open programmable architecture for java-enabled network devices
DESCRIPTION
Programmable Network Devices. Openly Programmable devices enable new types of intelligence on the network. Changing the Rules of the Game. The Web Changed Everything -Browsers:Introducing JVM to browsers allowed dynamic loading of Java Applets to end stations -Routers:Introducing JVM to routers allows dynamic loading of Java Oplets to routersTRANSCRIPT
9/29/99 1Santa Clara University
Open Programmable Architecturefor Java-enabled Network Devices
Tal LavianTechnology CenterNortel Networks
9/29/99 2Santa Clara University
Programmable Network Devices
Openly Programmable devices enable
new types of intell igence on the network
9/29/99 3Santa Clara University
Agenda
• Local Computation
• New types of applications
• Architecture
• API’s
• Summary
9/29/99 4Santa Clara University
Changing the Rules of the Game
• Move Turing Machine onto device—Add local intelligence to network
devices
while (true) {doLocalProcessingOnDevice()
}
9/29/99 5Santa Clara University
Technology Concept
Reversed Applet
non-bundled applicationServer
Web Server Web Browser
Applet
The JVM is in the Browser
Download applications for local processingDownload applications for local processing
9/29/99 6Santa Clara University
The Web Changed Everything
• Browsers—Introducing JVM to
browsers allowed dynamic loading of Java Applets to end stations
• Routers—Introducing JVM to routers
allows dynamic loading of Java Oplets to routers
This Capability WILL Change Everything
9/29/99 7Santa Clara University
—JVM on a silicon-based Routing Switch
—ORE - Oplet Run-time Environment
—Java-enabled Device Architecture
—Java SNMP MIB API
—Implementation of Network Forwarding API
—All of this enables implementation of Dynamic Classification in Silicon-Based Forwarding
Accomplishments
9/29/99 8Santa Clara University
Paradigm Shift
• Supports distr ibuted computing applications in which network devices part icipate— router to router— server to router
• Supports Intel l igent Agents
• Supports Mobile AgentsJava-basedApplication
Java-basedApplication
Java-basedApplication
9/29/99 9Santa Clara University
Network Device
Dynamicloading
Example: Downloading IntelligenceExample: Downloading Intelligence
HWOS
JVM
React
MonitorA
uthe
ntic
atio
n
Sec
urity
Intelligenceapplication
9/29/99 10Santa Clara University
Security and Stabil ity
• secure download of Java Applications
• safe execution environment—insulate core router applications from dynamically
loaded applications
9/29/99 11Santa Clara University
Device-based Intell igence
• Static-vs-Dynamic Agents—Static
– SNMP set/get mechanisms – Telnet, User Interfaces (cli, web, etc…)
—Dynamic closed-loop interaction on nodes– capable of dealing with new and difficult situations – autonomous and rational properties. – dynamically system monitoring & modification – report status and trends
9/29/99 12Santa Clara University
Agenda
• Local Computation
• New types of applications
• Architecture
• API’s
• Summary
9/29/99 13Santa Clara University
New Types of Applications
• Mobile Agents
• Local Intell igence for NMS
• Collaboration among routers
• Router & Server Collaboration
• E-commerce
9/29/99 14Santa Clara University
Mobile Agents
• Intrusion Detection - Hacker Chaser
• Trace-route for Layer 2
• Mobile Connectivity Mapper
9/29/99 15Santa Clara University
Local Intell igence for NMS:Diagnostic Agents
• Download Intel l igent Agent monitor from NMS to the device.
• Wait for threshold.• Might be complex conditions• Trend analysis
• Send “condition exceeded” event to NMS.
• Automatic download appropriate application
• Application takes action.
Monitor
AppropriateApplication
Download
Download
Complex Condition Exceeded
NMS
No more polling
router
Extensive access to internal resources
9/29/99 16Santa Clara University
Application Layer Collaboration Among Routers and Servers
• Application aware routing
• Server farm load balancing— server state monitored— rerouting based on congestion/load
• Auctioning Applications
9/29/99 17Santa Clara University
Applications Aware Forwarding
Business logic based operation changes
• Resize forwarding queues
• Modify congestion control algorithm
• Adjust Packet Scheduling
• Change routing table
9/29/99 18Santa Clara University
Agenda
• Local Computation
• New type of applications
• Architecture
• API’s
• Summary
9/29/99 19Santa Clara University
ORE - Oplet Run-time Environment
Service A
JVM
ORE
Service B
Oplet 1
Service C
Oplet 2
Why ORE?
9/29/99 20Santa Clara University
Node Architecture Node Architecture
Device HWOperating System
JVM
Oplet
C/C++API
JavaAPI
DeviceCode
Oplet Runtime Env
DeviceDrivers
JNIJF
WD
AP
I
ORE Service
Download
9/29/99 21Santa Clara University
Architecture Issues
• Green Threads -vs- Native Threads —Native threads:
– provides non-interference between Java applications
– difficult thread-to-thread communication and sharing of data between threads
– creates a dependency on underlying RTOS
– multiple JVM instances consume resources
—Green Threads– single JVM must manage CPU & memory
resources between concurrently running threads
9/29/99 22Santa Clara University
Evolution of Router Architecture
Line cardLine card(forwarding (forwarding
buffering)buffering)
Line cardLine card(forwarding (forwarding
buffering)buffering)
Lin
e c
ard
Lin
e c
ard
(fo
rwa
rdin
g
(fo
rwa
rdin
g
bu
ffe
rin
g)
bu
ffe
rin
g)
Lin
e c
ard
Lin
e c
ard
(fo
rwa
rdin
g
(fo
rwa
rdin
g
bu
ffe
rin
g)
bu
ffe
rin
g)
CPUCPU BufferBuffermemorymemory
Routing softwareRouting softwarew/ COTS OSw/ COTS OS
Routing softwareRouting softwarew/ COTS OSw/ COTS OS
NI
as
NI
as
lin
e c
ard
lin
e c
ard
NI
as
NI
as
lin
e c
ard
lin
e c
ard
NI
as
NI
as
lin
e c
ard
lin
e c
ard
......
RoutingRoutingCPUCPU
BufferBuffermemorymemory
Routing softwareRouting softwarew/ router OSw/ router OS
Routing softwareRouting softwarew/ router OSw/ router OS
Centralized, Centralized, CPU-based ModelCPU-based Model
Distributed, Distributed, line-card based Modelline-card based Model
Control + ForwardingControl + ForwardingFunctions combinedFunctions combined Control separatedControl separated
From forwardingFrom forwarding
Added scalability, Flexibility, extensibility
9/29/99 23Santa Clara University
Explicit Separation of Control Plane from Data Forwarding
ForwardingElement
ForwardingElement
ControlElement
ForwardingElement
ForwardingRoutin
g
SharedMemory
Packet Flow
Forwarding
Forwarding
Forwarding
Forwarding/Flow/filterTableDownloadCPU
Line Card
Traditional device
Line Card
9/29/99 24Santa Clara University
Separation of Control and Forwarding Planes
Centralized, Centralized, CPU-based RouterCPU-based Router
Forwarding-ProcessorsForwarding-Processors based Routerbased Router
Control + ForwardingControl + ForwardingFunctions combinedFunctions combined
Control separatedControl separatedFrom forwardingFrom forwarding
CPU
Routing SW
CPU
Control Plane
Forwarding Processor
Forwarding Processor
Forwarding Processor
Slow Wire Speed
9/29/99 25Santa Clara University
Open Networking Architecture
Network Services Protocol
Connect Transport Interface
Real-time OSNetwork Si
Network OS
Network Services Objects
Server Operating System
Un
ified p
olicy-b
ased m
anag
emen
t Forwardingelement
Controlelement
Applicationserver
Today
Networking Box Level Hardware
Proprietary NOS
Proprietary Apps
Custom Switch ASIC’s
Vertical Proprietary
Open
IP Telephony
VPN
Policy Server
Firewall
9/29/99 26Santa Clara University
Dynamic Configuration of Forwarding Dynamic Configuration of Forwarding Rules Rules
CPU
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
ForwardingRules
SW
HW
ForwardingRules
ForwardingRules
ForwardingRules
AN Apps
9/29/99 27Santa Clara University
Real-time forwarding Stats and Monitors Real-time forwarding Stats and Monitors
CPU
SW
HW
AN Apps
ForwardingProcessor
ForwardingRules
Statistics &Monitors
ForwardingProcessor
ForwardingRules
Statistics &Monitors
ForwardingProcessor
ForwardingRules
Statistics &Monitors
9/29/99 28Santa Clara University
Dynamic - On the Fly ConfigurationDynamic - On the Fly Configuration
ForwardingProcessor
ForwardingProcessor
Pac
ket
Policy
Filters
AN Apps
Packet
Pack
et Filte
r
9/29/99 29Santa Clara University
Active Networks Packet Active Networks Packet CaptureCapture
CPU
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
ForwardingProcessor
AN Apps
JFWD to Divert or Copy
Wire Speed
Pac
ket
9/29/99 30Santa Clara University
Scaling up Active Networks Routing Protocol to commercial networks
• Overcome the need to predefine the next hopOvercome the need to predefine the next hop
• No need to know AN topology a head of t ime
• Divert/CarbonCopy specif ic packets to control plane (e.g. packets on ANEP port )
• Wire speed of all other packets
• End to end forwarding
• Future: Active Networks Routing Protocols
9/29/99 31Santa Clara University
Mixed Topology of AN systemMixed Topology of AN system
- AN Node - Non AN Node
NO need to know the AN topology ahead of time
9/29/99 32Santa Clara University
Virtual Topology of AN systemVirtual Topology of AN system
- AN Node - Non AN Node
NO need to know the AN topology ahead of time
9/29/99 33Santa Clara University
Java Environment
• Green Threads -- Present RTOS with single unif ied task that includes:—Java VM (JVM)—Java Resource Manager (JRM)
– thread scheduling– manages CPU utilization
– JVM time-slice is managed by the JRM preemptive thread scheduler
– internal memory manager (intercepts “new”)
– garbage collection with priority based on available memory
9/29/99 34Santa Clara University
Non-Interference w/ Single JVM
• Multiple threads compete for resources—memory—CPU—persistent storage
• Denial-of-service attacks possible—memory or CPU consumption attacks —trusted/untrusted service interactions
9/29/99 35Santa Clara University
Why Java
• Reuse security mechanisms—byte-code verifier—security manager—classloader
• System stabil i ty —constrains applications to the JVM —Prohibits native code applications
• Extensible, portable, & distributable services
9/29/99 36Santa Clara University
But Java is slooowwwww
• Not appropriate in the fast-path data forwarding plane—forwarding is done by ASICs—packet processing not affected
• Java applications run on the CPU—Packets destined for Java
application are pushed into the control plane
9/29/99 37Santa Clara University
Strong Security in the new model
• The new concept is secure to add 3rd party code to network devices—Digital Signature—Administrative “Certified Optlet”—No access out of the JVM space —No pointers that can do harm —Access only to the published API—Verifier - only correct code can be loaded—Class loader access list—JVM has run time bounds, type, and execution
checking
9/29/99 38Santa Clara University
Old model Security (C/C++)
• Old model: Not safe to add 3rd party code—Dangerous, C/C++ Pointers
– Can touch sensitive memory location—Risk: Memory allocations and Free
– Allocation without freeing (leaks)– Free without allocation (core dump !!!! )
• Limited security in SNMP
9/29/99 39Santa Clara University
Agenda
• Openness
• Local Computation
• New types of applications
• Architecture
• API’s
• Summary
9/29/99 40Santa Clara University
An Open Service API Example
—SNMP API for Network Management– generated automatically– allows device-based applications to
query MIB– device-based application -- query
local MIB– report trends or significant events– initiate downloading of problem
specific diagnostic code – take corrective action
9/29/99 41Santa Clara University
MIB API Example
JavaVirtualMachine
SNMP PDU Layer
Instrumentation& AnnotationLayer
Real Time Operating System
Processor and other Hardware
Native Variable Interface
MIB Map
Abstract Variable Interface
Client API
Client Bean
•API uses a MIB Map to dispatch requests to variable access routines•Different parts of the MIB tree can be serviced by different mechanisms•Two main schemes:•An ad hoc interface to the SNMP instrumentation layer•A generic SNMP loopback
9/29/99 42Santa Clara University
Agenda
• Openness
• Local Computation
• New type of applications
• Architecture
• API’s
• Summary
9/29/99 43Santa Clara University
Summary• Programmable
—Turing Machine on network devices—dynamic agents vs. static agents—dynamic loading —strong security
• Openness - successfully proven paradigm —Facilitates innovation—Domain experts - virtual development community
• Enabling Technology for the Revolution
9/29/99 44Santa Clara University
This is only the first step
Compare to this first f l ight and look where aviation is today
1903 the Wright brothers