Introduction to Active Networks

Stephen F. Bush
bushsf@research.ge.com
www.research.ge.com/~bushsf/an
GE Global Research Center

Upload: reynard-butler
Post on 11-Jan-2016

TRANSCRIPT

Page 1: Introduction to Active Networks, Stephen F. Bush, bushsf@research.ge.com, www.research.ge.com/~bushsf/an, GE Global Research Center

Page 2

Copyright 2002 Stephen F. Bush

Acknowledgements

The volume of research in the Active Networking field is too large to include references to all the excellent work in this area. We would like to extend our thanks and appreciation to all those whose work is cited in this presentation as well as those whose work we were not able to cite for lack of time and space.*

*GE related research in this presentation has been funded by the Defense Advanced Research Projects Agency (DARPA) contract F30602-01-C-0182 and managed by the Air Force Research Laboratory (AFRL) Information Directorate. Our thanks go to Doug Maughan, the Active Networks Program Manager, and Scott Shyne, Air Force Rome Labs, for their generous support throughout our research.

Introduction

Page 3

Outline

1) Active Network Framework
2) Active Network Execution Environments and Testbeds
3) Active Network Security Architecture
4) Data Versus Code Tradeoff: Kolmogorov Complexity

Page 4

Three Points to Remember

Active Networks Are Cool
Active Networks Can Be At Least As Secure As Legacy Networks ;)
Data and Algorithm Are Mutable and Fluid Within Active Networks

Page 5

Motivation for Active Networking

Faster Hardware Not Fully Utilized
Enables More Flexible Network
De-couples Protocol From Transport
Minimizes Requirements for Global Agreement
Enables On-the-fly Experimentation
Enables Faster Deployment of New Services

• http://www.darpa.mil/ato/programs/activenetworks/actnet.htm
• Email List: [email protected]

Page 6

Active Networking: A Natural Evolution

[Figure: a Traditional Packet Network packet is Header | Data; an Active Network packet is Header | Code | Data. Devices become network-aware.]

Devices Become Network-aware and Smart
Custom Code Injected By Applications/devices
Makes Network Intelligent
Reduces Protocol Deployment Time From Years to Months
Adaptive Monitoring and Predictive Control

Page 7

Change Is Inevitable

Internet Protocol
• Fossilized: Resistant to Change
• Layers of Complexity: O(4000) RFCs
• Inability to Customize Quickly or Efficiently
• Lack of Security Paradigm
• Downward Side of the Innovation Curve

Active and Programmable Networks
• Built for Change
• Reduced Complexity
• Rapid, Efficient Customization
• Security Paradigm Built-in
• Upward Innovation Path

Page 8

Integrated Versus Discrete Approaches

Discrete Approach: Programs (P) Injected Into Active Nodes Separately From Passive Data (D)
Integrated Approach: Programs Integrated Into Every Packet Along With Passive Data

[Figure: an Active Network Node receiving, in the discrete approach, program packets (P) and data packets (D) as separate packets, and, in the integrated approach, packets that each carry both P and D]

Page 9

Many Recent Examples

Active Distributed Simulation
SANDS: Specialized Active Networking for Distributed Simulation, S. Zabele, M. Dorsch, Z. Ge, P. Ji, M. Keaton, J. Kurose, J. Shapiro, and D. Towsley, Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002). IEEE Computer Society Press. pp. 534-553, ISBN 0-7695-1564-9. May 29-30, 2002. San Francisco, California, USA

Active Network Monitoring and Control
Active Network Monitoring and Control: The SENCOMM Architecture and Implementation, A. Jackson, J. Sterbenz, M. Condell, and R. Hain, Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002). IEEE Computer Society Press. pp. 534-553, ISBN 0-7695-1564-9. May 29-30, 2002. San Francisco, California, USA

Self-Organizing Video Transcoding
Resource Adaptive Netcentric Systems on Active Networks: A Self-Organizing Video Stream that Auto Morphs Itself While in Transit… J. Khan, S. Yang, D. Patel, O. Komogortsev, W. Oh, Z. Guo, Q. Gu, and P. Mail, Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002). IEEE Computer Society Press. pp. 534-553, ISBN 0-7695-1564-9. May 29-30, 2002. San Francisco, California, USA

Page 10

"Active" Conferences

IWAN (http://www.iwan2003.org/)
IEEE OpenArch (http://www.openarch.org/)
AMS Active Middleware Services (http://www.caip.rutgers.edu/ams2003/)
Etc…

Page 11

Section 1

Active Network Framework

Page 12

Legacy Co-Existence

[Figure: Host, Active Router, Legacy Router, Active Router, Host. Active packets travel between the hosts and the active routers as ip_active; the legacy router forwards them cut-through.]

Sect. I: Framework

Page 13

Active Network Framework

Active Application (AA): The active network application
Execution Environment (EE): Analogous to a Unix shell in which to execute a packet
Node Operating System (NodeOS): Operating System support for Execution Environments

[Figure: layered node. AAs run in EE 1 and EE 2; the EEs run on the NodeOS; the NodeOS runs on the Hardware.]

Page 14

Active Network Framework

Primary Focus Is Communication and Not Computation
Packet Is Unit of Multiplexing
No Assumptions About Underlying Forwarding Technologies

Page 15

Active Network Framework

[Figure: the NodeOS hosts Execution Environments (EE 1, EE 2, ..., IPv6) and a Management EE. NodeOS components shown: Security Enforcement Engine, Policy db, Channels, Store.]

Active Network Working Group, Ken Calvert ed. Active Network Framework, Version 1.0. http://www.cc.gatech.edu/projects/canes/arch/arch-0-9.ps, August 31 1998 (Version 0.9). citeseer.nj.nec.com/group98architectural.html.

Page 16

Management Execution Environment

Maintains Security Policy Database
Loads/Configures New EEs
Supports Instantiation of Network Management Services
  See Anetd and the ABone
Defines Management Operations

Page 17

Framework Considerations (I)

End Systems (ES) and Intermediate Systems (IS)
  No Architectural Differences Between ESs and ISs.
Execution Environment (EE) and Active Application (AA)
  AA Implements an End-to-end Service Executed Within an EE
  AA Can Be Loaded Either In-band or Out-of-band

Page 18

Framework Considerations (II)

AA Should Be Composable
  Mobility and Multicast AAs Should Work Together to Implement Mobile Multicast
EE and AA Deployment
  EE API Must Be Available for AA Access
  ANEP Packet Types Accepted by EE Must Be Available

Page 19

Framework Considerations (III)

Node Operating System (NodeOS)
  Primary Role Is Mediator of Node Resources to the EEs
Security
  All Requests to the NodeOS Are Verified Based Upon Credentials Sufficient to Verify Authorized Access
  EEs Must Trust NodeOS and Can Add Stricter Policies
  NodeOS May Trust Some EEs More Than Others

Page 20

Framework Considerations (IV)

Bounding Resource Usage
  Transmission
    Relatively easy – we know how to do this (bit rate)
  Computation
    Hard – NIST computational models*
  Storage
    Relatively easy – (bytes)

* V. Galtier, K. Mills, and Y. Carlinet (National Institute of Standards and Technology), S. Bush and A. Kulkarni (General Electric Corporate R&D). Predicting Resource Demand in Heterogeneous Active Networks. MILCOM 2001, McLean, VA, October 28-31.

Page 21

Framework Considerations (V)

Division of Labor Example: NodeOS Implements Routing for EEs Rather Than Each EE Implementing Its Own Routing
  Loss of Flexibility If Each EE Wants to Use a Different Routing Algorithm

Page 22

Active Network Framework

[Figure: packet-processing pipeline of an active node: Packet Classification (IPv4 classify), Input Channel Processing, EE Processing (EE 1, EE 2, EE 3), Output Channel Processing, Scheduling and Transmission. Channels carry protocol stacks such as IP|UDP|ANEP, IP|UDP, IP|ANEP and plain IP; a plain IP channel bypasses the EEs (Cut-through).]

Active Network Working Group, Ken Calvert ed. Active Network Framework, Version 1.0. http://www.cc.gatech.edu/projects/canes/arch/arch-0-9.ps, August 31 1998 (Version 0.9). citeseer.nj.nec.com/group98architectural.html.

Page 23

Hardware Reference Model

[Figure: Passive node: input ports, Switch Fabric, output ports. Active node: input ports, Switch Fabric, output ports, with EEs attached to the switch fabric.]

Active Network Working Group, Ken Calvert ed. Active Network Framework, Version 1.0. http://www.cc.gatech.edu/projects/canes/arch/arch-0-9.ps, August 31 1998 (Version 0.9). citeseer.nj.nec.com/group98architectural.html.

Page 24

Active Hardware Performance

Fred Kuhns, John DeHart, Anshul Kantawala, Ralph Keller, John Lockwood, Prahanth Pappu, David Richard, David Taylor, Jyoti Parwatikar, Ed Spitznagel, Jon Turner, and Ken Wong, Design and Evaluation of a High-Performance Dynamically Extensible Router. Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002). IEEE Computer Society Press. pp. 534-553, ISBN 0-7695-1564-9. May 29-30, 2002. San Francisco, California, USA.

Active QoS Video Streams at Several Megabits Per Second
Tal Lavian, Phil Wang, Franco Travostino, Siva Subramanian and Ramesh Duraraj, Enabling Active Flow Manipulation in Silicon-based Network Forwarding Engines, ibid.

Hrishikesh Dandekar, Andrew Purtell, and Stephen Schwab. AMP: Experiences with Building an Exokernel-based Platform for Active Networking. ibid.

Page 25

SmallState and GlobalState

Active Packets Leave Information on Node for Use by Other Active Packets and Other Active Applications
  SmallState Access Policy
  SmallState Time to Live
  SmallState CPU and Memory Usage
Only Method of Inter-Active Application Communication
Potential Bottleneck
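The three controls the slide puts on SmallState (an access policy, a time to live, and a bound on CPU and memory use) can be shown in a small node-resident store. The Python below is an added example, not code from the presentation or from any execution environment; the owner/reader policy, the byte budget, and the injectable clock are assumptions made for the illustration, and CPU usage is not modelled.

```python
"""Node-resident SmallState: per-key access policy, time to live, and a memory budget."""
import time


class FakeClock:
    """Deterministic stand-in for time.monotonic(), used to exercise expiry offline."""
    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now


class SmallStateStore:
    def __init__(self, memory_limit: int, clock=time.monotonic):
        self.memory_limit = memory_limit   # bytes of SmallState this node is willing to hold
        self.clock = clock
        self.entries = {}                  # key -> {owner, readers, value, expires}

    def used(self) -> int:
        return sum(len(e["value"]) for e in self.entries.values())

    def expire(self) -> int:
        """Drop entries whose time to live has elapsed; returns the number removed."""
        now = self.clock()
        dead = [k for k, e in self.entries.items() if e["expires"] <= now]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def put(self, key, value: bytes, owner: str, ttl: float, readers=("*",)) -> bool:
        """Leave state for later packets. Only the owning application may overwrite a
        key, and a write that would exceed the memory budget is refused rather than
        evicting another application's state, so the shared store stays bounded."""
        self.expire()
        old = self.entries.get(key)
        if old is not None and old["owner"] != owner:
            return False
        if self.used() - (len(old["value"]) if old else 0) + len(value) > self.memory_limit:
            return False
        self.entries[key] = {"owner": owner, "readers": set(readers),
                             "value": value, "expires": self.clock() + ttl}
        return True

    def get(self, key, requester: str):
        """Return the value if it is unexpired and the requester is the owner or a listed reader."""
        self.expire()
        e = self.entries.get(key)
        if e is None:
            return None
        if requester != e["owner"] and "*" not in e["readers"] and requester not in e["readers"]:
            return None
        return e["value"]
```

Expiry is applied lazily on every access, so a key left behind by a long-gone packet cannot be read after its TTL even if nothing else has touched the store.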

Page 26

Node Operating System (NodeOS) Resource Abstractions

Thread pools
Memory pools
Channels
Files
Flows (or Domains)

Active Network Working Group, Larry Peterson ed. NodeOS Interface Specification. January 24, 2000, citeseer.nj.nec.com/532678.html.

Page 27

Node Operating System

[Figure: three NodeOS channel arrangements between an EE and the NodeOS: Port and Anchored channels carrying ANEP|UDP|IP|ATM in and out of the EE, and a Cut-Through channel carrying ETH|IP|ATM through the NodeOS without visiting an EE.]

Active Network Working Group, Larry Peterson ed. NodeOS Interface Specification. January 24, 2000, citeseer.nj.nec.com/532678.html.

Page 28

Active Domains (Flows): Resource Control

Each Domain Is Allocated Resources According to Policy in Effect at Flow Creation Time

[Figure: the NodeOS hosts EE 1 and EE 2; Domain 1 and Domain 2 each own an InChan, an OutChan, Threads and Memory.]

Patrick Tullman, Mike Hibler, and Jay Lepreau. Janos: A Java-oriented OS for Active Network Nodes, 2002

Active Network Working Group, Larry Peterson ed. NodeOS Interface Specification. January 24, 2000, citeseer.nj.nec.com/532678.html.

Page 29

Composable Services

Sequence Control
  Ordering of Component Execution
Shared Data Control
  Sharing Data Among Components
Binding Time
  Instantiation/selection of a Service From Options
Invocation Methods
  Event Causing a Service to Be Executed
Division of Functionality
  Packet Versus Node Content (What Goes Where?)

Page 30

Section 2

Active Network Framework and Testbeds

Page 31

Purpose of ANEP

Uniquely and Quickly Determine the Environment in Which the Packet Is Intended to Be Evaluated
Allow Minimal, Default Processing of Packets for Which the Intended Evaluation Environment Is Unavailable
Information That Does Not Fit Conceptually or Pragmatically in the Encapsulated Program Can Be Placed in the Header

Active Network Group. Active Network Encapsulation Protocol. July 1997, http://www.cis.upenn.edu/~switchware/ANEP/docs/ANEP.txt.

Sect. II: Framework

Page 32

ANEP Packet Structure

Active Network Encapsulation Protocol (ANEP)
  Allows Encapsulation of Active Packets in Any Transport Media

[Figure: ANEP header layout. First 32-bit word: Version (bits 0-7), Flags (bits 8-15), Type ID (bits 16-31). Second word: ANEP Header Length (16 bits), ANEP Packet Length (16 bits). Then Options, then Payload.]

Page 33

ANEP Flag Option

Bit 0
  Indicates That This Option Is Valid Only Within the Type ID, i.e. Do Not Parse the Option at This Level
Bit 1
  Indicates Whether to Discard Packet If Option Cannot Be Parsed

[Figure: ANEP option layout. First 32-bit word: Flag (bits 0-1), Type (bits 2-15), Length (bits 16-31). Then the Options Payload.]

Page 34

ANEP Option Types

Option                        Type
Source Identifier             1
  IPv4 Address (32 Bits)      1
  IPv6 Address (128 Bits)     2
  802.3 Address (48 Bits)     3
Destination Identifier        2
  Same Addressing Schemes As Above

Page 35

ANEP Option Types

Option                            Type
Integrity Checksum                3
  Option Payload Contains 1's Complement of the 1's Complement Sum of the Entire ANEP Packet, Starting With the ANEP Version Field
Non-negotiated Authentication     4
  – SPKI Self-signed Certificate  1
  – X.509 Self-signed Certificate 2

Sect. II: Framework
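The layout on Pages 32 through 35 is enough to write a parser that honours the two option flag bits, decodes the Source and Destination Identifier address schemes, and verifies the Integrity Checksum. The Python below is an added example, not code from the presentation or from the ANEP authors. It assumes the ANEP draft's conventions that ANEP Header Length and option lengths count 32-bit words, that ANEP Packet Length counts octets, that a Source/Destination Identifier payload begins with a 32-bit address-scheme number, that the most significant header flag bit asks a node without the named EE to discard rather than default-forward, and that the 16-bit checksum field is zeroed while the checksum is computed. Type ID 18 and the addresses in the sample packet are constructed placeholders.

```python
"""ANEP parser: header, option TLVs (flag bits 0 and 1), Source/Destination Identifier
address schemes and Integrity Checksum verification."""
import struct

OPT_SOURCE, OPT_DEST, OPT_CHECKSUM, OPT_AUTH = 1, 2, 3, 4      # option types, Pages 34-35
FLAG_TYPEID_ONLY = 0x8000   # option bit 0: valid only within the Type ID, skip at this level
FLAG_DISCARD = 0x4000       # option bit 1: discard the packet if the option cannot be parsed
SCHEMES = {1: ("ipv4", 4), 2: ("ipv6", 16), 3: ("802.3", 6)}   # scheme id -> (name, address bytes)


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's complement sum with end-around carry; odd length is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def anep_checksum(packet: bytes, csum_offset: int) -> int:
    """One's complement of the one's complement sum over the whole ANEP packet from the
    Version field, with the checksum field itself zeroed (assumed convention)."""
    zeroed = packet[:csum_offset] + b"\x00\x00" + packet[csum_offset + 2:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF


def parse_anep(packet: bytes) -> dict:
    """Parse header and options; lengths are checked before any offset is trusted."""
    if len(packet) < 8:
        raise ValueError("short ANEP header")
    version, flags, type_id, hdr_words, pkt_len = struct.unpack("!BBHHH", packet[:8])
    if version != 1:
        raise ValueError("unsupported ANEP version %d" % version)
    hdr_len = hdr_words * 4
    if hdr_len < 8 or hdr_len > len(packet) or pkt_len != len(packet):
        raise ValueError("inconsistent ANEP lengths")
    options, checksum_ok, pos = [], None, 8
    while pos < hdr_len:
        flg_type, opt_words = struct.unpack("!HH", packet[pos:pos + 4])
        opt_len = opt_words * 4
        if opt_len < 4 or pos + opt_len > hdr_len:
            raise ValueError("malformed option at offset %d" % pos)
        opt = {"type": flg_type & 0x3FFF,
               "typeid_only": bool(flg_type & FLAG_TYPEID_ONLY),
               "discard_if_unknown": bool(flg_type & FLAG_DISCARD),
               "payload": packet[pos + 4:pos + opt_len]}
        if not opt["typeid_only"]:                      # bit 0 set: leave the option to the EE
            if opt["type"] in (OPT_SOURCE, OPT_DEST) and len(opt["payload"]) >= 4:
                scheme = struct.unpack("!I", opt["payload"][:4])[0]
                name, size = SCHEMES.get(scheme, ("unknown", 0))
                opt["scheme"], opt["address"] = name, opt["payload"][4:4 + size]
            elif opt["type"] == OPT_CHECKSUM and len(opt["payload"]) >= 2:
                stored = struct.unpack("!H", opt["payload"][:2])[0]
                checksum_ok = stored == anep_checksum(packet, pos + 4)
            elif opt["type"] != OPT_AUTH and opt["discard_if_unknown"]:
                raise ValueError("unparseable option %d with discard bit set" % opt["type"])
        options.append(opt)
        pos += opt_len
    return {"version": version, "flags": flags, "type_id": type_id,
            "discard_if_ee_unknown": bool(flags & 0x80),   # header flag bit 0 (assumed meaning)
            "options": options, "payload": packet[hdr_len:], "checksum_ok": checksum_ok}


def build_anep(type_id: int, options: list, payload: bytes, flags: int = 0) -> bytes:
    """Assemble a packet from (flg_type, option payload) pairs, padding each option to a
    32-bit boundary and filling in the Integrity Checksum option last."""
    body, csum_offset = b"", None
    for flg_type, opt_payload in options:
        padded = opt_payload + b"\x00" * (-len(opt_payload) % 4)
        if flg_type & 0x3FFF == OPT_CHECKSUM:
            csum_offset = 8 + len(body) + 4
        body += struct.pack("!HH", flg_type, (4 + len(padded)) // 4) + padded
    hdr_len = 8 + len(body)
    header = struct.pack("!BBHHH", 1, flags, type_id, hdr_len // 4, hdr_len + len(payload))
    packet = header + body + payload
    if csum_offset is not None:
        csum = struct.pack("!H", anep_checksum(packet, csum_offset))
        packet = packet[:csum_offset] + csum + packet[csum_offset + 2:]
    return packet


# Constructed sample packet: Type ID 18 is a placeholder, the addresses are private-range.
SAMPLE = build_anep(
    18,
    [(OPT_SOURCE, struct.pack("!I", 1) + bytes([10, 0, 0, 1])),
     (OPT_DEST, struct.pack("!I", 1) + bytes([10, 0, 0, 2])),
     (OPT_CHECKSUM, b"\x00\x00\x00\x00")],
    b"capsule code bytes")
```

The length checks run before any option offset is used, a node honours the discard bit on an option it cannot parse, and a checksum mismatch is reported rather than silently ignored; the caller decides whether a packet without a checksum option is acceptable at all.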

Page 36

ANEP Payload

Any Data or Code to Be Executed by an EE
  ANTS Code
  Magician Code
  ASP Code
  SmartPacket Code
  PLAN Code

[Figure: the ANEP packet layout of Page 32 (Version, Flags, Type ID; ANEP Header Length, ANEP Packet Length; Options), highlighting the Payload field.]

Page 37

Active Network Backbone (ABone)

ACTIVATE (SRI)
  Collaborative Project to Design, Build, and Manage a Large-scale Testbed to Meet the Unique Requirements of Active Network (AN) Research and Development
http://ftp.isi.edu/abone/
[email protected] Mailing List Using [email protected].

Page 38

ANTS Execution Environment

Capsules Identify Their Type As They Travel
If Required Code Is Not at a Node, a Load Request Is Sent to the Previous Node
Previous Node Sends Entire Code Required by Capsule
Requesting Node Incorporates the Code Into Its Cache and Can Respond As Previous Node Did If Necessary

David J. Wetherall, John V. Guttag and David L. Tennenhouse. ANTS: A Toolkit for Building and Dynamically Deploying Network Protocols. In IEEE OPENARCH, April 1998. http://citeseer.nj.nec.com/wetherall98ants.html
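The load sequence on the ANTS slide reads more clearly as a small simulation of a capsule crossing a path of nodes, each with its own code cache. This is an added example, not ANTS source code; the node, capsule and log structures are assumptions. Naming a capsule's type by a hash of its code is how ANTS identifies code groups (ANTS uses an MD5 fingerprint; SHA-256 is used here), and it is what lets the requesting node check that the code it was handed by the previous node is the code the capsule asked for before caching or running it.

```python
"""Simulation of on-demand code loading along a path of nodes with code caches."""
import hashlib


def code_fingerprint(code: str) -> str:
    """Capsule type: a hash of the code the capsule needs (MD5 in ANTS, SHA-256 here)."""
    return hashlib.sha256(code.encode()).hexdigest()


class Node:
    def __init__(self, name: str):
        self.name = name
        self.cache = {}   # fingerprint -> code
        self.log = []     # (event, fingerprint prefix) pairs, for inspection

    def install(self, code: str):
        """Out-of-band install, e.g. at the sending host where the protocol originates."""
        self.cache[code_fingerprint(code)] = code

    def handle_load_request(self, fp: str):
        """Answer a downstream node's load request with the entire code, or None."""
        self.log.append(("serve", fp[:8]))
        return self.cache.get(fp)

    def receive(self, capsule: dict, prev) -> bool:
        """Process a capsule arriving from `prev` (None at the origin). Returns True if the
        capsule's code was available, locally or after loading, and was executed."""
        fp = capsule["type"]
        if fp not in self.cache:
            self.log.append(("load_request", fp[:8]))
            code = prev.handle_load_request(fp) if prev is not None else None
            if code is None or code_fingerprint(code) != fp:
                # Unavailable or not the code the capsule named: fall back to default
                # handling instead of executing whatever arrived.
                self.log.append(("default_handling", fp[:8]))
                return False
            self.cache[fp] = code   # this node can now serve the next hop in turn
        self.log.append(("execute", fp[:8]))
        return True


def forward(path: list, capsule: dict) -> list:
    """Send a capsule hop by hop along `path`; returns the names of nodes that executed it."""
    executed, prev = [], None
    for node in path:
        if not node.receive(capsule, prev):
            break
        executed.append(node.name)
        prev = node
    return executed
```

Running the same capsule type twice shows the cache effect the slide describes: on the second pass no node issues a load request, and the intermediate node answers requests exactly as the origin did on the first pass.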

Page 39

Magician Execution Environment

Java-based, Runs at the User Level.
Easy to Install on Any Java VM in Order to Build a Prototype Active Network.
Magician Active Packets Are Java Objects and Can Contain Java Objects…
  Not Limited to Primitive Data Types
Serialized Objects Sent One Time Only
  Remaining Packets Use Pointer to Stored Object

Page 40

SmartPacket Structure

[Figure: ANEP header (Version, Flags, Type ID; ANEP Header Length, ANEP Packet Length) followed by the ANEP Source Option TLV, the ANEP Destination Option TLV, the ANEP Authentication Option TLV*, and the SmartPacket Java Serialized Object.]

* The authentication option payload is an MD5 message digest of the structure of the SmartPacket.

Page 41

Section 3

Active Network Security Framework

Page 42

Security Is Not a Solved Problem

Network Security in General Is Not a Solved Problem
Active Networking Has a Well-defined Framework in Which Security Can Be Managed
This Section Discusses That Framework

Page 43

Security Framework Document

Security Architecture for Active Networks
AN Security Working Group
DRAFT Status

Sect. III: Security

Sandy Murphy, NAI Labs
Security Architecture for Active Networks (latest version is May 2001). Discussion on ActiveNets_Security mailing list. Sandy Murphy is the editor.

Page 44

Abstractions

Policy
Subjects
Objects
Actions

Attacks*                    Assets
  Unauthorized Disclosure     Node
  Deception                   EE
  Disruption                  Sender
  Usurpation                  Active code

*RFC2828

Page 45

Threat Table

Can See Threat From:

            Packet   Code   EE     Node
  Sender             Yes    Yes    Yes
  Code      Yes      Yes    Yes    Yes
  EE        Yes      Yes    Yes    Yes
  Node      Yes      Yes    Yes

Can Be Protected From:

            Packet   Code   EE            Node
  Sender    N/A      Yes    Not Really    Not Really
  Code      Yes      Yes    Not Really    Not Really
  EE        Yes      Yes    Yes           Not Really
  Node      Yes      Yes    Yes and No    N/A

Page 46

Security in the Life of an Active Packet

Hop-hop Key Identifier -- if integrity check fails, packet dropped
Domain Filter -- packet assigned to domain
Credentials Extracted -- and verified
Authentication -- NodeOS checks EE & Domain if such pkts. allowed
Code Extraction -- from packet
Credentials Bound to Code -- only authorized operations allowed to continue
Execution -- code executes
Access to Resources -- controlled by credentials
Packets Are Encrypted -- for transmission by NodeOS
Hop-hop Integrity Applied to Transmitted Packets -- cycle repeats at next node

Sect. III: Security
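The stage order above is the security-relevant content of this section, so here it is as one node's processing function, with each stage able to drop the packet and the reason recorded. This is an added example, not code from the AN Security Architecture or the presentation. It assumes HMAC-SHA256 under a per-link key for the hop-by-hop integrity tag, an issuer-keyed MAC standing in for a certificate-based credential, and a constructed node policy (link-to-domain mapping, EEs permitted per domain, resources unlocked by each permission). The encryption-for-transmission stage is left out; egress re-applies the hop-by-hop tag so the cycle repeats at the next node.

```python
"""One node's pass through the security stages of an active packet's life."""
import hashlib
import hmac
import json

# Constructed keys and policy; a real node would take these from its policy database.
LINK_KEYS = {"link-A": b"constructed-key-link-A", "link-B": b"constructed-key-link-B"}
ISSUER_KEY = b"constructed-credential-issuer-key"
DOMAIN_BY_LINK = {"link-A": "domain-mgmt", "link-B": "domain-user"}
EE_ALLOWED = {"domain-mgmt": {"mgmtEE", "antsEE"}, "domain-user": {"antsEE"}}
PERMISSION_RESOURCES = {"read-smallstate": {"smallstate.read"},
                        "write-smallstate": {"smallstate.read", "smallstate.write"},
                        "route-update": {"routing.write"}}


def mac(key: bytes, data: bytes) -> str:
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def canonical(obj) -> bytes:
    return json.dumps(obj, sort_keys=True).encode()


def issue_credential(principal: str, permissions: list) -> dict:
    """Credential a trusted issuer hands an application: claims plus an issuer MAC."""
    claims = {"principal": principal, "permissions": sorted(permissions)}
    return {"claims": claims, "sig": mac(ISSUER_KEY, canonical(claims))}


def seal_for_link(link: str, body: dict) -> dict:
    """Egress: apply the hop-by-hop integrity tag under the outgoing link's key."""
    payload = canonical(body)
    return {"link": link, "payload": payload, "tag": mac(LINK_KEYS[link], payload)}


def process_packet(packet: dict, out_link: str) -> dict:
    """Run the stages in order. Returns the stages passed, the stage that dropped the
    packet (if any) and, on success, the packet sealed for the next hop."""
    trace = {"stages": [], "dropped_at": None, "egress": None}

    def drop(stage):
        trace["dropped_at"] = stage
        return trace

    key = LINK_KEYS.get(packet["link"])                          # hop-hop key identifier
    if key is None or not hmac.compare_digest(packet["tag"], mac(key, packet["payload"])):
        return drop("hop-hop integrity")
    trace["stages"].append("hop-hop integrity")
    body = json.loads(packet["payload"])
    domain = DOMAIN_BY_LINK[packet["link"]]                      # domain filter
    trace["stages"].append("domain filter:" + domain)
    cred = body["credential"]                                    # credentials extracted ...
    if not hmac.compare_digest(cred["sig"], mac(ISSUER_KEY, canonical(cred["claims"]))):
        return drop("credential verification")                   # ... and verified
    trace["stages"].append("credentials verified")
    if body["ee"] not in EE_ALLOWED[domain]:                     # authentication: EE and domain
        return drop("authentication")
    trace["stages"].append("authenticated")
    code = body["code"]                                          # code extraction
    allowed = set()                                              # credentials bound to code
    for perm in cred["claims"]["permissions"]:
        allowed |= PERMISSION_RESOURCES.get(perm, set())
    trace["stages"].append("credentials bound to code")
    for resource in code["uses"]:                                # execution with checked access
        if resource not in allowed:
            return drop("resource access:" + resource)
    trace["stages"].append("executed")
    trace["egress"] = seal_for_link(out_link, {"ee": body["ee"], "code": code, "credential": cred})
    return trace
```

The ordering matters: the cheap hop-by-hop integrity check runs before anything in the payload is parsed, and credential verification precedes any use of the claims, so an unverified packet never reaches the code-extraction or execution stages.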

Page 47

Integration with NAI Labs

Integrate GE Complexity Measures and Active Network Fault Response (ANFR) Revocation
The GE Complexity Measures Spot Misbehavior, Instigating a Revocation
  GE Code Notices Code Complexity Is Outside Tolerance
  Sends Revocation Notice of That Active Code
Needed to Align GE and ANFR Ways of Identifying Code
Makes Network Self-healing

Page 48

Integration of GE Complexity: Self-Healing Network

[Figure: Active Packets (ANEP-EE Traffic) pass a Magician Probe. The GE Probe Measures Traffic Complexity of ANEP Traffic... and the ANFR Revocation Tool Sends Revocation Notices for the Active Code.]
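The two slides above describe a detection loop: a probe estimates the complexity of active code, compares it with a tolerance band, and emits a revocation notice that names the offending code in a way ANFR can act on. The Python below is an added example, not the GE complexity measures or the ANFR tool. It uses compressed size as the complexity estimate (a standard upper-bound proxy for Kolmogorov complexity, which the slides do not define in detail), learns the band from constructed samples of well-behaved capsule code, and identifies code by its SHA-256 hash; all sample inputs are constructed here.

```python
"""Compression-based complexity probe with a tolerance band and revocation notices."""
import hashlib
import statistics
import zlib


def complexity_estimate(blob: bytes) -> float:
    """Compressed bits per input byte: an upper-bound proxy for Kolmogorov complexity.
    Incompressible input scores near 8; highly repetitive input scores near 0."""
    if not blob:
        return 0.0
    return 8.0 * len(zlib.compress(blob, 9)) / len(blob)


def java_capsule(name: bytes, body: bytes) -> bytes:
    """Constructed sample of well-behaved active code, Java-style (not real ANTS code)."""
    return (b"package demo.capsules;\n\nimport demo.Capsule;\nimport demo.Node;\n\n"
            b"public class " + name + b"Capsule extends Capsule {\n"
            b"  private int hops;\n\n"
            b"  public int getHops() { return hops; }\n"
            b"  public void setHops(int h) { hops = h; }\n\n"
            b"  public boolean evaluate(Node n) {\n"
            b"    hops = hops + 1;\n    " + body + b"\n"
            b"    return n.routeForNode(this, getDst());\n  }\n}\n")


BASELINE = [
    java_capsule(b"Ping", b"if (n.getAddress() == getDst()) { n.deliverToApp(this, 0); return true; }"),
    java_capsule(b"Count", b"Integer c = (Integer) n.getCache().get(key); n.getCache().put(key, c + 1);"),
    java_capsule(b"Trace", b"path.append(n.getAddress()); if (path.size() > ttl) return false;"),
    java_capsule(b"Merge", b"Object prior = n.getCache().get(getSrc()); if (prior != null) combine(prior);"),
]
# Constructed incompressible blob (hash output), standing in for packed or obfuscated code.
OPAQUE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(64))


class ComplexityProbe:
    def __init__(self, baseline: list, k: float = 3.0):
        """Tolerance band: mean +/- k population standard deviations of the baseline scores."""
        scores = [complexity_estimate(b) for b in baseline]
        self.mean = statistics.mean(scores)
        self.stdev = statistics.pstdev(scores) or 0.1   # floor so a uniform baseline still has a band
        self.k = k
        self.revoked = []

    def band(self):
        return (self.mean - self.k * self.stdev, self.mean + self.k * self.stdev)

    def observe(self, code: bytes):
        """Return a revocation notice for out-of-tolerance code, else None. The code is
        identified by its SHA-256, the kind of shared code identifier the GE measures and
        ANFR revocation had to agree on."""
        score = complexity_estimate(code)
        low, high = self.band()
        if low <= score <= high:
            return None
        notice = {"code_id": hashlib.sha256(code).hexdigest(),
                  "complexity": round(score, 2), "band": (round(low, 2), round(high, 2))}
        self.revoked.append(notice["code_id"])
        return notice
```

Both directions of the band matter: code far more complex than the baseline (opaque or packed) and code far simpler than it (a trivial or degenerate loop body) are both outside what the probe has seen behave, and each produces a notice carrying the score and the band so the revocation can be audited later.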

Page 49: Introduction to Active Networks Stephen F. Bush bushsf@research.ge.com bushsf/an GE Global Research Center

49Copyright 2002 Stephen F. Bush

Active Network Security

S. Murphy, E. Lewis, and R. Watson. Secure Active Network Prototypes. Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002). IEEE Computer Society Press. pp. 534-553, ISBN 0-7695-1564-9. May 29-30, 2002. San Francisco, California, USA.
  • Secure version of MIT ANTS EE

W. La Cholter, P. Narasimhan, D. Sterne, R. Balupari, K. Djahandari, A. Mani and S. Murphy. IBAN: Intrusion Blocker Based on Active Networks, ibid.
  • Adaptive Intrusion Detection and Response w/ANTS EE

D. Sterne, K. Djahandari, R. Balupari, W. La Cholter, B. Babson, B. Wilson, P. Narasimhan, and A. Purtell. Developing Dynamic Security Policies, ibid.

S. Krishnaswamy, J. Evans, and G. Minden. A Prototype Framework for Providing Hop-by-hop Security in an Experimentally Deployed Active Network, ibid.


Section 4

Data Versus Code Tradeoff: Kolmogorov Complexity


Relating Computation and Communication

Pre-active (Node only Processing)
• Existed Before Active Networking
• Fixed Processing Capability
• Attempted to Squeeze All Processing Out of the Middle and Towards the Ends of the Protocol
• Attempted to Focus on Movement of Bits

Active Network Era (Packet Dominated Processing)
• Fluid Processing Capability
• Processing Placed When/where It Makes Sense
• Developers Must Have a Keen Sense of the Trade-offs in Processing Versus Communication


Computation vs. Communication Tradeoff

• How Much Code Should Be in an Active Application (i.e. in the network)?
• How Should Code Be Partitioned Into Packets?
• Answers to These Questions Can Be Derived Through Complexity Theory


Active Packet

Figure: an active packet drawn with a dial between D|H and E (how much of the packet is data versus executable code)

Challenges in Active Networking
• When Does Active Networking Offer a Benefit?
• Playing With This Dial Is Extremely Challenging and Expensive Inside a Network!!
• Solutions May Come From Biological Research:
  • "Evolve" New Code Inside the Network
  • Use Complexity/homology in the Network to Reduce Likelihood of Attack


Early Active Networking Results: Packet Size Versus Processing

• Per Packet Resource Consumption Must Be Predicted and Guaranteed Quickly and Efficiently
• No Backward Code Pointer
  • Forced Relationship Between Packet Size and Resources Used
• Simple Solution, But Too Constraining

Moore, Jonathan T., Hicks, Michael, and Nettles, Scott. Practical Programmable Packets. Proceedings of the 20th Joint Conference of the IEEE Computer and Communications Societies, Apr 2001.


What Is Kolmogorov Complexity?

• A Measure of Descriptive Complexity
• K Among Different Universal Computers Differs by a Constant
• Bounded by the Length of the String
• Related to Entropy

K(x) = \min_{p : U(p) = x} l(p)

(the length l(p) of the shortest program p that makes the reference universal computer U output x)

A Fundamental Measure of Information Content


Program Complexity Versus Processing

• Kolmogorov Complexity
• Data Versus Code
• All Bars (Graph at Right) Represent the Same Information

Li, Ming and Vitányi, Paul. An Introduction to Kolmogorov Complexity and Its Applications, ISBN 0-387-94868-6, Springer, NY 1997.


Legacy Versus Active Networking

Legacy (Non Active) Networking
• Applications and Network Oblivious of One-another

Active Networking
• Tighter Integration of Full System
• Applications Decoupled From the Legacy Infrastructure

Figure: Network and Applications as separate layers (legacy) versus Network and Applications integrated (active)

Performance Is No Longer Measured by How Fast Meaningless Bits Are Pumped Across at the Network Level


Model Versus Data Tradeoff

Suppose we want to estimate the complexity of a string of alternating 1's and 0's.

Figure: the model is the set {128 bit strings}, 2^128 = 3.4 x 10^38 of them, listed as 000...000, 000...001, 000...010, 000...011, ..., 111...101, 111...110, 111...111 (dial between D|H and E)

Small model, lots of data -- most irrelevant in identifying target pattern -- poor complexity estimate


Model Versus Data

Suppose we want to estimate the complexity of a string of alternating 1's and 0's.

Figure: the model is the set {128 bit strings with 64 1s}, C(128,64), about 2.4 x 10^37 of them, listed as 1111...0000, 1100...1100, 1001...1001, ..., 1010...1010 (dial between D|H and E)

Slightly larger model, less data -- better complexity estimate


Minimum Description Length

Figure: K(x) plotted against Data Size and Model Size (Sophistication); the model is the set {128 bit strings alternating 1 and 0}, 2 of them, listed as 1010...0101 (dial between D|H and E)

Slightly larger model, small amount of data -- good complexity estimate
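The three slides above walk one string through three models without showing the arithmetic. The Python below is an added example, not code from the slides, that computes the two-part description length for each of the three sets: the model term is the character count of a constructed enumerator program at an assumed 8 bits per character, and the data term is log2 of the set size, the bits needed to pick the alternating string out of the set. The enumerators are run at a small n to confirm the set sizes the slides quote (2^n, C(n, n/2) and 2) before the lengths are computed at n = 128.

```python
"""Model-versus-data tradeoff for the 128-bit alternating string (MDL).

Added example, not from the slides. A string x is described in two parts:
a model (a short program enumerating a set S that contains x) and data
(the index of x within S, log2 |S| bits). The model texts below are
constructed enumerators; their length at 8 bits/character is charged as
the model size (an assumption of this example). Each enumerator is also
written out as a function so the set sizes can be checked for small n.
"""
import math
from itertools import product

N = 128
X = "01" * (N // 2)           # the string whose complexity we estimate


def enum_all(n):
    return ("".join(b) for b in product("01", repeat=n))


def enum_balanced(n):
    return (s for s in enum_all(n) if s.count("1") == n // 2)


def enum_alternating(n):
    return iter(("01" * (n // 2), "10" * (n // 2)))


# (name, model text whose length is charged, enumerator, |S| as a function of n)
MODELS = [
    ("all n-bit strings",
     "product('01',repeat=n)", enum_all, lambda n: 2 ** n),
    ("n-bit strings with n/2 ones",
     "(s for s in product('01',repeat=n) if s.count('1')==n//2)",
     enum_balanced, lambda n: math.comb(n, n // 2)),
    ("n-bit strings alternating 1 and 0",
     "('01'*(n//2),'10'*(n//2))", enum_alternating, lambda n: 2),
]


def model_bits(text: str) -> int:
    return 8 * len(text)                 # assumption: 8 bits per character


def data_bits(size: int) -> float:
    return math.log2(size)               # bits to select x out of S


def two_part_lengths(n: int = N):
    """{model name: (model_bits, data_bits, total)} for the n-bit alternating string."""
    out = {}
    for name, text, _enum, size_of in MODELS:
        m, d = model_bits(text), data_bits(size_of(n))
        out[name] = (m, d, m + d)
    return out


def mdl_choice(n: int = N) -> str:
    """The model with the smallest total description length."""
    lengths = two_part_lengths(n)
    return min(lengths, key=lambda k: lengths[k][2])


def check_set_sizes(n: int = 8) -> bool:
    """Brute-force check at small n: each enumerator yields |S| strings, all containing x."""
    x = "01" * (n // 2)
    ok = True
    for _name, _text, enum, size_of in MODELS:
        members = list(enum(n))
        ok = ok and len(members) == size_of(n) and x in members
    return ok


if __name__ == "__main__":
    for name, (m, d, total) in two_part_lengths().items():
        print(f"{name:36s} model {m:4d} + data {d:7.2f} = {total:7.2f} bits")
    print("MDL choice:", mdl_choice())
```

The data term falls from 128 bits to about 124.2 bits to 1 bit across the three sets, which is the progression the slides draw. Whether the middle hypothesis pays for itself on the total depends on how its enumerator is written; with the constructed texts here it does not, because the balanced-strings enumerator is the longest of the three, while the alternating-strings model wins on the total by a wide margin either way.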


Thoughts on the Future of Active Networks…

• Change Is Inevitable -- Active Networking Is Still in Its Infancy
• Excellent Experimental Platform for Developing Protocols
• Active Concepts Rising in Demand by Developers and Customers
• Internet Becoming Too Complex to Hard-wire All User Customizations Into the Network
• When Physical Limit on Bit Transfer Rate Reached, a Re-thinking of Computation Versus Communication (i.e. Active Networking) Will Occur (a la ad-hoc networking now)

THE END (Bibliography and Appendices Follow…)


Additional Information

Proceedings of the 2002 DARPA Active Networks Conference and Exposition (DANCE 2002). IEEE Computer Society Press. pp. 534-553, ISBN 0-7695-1564-9. May 29-30, 2002. San Francisco, California, USA

www.research.ge.com/~bushsf/ftn


Bibliography I

Ken Calvert ed., Active Network Framework, Active Network Working Group Version 1.0, July 27, 1999, http://www.cc.gatech.edu/projects/canes/papers/arch-1-0.ps.gz.

Alexander et al., Active Network Encapsulation Protocol, July 1997, http://www.cis.upenn.edu/switchware/ANEP.

Peterson, Larry ed., NodeOS Interface Specification. Active Network Working Group, January 24, 2000, http://www.cs.princeton.edu/nsg/papers/nodeos.ps.

Zegura, Ellen ed., Composable Services for Active Networks. AN Composable Services Working Group September 1998, http://www.cc.gatech.edu/projects/canes/papers/cs-draft0-3.ps.gz.

M. Hicks, P. Kakkar, T. Moore, C. Gunter, and S. Nettles, PLAN: A Programming Language for Active Networks. International Conference on Functional Programming (ICFP’98), 1998.

Bush, Stephen F., Kulkarni, Amit B., Active Networks and Active Network Management: A Proactive Management Framework. Kluwer Academic/Plenum Publishers, New York, Boston, Dordrecht, London, Moscow, 2001, 196 pp. Hardbound, ISBN 0-306-46560-4


Bibliography II

S. da Silva, D. Florissi and Y. Yemini, Composing Active Services in NetScript. DARPA Active Networks Workshop, Tucson AZ, March 1998.

S. Bhattacharjee, K. Calvert, and E. Zegura. Reasoning about active network protocols. In IEEE ICNP'98, Austin, TX, October 1998.

Livio Ricciulli, Anetd: Active NETworks Daemon. September 2, 1998.

David J. Wetherall, John V. Guttag and David L. Tennenhouse. ANTS: A Toolkit for Building and Dynamically Deploying Network Protocols. Submitted to IEEE OPENARCH 1998, April 1998.

A. B. Kulkarni and G. J. Minden and R. Hill and Y. Wijata and S. Sheth and H. Pindi and F. Wahhab and A. Gopinath and A. Nagarajan. Implementation of a Prototype Active Network. IEEE OPENARCH 1998, April 1998.


Bibliography III

Stephen F. Bush. Active Virtual Network Management Prediction. Proceedings of the Conference on Parallel and Discrete Event Simulation (PADS) 1999, Atlanta, GA. April 1999.

Stephen F. Bush. Active Virtual Network Management Prediction. Virtual Worlds (VWSIM) 2000, San Diego, CA. Jan 2000.

Bhattacharjee, Calvert, Zegura. Self-Organizing Wide-Area Network Caches, Proceeding of IEEE INFOCOM, 1998.

Li-wei H. Lehman, Stephen J. Garland, and David L. Tennenhouse. Active Reliable Multicast, Proceeding of IEEE INFOCOM, 1998.

Wetherall, David. Active Network Vision and reality: lessons from a capsule-based system. 17th ACM Symposium on Operating Systems Principles.


Appendix A

Active Packet Details


Active Network Application Packet Programming

• Packet Class Definition Base Class*
• Extend KU_SmartPackets_V2 or ReliableCommFW
• Active Packets Must Be Serializable
• Class Definitions Sent Before Packets Are Transmitted (Can Cause Delay Upon First Packet Transmission)

public class AA_Packet_Base extends magician.Node.KU_SmartPacket_V2
        implements java.io.Serializable {
    ...

* The Magician EE is freely available as part of Atropos library in http://Atropos.sourceforge.net/download.html


Application Base Class

...
// Serialize the packet: describe the AtroposBase fields first, then the default object state.
private void writeObject(ObjectOutputStream out) throws IOException {
    try {
        Field[] comps = Class.forName("Atropos.java.lp.AtroposBase").getDeclaredFields();
        describeComponents(comps, out);
    } catch (ClassNotFoundException e) {
        e.printStackTrace();
    }
    out.defaultWriteObject();
}

Extend AA_Packet_Base For Your Active Application


Programming the Packet

• Extend Base Class From Previous Slide
• exec() Method Overridden With Code to Be Executed

public class AA_Packet extends AA_Packet_Base {
    ...
    public void exec() {
        ...
    }
}


Example: Active Ping

public void exec() {
    String NodeName = GetNodeName();
    // First pass at the source: remember when the ping left.
    if (NodeName.equals(Source_Address) && !hasPinged)
        sendTime = System.currentTimeMillis();
    if (NodeName.equals(Destination_Address)) {
        if (hasPinged) {
            // Back at the original source: report the round trip time and stop.
            rtt = System.currentTimeMillis();
            rtt = rtt - sendTime;
            System.out.println("SmartPingV2: Round trip time = " + rtt + " ms");
            halt();
        } else {
            // At the destination: swap the addresses so the node forwards the packet home.
            hasPinged = true;
            Destination_Address = Source_Address;
            Source_Address = NodeName;
        }
    }
}


Example: Active Ping Spatial View

Figure: the packet travels from Source (node A) to Destination (node B) and is forwarded back to A.
At A, first pass:
    if (NodeName.equals(Source_Address) && !hasPinged)
        sendTime = System.currentTimeMillis();
At B:
    hasPinged = true; Destination_Address = Source_Address; Source_Address = NodeName;
At A, return pass:
    rtt = System.currentTimeMillis(); rtt = rtt - sendTime;
    System.out.println("SmartPingV2: Round trip time = " + rtt + " ms"); halt();

What part of the code tells the packet to travel to the Destination? How does the returning packet "interact" with the initial packet?


SmallState: Leaving State Behind

import magician.Node.*;
...
if (NodeName.equals(Destination_Address)) {
    // Retrieve a SmallState object: the queue "rQ" that earlier packets left at this node.
    try {
        o = (Object) ActiveNodeManager.GetGlobalState("rQ");
        rQ = (AtroposQueue) o;
    } catch (NullPointerException e) {
        error = 1;
        System.out.println("AtroposPacket rQ does not exist");
    } catch (NoSuchElementException e) {
        error = 2;
        System.out.println("AtroposPacket rQ is empty");
    }
    // Leave state behind: add this packet to the queue and store it back at the node.
    if (error == 0 || error == 2) {
        rQ.add((AtroposPacket) this);
        ActiveNodeManager.SetGlobalState("rQ", rQ);
    }
    halt();
}
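The Active Ping slides end with two questions (what moves the packet to the Destination, and how the returning packet interacts with the initial one) that the Java fragments alone cannot answer, because the forwarding happens in the node, not in exec(). The following Python is an added example, not Magician EE code, that re-creates the ping and the SmallState hand-off inside a tiny in-process model of active nodes. The Node class, the shared simulated clock, the A-R-B topology, the 10 ms link latency and the breadth-first forwarding are constructed for the example; the exec() logic and the rQ error codes follow the slides.

```python
"""Simulated execution of the Active Ping (slides 71-72) and the SmallState
hand-off (slides 73-74) on a small in-process model of active nodes.

Added example; none of this is Magician EE code. Node, Clock, the topology,
the latency and next_hop() are constructed. As on the slides, exec() runs at
every node the packet visits, the packet's own fields are the only state that
travels with it, and the node (not the packet) picks the next hop from
Destination_Address.
"""
from collections import deque


class Clock:
    """Simulated millisecond clock shared by all nodes (constructed)."""
    def __init__(self):
        self.now = 0


class Node:
    def __init__(self, name, clock):
        self.name = name
        self.clock = clock
        self.global_state = {}    # stands in for ActiveNodeManager Get/SetGlobalState
        self.log = []


class ActivePing:
    """Python rendering of the slide-71 exec() logic."""
    def __init__(self, source, destination):
        self.source_address = source
        self.destination_address = destination
        self.has_pinged = False
        self.send_time = None
        self.rtt = None
        self.halted = False

    def exec(self, node):
        name = node.name
        if name == self.source_address and not self.has_pinged:
            self.send_time = node.clock.now          # first pass at the source
        if name == self.destination_address:
            if self.has_pinged:                       # back at the original source
                self.rtt = node.clock.now - self.send_time
                node.log.append(f"SmartPingV2: Round trip time = {self.rtt} ms")
                # slide 74: leave the result behind in the node's SmallState "rQ"
                node.global_state.setdefault("rQ", []).append(self)
                self.halted = True
            else:                                     # at the destination: turn around
                self.has_pinged = True
                self.destination_address = self.source_address
                self.source_address = name


def next_hop(links, current, destination):
    """Breadth-first next hop: this is the node's forwarding, not packet code."""
    seen, queue = {current}, deque([(current, None)])
    while queue:
        here, first = queue.popleft()
        if here == destination:
            return first
        for n in links[here]:
            if n not in seen:
                seen.add(n)
                queue.append((n, first or n))
    raise ValueError(f"no route from {current} to {destination}")


def run(packet, nodes, links, latency_ms=10, max_hops=16):
    """Deliver the packet hop by hop, executing it at every node it visits."""
    at = packet.source_address
    trace = [at]
    for _ in range(max_hops):
        packet.exec(nodes[at])
        if packet.halted:
            return trace
        at = next_hop(links, at, packet.destination_address)
        nodes[at].clock.now += latency_ms
        trace.append(at)
    raise RuntimeError("packet did not halt within max_hops")


def read_small_state(node, key):
    """Slide-73 retrieval with its error codes: 0 ok, 1 does not exist, 2 empty."""
    if key not in node.global_state:
        return 1, None
    value = node.global_state[key]
    return (2 if not value else 0), value


def demo():
    clock = Clock()
    links = {"A": ["R"], "R": ["A", "B"], "B": ["R"]}   # constructed topology A-R-B
    nodes = {n: Node(n, clock) for n in links}
    ping = ActivePing("A", "B")
    trace = run(ping, nodes, links)
    return trace, ping.rtt, read_small_state(nodes["A"], "rQ")[0], read_small_state(nodes["B"], "rQ")[0]


if __name__ == "__main__":
    print(demo())     # (['A', 'R', 'B', 'R', 'A'], 40, 0, 1)
```

Nothing in exec() moves the packet: it only rewrites Destination_Address, and the node's forwarding (next_hop here) carries it there. The "returning packet" is the same object as the initial one, so has_pinged and send_time are simply its own fields read on a later visit; only what is written to global_state survives at a node after halt().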


Active Packet Example Code

// Retrieve List of Adjacent Nodes
String NextNode;
for (Enumeration e = ActiveNodeManager.getNeighbors().elements(); e.hasMoreElements(); ) {
    NextNode = (String) e.nextElement();
    if (NextNode.equals(getSourceAddress())) {
        continue;   // never send back toward the node this packet came from
    }
    if (!isInOthers(NextNode, "snmp_others")) {
        // Send App to Next Neighboring Node (only nodes not already covered)
        InjectSnmp app = new InjectSnmp(NextNode);
        app.redundant = false;
        app.addresses = getOtherAtropos("snmp_others");
        app.Destination_Address = NextNode;
        app.SendForProcessing(NextNode);
    }
}


Appendix B

Active In-line Prediction Application


Injecting a Model into the Net (Self Prediction)

Goal: Active Virtual Network Management Prediction

Figure: the Actual System at time t feeds a Distributed Model Prediction Capability within/among Systems at time t+Lookahead. Deployment: best use of space and time. The Real System (links L-1, L-2, L-3, L-4; active nodes AN-1, AN-4, AN-5) is mirrored by a Virtual System on the same nodes, into which a DP and LPs (logical processes) are injected.


Properties

Active Virtual Network Management Prediction (Atropos) is asynchronous
• One input queue for each Logical Process
• No restriction on the order in which messages are sent
• Virtual time is the simulation time as seen by individual processes
• Processes need not wait until they can safely process the next input message
• False messages cause a process to go backwards in simulation time
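The properties listed above are those of an optimistic (Time Warp style) logical process. The Python below is an added example, not Atropos/AVNMP code, showing one such LP: it has a single input queue, applies every message as soon as it arrives instead of waiting for a safe time, and when a message stamped earlier than its local virtual time shows up it goes backwards, restoring the state saved before that time and re-applying the later messages. The state (a predicted queue length per link that cannot drop below zero) and the (timestamp, link, delta) message shape are constructed for the example; the link names follow the slide-77 figure.

```python
"""Optimistic logical process (LP) with rollback, as in the slide-78 properties.

Added example; not Atropos/AVNMP code. Messages may arrive in any order; the LP
applies them immediately and rolls back when a straggler (timestamp below its
local virtual time) arrives. State, message shape and sample arrivals are
constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Message:
    timestamp: int   # virtual time at which the message takes effect
    link: str        # which link's predicted queue it changes
    delta: int       # change in predicted queue length


class LogicalProcess:
    def __init__(self):
        self.lvt = 0                  # local virtual time
        self.state = {}               # link -> predicted queue length (never below 0)
        self.processed = []           # messages applied, in virtual-time order
        self.history = [(0, {})]      # (lvt, state snapshot) saved for rollback
        self.rollbacks = 0

    def receive(self, msg):
        """Apply msg now; if it is a straggler, roll back first and redo later work."""
        redo = []
        if msg.timestamp < self.lvt:
            redo = self._rollback(msg.timestamp)
        for m in sorted([msg] + redo, key=lambda m: (m.timestamp, m.link)):
            self._apply(m)

    def _apply(self, msg):
        self.state[msg.link] = max(0, self.state.get(msg.link, 0) + msg.delta)
        self.lvt = msg.timestamp
        self.processed.append(msg)
        self.history.append((self.lvt, dict(self.state)))

    def _rollback(self, to_time):
        """Return to the last snapshot strictly before to_time; hand back undone messages."""
        self.rollbacks += 1
        while len(self.history) > 1 and self.history[-1][0] >= to_time:
            self.history.pop()
        self.lvt, snapshot = self.history[-1]
        self.state = dict(snapshot)
        undone = [m for m in self.processed if m.timestamp >= to_time]
        self.processed = [m for m in self.processed if m.timestamp < to_time]
        return undone


# Constructed arrival order: three in-order messages, then a straggler stamped t=15.
ARRIVALS = [
    Message(10, "L-1", +3),
    Message(20, "L-1", +2),
    Message(30, "L-2", +1),
    Message(15, "L-1", -4),
]


def optimistic_run(arrivals=ARRIVALS):
    lp = LogicalProcess()
    for m in arrivals:
        lp.receive(m)
    return lp


def arrival_order_run(arrivals=ARRIVALS):
    """What a process that simply applies messages as they arrive would compute."""
    state = {}
    for m in arrivals:
        state[m.link] = max(0, state.get(m.link, 0) + m.delta)
    return state


if __name__ == "__main__":
    lp = optimistic_run()
    print("optimistic:", lp.state, "rollbacks:", lp.rollbacks,
          "order:", [m.timestamp for m in lp.processed])
    print("arrival order only:", arrival_order_run())
```

Because the queue length is clamped at zero, the order of application matters: applied as they arrive, the four messages give L-1 = 1, whereas the rolled-back LP ends at L-1 = 2, the same answer a process that had waited for all messages and sorted them would reach. Each saved snapshot is what a rollback costs in memory, which is the price the slides' "processes need not wait" property is paid with.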


Accuracy-Performance Tradeoff

Experiment involved demanding more accuracy over time by reducing the error between predicted and actual values, however ... this required more out-of-tolerance messages ... the tradeoff was loss in Look-ahead ... and loss in speedup.

Figure: four plots over time -- Prediction Error, Out of Tolerance Messages, Look-ahead, Speedup


Tangled Hierarchy Caused by Self Prediction

• Tangled Hierarchy
  • Virtual Time/real Time
  • Real Process/logical Process
• Simulation of Atropos Predictive Management System
  • Predictive Management System Uses Simulation (Lookahead)
  • Predictive SNMP Manager Uses Atropos to Optimize Polling of Atropos
• Experimental Validation
  • Predictive Network Management System Managing a Predictive Mobile Network


Cyclic Self-Prediction Refinement

Prediction ends when preset look ahead is reached. Previous predictions are refined as time progresses.


Self Prediction: Experimental Validation of KC (estimated) and Error (E) given Hypotheses (H_n)

Inverse relationship between compression ratio and prediction error ... however complexity and error are directly related

Figure: Error (pkts) and Tolerance plotted against compression ratio (CR) for each hypothesis H_n


Validating Hypotheses for Complex Systems (MDL)

Figure: a Complex System produces Data (D); a Hypothesis (H) explains it with some Error (E).

Step 1. Collect Data Samples
Step 2. Form Hypothesis
Step 3. Validate Hypothesis (Prediction): Min{K(H) + K(E|H)} given the data (D)

-- Simple Illustration --
• Correlate Gene Function to Planetary Alignment: Small H, but a Large E
• "Correct" Planetary Alignment Algorithm to Predict Gene Function: Small E, but much larger H
• The True Hypothesis Describing Gene Function: Smallest Sum of H and E
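The three steps above, and the slide-82 observation that prediction error and compressed size move together, can be carried through on a constructed traffic series. The Python below is an added example, not from the slides or from Atropos, that forms three hypotheses for a series of packet counts (constant, linear trend, linear trend plus a period-8 pattern), fits each one exactly with rational arithmetic, and validates them with Min{K(H) + K(E|H)}: K(H) is charged at an assumed 16 bits per fitted parameter, and K(E|H) is the length of the rounded residuals under a simple universal integer code (Elias-gamma length of |r|+1 plus a sign bit). The series, the period, the parameter cost and the residual code are all assumptions of this example.

```python
"""Hypothesis validation by Min{K(H) + K(E|H)} on a constructed traffic series.

Added example, not from the slides. Three hypotheses H_n are fitted to the
data D and scored: K(H) = parameters * BITS_PER_PARAM (assumption),
K(E|H) = sum over samples of a universal-code length for the integer
residual. The series, period and costs are constructed for the example.
"""
from fractions import Fraction

T = 64
PERIOD = 8
PATTERN = [0, 9, 2, 11, 11, 2, 9, 0]                       # constructed periodic load
DATA = [20 + t + PATTERN[t % PERIOD] for t in range(T)]    # constructed: trend + pattern
BITS_PER_PARAM = 16                                        # assumed cost of one parameter


def residual_bits(r: int) -> int:
    """Elias-gamma length of |r|+1 (2*floor(log2 k)+1 bits) plus one sign bit."""
    k = abs(r) + 1
    return 2 * (k.bit_length() - 1) + 2


def fit_constant(y):
    mean = Fraction(sum(y), len(y))
    return 1, lambda t: mean


def fit_linear(y):
    """Exact least-squares line a + b*t in rational arithmetic."""
    n = len(y)
    tbar, ybar = Fraction(sum(range(n)), n), Fraction(sum(y), n)
    sxy = sum((t - tbar) * (y[t] - ybar) for t in range(n))
    sxx = sum((t - tbar) ** 2 for t in range(n))
    b = sxy / sxx
    a = ybar - b * tbar
    return 2, lambda t: a + b * t


def fit_periodic(y, period=PERIOD):
    """Linear trend plus a per-phase mean of what the trend leaves over."""
    _, trend = fit_linear(y)
    phase = []
    for i in range(period):
        vals = [y[t] - trend(t) for t in range(i, len(y), period)]
        phase.append(sum(vals) / len(vals))
    return 2 + period, lambda t: trend(t) + phase[t % period]


HYPOTHESES = {
    "constant": fit_constant,
    "linear trend": fit_linear,
    "trend + period-8 pattern": fit_periodic,
}


def description_length(name, y):
    """(K(H), K(E|H), total) in bits for hypothesis `name` on data y."""
    params, predict = HYPOTHESES[name](y)
    residuals = [y[t] - round(predict(t)) for t in range(len(y))]
    k_h = params * BITS_PER_PARAM
    k_e_given_h = sum(residual_bits(r) for r in residuals)
    return k_h, k_e_given_h, k_h + k_e_given_h


def validate(y=DATA):
    """Step 3: the hypothesis with the smallest K(H) + K(E|H), plus the full table."""
    table = {name: description_length(name, y) for name in HYPOTHESES}
    return min(table, key=lambda n: table[n][2]), table


if __name__ == "__main__":
    best, table = validate()
    for name, (k_h, k_e, total) in table.items():
        print(f"{name:26s} K(H)={k_h:4d}  K(E|H)={k_e:4d}  sum={total:4d}")
    print("MDL choice:", best)
```

The constant model is the slide's "small H, large E" case, the true model has the largest H of the three yet the smallest sum, and the linear trend sits between them. Because the residual code charges more bits for larger errors, K(E|H) here is the quantity that the compression ratio of slide 82 approximates: a hypothesis that predicts well leaves residuals that cost almost nothing to describe.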


Appendix C

Kolmogorov Complexity and Information Assurance


Complexity Estimation


Context of Complexity for Vulnerability Analysis

Figure: labelled Evaluate and Detect