smart packets: applying active networks to network …...ece697j, umass amherst 4 network management...

ECE697J, UMASS Amherst 1

Smart Packets: Applying Active Networks to Network Management

Beverly Schwartz et. al. BBN Technologies

Presented by Jinghua Hu09/17/2002

ECE697J, UMASS Amherst 2

OutlineIntroductionSmart Packets System ArchitectureDescriptions of Major Components

Smart Packets Formats/EncapsulationProgramming LanguagesVirtual MachineSecurity Considerations

Discussions

ECE697J, UMASS Amherst 3

IntroductionConcept of Active Networks

capsules carrying user injected programsactive nodes performing computations

Goals of this paperApply active networks to network managementArchitecture descriptions, design and implementation

ECE697J, UMASS Amherst 4

Network Management ReviewComponents

Management stations Managed objects/devicesNetwork Management ProtocolManagement Information Base (MIB)

ECE697J, UMASS Amherst 5

SNMP ReviewSNMP

Management station exchanges data/control with managed devices by polling/trappingSNMP PDU type

GetRequestSetRequestResponseInformRequest

ECE697J, UMASS Amherst 6

MotivationMore per-device processing power available for network managementPolling from management stations is not efficient in large scale networks

Thinking about applying Active NetworksProgrammable managed nodes

ECE697J, UMASS Amherst 7

System Architecture

ECE697J, UMASS Amherst 8

ANEP DaemonANEP: Active Network Encapsulation ProtocolANEP Daemon

Injection point for smart packetsReception point for smart packetsPerforming execution of the received programs on virtual machine

ECE697J, UMASS Amherst 9

Smart Packets ProjectFour Major Components

a specification for smart packet formatsa specification for programming languagesa virtual machinea security architecture

Design PrinciplesNo persistent stateProgram contained in a single packet

ECE697J, UMASS Amherst 10

Part 1: Smart Packets

ECE697J, UMASS Amherst 11

Smart Packet FormatsHeader

VersionType

program packet ( needs IP Router Alert Option)data packeterror packetmessage packet

Context: identifier for clientsSequence number

ECE697J, UMASS Amherst 12

Smart Packet FormatsPayload

Carrying program/data/error/messageBaggage area

Allowing loading/unloading of dataNOT protected

ECE697J, UMASS Amherst 13

ANEP encapsulationANEP headerANEP authentication option

ECE697J, UMASS Amherst 14

Summary of part 1A Smart Packet ( header+payload ) is encapsulated within an ANEP packet and then carried within IPNeed to set “Router Alert” option in IP header

ECE697J, UMASS Amherst 15

Part 2: Programming LanguagesLanguage Design Issues

Compact code sizeSafetyMobilitySupport of special data types and operations for network management

ECE697J, UMASS Amherst 16

SprocketC++ style language

removal of unnecessary constructsnew features such as built-in types for packet, address, identifier and MIB addedsupport operations such as getting address, sending packet, retrieving header, querying MIB information, etc

ECE697J, UMASS Amherst 17

SpannerStack-based CISC Assembly Language

multi-clock complex instructions compact code sizevariable declarationsno access to memorydata stored either in variables or stackbranch and flow controlsubroutines

ECE697J, UMASS Amherst 18

Summary of part 2Statelessness favors compact code size

High-level Language: SprocketAssembly Language: Spanner

Sprocket and Spanner are equivalent, while Spanner allows hand-optimization for a more compact size

ECE697J, UMASS Amherst 19

Part 3: Virtual MachineDesign Issues

feature setsecurity

When a Program packet arrives, Daemon willauthenticate the sender identityverify the data origin and data integritycheck if sender is authorized to run the programfork a child process to run the virtual machine

ECE697J, UMASS Amherst 20

Virtual Machine ImplementationSpanner Virtual Machine

stack-based CISC architectureconservatively handling of errorsaware of resource limitsresides on router’s control processorlimited impact on router performance

ECE697J, UMASS Amherst 21

Summary of part 3Virtual Machine is designed based on considerations of feature set, security and performance impact.

ECE697J, UMASS Amherst 22

Part 4: Security ConsiderationsSmart Packets: a security threat?Mechanisms to limit the threats:

limit on the creator of smart packetauthentication/authorization on data origindata integrity checkrestrict risky operations only to programs sent by authorized senders

ECE697J, UMASS Amherst 23

Authentication/AuthorizationPublic-key certificate for sender identificationDigital signature for data integrity protection

protect ANEP header and entire smart packet, except ANEP packet length field and baggage of smart packet

SNMPv3 Access Control database for authorization check

ECE697J, UMASS Amherst 24

Summary of part 4Security issues addressed in the design

authentication/authorization

Security challenges remainpart of the original packets is not protectedlarge certificates size vs. limited packet sizecomputation costs of verifying certificates

ECE697J, UMASS Amherst 25

ExperiencesExamples

Retrieval of interface address and MTUSNMP: two GET messages and two ResponseSmart Packets: one Program packet and one Data packet

Traceroute

Testbed experiments show that Smart packets network enables more efficient communications

ECE697J, UMASS Amherst 26

SummaryContributions

Design and development of Smart Packets projectProgrammable nodes provide more efficient communications and faster delivery of targeted network events

Lessons LearnedStatelessness is a double-edged swordCompact codes are valuableIP is less extensible than believedSecurity is challenging

ECE697J, UMASS Amherst 27

ReferencesKurose and Ross, Network Management. Computer Networks, Chap 8.RISC Architecture, http://cse.stanford.edu/class/sophomore-college/projects-00/risc/risccisc/

Beverly Schwartz, Technical Memos, http://www.ir.bbn.com/~bschwart/