open programmable architecture for java-enabled network devices
DESCRIPTION
Vision: JOOSE - the OS of Choice for Programmable Network Devices: JOOSE - Java Oplet Operation System Environment JOOSE is OS of choice for routers and network devices. Be the Microsoft for Routers (or better way the Linux for Programmable Network Devices)TRANSCRIPT
9/29/99 1
Open Programmable Architecturefor Java-enabled Network Devices
A Revolution!
Tal LavianTechnology Center
t [email protected]://openet.lab.baynetworks.com
9/29/99 2
Programmable Network Devices
Openly Programmable devices enable
new types of intell igence on the network
9/29/99 3
Agenda
• The market is changing
• Local Computation
• Architecture
• New types of applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 4
Our Market is Changing
• Customers demand for Openness & programmability
• IEEE P1520
• Lucent’s Programmable Networks
• Intel as driving force
9/29/99 5
Lucent in Open Programmable Networks• Lucent’s Programmable Network Conference 9/15-
16— Cosponsored: Sun, HP, Oracle, Novell, Compaq …….— Over 500 participants, enthusiastic response
• SoftSwitch as programmable network— 70 developers— Jun 99 - PR, Sept 99 - Prog Conference, October 99 - SDK, Jan 00 -
APIs, Feb 00 - Dev Conference, May 00 - 3rd party Test Lab
• 7 R/E program
• $1.7B- Excel Switching acquisit ion (Programmable switch)
• Other products and directions in Openness and Programmabil ity
• Marketing and PR on Lucent’s Openness
9/29/99 6
ES - Openet Center
• Create an open development community to deliver customer-valued solutions based on Nortel Networks’ and partners’ products and technologies
• Openet Center creates a focus to open Nortel Networks platforms
• Promotes Open Network Computing
• This potentially changes landscape and rules of the networking industry
9/29/99 7
Vision: JOOSE - the OS of Choice for Programmable Network Devices
• JOOSE - Java Oplet Operation System Environment
• JOOSE is OS of choice for routers and network devices.
• Be the Microsoft for Routers
• (or better way the Linux for Programmable Network Devices)
9/29/99 8
Agenda
• The market is changing
• Local Computation
• Architecture
• Applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 9
Evolution vs. Revolution
HW
Net
Static Net SW
Net SW Intelligence Dynamic
Time
Performance /Enhancement
Log
arit
hmic
Now
10M
100M
1G
10G
Web
Bandwidth x200Last Mile56kb ==>10Mb
9/29/99 10
Changing the Rules of the Game
• Move Turing Machine onto device—Add local intelligence to network
devices
while (true) {doLocalProcessingOnDevice()
}
9/29/99 11
Technology Concept
Reversed AppletServer
Web Server Web Browser
Applet
The JVM is in the Browser
Download applications for local processingDownload applications for local processing
9/29/99 12
The Web Changed Everything
• Browsers—Introducing JVM to
browsers allowed dynamic loading of Java Applets to end stations
• Routers—Introducing JVM to routers
allows dynamic loading of Java Oplets to routers
This Capability WILL Change Everything
9/29/99 13
Network Device
Dynamicloading
Example: Downloading IntelligenceExample: Downloading Intelligence
HWOS
JVM
React
MonitorA
uthe
ntic
atio
n
Sec
urity
Intelligenceapplication
9/29/99 14
Security and Stabil ity
• secure download of Java Applications
• safe execution environment—insulate core router applications from dynamically
loaded applications
9/29/99 15
Device-based Intell igence
• Static-vs-Dynamic Agents—Static
– SNMP set/get mechanisms – Telnet, User Interfaces (cli, web, etc…)
—Dynamic closed-loop interaction on nodes– capable of dealing with new and difficult situations – autonomous and rational properties. – dynamically system monitoring & modification – report status and trends
9/29/99 16
Agenda
• The market is changing
• Local Computation
• Architecture
• Applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 17
ORE - Oplet Run-time Environment
Service A
JVM
ORE
Service B
Oplet 1
Service C
Oplet 2
Why ORE?
9/29/99 18
Java-enabled Device Architecture Java-enabled Device Architecture
Device HWOperating System
JVM
Oplet
C/C++API
JavaAPI
DeviceCode
Oplet Runtime Env
DeviceDrivers
JNIJF
WD
AP
I
ORE Service
Download
9/29/99 19
Architecture Issues
• Green Threads -vs- Native Threads —Native threads:
– provides non-interference between Java applications
– difficult thread-to-thread communication and sharing of data between threads
– creates a dependency on underlying RTOS
– multiple JVM instances consume resources
—Green Threads– single JVM must manage CPU & memory
resources between concurrently running threads
9/29/99 20
Evolution of Router Architecture
Line cardLine card(forwarding (forwarding
buffering)buffering)
Line cardLine card(forwarding (forwarding
buffering)buffering)
Lin
e c
ard
Lin
e c
ard
(fo
rwa
rdin
g
(fo
rwa
rdin
g
bu
ffe
rin
g)
bu
ffe
rin
g)
Lin
e c
ard
Lin
e c
ard
(fo
rwa
rdin
g
(fo
rwa
rdin
g
bu
ffe
rin
g)
bu
ffe
rin
g)
CPUCPU BufferBuffermemorymemory
Routing softwareRouting softwarew/ COTS OSw/ COTS OS
Routing softwareRouting softwarew/ COTS OSw/ COTS OS
NI
as
NI
as
lin
e c
ard
lin
e c
ard
NI
as
NI
as
lin
e c
ard
lin
e c
ard
NI
as
NI
as
lin
e c
ard
lin
e c
ard
......
RoutingRoutingCPUCPU
BufferBuffermemorymemory
Routing softwareRouting softwarew/ router OSw/ router OS
Routing softwareRouting softwarew/ router OSw/ router OS
Centralized, Centralized, CPU-based ModelCPU-based Model
Distributed, Distributed, line-card based Modelline-card based Model
Control + ForwardingControl + ForwardingFunctions combinedFunctions combined Control separatedControl separated
From forwardingFrom forwarding
Added scalability, Flexibility, extensibility
9/29/99 21
Explicit Separation of Control Plane from Data Forwarding
ForwardingElement
ForwardingElement
ControlElement
ForwardingElement
ForwardingRoutin
g
SharedMemory
Packet Flow
Forwarding
Forwarding
Forwarding
Forwarding/Flow/filterTableDownloadCPU
Line Card
Traditional device
Line Card
9/29/99 22
Separation of Control and Forwarding Planes
Centralized, Centralized, CPU-based RouterCPU-based Router
Forwarding-ProcessorsForwarding-Processors based Routerbased Router
Control + ForwardingControl + ForwardingFunctions combinedFunctions combined
Control separatedControl separatedFrom forwardingFrom forwarding
CPU
Routing SW
CPU
Control Plane
Forwarding Processor
Forwarding Processor
Forwarding Processor
Slow Wire Speed
9/29/99 23
Open Networking Architecture
Network Services Protocol
Connect Transport Interface
Real-time OSNetwork Si
Network OS
Network Services Objects
Server Operating System
Un
ified p
olicy-b
ased m
anag
emen
t Forwardingelement
Controlelement
Applicationserver
Today
Networking Box Level Hardware
Proprietary NOS
Proprietary Apps
Custom Switch ASIC’s
Vertical Proprietary
Open
IP Telephony
VPN
Policy Server
Firewall
Copyright - Intel
9/29/99 24
Dynamic Configuration of Forwarding Dynamic Configuration of Forwarding Rules Rules
CPU
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
ForwardingRules
SW
HW
ForwardingRules
ForwardingRules
ForwardingRules
AN Apps
9/29/99 25
Real-time forwarding Stats and Monitors Real-time forwarding Stats and Monitors
CPU
SW
HW
AN Apps
ForwardingProcessor
ForwardingRules
Statistics &Monitors
ForwardingProcessor
ForwardingRules
Statistics &Monitors
ForwardingProcessor
ForwardingRules
Statistics &Monitors
9/29/99 26
Dynamic - On the Fly ConfigurationDynamic - On the Fly Configuration
ForwardingProcessor
ForwardingProcessor
Pac
ket
Policy
Filters
Dynamic Apps
Packet
Pack
et Filte
r
9/29/99 27
Packet CapturePacket Capture
CPU
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
Oplet
JFWD to Divert or Copy
Wire Speed
Pac
ket
9/29/99 28
Java Environment
• Green Threads -- Present RTOS with single unif ied task that includes:—Java VM (JVM)—Java Resource Manager (JRM)
– thread scheduling– manages CPU utilization
– JVM time-slice is managed by the JRM preemptive thread scheduler
– internal memory manager (intercepts “new”)
– garbage collection with priority based on available memory
9/29/99 29
Non-Interference w/ Single JVM
• Multiple threads compete for resources—memory—CPU—persistent storage
• Denial-of-service attacks possible—memory or CPU consumption attacks —trusted/untrusted service interactions
9/29/99 30
Agenda
• The market is changing
• Local Computation
• Architecture
• Applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 31
Applications
• Active Network Management — Proactive Network Management — Diagnostic Agents
• Dynamic DiffServ Classif ier
• Active Intrusion Detection
• Multicast Caching
• IP Accounting
• Application-Layer Router-Server Collaboration
• Pseudo Default Drop Capabil ity
9/29/99 32
Active Network Management
• Download Oplet Service to the device.
• Monitor MIB variables • Might be complex conditions• Trend analysis• DiffServ, RMON-II, etc… MIBs
• Report “events” to NMS — drop rate, packets/second
• Allow Service to take action
• Download application
• Adjust parameters based on direction from NMS
Monitor
AppropriateApplication
Download
Download
Complex Condition Exceeded
NMS
No more polling
router
Extensive access to internal resources
9/29/99 33
An Open Service API Example
—SNMP API for Network Management– generated automatically– allows device-based applications to
query MIB– device-based application -- query
local MIB– report trends or significant events– initiate downloading of problem
specific diagnostic code – take corrective action
9/29/99 34
Proactive Network Management
• Device-based Intell igence is Dynamic—Static Management
– SNMP set/get mechanisms – Telnet, User Interfaces (cli, web, etc…)
—Dynamic Closed-loop Management at Network Node– capable of dealing with new and difficult situations – autonomous and rational properties. – dynamically system monitoring & modification – report status and trends
—Monitor MIB to identify poor performance and notify NMS prior to failures
—Downloaded service can instantiated new services
9/29/99 35
Diagnostic Mobile Agents
• Automatic trace-route from edge router where problem exists.—Each node reached generates a report to NMS—Trace-route code “moves” to next node in path—Mobile agents identify router health—Create logs for NMS
9/29/99 36
Dynamic DiffServ Classif ier
• Set router f i l ters to sample packets from edge device host ports
• Identify real-t ime traff ic (RTP flows)
• Set f i l ter on port to adjust DS-byte value based on policy
• Keep track of f i l ters set
• Remove f i l ters no longer in use
9/29/99 37
Dynamic DiffServ Classif icationDynamic DiffServ Classif ication
ForwardingProcessor
ForwardingProcessor
Policy
Filters
ORE Service
Packet
Packet Filter
• Sample packets, set f i l ters to modify DS-byte for Per-Hop-Behavior modif ication
Packet
Control
Plane
9/29/99 38
Active Intrusion Detection
• Intruder is identif ied by Intrusion Detection software
• Intruder signature is identif ied
• Mobile agent is dispatched in direction of intruder (based on physical port of entry)
• Mobile agent “chases” intruder and terminates him (shuts down link, reboot host, notify NMS)
9/29/99 39
Multicast Caching
• Reliable Mult icasting
• Distr ibute error control throughout mult icast tree
• Retransmission a local node keeps control close to lossy l inks
• Balances processor load away from mult icast source
9/29/99 40
IP Accounting
• Project ABCD (Active Bean Counter in Device)
• Perform usage accounting at edge node
• PreCorrelate/aggregate/reduce accounting record on-site
• $1 rule for bil l ing
• Real-t ime bil l ing can be realized
• Customize bil lable resources
9/29/99 41
Server Collaboration
• Supports distr ibuted computing applications in which network devices part icipate— router to router— server to router
• Supports Intel l igent Agents
• Supports Mobile AgentsJava-basedApplication
Java-basedApplication
Java-basedApplication
9/29/99 42
Application Layer Collaboration Among Routers and Servers
• Server farm load balancing— server state monitored; rerouting based on congestion/load
• Auctioning Applications
• Bandwidth Broker
9/29/99 43
Collaboration with Business Applications
• New paradigm of distributed applications
• Network devices collaborating with business applications
• Application aware routing
JVM
Oracle DBE-CommerceBusiness appsSAP , ERP,Optivity
RMI, XML, CORBAApps
AccelarPassportShastaBayRSBS450
JVM
Apps
Apps Server
Oplet Oplet
9/29/99 44
Bandwidth Broker Collaboration
• Routers Monitor RMON and DIFFSERV MIB
• Report Per-IPAddress, Per Protocol stat ist ic to resource broker
• Adjust DS-byte and Per Hop Behavior based on Bandwidth Broker directions
9/29/99 45
Dynamic - On the Fly ConfigurationDynamic - On the Fly Configuration
• From downloadable Java application, we can modify the behavior of the ASICs
9/29/99 46
Agenda
• Our market is changing
• Local Computation
• Architecture
• Applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 47
Oplet Runtime EnvironmentAn Overview
• A platform to dynamically deploy services on network elements
• Desirable propert ies— Portable to many different devices— Secure, reliable— Low impact on device performance— Open— Provide a framework to structure code
– Reusable, maintainable, robust
• Implemented in Java
9/29/99 48
ORE - Basic Concepts
• Oplet Runtime Environment (ORE)— A kernel that manages the life cycle of oplets and services— Provides a registry of services
• Service— The value being added. Minimal constraints, could be
anything…— Represented as a Java interface
• Oplet— The unit of deployment: a JAR file— Contains meta-data (eg signatures, dependency declarations)— Contains services and other resources (data files, images,
properties, JAR files)
9/29/99 49
Dependencies
• A service S can use facil i t ies provided by another service T
• This means that the oplet containing S has a dependency on service T
• Before an oplet can be started, all of its dependent services must have be started
• ORE manages dependencies and l ifecycle of oplets and services
9/29/99 50
ORE Architecture
Java Virtual Machine API Extensions
Oplet Runtime Environment
Oplet
Service
Oplet
Service
Oplet
ServiceOplet
Service
Service
9/29/99 51
Oplet Lifecycle
• Install— Loaded from URL
• Start— Services that are depended on must already be started
• Stop— Any oplets that depend on this oplet’s services will be stopped— Code and data can be unloaded from ORE
• Uninstall
9/29/99 52
Some services
• Bootstrap— Basic configuration
• Log— Centralized logging for oplets
• HTTP server— Simple servlet support
• Command line shell
• Administrat ion commands— Manage oplets and services
9/29/99 53
An Example
Log
Native MIB Variables
Loopback SNMP Access
MIB Engine
RSVP MIB Group
HTTP Server
Servlet Engine
Traffic Monitor
JFWD
9/29/99 54
Security Issues
• Sandbox— Each oplet provides a Java name space and applet-like
sandbox
• Signed oplets— Oplets can be signed for assigning trust
• Denial of service— Vulnerable to DoS (memory, cycle, bandwidth, peristent
storage, monitors) like all Java applications
9/29/99 55
ORE Status
• Done now— Runs on Accelar and workstations— First release of ORE SDK available internally
• To be done— More APIs and services (MIB, JFWD, Wrapper)— Security (authentication)— Oplet updates— Persistent storage
9/29/99 56
ORE Future work
• Capabil it ies— Revocable services
• Security— Java 2 style permissions
• Resource l imits, DoS protection— Probably requires support from JVM
• Jini, Oplet Directory
• Mobile Agents
• Open source
9/29/99 57
Agenda
• Our market is changing
• Local Computation
• Architecture
• Applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 58
Init ial APIs
• Console Logging API
• Generic MIB Access API
• Optimized MIB Access APIs
• Trap Interception API
• Management Authentication API
• Web-Based Management Extensions API
• CLI Extensions API
• MIB Extensions API
• Pluggable Authentication API
• Network Forwarding API
9/29/99 59
Tools
• MIB API— Monitor device Management Information Base variables
– MIB– RMON and RMON-II– DiffServ
• Network API (JFWD) — Interface to Filters
– set packet drop filters– intercept packets– carbon copy packets while forwarding at line-speed
9/29/99 60
MIB API Example
JavaVirtualMachine
SNMP PDU Layer
Instrumentation& AnnotationLayer
Real Time Operating System
Processor and other Hardware
Native Variable Interface
MIB Map
Abstract Variable Interface
Client API
Client Bean
•API uses a MIB Map to dispatch requests to variable access routines•Different parts of the MIB tree can be serviced by different mechanisms•Two main schemes:•An ad hoc interface to the SNMP instrumentation layer•A generic SNMP loopback
9/29/99 61
An Open Service API Example
—SNMP API for Network Management– generated automatically– allows device-based applications to
query MIB– device-based application -- query
local MIB– report trends or significant events– initiate downloading of problem
specific diagnostic code – take corrective action
9/29/99 62
ApplicationApplicationServersServers
Java MIB API - Proxy Mode
• Uses SNMP loopback mechanism to target a remote network element
• API can be used to control devices that don’t have an embedded JVM
Router with No JVM
JSNMP APIProxy mode
JVM on PC
Java Oplet
9/29/99 63
Agenda
• Our market is changing
• Local Computation
• Architecture
• New types of applications
• ORE - Oplet Run-time Environment
• API’s
• Summary
9/29/99 64
Summary• JOOSE - OS of Choice for Open Routers
• Programmable—Turing Machine on network devices—dynamic agents vs. static agents—dynamic loading
• Our market is changing
• Openness - successfully proven paradigm —Facilitates innovation—Domain experts - virtual development community —With 3rd parties we can change the networking landscape
• Application aware routing
9/29/99 65
This is only the first step
Compare to this first f l ight and look where aviation is today
1903 the Wright brothers
9/29/99 66
Appendix
9/29/99 67
Why Java• Dynamic Loading
• Reuse security mechanisms—byte-code verifier—security manager—classloader
• System stabil i ty —constrains applications to the JVM —Prohibits native code applications
• Extensible, portable, & distributable services
9/29/99 68
Bandwidth x200 - start of new demand
Bandwidth
Content
Applications
• Intel web hosting - BIG pipes
• Last mile bandwidth x 200
• Mult imedia and new applications wil l drive the demand.
9/29/99 69
The P1520 Reference Model
Algorithms for value-added communication services created by network operators, users, and third parties
Algorithms for routing and connection management, directory services etc.
Value Added Services Level
Virtual Network Device (software representation)
Physical Elements (hardware, namespace)
L interface
Network Generic Services Level
Virtual Network Devices Level
End User ApplicationsV interface
U interface
CCM interface
PE Level
9/29/99 70
CSIX Consortium
• Common switch interface for switch fabric independence— www.csix.org
— Detailed interface specification between port/packet processor logic and interconnect fabric logic
— Similar to common media interface such as Utopia, but for switch fabric interface
— Targeted at scalable switches at higher end— Permits mix-and-match of silicon and software components
9/29/99 71
Multi-Services Switching Forum (MSF)www.msforum.org
• Open Mult i-service Switching— Common transmission and switching infrastructure— Modular, layered architecture— Integration at a module level through open interfaces— Multi-vendor model with 3rd party software options
SwitchSwitchAdaptionAdaption
SwitchSwitchAdaptionAdaption
IP Services
Source: MSS
ATM Services
Voice Service