smart packets: applying active networks to network …...ece697j, umass amherst 4 network management...
TRANSCRIPT
ECE697J, UMASS Amherst 1
Smart Packets: Applying Active Networks to Network Management
Beverly Schwartz et. al. BBN Technologies
Presented by Jinghua Hu09/17/2002
ECE697J, UMASS Amherst 2
OutlineIntroductionSmart Packets System ArchitectureDescriptions of Major Components
Smart Packets Formats/EncapsulationProgramming LanguagesVirtual MachineSecurity Considerations
Discussions
ECE697J, UMASS Amherst 3
IntroductionConcept of Active Networks
capsules carrying user injected programsactive nodes performing computations
Goals of this paperApply active networks to network managementArchitecture descriptions, design and implementation
ECE697J, UMASS Amherst 4
Network Management ReviewComponents
Management stations Managed objects/devicesNetwork Management ProtocolManagement Information Base (MIB)
ECE697J, UMASS Amherst 5
SNMP ReviewSNMP
Management station exchanges data/control with managed devices by polling/trappingSNMP PDU type
GetRequestSetRequestResponseInformRequest
ECE697J, UMASS Amherst 6
MotivationMore per-device processing power available for network managementPolling from management stations is not efficient in large scale networks
Thinking about applying Active NetworksProgrammable managed nodes
ECE697J, UMASS Amherst 7
System Architecture
ECE697J, UMASS Amherst 8
ANEP DaemonANEP: Active Network Encapsulation ProtocolANEP Daemon
Injection point for smart packetsReception point for smart packetsPerforming execution of the received programs on virtual machine
ECE697J, UMASS Amherst 9
Smart Packets ProjectFour Major Components
a specification for smart packet formatsa specification for programming languagesa virtual machinea security architecture
Design PrinciplesNo persistent stateProgram contained in a single packet
ECE697J, UMASS Amherst 10
Part 1: Smart Packets
ECE697J, UMASS Amherst 11
Smart Packet FormatsHeader
VersionType
program packet ( needs IP Router Alert Option)data packeterror packetmessage packet
Context: identifier for clientsSequence number
ECE697J, UMASS Amherst 12
Smart Packet FormatsPayload
Carrying program/data/error/messageBaggage area
Allowing loading/unloading of dataNOT protected
ECE697J, UMASS Amherst 13
ANEP encapsulationANEP headerANEP authentication option
ECE697J, UMASS Amherst 14
Summary of part 1A Smart Packet ( header+payload ) is encapsulated within an ANEP packet and then carried within IPNeed to set “Router Alert” option in IP header
ECE697J, UMASS Amherst 15
Part 2: Programming LanguagesLanguage Design Issues
Compact code sizeSafetyMobilitySupport of special data types and operations for network management
ECE697J, UMASS Amherst 16
SprocketC++ style language
removal of unnecessary constructsnew features such as built-in types for packet, address, identifier and MIB addedsupport operations such as getting address, sending packet, retrieving header, querying MIB information, etc
ECE697J, UMASS Amherst 17
SpannerStack-based CISC Assembly Language
multi-clock complex instructions compact code sizevariable declarationsno access to memorydata stored either in variables or stackbranch and flow controlsubroutines
ECE697J, UMASS Amherst 18
Summary of part 2Statelessness favors compact code size
High-level Language: SprocketAssembly Language: Spanner
Sprocket and Spanner are equivalent, while Spanner allows hand-optimization for a more compact size
ECE697J, UMASS Amherst 19
Part 3: Virtual MachineDesign Issues
feature setsecurity
When a Program packet arrives, Daemon willauthenticate the sender identityverify the data origin and data integritycheck if sender is authorized to run the programfork a child process to run the virtual machine
ECE697J, UMASS Amherst 20
Virtual Machine ImplementationSpanner Virtual Machine
stack-based CISC architectureconservatively handling of errorsaware of resource limitsresides on router’s control processorlimited impact on router performance
ECE697J, UMASS Amherst 21
Summary of part 3Virtual Machine is designed based on considerations of feature set, security and performance impact.
ECE697J, UMASS Amherst 22
Part 4: Security ConsiderationsSmart Packets: a security threat?Mechanisms to limit the threats:
limit on the creator of smart packetauthentication/authorization on data origindata integrity checkrestrict risky operations only to programs sent by authorized senders
ECE697J, UMASS Amherst 23
Authentication/AuthorizationPublic-key certificate for sender identificationDigital signature for data integrity protection
protect ANEP header and entire smart packet, except ANEP packet length field and baggage of smart packet
SNMPv3 Access Control database for authorization check
ECE697J, UMASS Amherst 24
Summary of part 4Security issues addressed in the design
authentication/authorization
Security challenges remainpart of the original packets is not protectedlarge certificates size vs. limited packet sizecomputation costs of verifying certificates
ECE697J, UMASS Amherst 25
ExperiencesExamples
Retrieval of interface address and MTUSNMP: two GET messages and two ResponseSmart Packets: one Program packet and one Data packet
Traceroute
Testbed experiments show that Smart packets network enables more efficient communications
ECE697J, UMASS Amherst 26
SummaryContributions
Design and development of Smart Packets projectProgrammable nodes provide more efficient communications and faster delivery of targeted network events
Lessons LearnedStatelessness is a double-edged swordCompact codes are valuableIP is less extensible than believedSecurity is challenging
ECE697J, UMASS Amherst 27
ReferencesKurose and Ross, Network Management. Computer Networks, Chap 8.RISC Architecture, http://cse.stanford.edu/class/sophomore-college/projects-00/risc/risccisc/
Beverly Schwartz, Technical Memos, http://www.ir.bbn.com/~bschwart/