D. Wetherall, “Active Network Vision and Reality: Lessons from a Capsule-Based System,” 17th Symposium on Operating Systems Principles, (December 1999). [PDF]
Summary
Active networks were a radical concept of allowing untrusted sources to execute codes on network operators’ hardware to allow faster and easier deployment of diverse distributed applications. Consequently, it also ran the risk of security violations on multiple levels, which essentially dissuaded most people – specially network operators or ISPs – to actually deploy it. Over time, the proponents of active networks had to make some compromise to increase its security and viability. This paper addresses different issues in three areas of active networks based on the authors’ experience of using ANTS, an experimental active networks implementation.
Active Networks (ANTS) Overview
Active networks consists of active nodes, which are basically programmable routers and can execute active codes carried around in capsules based on a type field. To develop a new service, the first step is to write a new set of forwarding routines implementing the desired behavior using a subset of Java (16KB max code size). The ANTS toolkit provides a core set of APIs that restricts what sort of routines can be developed. Once the code is written, it is signed and put up on a directory service. Anyone, who wants to use that service, can lookup the directory, fetch the code and register the service with the local active node. Once the local node calculates the types it is expected to find in capsules for that particular service and disseminate the code throughout the network (through caching and lazy dissemination), the service is ready to go. Capsule processing is pretty straightforward once the code is distributed: after reception, capsules are first demultiplexed using their type field to find references to code, which are then securely executed inside sandboxes, and the process goes on till capsules reach their destinations. There are additional mechanisms such as TTL, fingerprints etc. to provide security at the cost of performance.
Practicality of Active Networks
The authors argue that practical implementation and deployment of active networks hinge on the feasibility of using capsules, the openness of the framework regarding who can introduce new services, and the flexibility of the framework in respect to possible new applications.
- While capsules provide a more secure way of code dissemination (using fingerprints) and can be performance optimized (by carrying references to code instead of carrying the actual code, using caching), there is still a performance tradeoff. The authors argue that performance overhead of using capsules is minimal and can be contributed mostly to the use of Java.
- Making active networks more open attracts security risks in terms of protection against attacks as well as from global and local resource management perspective. To mitigate threats, the authors propose using (hierarchical) fingerprinting, restricted API, and strict isolation between different services’ codes. To avoid resource management threats, the authors propose partial solutions using TTL, restricted API, and eventually fall back to using trusted authority provided digital signature.
- Finally, this paper argues that the biggest gain of active networks is not some “killer app”, rather the flexibility it provides to gradually change things over time. Five different applications are reported to be implemented using active networks methodologies. The authors postulate that successful active network app must be: expressible using the available API, compact and fast, and incrementally deployable.
Comments
This paper does an excellent job in summarizing the active networks landscape as well as providing a overview of the challenges that exist toward its realization, complimented by solution hints. Active and programmable networks were one of the very few really awesome networking concepts that could do a lot in changing the research and commercial landscape. Unfortunately, at that time the available hardware were not fast nor programmable enough. In addition, there was and still is a lot of skepticism and prejudice among network operators regarding opening up their networks to untrusted sources.
However, in last couple of years, network virtualization has emerged as the solution for a secure, flexible, and extensible future networking platform that combines the programmability of active and programmable networks with concepts of overlay networks and VPNs. The main reasons behind this is, first and most importantly, programmability nowadays is cheaper and faster (with the wide-spread use of FPGAs and/or network processors) and secondly, using so-called “safe” hardware or execution environments do not take as much performance hit as they used to a decade ago.
To conclude, active network was too futuristic for its time and no one is still completely sure whether its time has come yet!