of the network hardware. All those routers and switches
would take orders from one central piece of software; a single command
could then reconfigure every piece of a network.
Casado's
PhD thesis showed that it was possible. By writing software that could
reprogram routers and switches, he was able to turn computer networks
into the secure channels that he had been asked for back in 2003. A
different intelligence agency put up the money for further trials of
the technology, and in 2007 Casado, McKeown, and Berkeley professor
Scott Shenker founded Nicira. Rich entrepreneurs and three of Silicon
Valley's most prestigious venture capital funds soon put in money of
their own.
That enabled Casado and his engineers to push
the technology a crucial step further. To avoid having to install their
special software on network hardware, they used a trick known in
computer science as virtualization, which creates a software replica of
a piece of hardware—but the software does the job more intelligently.
In Nicira's case, software running on server computers could simulate
programmable routers and switches. The physical devices themselves
could fade in importance entirely. After four years of quiet hard work,
Nicira has just launched that software as its first product. It should
trigger a new wave of Internet innovation in everything from mobile
apps to online banking security.
That potential is not
obvious to a casual observer. The product is clunkily named Network
Virtualization Platform. It's aimed at the operators of data centers,
the computer-stuffed warehouses that run Internet services and
websites. Casado freely admits that it is hard to impress a layperson
with his technology: "People do struggle to understand it," he says.
But
Nicira, which has received $50 million in funding and filed nearly 50
patents, is taking on a problem that limits what the Internet can offer
all of us.
The problem is this: cloud computing, even though
it now might be a household term, hasn't lived up to its hype—and as
things now stand, it can't. It was supposed to turn computing power
into a cheap utility, like electricity after the advent of power
stations and a national grid. A relatively small number of companies
would offer computing resources by running software in vast, efficient
data centers and piping the results over the Internet to anyone,
anywhere. That would push down the price of services that rely on
computing and allow them to become more sophisticated.
Yet today, even with seemingly cost-effective cloud services
available from the likes of Amazon, most companies still choose to
operate their own computing resources—whether for corporate e-mail or
financial trading—as if they were homeowners relying on generators for
electricity. One reason they resist cloud computing, Casado says, is
that network architecture is too decentralized to reconfigure easily,
which leaves the cloud insecure and unreliable. Cloud computing
providers tend to run entire data centers on one shared network. If,
for example, Coke and Pepsi both entrusted their computer systems to
one of today's public cloud services, they might share a network
connection, even though their data stores would be carefully kept
separate. That could pose a security risk: a hacker who accessed one
company's data could see the other's. It would also mean that a busy
day for Coke would cause Pepsi's data transfers to slow down.
All
of that changes when Nicira's software is installed on the servers in a
data center. The software blocks the applications or programs running
on the servers from interacting with the surrounding network hardware.
A virtual network then takes over to do what a computer network needs
to do: it provides a set of connections for the applications to route
data through. Nicira's virtual network doesn't really exist, but it's
indistinguishable from one made up of physical routers and switches.
To
describe the power this gives to cloud administrators, Casado uses a
Hollywood reference. "We actually give them the Matrix," he says. The
movie's Matrix manipulated the brains of humans floating in tanks to
provide the sensation that they were walking, talking, and living in a
world that didn't exist. Nicira's version pulls a similar trick on the
programs that reside on a server inside a data center, whether they are
running a website or a phone app. In practice, this means that
administrators can swiftly reprogram the virtual network to offer each
application a private connection to the rest of the Internet. That
keeps data more secure, and Coke's data crunch would affect Coke alone.
It also lets the cloud provider set up automatic controls that
compensate for events like sudden spikes in demand.
Ben
Horowitz, a partner in the investment firm Andreessen-Horowitz, says he
and his partner Marc Andreessen, a cofounder of Netscape, quickly
realized that Nicira was delivering something long overdue in
computing. "The total lack of innovation in networking compared to
operating systems or storage had been bothering us for a while," he
says. "It was holding back the industry." After meeting Casado,
Horowitz invested in Nicira and joined its board. He saw in Nicira
echoes of VMware, a company that helped set off the cloud computing
boom and has a market capitalization of $40 billion. VMware's software
creates virtual computers inside a server, boosting the efficiency of
data centers and driving down the cost of servers. Nicira's software
promises a similar instant upgrade to what a data center can do, by
removing the efficiency bottleneck imposed by networks.
FREEDOM OF MOVEMENT
Nicira
already has roughly a dozen customers, all of them large companies that
offer services over the Internet. Several, such as Rackspace and
Japan's NTT, the world's second-largest telecommunications provider,
rent out clouds to other companies, a model known as the "public
cloud." Nicira's biggest opportunity lies in helping such landlords fix
the security and reliability problems that discourage large companies
from using the public cloud, says Steve Mullaney, a veteran executive
in the networking business who joined Nicira as chief executive in
2009, freeing Casado to be CTO. Mullaney left a VP position at Palo
Alto Networks, a network security startup on track for a large IPO,
because he saw in Nicira "the chance to do something really big." The
public cloud is now used by small and medium-sized businesses and new
ones like the social-gaming company Zynga, says Mullaney, but getting
very large enterprises to follow suit promises "the big money." An
estimated $26 billion a year is spent on the public cloud today,
according to Forrester Research. Mullaney thinks the market would
expand significantly if businesses, which spend $2 trillion a year
worldwide on IT infrastructure, were more inclined to trust this
technology.
The Matrix-like control that Nicira offers
should also make the Internet more reliable. After the Fukushima Daiichi
nuclear disaster in Japan last March, electricity rationing and scarce
supplies of diesel for generators trapped some Web services offline in
powerless data centers. Last August NTT showed that Nicira's technology
could have kept those systems active by moving them rapidly elsewhere.
In tests, software was smoothly transferred between data centers 30
miles apart without even having to stop the programs from running. Even
as NTT's software moved to new physical hardware, Nicira's technology
maintained the illusion that nothing had changed. "We can move like
liquid between data centers ahead of brownouts," says Casado. Making
such transfers without Nicira's technology would mean laboriously
reprogramming network hardware and turning off the system being
protected from the brownout.
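A toy model of the two ideas the article describes, the shared-switch tenant isolation (Coke and Pepsi) and the NTT-style migration, written as an added example for this page and not Nicira's code: one central Controller computes every Switch's flow table, so hosts of different tenants on the same physical switch get no forwarding entry and are dropped, and a single move() call reprograms all switches when a workload changes location. The class names, the "trunk:<switch>" port naming and the full-mesh fabric are assumptions; real overlays identify the tenant at ingress (port or tunnel), not by a source name a host could forge.

```python
from typing import Dict, Optional, Tuple

DROP = None  # no matching flow entry: the switch silently drops the packet

class Switch:
    """Forwarding hardware with no policy of its own: it only applies the
    flow table the controller installed."""
    def __init__(self, name: str) -> None:
        self.name = name
        self.flows: Dict[Tuple[str, str], str] = {}  # (src, dst) -> out port
    def forward(self, src: str, dst: str) -> Optional[str]:
        return self.flows.get((src, dst), DROP)

class Controller:
    """Single central program holding tenants, host locations and the fabric
    (toy fabric: every switch trunked to every other; keys on src name)."""
    def __init__(self) -> None:
        self.switches: Dict[str, Switch] = {}
        self.tenant: Dict[str, str] = {}                # host -> tenant
        self.location: Dict[str, Tuple[str, str]] = {}  # host -> (switch, port)
    def attach(self, host: str, tenant: str, switch: str, port: str) -> None:
        self.switches.setdefault(switch, Switch(switch))
        self.tenant[host] = tenant
        self.location[host] = (switch, port)
        self.push()
    def move(self, host: str, switch: str, port: str) -> None:
        """One command relocates a workload and reprograms every switch so
        its virtual network looks unchanged (the NTT migration scenario)."""
        self.attach(host, self.tenant[host], switch, port)
    def push(self) -> None:
        """Recompute all flow tables. Only same-tenant pairs get entries, so
        Coke-to-Pepsi traffic hits the default drop even on a shared switch."""
        for sw in self.switches.values():
            sw.flows.clear()
        for src in self.location:
            for dst, (d_sw, d_port) in self.location.items():
                if src == dst or self.tenant[src] != self.tenant[dst]:
                    continue
                for sw in self.switches.values():  # trunks assumed: full mesh
                    sw.flows[(src, dst)] = d_port if sw.name == d_sw else "trunk:" + d_sw
    def deliver(self, src: str, dst: str) -> Optional[str]:
        """Simulate one packet through the fabric; return the exit port or DROP."""
        sw_name = self.location[src][0]
        for _ in range(len(self.switches)):  # bounded walk across trunks
            port = self.switches[sw_name].forward(src, dst)
            if port is DROP or not port.startswith("trunk:"):
                return port
            sw_name = port[len("trunk:"):]
        return DROP
```

With constructed hosts coke-web (dc1), coke-db (dc2) and pepsi-web (dc1), coke-web reaches coke-db across the trunk, neither Coke host can reach pepsi-web, and after move("coke-db", "dc1", "p9") the same coke-web packet still arrives without any per-switch reconfiguration by hand.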
Such flexibility could also
make it cost-effective for companies to call on the cloud only in the
circumstances when they need it most. Many online retailers today,
Mullaney says, use roughly 40 percent of their computing infrastructure
just to handle seasonal rushes, leaving it idle for most of the year.
Nicira speeds the process of moving into the rented cloud to such an
extent that a company could scrap that idle hardware and turn to the
cloud temporarily when traffic surges. That would keep it from having
to buy equipment that draws electricity even when idle. In a more
futuristic energy-saving scenario, customers' virtual networks could
migrate from one data center to another around the world, temporarily
settling wherever power and cooling cost least.
And just as Keanu Reeves's character in The Matrix
tweaks the virtual world to halt enemy bullets, Nicira's virtual
networks could "change the laws of physics" for an attacker who gained
access to a computer connected to one of them, Casado says. Computers'
apparent location, their apparent activities, and the type of traffic
they appear to be handling could all be altered to confuse a hacker.
"You have this full God-like control," he says.
Any big
change to the status quo produces losers as well as winners. But when
asked who might be a victim of Nicira's success, Casado and Mullaney,
sitting in Nicira's boardroom, exchange quick glances and are careful
not to name any companies—even Cisco Systems, the world's leading maker
of routers and switches. They're being diplomatic; Nicira has already
recruited engineering and executive talent from Cisco, and Nicira's
technology poses an even bigger threat. Cisco and other big networking
companies, such as Juniper, market their routers and switches on the
strength of the intelligence built into the chips inside, which is
difficult to modify. In Nicira's world, however, a network's
intelligence resides in its control software, and any network hardware
will do—the cheaper the better. "A few years out, if I'm buying network
infrastructure I just want the price to be right," says Casado. Recall
what happened to the price of computer hardware in the
personal-computing boom of the early 1980s.
IBM's PC standard separated
hardware and software, making operating systems like Microsoft Windows
the focus of innovation while hardware became a race-to-the-bottom
commodity. Cisco and other vendors of traditional networking equipment
will need to adapt, fast.
For its part, Cisco has
introduced virtual versions of some data-center hardware, which offer
greater flexibility than its traditional products. Yet it disputes the
idea that this approach means hardware will be devalued. Guru Chahal, a
director of product management in the Cisco group that works on
virtualization, agrees that networks need to become more configurable.
But he says that the solution will be to design hardware and software
together. "At the end of the day, packets—data—are being forwarded by
hardware," Chahal says.
Nicira's team is far from alone
in seeking to overhaul the way we shuttle data around. Casado's
academic collaborators at Stanford, Berkeley, and elsewhere are rapidly
ramping up new projects in a field that has become known as
software-defined networking, or SDN. (The term was coined by Technology Review when Casado and McKeown's work at Stanford was featured in the TR10
in March/April 2009.) A handful of other startups are getting funded to
commercialize their own ideas, while large companies like
Hewlett-Packard and IBM are creating network hardware that's designed
to be more programmable.
But Nicira is establishing itself
more quickly than other startups. In addition to NTT and Rackspace, its
customers include AT&T, Deutsche Telekom, Fidelity Investments, and
eBay. And in Casado, Nicira has a figure widely recognized by
competitors and colleagues alike as a fierce talent who has generated
and proved many of the very ideas now gaining traction.
Internet
technology has brought us a long way in 25 years, but the time has come
for it to grow up, he says. "Today it needs all this midwifing and
manual care and feeding. That has to change."