It's Time to Call Home

Hand on a laptop with padlock beside it

NETCONF Call Home, or reverse secure socket shell (SSH), is a technique that enables network functions virtualization (NFV) and software-defined networking (SDN) devices to establish a connection to a service provider control systems and protects the virtual customer premises equipment (vCPE), usually deployed behind a cable modem or a firewall.

Call Home Image

According to the Internet Engineering Task Force (IETF) draft, Call Home enables a NETCONF server to initiate a secure connection to a NETCONF client. By using this method, the network equipment initiates a secure connection with the network controller.

Call Home Image

This technique enables secured connectivity between NFV/SDN devices and control systems when a NETCONF client is otherwise unable to initiate an SSH connection directly to the NETCONF server on the NFV/SDN device. It does this by reversing the way a TCP connection is established between a client and server. Normally, when connecting to a network, the SSH client initiates and establishes a session. However, when reversing this process with Call Home, the SSH server initiates that request, rather than the client.

There are several reasons why this method is preferable and helps to deliver a better network service to its users. It is generally useful in both the initial deployment and ongoing management of network elements. When network elements are deployed behind a firewall that doesn’t allow any management access to the internal network, the connection cannot be established for control/management need. By reversing the direction, the connection can be established without relaxing any access restriction in the firewall. Thus, NETCONF Call Home brings a new mechanism of connectivity but with security.

Call Home enables the device to proactively connect and register itself when powered on for the first time. This helps in auto-discovery and zero-touch provisioning of network elements.

It can also be difficult for the controller to identify and connect to equipment when a dynamic IP address is being used and the lease expires, making it very difficult for that connection to be re-established. This problem is overcome by reversing the way the two connect and using the equipment to connect with the controller.

When private networks are linked to a data center, operators may prefer that centralized management initiate the connection, as it is easier to secure the one open port in the data center as opposed to the several ports that will be potentially opened in many private networks and end devices.

As networks become more advanced and an ever more fundamental part of everyday life, more and more elements will be virtualized. By removing the physical equipment within a network, it makes it safer and more cost efficient for both the service provider and the customer. But, manually establishing the connectivity and managing of each of these virtualized elements would be an operational nightmare. So, alternate techniques like NETCONF Call Home are needed to securely connect and manage the virtualized elements without manual intervention.

NETCONF Call Home represents a step forward for modern networking. It offers a better deal for both the consumer and the service provider by delivering better security and support.

NETCONF Call Home function can be integrated into an OpenDaylight-based SDN controller as a karaf deployable feature without impacting the functionality of any existing OpenDaylight features. This integration with an OpenDaylight-based controller enables the Call Home to be widely used for various SDN and NFV use cases.

Related articles