The SwitchWare Active Network Architecture - PowerPoint PPT Presentation

Slides: 16
Provided by: imtlS

Transcript and Presenter's Notes



1
The SwitchWare Active Network Architecture
  • Young-Ju, Han
  • Real-Time Systems Laboratory,
  • School of Electrical and Computer Engineering,
    Sungkyunkwan University,
  • 300 Chun-chun-dong, Changan-Gu, Suwon City
    Kyounggi-Do, Korea
  • Tel: 82-31-290-7222, Fax: 82-31-290-6673
  • Email: yjhan_at_rtlab.skku.ac.kr

2
Agenda
  • Introduction
  • The SwitchWare Architecture
  • Active Packet - PLANet
  • Active Extensions - Active Bridge
  • Secure Active Routers - SANE
  • Conclusions
  • References

3
Introduction
  • IP Interoperability
  • The packet format and its addressing scheme
  • to provide a virtual infrastructure
  • Active Network
  • IP interoperability layer -> Programmable
    interoperability layer
  • An approach to providing a programmable network
    infrastructure based on such a programmable
    interoperability layer
  • provide a range of different flexibility, safety
    and security, performance, and usability tradeoffs

4
SwitchWare Architecture(1/4)
  • uses a layered arch. to provide tradeoffs
  • 3 Layered Architecture
  • Active Packets
  • Active Extensions
  • Active Router Infrastructure

5
SwitchWare Architecture(2/4)
  • Active Packets
  • Active Packets carry mobile programs
  • Active Packets consist of both code and data
  • code part provides the control function of a
    traditional packet header
  • data part replaces the payload of a traditional
    packet
  • Network elements (NE) are store, compute and
    forward
  • Code execution must be lightweight
  • Programming Language for Active Packets: PLAN
  • very simple and provides a minimum of
    functionality
  • execution model includes a mechanism for remotely
    evaluating PLAN programs on other routers
  • statically type-checked improving usability
  • authentication and other costly checks are
    unnecessary
  • restricting their actions
  • limit the resources used by an active packet

6
SwitchWare Architecture(3/4)
  • Active Extensions
  • Dynamically-loaded extensions over the base
    router infra.
  • New functionality loaded when needed
  • Not mobile; to communicate with other routers
    they use Active Packets
  • only invoked when needed (no need to be
    lightweight)
  • use a variety of security mechanisms
  • type-safety, cryptography-based authentication,
    program verification
  • a mixture of PLAN and router extension provides
    greater flexibility

7
SwitchWare Architecture(4/4)
  • Active Router Infrastructure
  • to provide a secure foundation upon which the
    other two layers build (SANE)
  • System integrity
  • The system is not altered from some known (and
    presumably correct) state
  • SANE uses the approach of guaranteeing integrity
    of the lower layers of the system (AEGIS)
  • SANE identifies a minimal set of system
    elements (e.g. a small area of BIOS, some
    cryptographic material, and a trusted source)
    upon which system integrity is dependent
  • SANE builds an integrity chain with cryptographic
    hashes
  • SANE provides a public-key infra.
  • used for cryptographic authentication of module
    sources
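An added example, not part of the original slides and not SANE or AEGIS code: a minimal model of the integrity chain described above, where each layer is hashed against a known-good value before it is started and a failing layer is re-fetched from the trusted source. The layer names, the use of SHA-256 and the shape of the recovery step are assumptions of this sketch.

```python
import hashlib

def digest(image: bytes) -> str:
    # SHA-256 is this example's choice; the slides do not name a hash function.
    return hashlib.sha256(image).hexdigest()

def boot(chain, expected, trusted_source):
    """Verify each layer's hash before control would pass to it.

    chain          -- [(name, image)] ordered from the lowest layer upward
    expected       -- name -> known-good digest, held by the trusted root
    trusted_source -- name -> replacement image fetched during recovery
    Returns (names of layers started, log lines).
    """
    started, log = [], []
    for name, image in chain:
        if digest(image) != expected[name]:
            log.append(f"{name}: hash mismatch")
            image = trusted_source.get(name)
            # A replacement is held to the same check as the original.
            if image is None or digest(image) != expected[name]:
                log.append(f"{name}: recovery failed, halting")
                return started, log
            log.append(f"{name}: recovered from trusted source")
        started.append(name)
    return started, log

# Constructed sample layers (hypothetical names and contents).
GOOD = {
    "boot_block": b"boot block v1",
    "os_kernel": b"kernel v1",
    "module_loader": b"loader v1",
}
EXPECTED = {name: digest(img) for name, img in GOOD.items()}

def demo(trusted_source):
    # The kernel image on disk has been altered; the other layers are intact.
    on_disk = dict(GOOD, os_kernel=b"kernel v1 + implant")
    return boot(list(on_disk.items()), EXPECTED, trusted_source)

if __name__ == "__main__":
    for line in demo(GOOD)[1]:
        print(line)
```

Nothing above a failed layer is started, so a layer only runs if everything beneath it has already been checked.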

8
Active Packets PLANet(1/4)
  • PLANet
  • An active internetwork
  • All transmitted packets are PLAN programs
  • written in Caml
  • PLANet active node components
  • packet processing core
  • network functions
  • the PLAN interpreter
  • library of service routines

9
Active Packets PLANet(2/4)
  • ping in PLAN
      fun ping (src:host, dst:host) : unit =
        if (not(thisHostIs(dst))) then
          OnRemote (ping(src,dst), dst, getRB(), defaultRoute)
        else
          OnRemote (ack(), src, getRB(), defaultRoute)
      fun ack() : unit = print("Success")
  • PLAN Packet Format
  • Addr: on which to evaluate
  • Addr: of source
  • Int: global resource bound
  • Int: session ID
  • Str: Name of routing func
  • Str: Name of exception handler
  • Str: Name of fn to evaluate
  • list of plan value binding
  • PLAN code
  • Int: Flow ID

10
Active Packets PLANet(3/4)
  • Packet Processing Core
  • one thread running for each network interface
  • Once a packet arrives, the thread calls a handler
    to process the packet
  • If the packet has reached its evaluation dest.,
    it is passed to the PLAN interpreter to be
    evaluated; otherwise it is routed onward
  • During interpretation, PLAN programs may make
    service calls, perform remote evaluations,
    recursively call the PLAN interpreter, etc
  • If a remote evaluation occurs, a PLAN packet is
    constructed, the next hop is determined, and the
    packet is sent out the network interface
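An added example, not part of the original slides and not PLANet code: a small simulation of the evaluate-or-forward decision above, running the ping program from the previous slide and showing how the global resource bound stops a packet that runs out of budget. The three-node topology, the one-unit-per-hop cost model and all Python names are assumptions of this sketch.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    eval_dest: str   # addr on which to evaluate
    rb: int          # global resource bound
    fn: str          # name of fn to evaluate
    args: tuple      # value bindings for that fn

class Network:
    def __init__(self, next_hop):
        self.next_hop = next_hop      # (here, dest) -> neighbour; stands in for defaultRoute
        self.printed, self.dropped = [], []
        # Stands in for the PLAN code that a real packet carries with it.
        self.code = {"ping": self.plan_ping, "ack": self.plan_ack}

    def receive(self, here, pkt):
        """Packet processing core: evaluate at the destination, else forward."""
        if pkt.eval_dest == here:
            return self.code[pkt.fn](here, pkt.rb, *pkt.args)
        if pkt.rb == 0:               # bound exhausted: the packet dies here
            self.dropped.append((here, pkt.fn))
            return None
        pkt.rb -= 1                   # assumed cost model: one unit per hop
        return self.receive(self.next_hop[(here, pkt.eval_dest)], pkt)

    def on_remote(self, here, fn, args, dest, rb):
        # Remote evaluation: build a new packet and hand it to the forwarding path.
        self.receive(here, Packet(dest, rb, fn, args))

    # The two functions of the ping program, transliterated from the slide.
    def plan_ping(self, here, rb, src, dst):
        if here != dst:                                   # not(thisHostIs(dst))
            self.on_remote(here, "ping", (src, dst), dst, rb)
        else:
            self.on_remote(here, "ack", (), src, rb)

    def plan_ack(self, here, rb):
        self.printed.append((here, "Success"))

# Constructed topology: A - R - B
ROUTES = {("A", "B"): "R", ("R", "B"): "B", ("B", "A"): "R", ("R", "A"): "A"}

def run_ping(rb):
    net = Network(ROUTES)
    net.receive("A", Packet("A", rb, "ping", ("A", "B")))
    return net.printed, net.dropped
```

The round trip crosses four links, so a bound of 4 prints Success at A, while a bound of 3 leaves the ack dropped at R on the way back.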

11
Active Packets PLANet(4/4)
  • Network Functions
  • To maintain the routing tables needed to
    implement remote evaluation, routing is
    implemented based on RIP
  • routing software updates its routing table based
    on two events
  • received advertisements
  • entry expirations
  • The PLAN Interpreter
  • Programs are compiled at the source, and
    type-checking is done dynamically during
    interpretation
  • Service Routine Libraries
  • In order to augment the limited abilities of PLAN
    programs, we needed to provide a fairly rich
    library of service routines
  • include packet interrogation functions (get the
    source of the current packet), network service
    functions (show me the routing table, get the name
    of the current host), cryptographic functions for
    security, and a service for loading new services

12
Active Extensions-Active Bridge
  • using Caml
  • Caml bytecodes are dynamically loadable
  • machine independent
  • strong typing
  • namespace security
  • Based on a module loader (the Active Loader,
    ALIEN) and a set of core system services
  • An initial implementation is a simple buffered
    repeater
  • switchlet dynamically loaded
  • adds functionality of self-learning
  • followed by spanning tree algorithm
  • Automatic Protocol Transition
  • a control switchlet controls the transition
    between the two protocols

13
Secure Active Routers - SANE
  • Goal
  • To support the language-oriented model used at
    higher layers of the SwitchWare Arch.
  • To incur minimal costs while the system is in an
    operational state
  • To maximize system security
  • SANE Design Principles
  • Dynamic checks
  • Static checks
  • System performance can be improved

14
Conclusions
  • The SwitchWare active network arch. integrates
    the necessary components of any active network
    element
  • The integration takes the form of a layered arch,
    with functions partitioned between layers based
    on the flexibility and security tradeoffs
    required at each layer

15
References
  • D. Scott Alexander, William A. Arbaugh, Michael
    W. Hicks, Pankaj Kakkar, Angelos D. Keromytis,
    Jonathan T. Moore, Carl A. Gunter, Scott M. Nettles,
    and Jonathan M. Smith, The SwitchWare Active
    Network Architecture, July 7, 1998
  • D. Scott Alexander, Michael W. Hicks, Pankaj
    Kakkar, Angelos D. Keromytis, Marianne Shaw,
    Jonathan T. Moore, Carl A. Gunter, Trevor Jim,
    Scott M. Nettles, and Jonathan M. Smith, The
    SwitchWare Active Network Implementation,
    September 1998
  • D. Scott Alexander, Marianne Shaw, Scott M.
    Nettles, and Jonathan M. Smith, Active Bridging
  • Michael Hicks, Jonathan T. Moore, D. Scott
    Alexander, Carl A. Gunter, and Scott M. Nettles,
    PLANet: An Active Internetwork