BR102014009429A2 - NETWORK DATA VIRTUALIZATION SYSTEM AND FUNCTIONALITIES - Google Patents

Abstract

Abstract System and Process Data Virtualization and Network Features The present invention pertains to the technology sector of computer networking systems and relates more specifically to the context of virtualization enabled to share a cloud computing infrastructure. The invention proposes a system that ensures confidentiality and integrity in order to enable virtualization of network functions such as routing, packet filtering, address translation, establishment of secure virtual tunnels, intrusion detection and prevention, analysis. data streams, among other features currently available on separate physical equipment. In addition to information security issues, the invention uses techniques to optimize communication channels, distributing functionality so that only the necessary traffic is transmitted, ensuring maximum efficiency of network resources. In order to implement the system standard encryption algorithms and packet manipulation techniques are used at the link (l2) and network (l3) levels of the computer network interconnection reference osi standard. 1/1

Description

DATA VIRTUALIZATION SYSTEM AND DATA FUNCTIONALITIES

NETWORK

[01] The present invention belongs generally to the field of computer network systems using Ethernet, Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) protocols, and is inserted, more specifically, in the context of virtualization of network functions, enabling information transfer with security, efficiency and high manageability.

State of the art [02] In general, equipment used in computer networks is currently deployed on proprietary hardware and software platforms, also called Appliances. Although such platforms are highly optimized for expected functionality, the innovation cycle for adding new features as well as the rapid expansion of capacity requires lengthy cycles of purchase and approval of new devices.

[03] The typical scenario for installing corporate Internet access involves routing, packet filtering, address translation, and the establishment of secure virtual tunnels. More complex installations can add network functions such as intrusion detection and prevention, corporate antivirus for e-mail (e-mail) and access to websites and archives, data flow analysis, traffic balancers, and more. In this context a range of physical equipment is required, most often in a one to one relationship. That is, in a simple installation it is common to find a device for each function: a router, a packet filter and address converter (firewall) and a secure tunnel concentrator (VPN Gateway). There are three different physical equipment, with scalability, lifetime and probably different manufacturers. This architecture makes it difficult to deliver on-demand services, where at any time users may require higher bandwidths, or new services, attributes that modern computing infrastructure as services (laaS) clouds provide.

[04] In order to offer the benefits of new cloud computing technologies, virtualization solutions of previously dispersed functionality on proprietary platforms have been proposed. Virtualization means the use of large commercial platforms, such as servers and storage (Storages) found in information technology applications, to run multiple virtual machines capable of processing packets and performing the required network functions. Because such cloud computing architectures have high processing and storage capacity, in a scalable structure as a design premise, it is expected to meet bandwidth requirements and new on-demand services with agility and increased capacity compared to the data-based model. Appliances Such proposals effectively remove a number of complex equipment from customers' physical structures, placing them in service provider cloud computing centers (Data Centers).

[05] However, a number of precautions must be taken, as traffic that was previously confined to the customer's Local Area Network (LAN) structure is now also shared with the operators' access network and network structure. of data center. Packages that did not need encryption because they were physically bounded to the customers' inner perimeter now travel over a public service provider structure, including sharing access rings with other customers. Therefore, encryption techniques must be adopted to ensure the confidentiality and integrity of packets. In addition, another relevant point is to ensure the efficiency of packet forwarding, so as to minimize sending only to really needed packets. In addition to the security aspects - confidentiality and integrity - and efficiency, the same manageability of the solution must be ensured, even in times of failure or disaster. Keep in mind that your corporate network administrator can no longer go to the data center (CPD) and check if the router's communication channel status LED is actively flashing, if there is power in the firewall, or if the storage disks are error free. Also, the service provider is probably miles and several minutes away from the customer's premises. That is, it is necessary to implement a series of tools that guarantee the operation, administration and maintenance of the system, in face of this modified virtualization scenario, in order to preserve and if possible improve the amount of information available to the system operators.

[06] In summary, in the vast majority of current network systems, it is customers who have equipment, such as firewall and router, within their physical structure. These devices limit network changes on demand. However, the virtualization alternatives presented to date do not offer security, optimization and high manageability.

Novelties and objectives of the invention [07] The present invention aims to provide a data virtualization system and network functionality from a series of packet manipulation techniques according to standards defined by the entities responsible for the standardization of the desktop environment. computer network. The proposal offers security through encryption, efficiency through optimization of packet flows, and special concern in the administration, operation and maintenance aspects of the solution, ie management.

[08] In order for a system to be implemented securely, it is proposed by the invention that data be encrypted. From this implementation it will not be possible to access the contents of the company's internal information, nor can packages be inserted and removed from internal networks, in order to affect internal communications.

[09] Predicting an efficient solution is directly linked to data packet forwarding. For example, before Internet-directed communication succeeds, a series of internal transactions may be required. Ideally, only packets destined for the Internet, which would travel on the telecommunication service provider's access networks, should be transmitted while internal transactions remain within a restricted scope. This preserves the good features of the customer-centric appliance landscape by adding the scale gains of a cloud structure for on-demand services and reducing investment and maintenance values.

[10] In addition, with the proposed system, today's appliances, such as the router and firewall, would be dispensed with, as network services would be provided by the service provider itself through virtual machines on servers. Thus, the evolution of the current system is evident, dispensing equipment that limits the services provided by the providers. The connection, even if virtualized, with the provider will be made through the WAN or MAN network. To meet this demand, a switch called Ethernet Demarcation Device (EDD) is used, capable of managing what should or should not circulate through the external network, in order to optimize the efficiency of network virtualization. That is, he knows what will circulate only within the company's physical facilities and what is destined for the Internet.

[11] The EDD switch is also responsible for encrypting data that will go to the virtualized provider. To prevent data from being decrypted and encrypted at each point it passes, the switch creates a virtual tunnel with the provider that enables direct communication between it and the servers or aggregators, ensuring end-to-end confidentiality and integrity.

Description of the accompanying drawings [12] In order for the present invention to be fully understood and practiced by any person skilled in the art, it will be clearly, concisely and sufficiently described on the basis of the accompanying drawings which illustrate it. and subsidy listed below: [13] Figure 1 depicts typical scenarios for provision of Ethernet Access channels by known telecommunication service providers.

[14] Figure 2 represents the communication system with virtualization of network functions by known telecommunication service providers.

[15] Figure 3 represents the communication system with the implementation of radial network configuration.

[16] Figure 4 represents the communication system with the implementation of tree network configuration.

[17] Figure 5 represents selective application of MACsec, choosing which streams will be applied for encryption and packet integrity checking.

[18] Figure 6 represents the formation of Ethernet packet fields in unencrypted streams for Q-in-Q Ethernet networks.

[19] Figure 7 represents the formation of Ethernet packet fields in encrypted streams for Q-in-Q Ethernet networks.

[20] Figure 8 represents the formation of Ethernet packet fields in encrypted streams for networks implementing L2 VPN over MPLS tunnels.

[21] Figure 9 represents the symmetric key distribution that will be used in centrally managed MACsec from a management server.

[22] Figure 10 represents the symmetric key distribution that will be used in MACsec with the KeySec protocol.

[23] Figure 11 represents the mainly bandwidth differences of a LAN environment with respect to MAN and WAN architectures.

[24] Figure 12 represents packet streams in LAN and MAN / WAN environments in non-virtualized mode, without virtualizing network functions, primarily. Firewall and / or Router.

[25] Figure 13 depicts packet flows in LAN and MAN / WAN environments in virtualized mode with an L2 switch in LAN / MAN / WAN mediation.

DETAILED DESCRIPTION OF THE INVENTION [26] The present invention proposes a system for providing computer network services in the Telecommunications and Internet environment, in which there is a switch with specific Ethernet access termination features, and network functions such as router and firewall, offered as virtual machines on servers with high commercial scale. The technologies employed ensure encryption, optimization and high level of solution management.

[27] Figures 1, 2, 3 and 4 illustrate the typical scenarios of an access network for telecommunication service offerings, especially corporate Internet, showing the traditional architecture, where router and firewall are physical equipment installed in the network infrastructure. as well as the new design, in which there is an Ethernet switch with specific Ethernet access termination features, and router and firewall functions are offered as virtual machines on high-end commercial servers. Ring, radial, and tree-like architectures are presented where derivations from an access link allow the aggregation of multiple clients over a communication channel. Such architectures are shown by way of illustration in order to explain and detail the invention, but in no way should they be construed as restricting the methodology to other access network architectures, as a number of options can be implemented by providers without invalidate the central idea of the proposed invention. Also, Figures 1, 2, 3, and 4 greatly simplify service provider internal networks, from aggregation points to servers positioned in the service cloud, so as not to complicate with details that do not change the core proposition of the service provider. invention.

[28] In the traditional scenario, traffic between the internal network and corporate firewall (T100) does not use L2 and L3 level encryption, as the company's physical perimeter is considered to provide security against intruders from outside the structure. In this scenario only sensitive traffic such as user and password credentials, or data considered confidential use encryption at higher levels of the OSI model. After the firewall, the environment is considered inhospitable, since it can already be considered a public network, and the most widespread use of encryption and secure virtual tunnels is implemented in Internet communications (T110). Note that in Figure 1 no distinction is made between active (T120) or protective (T130) paths, but only packet end-to-end traffic (T110) is shown. Even in case of interception of Clientel data by Company A (T140), it is considered that the important data is already being protected as this is already a public network, insecure and prone to any kind of attack.

[29] In the virtualized scenario, represented in Figure 2, the firewall and router function is performed in the service provider cloud (T150) on virtual machines (T155) that process internal network (T160) packets before applying the firewall techniques to protect against the insecure network that is the Internet. However, in terms of end-to-end traffic, the same packets (T100) that were previously confined to the Clientel physical perimeter now need to travel through the carrier access network (T160) until they reach virtual machines, and it is not possible to require that the entire LAN architecture be modified to implement L2 and L3 encryption.

[30] On the other hand, when deploying Ethernet accesses, L2 switches with special features such as Ethernet First Mile (EFM) and Connectivity Fault Management (CFM) protocols are increasingly used. Such devices are commonly called Ethernet Demarcation Device (EDD) (T165). The first proposal of the invention is to use symmetric encryption based on the IEEE 802.1 AE MACsec standard to implement encryption directly over Ethernet packets, ensuring confidentiality and integrity of communications (T160) between the internal network and cloud-hosted virtual machines. provider services. It is possible to encrypt all communication over an Ethernet link (T170), in which case all devices along the way need to implement the functionality, and on each internal equipment the packets are handled in clear text, enabling traffic mirroring techniques on road equipment (T175), for example located in Point of Presence (POPs) without proper physical security or even in other companies, allow unwanted packet capture;

[31] A second possibility is to implement encryption selectively using the Ethertype field of the Ethernet protocol, choosing certain VLANs according to IEEE 802.1q, or over packets with type defined as MPLS as defined in RFC 3031 and RFC 3032. This way you can encrypt end-to-end traffic from the EDD appliance to the first aggregation point (T180) securely installed at the service provider's premises, or from the EDD to the server responsible for the virtualized network function. (T185) in charge of firewall and edge router functionality. Thus, from the possibility of selectively using MACsec, and using Ethernet addresses and packet types (Ethertype field) according to known computer network standards, such as IEEE 802.3 and IEEE 802.1, it is possible to traffic multiple streams. packets, some encrypted and some not.

[32] Figure 5 shows an example of an access network in a virtualized scenario, where we have link-scoped flow 1 (T200), typically slow control protocols, bridge protocol data units (BPDUs) for loop control. ), for management (Operation, Administration, and Maintenance Protocol Data Units (OAMPDU)), or Link Layer Discovery Protocol (LLDP) topology discovery packages. Stream 2 (T210) packets destined between non-adjacent T210 devices can use VLAN identifiers or encapsulate non-encrypted IP or MPLS protocols. From selectivity, MACsec can be used to encrypt only stream 3 (T220), which is terminated end-to-end from client 1 to the provider, so that only the start and end devices need to support this functionality. The rest of the network with its control protocols and other types of traffic, for example, streams 1 and 2, continue normal operation without encryption and no additional change requirements in either equipment or network design.

[33] Figures 6 and 7 show examples of Ethernet packets, clarifying the differences between the unencrypted packets and the encrypted streams explained earlier. Figure 6 shows an unencrypted stream on a Q-in-Q Ethernet network defined in the IEEE 802.1 ad Provider Bridging standard. The original customer packet (T300) already has a Customer Virtual LAN identifier, called Customer-VLAN (CVLAN), and when it is routed to the network, it gains an additional provider VLAN identifier (T310), called Service-VLAN. (SVLAN). In Figure 7, an original client packet (T320) is shown before entering the Q-in-Q network, now with the encryption requirement. The packet within the provider's network is shown, with the addition of the SVLAN identifier (T330) to allow correct forwarding, but also using MACsec. The SecTAG identifier (T340) is inserted after SVLAN to allow encryption and integrity checking of the client's original CVLAN, Etype / Len and Payload fields. Finally the ICV field (T350) for verification is added and the FCS field (T360) for error detection is recalculated.

[34] Figure 8 represents packet manipulation for an access network that uses MPLS instead of Q-in-Q. In this case the original client packet (T400) receives the normal Ethernet over MPLS encapsulation identifiers (T410), as per L2 VPN over MPLS technique known as Virtual Private Wire Service (VPWS), defined primarily by RFC 4906. Following the methodology, after the VPWS identifiers, the clients' destination address (DMAC) and source address (SMAC) are preserved (T420), and the SecTAG identifier (T430) is inserted to allow encryption and integrity checking of the fields. Original customer CVLAN, Etype / Len and Payload. Finally the ICV field (T440) for verification is added and the FCS field (T450) for error detection is updated.

[35] Q-in-Q and MPLS encapsulations are shown to exemplify possible use cases of cryptography in the context of the invention, but should not be considered as limiting the use of the technique described as the concept of the invention. In addition, it is important to note that other network architectures can seamlessly use MACsec to ensure the security of virtualized network functionality as well as multi-participant tunneling, not limited to only 2 endpoints. Another relevant aspect is that in defining MACsec encryption is optional, while packet integrity checking is mandatory. In the context of the present invention encryption is mandatory and is a requirement for architecture.

[36] All of the described packet manipulation with field insertion, new error detection code calculations and especially applying inline encryption with packet transmission requires great processing power. In order to work at rates of 1 Gbit / s, 10 Gbit / s and especially the new rates of 40 and 100Gbit / s, it is likely that this processing will be done in hardware as processor and software solutions would be economically and technically unviable. By implementing encryption selectively, only a few points in the framework need to implement these features, so only the starting and ending points of secure tunnels need to have this hardware support. The starting point of this transaction is equipment called Switch EDD, located at the customer's physical premises. The presence of MACsec functionality in this equipment is therefore a requirement for the architecture described in this invention to be deployed. The endpoint of the secure tunnel can be located on network aggregation equipment, typically high performance routers with Ethernet interfaces, or directly on server structures that host virtualized network function virtual machines.

[37] The addition of the Ethernet packet encryption functionality in the EDD Switch utilizes specific integrated circuits that support the Advanced Encryption Standard (AES), defined in the National Institute of Standards and Technology (NIST) FIPS97 standard, with minus 128 bits in Galois / Counter Mode (GCM-AES) according to the MACsec standard. The application of MACsec is done selectively, as described in the set of figures 6, 7 and 8. In addition, as will be explained below, the EDD Switch also has specific features to act as Ethernet Device under the aspect of administration, operation. and maintenance, ie management.

[38] Similarly, the addition of packet encryption functionality in network aggregators requires support for Ethernet interfaces using specific integrated circuits that support the AES standard with at least 128-bit keys, complying with MACsec and mode. Alternatively, the addition of packet encryption functionality may be present on servers that host virtual machines that implement virtualized network functions, and are done on network adapter interfaces, or Network Interface Cards (NICs). Such NICs also make use of specific integrated circuits that support the AES standard with keys of at least 128 bits, complying with the MACsec standard and selectively as described in the set of figures 6, 7, and 8. NICs process MACsec. and deliver decrypted and decrypted packages to virtual machines, relieving the commercial server processor of MACsec-specific and intensive tasks. The reverse path is also required, with the NIC encrypting using MACsec.

[39] However, most endpoint (EDD) or aggregator switches, as well as server network interfaces currently on the market do not have MACsec functionality embedded in their hardware platform. However, the vast majority implement their Ethernet ports using transceivers in the form of modules that can be inserted with the equipment in operation. Such modules are called SFP for 1GbE, XFP, or SFP + interfaces for 10GbE, QSFP +, and CFP ports for 40GbE and CFP, CFP2, CFP4, or QSFP28 interfaces for 100GbE interfaces. Because they have modular characteristics and are positioned in the port data path, the SFP, XFP and SFP +, QSFP +, QSFP28, CFP, CFP2 and CFP4 modules can be used to add MACsec functionality to switches and servers not originally designed for this purpose. Using modules to implement MACsec functionality has the advantage that only ports where encryption is required will need modules with this support.

[40] The AES standard used in MACsec is a symmetric encryption algorithm that uses session keys of typical sizes 128, 192, and 256 bits. Such keys are shared by both parties participating in the secure tunnel. That is, all endpoints of a given secure tunnel share the same cryptographic key. Therefore, the key distribution mechanism needs to be defined so that everyone can have a set of current and future keys that allow the continuous exchange of encrypted packets. Due to the size of the symmetric key, which, even with great technical difficulties, allows brute force attacks, in which all key possibilities are generated and tested against the encrypted packets eventually captured, it is necessary to define the periodicity of exchange of this key. The present invention proposes two ways to establish key exchange: centralized management from the network management service or use of the MACsec Key Agreement (MKA) protocol, also called KeySec, defined by the IEEE 802.1 X ..

[41] Virtually all service provider networks have a centralized management service (T500), which provides Fault, Configuration, Provisioning, and Security (FCAPS) functionality, following the model ITU-T Telecommunication Management Network (TMN). The periodic generation and distribution of keys can be assigned to the centralized management service (T500), as shown in figure 9, since it has full knowledge of the network, its circuits and elements. Communication is via specific encrypted control channels (T510) established between central management and the various elements that need to establish MACsec tunnels. Using MACsec, secure connections are created between stream participants, who are designated Connectivity Association (CA), and each CA (T520) has a symmetric single session key (T530) generated and distributed by the centralized Management server. Network

[42] When KeySec is used, EDD switches assume the role of Supplicants (T540), the network aggregator, or directly the servers that have MACsec-enabled NICs assume the role of Authenticator (T550). , while the Authentication Server (T560) role must be played by an authentication, authorization, and accounting server (AAA Server) of the service provider framework. The KeySec protocol handles the function of generating a master key and distributing it to endpoints so that they can generate periodic session keys called Secure Association Key (SAK).

[43] The first thing to consider when it comes to network virtualization efficiency is the bandwidth of the Metropolitan Area NetWork (MAN) and wide area network (WAN) access channels when compared to networks. Local Area Network (LAN). LANs have speeds of the order of several Gbit / s (T600), while often corporate or dedicated Internet access channels for branch office communication are in the order of Mbit / s (T610). That is, a LAN is typically at least 10 times faster than a MAN or WAN network, as illustrated in Figure 11. How virtual machines that fulfill virtualized network functions are located in the cloud of service providers ( T620), accessible via MAN or WAN networks, it is important to analyze the packet traffic that will circulate in this interconnection in order to preserve the response time and speed previously offered to network users.

[44] As we can demonstrate from Figure 12, in the non-virtualized situation, where Firewalls / Routers have interfaces directly on the clients LAN (T700), Unicast and Multicast (T710) flows to the Internet arrive at these devices. However, it is part of the Ethernet LAN architecture to have a certain level of Broadcast, Destination Lookup Failure (DLF) and Multicast (T720) packets that also reach the internal interface of these Firewalls / Routers. Broadcast packets include Address Request Protocol (ARP), Free ARP. There are also some routing protocols that use internal multicast packets. DLF packets occur when there are no matches in the internal tables, forcing packets to be forwarded to all possible interfaces within a given VLAN. However, due to the operating character at OSI Layer level L3 and later, Routers and Firewalls intrinsically route through the WAN channel only Unicast and Multicast streams with external destination (T730).

[45] However, if the virtualized scenario in Figure 13 considers a 1 Gbit / s (T740) interface for interconnecting the EDD Switch with the internal network, and 100Mbit / s (T750) as the MAN / WAN channel, a ten to one ratio (10: 1) in the LAN: MAN / WAN comparison. If the EDD switch operates at the OSI layer L2 level and the number of Broadcast packets, for example, reaches 5% (T760) on the LAN network interface, the reflection on the WAN channel is 50% (T770) channel occupancy. traffic the customer's Internet packets, impacting the quality of service perceived by users. It is therefore clear that it is necessary to maximize MAN / WAN channel availability for external Unicast and Multicast traffic through L3 routing functions or intelligent and selective L2 packet filters.

[46] In the case of an option for EDD switches that have L3 routing, it should be integrated into the customer's LAN network and preferably not use any kind of NetWork Address Translation (NAT) or Port Address Translation (IPv4) address translation. - PAT). This preserves the original network addresses so that the edge firewall, now hosted on the service provider's virtual structure, has full knowledge of the network. In the option for ED2 switches with L2 functionality, the requirement is to limit Broadcast, Multicast and DLF traffic on the MAN / WAN channel, ie the channel with the lowest bandwidth. This limitation is specified in packets per second or directly in band in the form of kbit / s, and is preferably implemented in hardware, without burdening the control plane and central processor of the equipment. Bandwidth limiters may be used directly on the ports or complex filters that have inclusion criteria and configurable actions. The end result is effective control of the Broadcast (T770), Unknown Unicast (T780) and Internal Multicast (T790) streams. figure 13.

[47] Any traffic limitation in the case of continuous transmission of higher than defined thresholds will result in packet discarding. However, some Broadcast and Multicast packets must be prioritized and transmitted for proper network operation even in threshold saturation situations. Thus, in addition to simply limiting, it is necessary for the EDO Switch to be able to do this in a granular manner. The technique consists of the EDO switch and the network aggregator equipment supporting as bandwidth filtering traffic prioritization requirement the following packet types: ARP Request with questioning of IP addresses of virtualized functions; ARP Reply with response to queries made by IP addresses of virtualized functions; Connectivity Fault Management packets, First Mile Ethernet packets, LLDP packets; multicast and broadcast packets of dynamic routing protocols, such as OSPF; VRRP packets and ICMPv6 packets.

[48] The fact that the router, firewall, WAN network accelerator, or any other network functionality is virtualized modifies the concept of operating, administering and maintaining a network (Operation, Administration and Maintenance - OAM). Therefore, the EDD Switch, servers and aggregating equipment must have specific functionalities that allow centralized and remote network management. The network access equipment suggested in the architecture of the present invention supports Connectivity Fault Management (CFM), offering end-to-end OAM. This support enables proactive monitoring of connectivity (Continuity Check) and fault isolation through Loopback Messages (ping L2) and Linktrace Messages (traceroute L2) packages. It is also possible to monitor performance by measuring Frame Delay and Frame Delay Variation, both Unidirectional and Bidirectional.

[49] There is still support for OAM peer-to-peer via Ethernet First Mile (EFM) protocol following the IEEE 802.3ah standard. This enables fault indication including Dying Gasp and Unidirectional Link. Dying Gasp in particular is very useful in power outages, as an out-of-power alarm is sent to the server before the power goes off, notifying the switch that there were no data transmission issues but power problems. Unidirectional Link detects situations where only one of the transmission directions is active. Also present are tools for network diagnostics and cabling infrastructure. You can test for possible cable shortages or shortages by showing the approximate distance from the problem with copper cables, or the signal strength on optical modules that have Digital Diagnostic, defined in the SFF 8472 standard.

[50] This descriptive report deals with a peculiar and innovative system and process for virtualization of data and network functionalities, capable of greatly improving its use, with novelty, inventive activity, descriptive sufficiency and industrial application, and consequently all the essential requirements for granting the claimed privilege.

Claims (30)

1- DATA VIRTUALIZATION SYSTEM AND NETWORK FEATURES consisting of servers, transport network and access composed of network aggregating equipment, switches and routers with Ethernet interfaces, centralized management of elements and network, network functions and EDD switches characterized by introduce data encryption, packet selectivity, and network management. 2. DATA VIRTUALIZATION SYSTEM AND NETWORK FEATURES as claimed in claim 1, further characterized by the network functions being performed in the cloud of the service provider on virtual machines. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITY as claimed in claim 1, further characterized in that symmetric encryption of Ethernet packets is applied to the internal traffic information flow of clients in portions of the access network of the telecommunications and Internet service provider. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claims 1, 2 and 3, further characterized by encrypting all communication of an Ethernet link (T170) and implementing such functionality in all equipment along the way. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2 and 3, and further characterized by selectively encrypting the communications of a specific client on an Ethernet link. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3, 4 and 5 characterized by the EDD switch performing the encryption and integrity checking of Ethernet packets based on the MACsec protocol. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3 and 5, and further characterized by the fact that encryption is implemented in determined VLANs. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3 and 5, and further characterized by the fact that encryption is implemented over packets with type defined as MPLS. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3, 4 and 5, and further characterized by the fact that packet encryption is performed in hardware. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claims 1, 2, 3, 4 and 5, and further characterized by the data encryption being implemented by AES with keys of at least 128 bits in GCM-AES mode. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3, 4 and 5, and further characterized by the implementation of periodic exchange of symmetric keys from the centralized management server control. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3, 4 and 5, and further characterized by the implementation of the periodic exchange of symmetric keys from the use of the KeySec standard and actuation of the EDD switch as a supplicant. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claims 1, 2, 3 and 5, and further characterized in that the packets are encrypted end-to-end from the EDD switch equipment to the aggregation point (T180). DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claims 1, 2, 3 and 5, further characterized by the fact that packets are encrypted end-to-end from the EDD switch to the server responsible for the virtualized network function (T185). DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS as claimed in claims 1, 2, 3, 4 and 5, and further characterized by the fact that the encryption functionality of packets on servers is performed on network adapter interfaces (NICs). DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claims 1, 2, 3, 4 and 5, and further characterized by the beginning and end of a secure tunnel sharing the same symmetric cryptographic key and periodically changing that key. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITY as claimed in claim 1, further characterized by the EDD switch having L3 IP packet routing version 4 and version 6, being integrated into the customer's LAN network and not using any type of address translation. 18- DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITIES according to claim 1, and further characterized by the L2 functionality EDD switch utilizing bandwidth limiters directly on the ports. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claim 1, and further characterized by the ED2 switch with L2 functionality using complex filters with inclusion criteria and configurable actions. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claim 1, and further characterized by selecting the packets that will circulate through the external network through the EDD switch. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS as claimed in claim 1, further characterized by the EDD switch supporting Connectivity Fault Management (CFM) and allowing end-to-end network operation, administration and maintenance. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS as claimed in claim 1, further characterized by the EDD switch supporting Ethernet First Mile (EFM) and indicating network failures. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claim 1, and further characterized by the EDD switch supporting the FCAPS functionality defined by the ITU-T TMN model. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claim 1, and further characterized by the EDD switch, the network aggregator equipment and the server computers implement communication protocol with the centralized management and allow the availability of FCAPS requirements. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claim 1, further characterized by the EDD switch and the network aggregator equipment allowing the limitation of certain L2 traffic flows, with selective packet prioritization. 26- DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITY as claimed in claim 1, further characterized by the EDD switch, server computers and network aggregator equipment implementing administration, operation and maintenance techniques in accordance with Ethernet OAM standards. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS as claimed in claim 1, further characterized by the network aggregating equipment and server computers having the application of encryption and integrity checking of Ethernet packets based on the MACsec protocol. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS as claimed in claim 1, further characterized by the network aggregating equipment and server computers implementing the KeySec standard and acting as authenticators. 29- DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONALITY as claimed in claim 1, further characterized by the centralized element and network management service offering FCAPS functionality, the management of Ethernet elements through OAM standards and the generation and distribution of symmetric keys. for MACsec channels. DATA VIRTUALIZATION SYSTEM AND NETWORK FUNCTIONS according to claim 1, further characterized by the use of transceivers in the form of slot-type modules such as SFP, XFP, SFP +, QSFP + (QSFP10), QSFP28, CFP, CFP2 and CFP4. MACsec functionality on switches.