Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Seven Layers Presentation Application Session Transport Network Data Link Physical Presentation Application Session Transport Network Data Link Physical.

Similar presentations


Presentation on theme: "The Seven Layers Presentation Application Session Transport Network Data Link Physical Presentation Application Session Transport Network Data Link Physical."— Presentation transcript:

1 The Seven Layers Presentation Application Session Transport Network Data Link Physical Presentation Application Session Transport Network Data Link Physical Network Data Link Physical End system Intermediate system

2 Why only 3 layers inside the network? The end-to-end principle: what ever can be done in the edge – don’t do inside! “The network should be fast and dumb!”

3 The Seven Layers Presentation Application Session Transport Network Data Link Physical Presentation Application Session Transport Network Data Link Physical Network Data Link Physical End system Intermediate system What is wrong with this picture?

4 What’s wrong? – its not realistic people are doing application layer tasks inside the network: –firewalls –proxies –L4-7 routing

5 Why not adding network support for applications standards are very slooooow to develop –multicast! we need a fast way to add features to our network core

6 Solution let’s agree on a standard interface for routers and let everyone run its own programs. Questions: –who is everyone? –Do we have the cycles? –what about security?

7 Programmable Routers What is programmable? configuration policy based routing OS upgrade off-line download code per packet Who can program? manufacturer owner authorized contractor “big” users end user

8 configuration policy based routing OS upgrade off-line download code per packet manufacturer owner authorized contractor “big” users end user current state Capsules

9 What is a Mobile Agent ? A mobile agent is an executing program that can migrate from machine to machine in a heterogeneous network under its own control. Here an agent has migrated to interact with a search engine and will migrate again to bring the results back to its owner.

10 Mobile Code The basic idea is to allow code dispatching to remote sites where it is executed. Move the programmer away from the rigid client- server model to the more flexible peer-peer model programs communicate as peers act as either clients or servers depending on their current needs Problems arising from mobility –heterogeneity of systems –security (as more parties are involved)

11 Mobile Agents Mobile Agents are program instances that are able move within a network under their own control mobile agents consist of: –code –data state (i.e. variables) –execution state (i.e. stack) Some basic capabilities: –able to autonomously migrate between places –able to communicate to each other –some agents offer services or interfaces to legacy applications

12 Application for Mobile Agents Distributed Information Retrieval Mobile computing Distributed Network Management Collaborative and workflow applications Active networks Electronic commerce

13 Distributed Network Computing More than one user More than one host More than one application Code can migrate from host to host Who is in charge?

14 Hosting Mobile Code We want the code to perform tasks related to the network Who will host the mobile agent? How will the agent locate its optimal location for the task? What type of services are needed? Is the applet sandbox model good enough?

15 Open Routers Addresses at least one aspect of the problem Define an interface between the mobile code and the host An interface is an agreed and shared contract, typically static knowledge that is not dynamically modified after the agreement

16 Terminology Active Networks Mobile agents Mobile code Programmable networks No clear definitions, depends who is using it

17 Programming paradigms based on code mobility ClientServer Client/server local resources Client Server Code on Demand Mobile Agents local resources Client Server Remote evaluation local resources

18 Active Networks: What? Routers are programmable An application generated code can be injected into the network, and executed in the routers Aims at enriching functionality at the network layer (not at distributed computing) From capsule to programmable switches

19 Active Networks: How?

20

21 Producing a new networking platform, flexible and extensible at runtime to accommodate the rapid evolution and deployment of networking technologies To provide the increasingly sophisticated services demanded by defense applications The packet itself is the basis for describing, provisioning, or tailoring resources to achieve the delivery and management requirements A killer application ?! Active Networks: Why?

22 Goals Quantifiable improvement in network services –audio/video synchronization and full-rate video over multicast –fewer retransmitted packets, 100% increase in useful data rate to end applications Architecture creates solutions to future DoD needs –e.g., "addressless" networks, resource directed communication Fault-tolerance mechanisms based in network Multi-tiered mobile security –authentication forms basis for dynamic access control –separate traffic and administrative functions based on types and policy

23 Killer Application Was (and still is) an important issue Do we really need one? How about network management? New services? What? The ability to create new services in the network level

24 Challenges Composite protocols: SmartPacket processing must be efficient, secure and survivable Enhanced network services –quickly and safely deploy new services –achieve widespread use without need for a standardization process –upgrade crucial network services to keep pace with network complexity (size, speed, variety) –develop new strategies for routing and service provisioning in large networks that have overlapping topologies and mobility requirements

25 Is It Safe? –safety and security –comparing to IP Efficient? –an AN node is always slower than a router –system view: fewer packets, shorter control loops, smarter algorithms Feasible? –computation power, horizontal architecture

26 Are Active Networks Efficient? An AN node is always slower than a router Fast/slow track System view: –fewer packets –shorter control loops –smarter algorithms

27 Architecture EE channelsstorage - The underlying operating system Node OS - Executing Environment - The Active Applications

28 Assumptions The unit of multiplexing of the network is the packet (and not, say, the circuit) The primary function of the active network is communication and not computation. The network contains some nodes whose primary reason for existence is to switch packets and thus allow sharing of transmission resources Active nodes are interconnected by a variety of packet-forwarding technologies, and this variety will evolve continuously. Therefore assumptions about underlying technologies must be minimized Each active node is controlled by an administration, and no single administration controls all active nodes Trust relationships between administrations will vary. Trust needs to be explicitly managed Control plane Vs. Data plane Everything is over IP

29 Objectives Minimize the amount of standardization required, and support dynamic modification of aspects of the network that do not require global agreement Support fast-path processing optimizations in nodes. (The architecture should not preclude active nodes from performing standard IPv4/IPv6 forwarding at speeds comparable to non-active IP routers.) Support deployment of a base platform that permits on- the-fly experimentation. Backward compatibility, or at least the ability to fit existing network nodes into the architectural framework, is desirable

30 Objectives (2) Scale to very large global active networks. The main implication for the node architecture is a requirement that network-scale parameters (e.g. number of principals using the entire active network) not be exposed at the individual node level Provide mechanisms to ensure the security and robustness of active nodes individually. As with scalability, global security and robustness is the responsibility of each individual network architecture. However, the stability of individual nodes is necessary for that of the entire network Support network management at all levels Provide mechanisms to support different levels/qualities/classes of service

31 NodeOS and EE EE application channelsstorage Node OS Executing Environment Active Applications

32 NodeOS and EE Packet Flow EE application channels storage Node OSEENode OSLink-level IP cutthrough classifier packets

33 NodeOS Interfacing the link-level and the EEs Controls resources: –CPU –memory –communications (channels) Security Routing

34 NodeOS Abstracts Flows - the primary abstraction for accounting, admission control, and scheduling in the system Thread pool - the primary abstraction for computation Memory pool - the primary abstraction for memory Channels - flows create channels to send, receive, and forward packets

35 Execution Environment Interface to the NodeOS The place where the actual active code is being executed Application to application communication EE to EE communication Examples

36 NodeOS/EE Do we really need it? The cost of abstraction? What about high-speed active networks? Channels for local information and control

37 Safety and Security Crucial for deployment Safety (i.e. robustness to bugs and failures) and security (i.e. against malicious attackers) Basic tradeoff: flexibility Vs. security –adding more power to the applications can be used by the “bad guys” Is this a (good) reason to give up progress?

38 Possible Threats Damage –an active packet damages the NodeOS/EE/network- level code in the router –an active packet changes code in other active packets –the active router may interfere with the original active packet’s code Denial of service –an active packet “takes over” a certain resource (CPU, memory) and deny services from other active packets

39 Possible Threats (2) Theft –an active packet may access and change information at a node (billing), or information used by other active pockets (passwords) Compound attack –AN can be used to generate a coordinated attack aimed at a remote router. AN may allow a single attacker to generate traffic to a single destination with volume that is unlimited by the bandwidth of its own connection

40 Security - Enabling Techniques AAA: authorization authentication: someone else vouches for the packet access control to resources such as the file system Resource consumption monitoring (with policy based management) PPC - Proof Carrying Code - the code can prove that it is safe

41 Proof-Carrying Code (PCC) Peter Lee and George Necula PCC is a technique by which a code consumer (e.g., host) can verify that code provided by an untrusted code producer adheres to a predefined set of safety rules (safety policy). These rules are chosen by the code consumer in such a way that they are sufficient guarantees for safe behavior of programs. The code producer is required to create a formal safety proof that attests to the fact that the code respects the defined safety policy. The code consumer is able to use a simple and fast proof validator to check, with certainty, that the proof is valid.

42 A Secure Active Environment Accept and authenticate the incoming packet Identify the sender(s) of the packet Authorize access to the appropriate resources Allow execution based on the authorization and the security policy Monitor the resource utilization Encrypt/decrypt code/data as needed Who should do it: nodeOS? EE?

43 DARPA Projects ANTS at MIT Smart Packets at BBN Switchware at Upenn and Bellcore Netscript at Columbia Applications: active reliable multicast, protocol boosters, active congestion control, Internet applications ABone: a global AN network

44 ANTS (MIT) ANTS - an Active Node Transfer System –a Java-based toolkit for experimenting with active networks. It provides a node runtime that can participate in an active network, and a protocol programming model that allows users to customize the forwarding of their packets The first EE to be developed Uses capsules that do not contain all the code A code distribution system distributes the code to the different active nodes.

45 Smartpackets (BBN GTE) Goal: to add programmability to management and diagnostic packets Making packets smart by: –an easily compiled source code language - Sprocket –access to information on the fly (MIB) Emphasis on runtime, no soft states, the code lifetime at a node is only during execution.

46 SwitchWare U. Penn. and Telecordia Goal: understand the design space –investigate architectures and programming paradigms for AN –use modern programming languages –find “sweet spots” in tradeoffs among flexibility, usability, performance and security Main features: –PLAN - Packet Language for Active Networks –ALIEN - Active Loader

47 SwitchWare Architecture PLAN ALIEN/Caml/OS AEGIS Static Integrity Checks Dynamic Integrity Checks Node-Node Authentication Recovery ALIEN Library PLAN Packet PLAN Packet Caml Switchlet Caml Switchlet

48 Packet Language for Active Networks Domain-Specific Language for AN Active Packets of ML-like code Restricted for security & performance Active extensions for restricted tasks “Glue language” to build active applications Resource-bounds for network protection Access to link-layers w/extensions

49 The ALIEN Active Loader Focus on generality and security Crypto. Credentials extend to remote case active packets and active extensions all written in Caml with restricted runtime Applications to LAN bridging, IP forwarding switchlets Loader Core Switchlet libraries Runtime (Caml) OS (Linux)

50 Issues Packets size: –how much code can fit into a single packet? –offline loading of code A safe execution of the code –how much control –offline guaranties Vs. runtime verification Interactions: –packet -- EE –packet -- packet

51 Netscript (Columbia) A glue language to compose and manage active flow processing applications Enable significant domain-specific capabilities: –computation over flows Simplify programming active nets – high-level abstraction of flow processing: end-end composition & coordination Compiler-generated support of key functions – manageability: security, resource allocation – optimization –map to heterogeneous node architectures from JVM to ASIC/FPLA…

52 Applications Multicast –ARM (at MIT), PANAMA (U.Mass and TASC) Caching –Adaptive Web Caching (UCLA) Active congestion control –(USC/ISI, GaTech) Auctions –(MIT)

53 Applications Applications that can use servers inside the network: –multicast retransmission –caches Data corresponding to a certain application is manipulated by the routers

54 ABone Active Network Backbone An experimental network consisting of nodes from all over the world used to prototype and test new ideas related to Active Networking ~96 nodes (October 2001) Assembled from existing links and node, mainly Linux machine with ANetd: – a basic EE for Linux –a way to manage different EEs

55 ABone Active Network Backbone

56 AN Outside DARPA IWAN since 1999 (International Working Conference on Active Networks –many of the papers deals with network management EU research: large investment –FAIN - Future Active IP Networks Network operators like BT,DT,AT&T, MCI see in the programmable switch/router paradigm a way to: –allow them to program their own networks to achieve better functionality/efficiently over competitors –offer big clients unique custom designed services in a very short time frame –shift some of the revenue opportunities from manufactures to service providers

57 What is missing? Access to the network: –local information: topology, interfaces, load –routing - access to routing tables and manipulation of routing/forwarding tables Soft states: allowing a truly distributed application to run for a long period of time Integration with current routers

58 ABLE (Active Bell Labs Engine) Shorter control loops Fusion of control messages in the network Exposing the actual cost to the programmer Introduce efficiency to network management using active networks technology

59 ABLE Architecture An adjunct active engine to any router R/W interface with the router Long lived sessions Use of standard tools The broker concept Security Active Engine Session Broker MIB router filter session 1session 2 security session n Control Broker Info Broker CLI

60 An EarlyArchitecture An adjunct active engine to any router: –modularity –easy deployment –safe R/W interface with the router MIB router filter Active Engine manager

61 An Early Architecture An adjunct active engine to any router R/W interface with the router Long lived “sessions” –generalized “soft state” –rendezvous Use of standard tools: –Java, ANEP over UDP/IP, SNMP, IP filtering MIB router filter Active Engine manager session 1session 2

62 The Router Forwarding + basic routing Filtering: active packets (with active UDP ports) are sent to the active engine (AE) Support for SNMP Fast-track user-controlled routing and filtering Active Engine manager MIB router filter controller

63 The Active Engine Can be separate, or in the same box R/W interface with the router: – SNMP – vendor’s specific control Long lived sessions: – rendezvous – generalized soft state Use of standard tools: – Java, ANEP over UDP/IP, SNMP, IP filtering Active Engine manager MIB router filter session 1session 2 security

64 Addressing Modes Explicit - sent directly to a known AE –efficient Oblivious - sent along a path, and intercepted by the first AE en-route –topology learning –robust

65 An Early Architecture An adjunct active engine to any router R/W interface with the router Long lived “sessions” Use of standard tools Security MIB router filter Active Engine manager session 1session 2 security

66 Safety & Security The active engine is separate from the router - regular IP traffic is safer Inside the active engine: – AAA (authentication, authorization, access control) – blocking unauthorized TCP connections – monitoring resource consumption of sessions – Java SecurityManager: blocking native methods and foreign file access

67 An Application Example: Bottleneck Detection Currently can be done using the traceroute program: –inefficient and limited in scope (route + timing info) An active solution: –efficient –versatile –can do much more

68 Current Traceroute Program Quadratic number of messages Quadratic completion time

69 An Active Solution Each AE duplicates the program it receives and forwards it Linear completion time Quadratic number of messages

70 Bottleneck Detection Tishrey inbar Heshvan Kislev Adar Amir From: inbar To:tishrey get_code(code); get_data(hop#,dest,reportto); hop# ++; packet = prepare_new_packet (code,hop#,dest,reportto); send_new_pack(packet,dest); info = get_local_info(); send_report(reportto, info, hop#); finish(); hop#: 0 dest: adar reportto: inbar Razcisco1 MIB filter manager session 1 security Active Engine router session 2

71 ABLE++ Architecture An adjunct active engine to any router R/W interface with the router Long lived sessions Use of standard tools The broker concept Security Active Engine Session Broker MIB router filter session 1session 2 security session n Control Broker Info Broker CLI

72 ANEP A mechanism for encapsulating Active Network frames for transmission over different media –an active node receiving a packet must be able to uniquely and quickly determine the environment in which it is intended to be evaluated –to allow minimal, default processing of packets for which the intended evaluation environment is unavailable –so that information that does not fit conceptually or pragmatically in the encapsulated program (such as security headers), can be placed in the header

73 The ANEP Header | Version | Flags | Type ID | | ANEP Header Length | ANEP Packet Length | ~ Options ~ |. | ~ Payload ~ |. |

74 ANEP Header Fields The Version field indicates the header format in use Only the most significant bit of the flag field is used. It indicates what the node should do if it does not recognize the Type ID: 0 - try to forward, 1 - discard The ANEP Header Length field specifies the length of the ANEP header in 32 bit words. If no options are included in the packet, then its value must be 2 The ANEP Packet Length field specifies the length of the entire packet, including the packet payload, in octets

75 ANEP Header Fields (2) The Type ID field indicates the evaluation environment (EE) of the message The proper authority for assigning Type ID values to interested parties is the Active Networks Assigned Numbers Authority (ANANA) (61-64) The Type ID value 0 is reserved for possible future network layer information and error messages If the value contained in this field is not recognized, the node should check the value of the most significant bit of the Flags field when deciding how to handle the packet

76 ABLE Implementation Active engine: – C code, in user space –active packet’s code in Java –Java methods for performance, security, and ease of use Router: –FreeBSD on a PC with ipfw as the filter, or –Linux on a PC with ipTables as the filter, or –COTS (Commercially Of The Shelf) routers (CISCO, Lucent RABU), with filters

77 Divertor Free BSD: –using the built in fire wall - ipfw –special divert socket –all UDP traffic to socket 3322 goes to this socket Linux: –using the built in ipTables –User-level program –all UDP traffic to socket 3322 goes to this program, and diverted to the session manager

78 Session Broker Operation: –listen on all sockets –if arrive from outside Send data to session, or Create new session –if from inside: Send data/code to network (as an active packet) –if admin: Do whatever –kill,referesh,update-new Session Broker session 1 session 2 security router Interfaces: ACTEXTPort 3322 ACTINPort 3691 ADMININPort 3692

79 Session Broker Creating a new session: –get packet – reassemble –create session –get session socket number –send data to socket Session Broker session 1 session 2 security router

80 Session Broker The session SB communication: –UDP sockets –“Our” headers –one admin and one data socket to the SB –one socket for each session –The session part is done via the Act class Session Broker session 1 session 2 security router

81 Information Broker The session IB communication: –TCP streams sockets –“Our” functions –The session part is done via the BrokerInterface class –The broker part in JAVA security router MIB session 1session 2 Info Broker CLI

82 Information Broker Caching information: –interfaces and routing information is cached, and retrieved locally –cache is updated every (C) seconds –saves accesses to the router, may result in getting staled information OID access: –allow direct access to the MIB security router MIB session 1session 2 Info Broker CLI

83 Bottleneck Detection Tishrey Inbar Heshvan Kislev Adar Amir From: inbar To:tishrey get_code(code); get_data(hop#,dest,reportto); hop# ++; packet = prepare_new_packet (code,hop#,dest,reportto); send_new_pack(packet,dest); info = get_local_info(); send_report(reportto, info, hop#); finish(); hop#: 0 dest: adar reportto: inbar Razcisco1 MIB filter manager session 1 security Active Engine router session 2

84 Ses.Java import java.io.*; import java.lang.*; import java.net.*; import Act.*; import AdventNetSnmp.*; // This is an example for an active session that computes traceroute public class Ses { public static void main ( String args[] ) throws Exception, AdventNetSnmpException { AdventNetSnmp request = new AdventNetSnmp(); DatagramPacket udppacket; /* set to number of bytes of data. Should be divisible by 4 */ int datasize = 12; System.out.println(">>>>> before Act");

85 Ses.Java Act session = new Act(datasize * -1); System.out.println(">>>>> After Act"); byte[] p = session.getProg(); byte[] v = session.getInitVars(); int[] senderip = new int[4]; byte[] destip = new byte[4]; byte[] udpmsg ; // get original sender IP address for (int i=0;i<4;i++) senderip[i] = (int) ((v[i] < 0 ) ? v[i]+256 : v[i]); String sendername = Integer.toString(senderip[0]) + "." + Integer.toString(senderip[1]) + "." + Integer.toString(senderip[2]) + "." + Integer.toString(senderip[3]); // get target IP address System.out.println("Destination IP address"); for (int i=0;i<4;i++) {destip[i] = v[i+4]; System.out.println(destip[i] + ".");} // get hop number int hopnum = (int) v[8]; System.out.println("Hop number" + hopnum); int dummy = (int) v[9];

86 Ses.Java // prepare new message if (v[8]>127) System.out.println("too big "); else v[8]++; // send new message byte[] newpck = new byte[p.length+datasize]; for (int i=0;i

87 Ses.Java // send udp to original sender reporting your status String udpmsgtext = "hop " + v[8] + ": " + res1; System.out.println(">>>>>>>>UDPMSG>>>>>>>>>>>>>>>>>>>> " + udpmsgtext); System.out.println(udpmsgtext); int udpmsglen = udpmsgtext.length(); udpmsg = new byte[udpmsglen]; udpmsg = udpmsgtext.getBytes(); udppacket = new DatagramPacket ( udpmsg, udpmsglen,session.IPaddr( sendername),9901); try{ session.socket.send(udppacket); } catch ( Exception exc) { System.out.println( "Error! - " + exc.toString()); } // be nice report: I'm done //session.send(v,session.internetAddress); } }

88 Using the information broker BrokerInterface localBroker = new BrokerInterface(); int ifi= 0; String res1 = " " ; try{ ifi = localBroker.getNextHopIf(destname); float load = localBroker.getLoad(ifi); res1 = "The load is: " + Float.toString(load); } catch ( Exception exc) { res1 = "The load value is unavailable ";}


Download ppt "The Seven Layers Presentation Application Session Transport Network Data Link Physical Presentation Application Session Transport Network Data Link Physical."

Similar presentations


Ads by Google