The Seven Layers [Figure: two end systems, each with all seven layers (Application, Presentation, Session, Transport, Network, Data Link, Physical), connected through an intermediate system that has only the Network, Data Link and Physical layers]
Why only 3 layers inside the network? • The end-to-end principle: whatever can be done at the edge – don’t do inside! • “The network should be fast and dumb!”
The Seven Layers [Figure: the same seven-layer diagram, with two end systems and an intermediate system that has only the Network, Data Link and Physical layers] What is wrong with this picture?
What’s wrong? – it’s not realistic • people are doing application layer tasks inside the network: • firewalls • proxies • L4-7 routing
Why not add network support for applications? • standards are very slooooow to develop • multicast! • we need a fast way to add features to our network core Virtualization
Solution • let’s agree on a standard interface for routers and let everyone run their own programs. • Questions: • who is everyone? • Do we have the cycles? • what about security? Active Networks
Programmable Routers • What is programmable? • configuration • code per packet • policy based routing • off-line download • OS upgrade • Who can program? • end user • manufacturer • owner • authorized contractor • “big” users
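[Figure: what is programmable (OS upgrade, off-line download, code per packet, configuration, policy based routing) plotted against who can program (end user, manufacturer, owner, authorized contractor, “big” users); marked regions: “Capsules” and “current state”]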
What is a Mobile Agent? A mobile agent is an executing program that can migrate from machine to machine in a heterogeneous network under its own control. Here an agent has migrated to interact with a search engine and will migrate again to bring the results back to its owner.
Mobile Code • The basic idea is to allow code dispatching to remote sites where it is executed. • Move the programmer away from the rigid client-server model to the more flexible peer-peer model • programs communicate as peers • act as either clients or servers depending on their current needs • Problems arising from mobility • heterogeneity of systems • security (as more parties are involved)
Mobile Agents • Mobile Agents are program instances that are able to move within a network under their own control • mobile agents consist of: • code • data state (i.e. variables) • execution state (i.e. stack) • Some basic capabilities: • able to autonomously migrate between places • able to communicate with each other • some agents offer services or interfaces to legacy applications
Applications for Mobile Agents • Distributed Information Retrieval • Mobile computing • Distributed Network Management • Collaborative and workflow applications • Active networks • Electronic commerce
Distributed Network Computing • More than one user • More than one host • More than one application • Code can migrate from host to host • Who is in charge?
Hosting Mobile Code • We want the code to perform tasks related to the network • Who will host the mobile agent? • How will the agent locate its optimal location for the task? • What type of services are needed? • Is the applet sandbox model good enough?
Open Routers • Addresses at least one aspect of the problem • Define an interface between the mobile code and the host • An interface is an agreed and shared contract, typically static knowledge that is not dynamically modified after the agreement
Terminology • Active Networks • Mobile agents • Mobile code • Programmable networks No clear definitions; it depends on who is using the term
Programming paradigms based on code mobility [Figure: four panels, Client/server, Remote evaluation, Code on Demand and Mobile Agents, showing clients, servers and their local resources]
Active Networks: What? • Routers are programmable • Application-generated code can be injected into the network and executed in the routers • Aims at enriching functionality at the network layer (not at distributed computing) • From capsule to programmable switches
Active Networks: Why? • Producing a new networking platform, flexible and extensible at runtime to accommodate the rapid evolution and deployment of networking technologies • To provide the increasingly sophisticated services demanded by defense applications • The packet itself is the basis for describing, provisioning, or tailoring resources to achieve the delivery and management requirements • A killer application?!
Killer Application • Was (and still is) an important issue • Do we really need one? • How about network management? • New services? What? • The ability to create new services in the network level
Challenges • Composite protocols: SmartPacket processing must be efficient, secure and survivable • Enhanced network services • quickly and safely deploy new services • achieve widespread use without need for a standardization process • upgrade crucial network services to keep pace with network complexity (size, speed, variety) • develop new strategies for routing and service provisioning in large networks that have overlapping topologies and mobility requirements
Is It • Safe? • safety and security • compared to IP • Efficient? • an AN node is always slower than a router • system view: fewer packets, shorter control loops, smarter algorithms • Feasible? • computation power, horizontal architecture
Are Active Networks Efficient? • An AN node is always slower than a router • Fast/slow track • System view: • fewer packets • shorter control loops • smarter algorithms
Architecture • The Active Applications • Executing Environment (EE) • The underlying operating system (Node OS) [Figure: two EEs above a Node OS that provides channels and storage]
Assumptions Control plane Vs. Data plane • The unit of multiplexing of the network is the packet (and not, say, the circuit) • The primary function of the active network is communication and not computation. The network contains some nodes whose primary reason for existence is to switch packets and thus allow sharing of transmission resources • Active nodes are interconnected by a variety of packet-forwarding technologies, and this variety will evolve continuously. Therefore assumptions about underlying technologies must be minimized • Each active node is controlled by an administration, and no single administration controls all active nodes • Trust relationships between administrations will vary. Trust needs to be explicitly managed Everything is over IP
Objectives • Minimize the amount of standardization required, and support dynamic modification of aspects of the network that do not require global agreement • Support fast-path processing optimizations in nodes. (The architecture should not preclude active nodes from performing standard IPv4/IPv6 forwarding at speeds comparable to non-active IP routers.) • Support deployment of a base platform that permits on-the-fly experimentation. Backward compatibility, or at least the ability to fit existing network nodes into the architectural framework, is desirable
Objectives (2) • Scale to very large global active networks. The main implication for the node architecture is a requirement that network-scale parameters (e.g. number of principals using the entire active network) not be exposed at the individual node level • Provide mechanisms to ensure the security and robustness of active nodes individually. As with scalability, global security and robustness is the responsibility of each individual network architecture. However, the stability of individual nodes is necessary for that of the entire network • Support network management at all levels • Provide mechanisms to support different levels/qualities/classes of service
NodeOS and EE [Figure: Active Applications running on two Executing Environments (EE), which sit on the Node OS with its channels and storage]
NodeOS and EE Packet Flow [Figure: packet flow through an active node; labelled elements: link-level input and output, classifier, IP cut-through, Node OS channels and storage, EEs and their applications]
NodeOS • Interfacing the link-level and the EEs • Controls resources: • CPU • memory • communications (channels) • Security • Routing
NodeOS Abstracts • Flows - the primary abstraction for accounting, admission control, and scheduling in the system • Thread pool - the primary abstraction for computation • Memory pool - the primary abstraction for memory • Channels - flows create channels to send, receive, and forward packets
Execution Environment • Interface to the NodeOS • The place where the actual active code is being executed • Application to application communication • EE to EE communication • Examples
NodeOS/EE • Do we really need it? • The cost of abstraction? • What about high-speed active networks? • Channels for local information and control
Safety and Security • Crucial for deployment • Safety (i.e. robustness to bugs and failures) and security (i.e. against malicious attackers) • Basic tradeoff: flexibility vs. security • adding more power to the applications can be used by the “bad guys” • Is this a (good) reason to give up progress?
Possible Threats • Damage • an active packet damages the NodeOS/EE/network-level code in the router • an active packet changes code in other active packets • the active router may interfere with the original active packet’s code • Denial of service • an active packet “takes over” a certain resource (CPU, memory) and denies service to other active packets
Possible Threats (2) • Theft • an active packet may access and change information at a node (billing), or information used by other active packets (passwords) • Compound attack • AN can be used to generate a coordinated attack aimed at a remote router. AN may allow a single attacker to generate traffic to a single destination with volume that is unlimited by the bandwidth of its own connection
Security - Enabling Techniques • AAA: • authorization • authentication: someone else vouches for the packet • access control to resources such as the file system • Resource consumption monitoring (with policy based management) • PCC - Proof Carrying Code - the code can prove that it is safe
Proof-Carrying Code (PCC), Peter Lee and George Necula • PCC is a technique by which a code consumer (e.g., host) can verify that code provided by an untrusted code producer adheres to a predefined set of safety rules (safety policy). These rules are chosen by the code consumer in such a way that they are sufficient guarantees for safe behavior of programs. • The code producer is required to create a formal safety proof that attests to the fact that the code respects the defined safety policy. The code consumer is able to use a simple and fast proof validator to check, with certainty, that the proof is valid.
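A much-simplified illustration of the producer/consumer split described above, added here and not taken from Lee and Necula's work. The "proof" is only a claimed stack depth per instruction for a constructed toy instruction set, and the safety policy (bounded stack, in-range jumps) is an assumption; the consumer validates it in one linear pass without running the code.

```python
MAX_DEPTH = 4  # consumer's safety policy: stack depth always within 0..MAX_DEPTH
# (pops, pushes) for each opcode of a constructed toy instruction set.
EFFECT = {"push": (0, 1), "add": (2, 1), "dup": (1, 2), "pop": (1, 0),
          "jmp": (0, 0), "jz": (1, 0), "halt": (0, 0)}

def check(code, cert):
    """Consumer side: validate the producer's certificate in one pass.

    cert[i] is the claimed stack depth before instruction i. If every claim is
    consistent with its successors, the real depth equals the claim on every
    execution path, so the policy holds without any runtime checks.
    """
    if not code or len(cert) != len(code) or cert[0] != 0:
        return False
    for pc, (op, arg) in enumerate(code):
        if op not in EFFECT:
            return False
        pops, pushes = EFFECT[op]
        before = cert[pc]
        if before < pops or before > MAX_DEPTH:
            return False  # underflow, or a claim outside the policy
        after = before - pops + pushes
        if after > MAX_DEPTH:
            return False  # overflow
        successors = []
        if op in ("jmp", "jz"):
            successors.append(arg)      # jump target
        if op not in ("jmp", "halt"):
            successors.append(pc + 1)   # fall-through
        for s in successors:
            if not isinstance(s, int) or not 0 <= s < len(code) or cert[s] != after:
                return False
    return True

# Constructed samples: a balanced loop certifies, a stack-growing loop cannot.
BALANCED = [("push", 0), ("jz", 3), ("jmp", 0), ("halt", None)]
GROWING = [("push", 1), ("jmp", 0)]
```

`check(BALANCED, [0, 1, 0, 0])` succeeds, while no certificate exists for `GROWING`: the jump back to instruction 0 would need depth 0 and depth 1 at the same point.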
A Secure Active Environment • Accept and authenticate the incoming packet • Identify the sender(s) of the packet • Authorize access to the appropriate resources • Allow execution based on the authorization and the security policy • Monitor the resource utilization • Encrypt/decrypt code/data as needed • Who should do it: NodeOS? EE?
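The steps on this slide (authenticate, identify, authorize, execute under policy, monitor resources) as a small admission pipeline for a toy capsule interpreter. This is an added example, not code from any of the projects discussed; the shared HMAC keys, the per-principal policy, the opcode set and the MIB value are all constructed assumptions, and the encryption step is left out.

```python
import hashlib
import hmac

# Constructed keys, policy and node state (assumptions, not from the slides).
KEYS = {"alice": b"alice-demo-key", "bob": b"bob-demo-key"}
POLICY = {
    "alice": {"ops": {"push", "add", "read_mib", "emit", "jmp"}, "max_steps": 40},
    "bob": {"ops": {"push", "add", "emit", "jmp"}, "max_steps": 40},
}
MIB = {"ifInOctets": 1200}

class Rejected(Exception):
    """Raised when the node refuses or aborts a capsule."""

def mac(principal, program):
    """MAC over the capsule code under the sender's key."""
    return hmac.new(KEYS[principal], repr(program).encode(), hashlib.sha256).hexdigest()

def admit_and_run(principal, program, tag):
    # Accept, authenticate and identify the sender.
    if principal not in KEYS or not hmac.compare_digest(mac(principal, program), tag):
        raise Rejected("authentication failed")
    # Authorize: every opcode must be allowed before anything executes.
    policy = POLICY[principal]
    denied = {op for op, _ in program} - policy["ops"]
    if denied:
        raise Rejected("not authorized: " + ", ".join(sorted(denied)))
    # Execute under the policy while monitoring resource use (step budget).
    stack, out, steps, pc = [], [], 0, 0
    while 0 <= pc < len(program):
        steps += 1
        if steps > policy["max_steps"]:
            raise Rejected("step budget exceeded")
        op, arg = program[pc]
        pc += 1
        if op == "push":
            stack.append(arg)
        elif op == "read_mib":
            stack.append(MIB.get(arg, 0))
        elif op == "jmp":
            pc = arg
        elif len(stack) < (2 if op == "add" else 1):
            raise Rejected("stack underflow")
        elif op == "add":
            stack.append(stack.pop() + stack.pop())
        else:  # emit
            out.append(stack.pop())
    return out
```

A capsule that loops forever (`[("jmp", 0)]`) passes authentication and authorization but is aborted by the step budget, which is the denial-of-service case from the threat list.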
DARPA Projects • ANTS at MIT • Smart Packets at BBN • Switchware at UPenn and Bellcore • Netscript at Columbia • Applications: • active reliable multicast, protocol boosters, active congestion control, Internet applications • ABone: a global AN network
ANTS (MIT) • ANTS - an Active Node Transfer System • a Java-based toolkit for experimenting with active networks. It provides a node runtime that can participate in an active network, and a protocol programming model that allows users to customize the forwarding of their packets • The first EE to be developed • Uses capsules that do not contain all the code • A code distribution system distributes the code to the different active nodes.
Smartpackets (BBN GTE) • Goal: to add programmability to management and diagnostic packets • Making packets smart by: • an easily compiled source code language, Sprocket • access to information on the fly (MIB) • Emphasis on runtime, no soft state; the code lifetime at a node is only during execution.
SwitchWare, U. Penn. and Telcordia • Goal: understand the design space • investigate architectures and programming paradigms for AN • use modern programming languages • find “sweet spots” in tradeoffs among flexibility, usability, performance and security • Main features: • PLAN - Packet Language for Active Networks • ALIEN - Active Loader
SwitchWare Architecture [Figure: layers labelled PLAN Packet, Caml Switchlet, PLAN, ALIEN Library, ALIEN/Caml/OS and AEGIS, annotated with Dynamic Integrity Checks, Node-Node Authentication, Static Integrity Checks and Recovery]
Packet Language for Active Networks • Domain-Specific Language for AN • Active Packets of ML-like code • Restricted for security & performance • Active extensions for restricted tasks • “Glue language” to build active applications • Resource-bounds for network protection • Access to link-layers w/extensions
The ALIEN Active Loader • Focus on generality and security • Crypto. Credentials extend to remote case active packets and active extensions all written in Caml with restricted runtime • Applications to LAN bridging, IP forwarding [Figure: layered stack labelled switchlets, libraries, Core Switchlet, Loader, Runtime (Caml), OS (Linux)]
Issues • Packet size: • how much code can fit into a single packet? • offline loading of code • A safe execution of the code • how much control • offline guarantees vs. runtime verification • Interactions: • packet -- EE • packet -- packet
Netscript (Columbia) • A glue language to compose and manage active flow processing applications • Enable significant domain-specific capabilities: • computation over flows • Simplify programming active nets • high-level abstraction of flow processing: end-end composition & coordination • Compiler-generated support of key functions • manageability: security, resource allocation • optimization • map to heterogeneous node architectures from JVM to ASIC/FPLA…