Active Networks: Applications, Security, Safety

Active Networks: Applications, Security, Safety and Architectures
Author: Konstantinos Psounis
Stanford University
Presenter: Sanjay Agrawal
Purdue University
Department of Computer Science,
Purdue University
Purdue University Nov 15, 2000
Passive and Active Networks
• Passive: smart hosts at the edges of the network perform computations up to the application layer; the routers interconnecting them can only perform computations up to the network layer.
• Active: intermediate routers are allowed to perform computations up to the application layer. Users can program the network by injecting programs into it.
Networks, Passive and Active:
• Passive Networks:
Processing is limited to routing, congestion control and QoS schemes.
Problems:
1. Difficulty of integrating new technologies.
2. No support for applications that require computation within the network.
3. Poor performance due to redundant operations.
Need for Active Networks:
• Need an ability to program the networks.
• Networks should be able to do
computations on user data.
• Users can supply the programs to perform
these computations.
Arguments for and against AN
• Against:
– Internet successful because of its simplicity.
• For:
– Need.
– Will increase the pace of innovation.
– Mobile code technology enables it.
– End-to-end performance of applications will improve.
End to End Argument:
• A function or service should be placed in the network only if it can be implemented there cost-effectively.
• Idea of AN is compatible with this
argument.
• Some services can best be supported using
info available inside the net.
Online Auctions
• The price info sent by the server may not be up-to-date, causing a client to submit a low bid.
• So the auction server will receive bids that are too low and must be rejected.
• In AN such low bids can be filtered out in the network, before reaching the server.
• At heavy load, the server activates filters in nearby nodes, updating them with the current price periodically.
• Frees server resources for processing competitive bids and reduces network utilization at the server.
Performance..
• Improvement is brought about by delegating some of the app's functionality to internal network nodes.
• Normal traffic could in fact benefit from active processing, which will reduce bandwidth utilization in some regions of the network.
• Doing work within the network reduces the total amount of work done by the app.
Performance
• What matters is app performance rather than network performance; the two are not correlated.
• AN may cause fewer packets to be sent, with longer per-hop latencies because of increased computation and storage.
• Still, overall app performance will improve, because of the reduced demand for bandwidth at the endpoints.
Applications
• Active Networks can be beneficial for a variety of applications:
– Network Management
– Congestion Control
– Multicasting
– Caching
Congestion Control
• Prime candidate for Active Networking.
• A special case of Network Management.
• It's an intra-network event, hence solutions to it should be far removed from the app.
• Congestion information is delayed in propagating to the user.
AN and Congestion:
• Active Node can monitor the available bandwidth
and control data flow rate accordingly.
• Probe packets can gather congestion information as they travel, and monitor packets can use the info to identify the onset of congestion and regulate the flow accordingly.
• Applications that are aware of the situation can produce congestion control data suited to it, such as selective dropping.
Experimental Technologies:
• The network defines a finite set of functions which can be performed at a node on the active packets.
• Header information in each packet, called the APCI, specifies the function.
• Packets are processed according to the APCI, and the header is recomputed if the function transforms the data.
• Tested using a Unit Level Dropping Function.
Experimental Technologies (contd.)
• Model is conservative, since no executable code
travels in the packets. However, it is a step
towards more radical changes.
• More complex models will have packets carrying
code that makes on the fly routing and congestion
control decisions based on information brought to
the node by other packets.
• Upcoming congestion tracked and regulation
done before congestion takes place.
Multicasting
• Current “passive” schemes provide only a partial solution to the problems of NACK implosion, retransmission load and packet duplication.
• Active Reliable Multicast deals with these problems efficiently by storing soft state and performing customized computation based on packet types.
• Note that not all nodes need to be active for ARM to work, so an ActiveBONE similar to the MBONE will work.
Active Reliable Multicast
• Local retransmission handled by caching the
multicast packets which reduces both latency and
traffic.
• Active router maintains a NACK record and a
repair record to perform NACK suppression and
scoped retransmission.
• Flexible and robust as active routers do not need
knowledge of group topology.
• Results show ARM has lower recovery latency
than passive schemes.
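The NACK record / repair record mechanism described above, as an added simulation (not the ARM authors' code): an active router that serves repairs from its soft-state cache, forwards only the first NACK for a lost sequence number upstream, and scopes the eventual repair to the subtrees that asked for it. Downstream links are named by strings here, an assumption for illustration.

```python
"""Simplified Active Reliable Multicast (ARM) router: an added illustration
of NACK suppression and scoped retransmission, not the ARM authors' code."""
from collections import OrderedDict


class ArmRouter:
    def __init__(self, cache_size=64):
        self.cache_size = cache_size    # bound on the soft-state data cache
        self.cache = OrderedDict()      # seq -> payload, oldest first
        self.nack_record = set()        # seqs already NACKed upstream
        self.repair_record = {}         # seq -> downstream links awaiting repair

    def on_data(self, seq, payload):
        """Cache a data or repair packet; return scoped repairs to send."""
        self.cache[seq] = payload
        if len(self.cache) > self.cache_size:
            self.cache.popitem(last=False)   # evict oldest (soft state)
        self.nack_record.discard(seq)        # the loss is now repaired
        links = self.repair_record.pop(seq, set())
        # scoped retransmission: only the subtrees that reported the loss
        return [(link, seq, payload) for link in sorted(links)]

    def on_nack(self, seq, link):
        """Handle a NACK from a downstream link.

        Returns ('repair', link, payload) when served from the local cache,
        ('forward', link, seq) when this is the first NACK for seq and it must
        go upstream, or ('suppress', link, None) when one is already pending.
        """
        if seq in self.cache:
            return ("repair", link, self.cache[seq])   # local retransmission
        self.repair_record.setdefault(seq, set()).add(link)
        if seq in self.nack_record:
            return ("suppress", link, None)            # NACK suppression
        self.nack_record.add(seq)
        return ("forward", link, seq)


def demo():
    """Constructed scenario: two receivers lose packet 5 behind this router."""
    r = ArmRouter(cache_size=4)
    r.on_data(1, b"p1")
    r.on_data(2, b"p2")
    served = r.on_nack(2, "linkA")    # cached: answered locally
    first = r.on_nack(5, "linkA")     # not cached: one NACK goes upstream
    dup = r.on_nack(5, "linkB")       # same loss, other subtree: suppressed
    repairs = r.on_data(5, b"p5")     # repair arrives: sent to A and B only
    return served, first, dup, repairs
```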
Active Network Architectures
• Some architectures carry executable code in the packet, which executes on the data of the packet that carries it.
• Others place code in the active nodes; identifiers in the packets are used to decide which code is executed.
Active IP Option:
• Active Packets approach.
• Extension to the IP Options mechanism.
• Option to carry program fragments in a variety of languages, and to query which languages are supported.
• Backward compatibility is ensured since unknown options are silently ignored.
• Implemented in Tcl, to take advantage of the Tcl interpreter's restricted execution environment.
ANTS
• Active Nodes approach.
• The network is viewed as a distributed programming system. Packets travel as capsules carrying code.
• Some code consists of well-known routines that reside at every active node.
• The rest of the application-specific code is transferred by mobile code distribution techniques.
ANTS
• Provides a flexible network service: default forwarding, plus new protocols that can be introduced into the network.
– Simultaneous use of a variety of network protocols.
– Construction and use of new protocols by mutual agreement among interested parties, rather than their centralized registration.
– Dynamic deployment of these protocols.
Security
• An active packet can consume not only many resources, but consume them at a faster rate.
• Denial of service attacks may occur if there is no resource management.
• SANE, a layered architecture proposed at the University of Pennsylvania, addresses these issues.
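The resource-management point above, as an added example (not SANE or ANTS code): a node that meters the CPU steps, memory and hop count a capsule may consume and drops any capsule that exceeds its budget, so a looping or memory-hungry capsule cannot starve the node. The capsule "program" is a toy stack language assumed here for illustration.

```python
"""Added example: an active node enforcing per-capsule resource budgets.
Hypothetical toy interpreter, not the mechanism of SANE or ANTS."""


class ResourceExceeded(Exception):
    pass


class ActiveNode:
    def __init__(self, max_steps=1000, max_stack=256, max_hops=16):
        self.max_steps = max_steps   # CPU budget per capsule execution
        self.max_stack = max_stack   # memory budget per capsule
        self.max_hops = max_hops     # how far a capsule may travel

    def run_capsule(self, program, hops):
        """Execute program, a list of (op, arg): PUSH, ADD, DUP, JMP, HALT."""
        if hops >= self.max_hops:
            raise ResourceExceeded("hop budget exhausted")
        stack, pc, steps = [], 0, 0
        while pc < len(program):
            steps += 1
            if steps > self.max_steps:            # checked before every op
                raise ResourceExceeded("cpu budget exhausted")
            if len(stack) > self.max_stack:
                raise ResourceExceeded("memory budget exhausted")
            op, arg = program[pc]
            if op == "PUSH":
                stack.append(arg)
            elif op == "ADD":
                b, a = stack.pop(), stack.pop()
                stack.append(a + b)
            elif op == "DUP":
                stack.append(stack[-1])
            elif op == "JMP":
                pc = arg
                continue
            elif op == "HALT":
                break
            pc += 1                                # unknown ops are skipped
        return stack[-1] if stack else None


def execute_safely(node, program, hops=0):
    """Run a capsule under the node's budgets; drop it on any violation."""
    try:
        return ("ok", node.run_capsule(program, hops))
    except ResourceExceeded as exc:
        return ("dropped", str(exc))


# constructed capsules: one well-behaved, two that would starve the node
BENIGN = [("PUSH", 2), ("PUSH", 3), ("ADD", None), ("HALT", None)]
SPIN = [("JMP", 0)]                                  # never terminates
BALLOON = [("PUSH", 1), ("DUP", None), ("JMP", 1)]   # grows memory forever
```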
Architecture of ANTS
• The requirements for a flexible network layer are met by:
– Packets replaced by capsules, which dictate the processing to be performed on their behalf.
– Selected routers replaced by active nodes, which provide an API for capsule processing and execute those routines safely.
– A code distribution mechanism that enables active nodes to download code when needed.
SANE Architecture
• A computer system is organized as a series of layers, each of which defines a virtual machine.
• Higher layers trust the integrity of the lower layers.
• Uses AEGIS, a secure bootstrap architecture, to cold-start the system.
• Assumes a PKI for node-to-node authentication.
• Uses a special programming language, PLAN, which is statically type checked and pointer safe.
Current Work
• SANE at the University of Pennsylvania.
• Georgia Tech: congestion control.
• Bowman, an OS for active nodes.
• ARM and an active router architecture for multicasting.
Conclusions
• Definitely an exciting step in network design.
• Can potentially solve many of the current
problems in passive networks, with a wide
application range.
• Will increase the pace of innovation, through
rapid deployment and testing of new research.
• However, most of the current implementations
haven’t been deployed on a large-scale net.
• Security requirements are enormous!