By Tom Welsh, 3rd December 2005 07:25

Cisco’s AON: Jeeves in a router or a box of evils?

Cisco's latest contribution to the networked world

At first glance, Cisco’s AON (Application Oriented Networking) looks like a brilliant idea. Essentially, it proposes to suck all manner of security, administrative, and even business policy functions into its routers and switches. That looks as if it should benefit everyone – especially existing and prospective Cisco customers – and might even grease the wheels for quicker and easier adoption of SOA.

But it’s by no means clear that the rest of us should uncritically welcome “putting intelligence into the network”. One of the main reasons for the Internet’s success has been its profound indifference to the content of the packets it transports. Compromising on the hallowed principle of “dumb pipes” could crack open Pandora’s box – indeed, several boxes.

In Cisco’s words, AON “makes it possible to embed intelligence capabilities into the network”. Obviously this is a gross exaggeration: all it really does is to teach Cisco’s network devices a bunch of new rote tricks. Any intelligence involved must come from the developers, security specialists and sysadmins who write the rules (no doubt with plenty of help from Cisco’s Advanced Services, which will go to boost AON’s gross margins).

At the marketing level, AON really is a work of genius. It presses every hot button, leaves no fashionable acronym unmentioned, and on top of all that it promises to align IT with business, and cut costs, quickly and with little effort. Specifically, it is said to support Web services, SOA, BPM, and EDA, while supercharging BI, BAM, and RFID. It also helps companies to ensure compliance with Sarbanes-Oxley, HIPAA, Gramm-Leach-Bliley, and Basel II. It’s fast, secure, selective, visible, cheap (well, relatively) – and it slices, dices and rices. What’s not to like?

Of course, the primary beneficiary of AON is meant to be Cisco itself. Despite its boast that “The Cisco name has become synonymous with the Internet”, the San Jose giant’s 85 per cent share of the router market in the late 1990s has dropped to somewhere between half and two thirds, depending on which segments you look at. Rivals like Juniper and Alcatel are winning sales and slicing into Cisco’s dominant position.

So it needs to tap some new markets quickly – preferably glamorous, lucrative ones with high margins. How better to exploit its mighty internet presence than by moving up the stack into higher added-value, higher-margin sales? “You seem to be struggling with those applications and that security, Ms Customer,” it cries. “I just happen to have an army of routers and switches standing around – they will be delighted to help you out for a small consideration”.

The main functions that Cisco sees AON performing are application-specific routing, enforcing security policies, monitoring and filtering messages, and boosting performance through load balancing, caching, and compression.

Policies are defined, and custom bladelets and adapters written, using the Windows-based AON Development Studio (ADS), and everything is set up and administered from the Linux-based AON Management Console (AMC). Today there are just two AON network modules: one that slots into 2600/2800/3700/3800 Series routers, and one for Catalyst 6500 Series switches. Each has a single processor, a 40GB hard drive, and 512MB or more of RAM, so they are proper little computers in their own right.

The supervisor or route processor in a switch or router transparently redirects packets that meet certain criteria to an AON module, which applies the appropriate policies before forwarding each packet to its destination (which the AON module may change). Clearly, this process introduces extra latency, and there are limits to how many packets can be processed and how long they can be delayed without noticeably degrading QoS.

Apparently, AON modules can and should be deployed everywhere – at remote offices, B2B spokes, on the enterprise edge, and in the enterprise core. Forget “Intel Inside”; this would be “Cisco Everywhere”. The cost savings and performance improvements go almost without saying. That’s progress: today, complex expensive integration software (analogous to a lashed-up prototyping rig); tomorrow smooth, fast, efficient, cheap hardware.

Inevitably, there is a downside to the AON dream. At first glance, three serious issues raise their heads: security, unfair competition, and the potential demise of the internet as a content-neutral medium.

By an odd coincidence, the latest SANS Top 20 Vulnerabilities list warns that attackers are broadening their focus, looking for exploits against network devices as well as operating systems and applications. Cisco makes the top 20, along with Juniper, CheckPoint and Symantec. As well as six critical vulnerabilities affecting Cisco’s IOS in the last year, SANS identifies five in non-IOS-based Cisco products. (For details, see SANS and The Register, passim).

The known weaknesses of IOS do not necessarily affect AON, because AON modules themselves do not run IOS. However, the route processor or switch supervisor – which sits between the AON blade modules and the network and decides which traffic is redirected to them – is IOS-based, so an IOS compromise still puts an attacker in the path of every AON-bound message. And if source code can be stolen wholesale (as IOS source was last year), attackers can subject even brand-new software to a rigorous search for potential exploits.

More broadly, there is a risk that security could be prejudiced if a giant networking supplier like Cisco vertically integrates functions like XML security and routing. Besides, the more successful Cisco is, the more of a monoculture it will create – giving attackers a standard set of targets, more or less like Windows. Imagine a single subverted router, sending carefully modified packets to servers, PCs, other AON routers…
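To make concrete both the redirection mechanism described earlier (supervisor diverts matching traffic to a module that applies rules and may change the destination) and the subverted-router worry just raised, here is an added toy model in Python. It is not Cisco's AON code and uses no Cisco API; the supervisor, policy module, rule sets, host names, sample messages and the endpoint-shared HMAC key are all assumptions made for illustration. It shows the check a practitioner would want, application-layer end-to-end integrity, and its limit: a subverted module that rewrites message content is caught at the receiver, but one that merely re-routes the message is not, because legitimate content-based routing requires the destination to be rewritable in flight.

```python
# Added toy model, not Cisco's AON code: a supervisor that diverts matching
# messages to an in-path policy module, the module's ordered rules, and an
# end-to-end HMAC check showing what a receiver can and cannot detect when
# that module has been subverted. Hosts, rules, sample data and key are assumed.
import hashlib
import hmac
import re
from dataclasses import dataclass, replace
from typing import Callable, List, Tuple

# Assumed: a key shared only by the two endpoints; network devices never hold it.
E2E_KEY = b"shared-between-endpoints-only"


@dataclass(frozen=True)
class Message:
    src: str
    dst: str
    body: bytes       # application payload, here a small XML order document
    tag: bytes = b""  # HMAC over (src, body); dst is left out on purpose so that
                      # legitimate in-path re-routing does not invalidate the tag


def _mac(msg: Message) -> bytes:
    return hmac.new(E2E_KEY, msg.src.encode() + b"\x00" + msg.body, hashlib.sha256).digest()


def sign(msg: Message) -> Message:
    """Sender side: attach the end-to-end integrity tag."""
    return replace(msg, tag=_mac(msg))


def verify(msg: Message) -> bool:
    """Receiver side: True only if src and body are exactly what the sender signed."""
    return hmac.compare_digest(_mac(msg), msg.tag)


def xml_field(body: bytes, name: str) -> bytes:
    """Minimal element lookup; sufficient for the flat constructed documents below."""
    n = name.encode()
    m = re.search(rb"<" + n + rb">([^<]*)</" + n + rb">", body)
    return m.group(1) if m else b""


Rule = Tuple[Callable[[Message], bool], Callable[[Message], Message]]


class PolicyModule:
    """Stand-in for the AON blade: applies ordered (match, action) rules to each message handed to it."""

    def __init__(self, rules: List[Rule]) -> None:
        self.rules = rules
        self.rules_evaluated = 0  # every rule costs time; crude stand-in for added latency

    def process(self, msg: Message) -> Message:
        for match, action in self.rules:
            self.rules_evaluated += 1
            if match(msg):
                msg = action(msg)
        return msg


class Supervisor:
    """Stand-in for the route processor: matching traffic is diverted, the rest forwarded untouched."""

    def __init__(self, classifier: Callable[[Message], bool], module: PolicyModule) -> None:
        self.classifier = classifier
        self.module = module

    def forward(self, msg: Message) -> Message:
        return self.module.process(msg) if self.classifier(msg) else msg


def is_gold(m: Message) -> bool:
    return xml_field(m.body, "priority") == b"gold"


def legitimate_rules() -> List[Rule]:
    # Content-based routing: gold orders go to a faster (assumed) back end.
    return [(is_gold, lambda m: replace(m, dst="orders-fast.internal"))]


def tampering_rules() -> List[Rule]:
    # Hypothetical subverted module: same routing, but it also rewrites the amount.
    def rewrite(m: Message) -> Message:
        return replace(m, body=m.body.replace(b"<amount>100</amount>", b"<amount>1000000</amount>"))
    return legitimate_rules() + [(lambda m: True, rewrite)]


def diverting_rules() -> List[Rule]:
    # Hypothetical subverted module: body untouched, message sent to an attacker host.
    return legitimate_rules() + [(lambda m: True, lambda m: replace(m, dst="attacker.example"))]


# Constructed sample traffic (not real data).
ORDER = sign(Message("client.example", "orders.internal",
                     b"<order><priority>gold</priority><amount>100</amount></order>"))
MAIL = sign(Message("client.example", "mail.internal", b"<mail><to>ops</to></mail>"))


def deliver(rules: List[Rule], msg: Message = ORDER) -> Tuple[str, bytes, bool]:
    """Run one message through supervisor + module; return (destination, amount, tag still valid)."""
    sup = Supervisor(lambda m: m.dst == "orders.internal", PolicyModule(rules))
    out = sup.forward(msg)
    return out.dst, xml_field(out.body, "amount"), verify(out)


if __name__ == "__main__":
    print(deliver(legitimate_rules()))        # ('orders-fast.internal', b'100', True)
    print(deliver(tampering_rules()))         # ('orders-fast.internal', b'1000000', False)
    print(deliver(diverting_rules()))         # ('attacker.example', b'100', True)
    print(deliver(legitimate_rules(), MAIL))  # ('mail.internal', b'', True)
```

The third case is the one to note: the tag survives because the design has to let an in-path box rewrite the destination, so diversion to a host the attacker controls is invisible to this check. Catching that needs something the policy box cannot supply on its own, such as the receiver authenticating itself to the sender (TLS to a pinned server identity) rather than trusting the network to deliver the message to the right place.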

The second issue with AON is that it gives Cisco what some may consider an unfair advantage over its competitors. As the market leader, it is well placed to dictate de-facto standards – just as Microsoft does – which might shut out other suppliers from the new segment. Soon, customers would find they have a choice between buying “dumb routers” from any of a hundred vendors, or “smart Cisco routers” from… well, Cisco. Even if someone else made a living selling smart routers, they probably wouldn’t be AON-compatible.

So far, so bad. But things get rapidly worse. We have all benefited from the flat-rate access, content-neutral model of the Internet. We sling bits into the big dumb pipes, which magically rematerialize them somewhere – anywhere – else, without caring in the least what they represent.

Meanwhile, all sorts of smart servers at the network edge do clever stuff with those bits. They might encode email, files, Web pages, XML messages, movies, music, or whatever we like. But as David Isenberg recently pointed out in VON magazine, telcos and cablecos hate the “fat, dumb pipes” model and would love to be able to discriminate between different kinds of traffic. Just think: they could recognize every single VoIP packet and charge the conversation at standard phone service rates, instead of having to pass it on unrecognized. Before we know it, we could be back in the AOL/Compuserve universe – paying extra for every piece of information and every “special” service.

The same issue is at the heart of a Slashdot discussion about some ideas floated by BellSouth CTO William L Smith. For instance, Smith told reporters that BellSouth should be able “to charge Yahoo Inc. for the opportunity to have its search site load faster than that of Google Inc.”

Or, still more provocatively, “his company should be allowed to charge a rival voice-over-internet firm so that its services can operate with the same quality as BellSouth’s offering”. Note the careful wording, which stops just short of suggesting that if a VoIP supplier didn’t pay up, its services might suffer a regrettable quality accident. After all, there would be no need to degrade the non-payer’s QoS – all the other companies that did pay would see to that by simply crowding its traffic out.

Cisco may have rendered moot the long-running argument about whether to run Web services over HTTP, JMS, or something else. Just run ‘em over Cisco… The question everybody has to ask is whether AON is Cisco’s bid (not the first, either) to “embrace, extend, and extinguish” (or at least domesticate) the internet as we know and love it. ®
