Graduate Networks, UCSD

CSE222 – Spring 2009

Active network vision and reality: lessons from a capsule-based system April 14, 2009

Salient points:

This paper packages the idea of Active Networks in a way that’s different from the then-existing line of thought. The following are the salient points:

  1. Active networks are not impractical, and can be built incrementally: This perhaps best describes the author’s message. His ideology has been to introduce processing along the route of a packet. He goes on to demonstrate that the capsule-based active network performs reasonably well, when compared to static routing in software. A real system ANTS has been built to reassure the critics of active network of its feasibility. Also, the active network can co-exist with the regular IP-network.
  2. Concept of capsules: These special packets introduce the element of processing in the active nodes along the network path. Capsule processing helps to ease the burden of point-wise updates from the network administrators, by dynamically changing the forwarding entries at active nodes based on the factors such as the current load on that route.
  3. Security aspects: Security of network carrying mobile code has often been cited as one of the challenges for active networks to gain acceptability in the Internet of today. The ANTS system allows any untrusted user to customize the network based on his requirements, but without compromising on security. This is achieved by the sandbox model of execution provided by the Java Virtual Machine. The system also relies on certification of capsule code by a trusted authority.

Potential problems:

One problem I see is that the overhead incurred because of the additional security mechanisms (be it certification of the capsule code by an authority, or the use of sandbox approach provided by JVM) could potentially increase when this is to be deployed on a large scale. The author does mention this, but claims that proof carrying code could solve the problem. He does not substantiate with results. Also, we need to keep in mind the extra traffic introduced by capsules.

Future:

The asymmetry introduced among the network nodes due to the presence of active nodes requires us to design a different routing algorithm. More research can be done on optimizing the routes so that each flow has to pass through a minimum number of active nodes in its lifetime. Also, we need to validate whether passing code by reference will hold advantage over passing by value.

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

Important:

Current router technology requires that router vendors implement new networking protocols before they can be deployed in a production environment. Routers must be taken out of service while their software is upgraded. Active networks provide a facility for the deployment of after-market routing technology. Deployed active network routers can distribute and interpret new router software dynamically.

Capsule-based active network technology allows deployment of new software over an operating network in an incremental fashion. The new software can be the result of local development or purchased from a software vendor. Incremental deployment allows new router software to be tested in a limited deployment before it is installed globally. Deployment of new software does not require taking routers offline for a software upgrade, as is required by current routers.

Problem:

Software based routers are quickly being replaced with hardware routers. Software based routers are too slow to keep up with the latest broadband networks. Operational high speed networks are based on hardware router technology.

Future:

Active network technology can be used in network testbeds for the evaluation of new network technologies.

Wireless networks tend to lag behind wired networks in speed and active networking technology may be appropriate in a wireless environment where speed is not a limitation. Low speed networks have the most to gain from improved routing capabilities and the ability to easily deploy the latest technology to remote routers has promise.

 

Active Network Vision and Reality: Lessons from a Capsule-based System April 14, 2009

The paper offers interesting insight into a technique for experimenting with new networking services/protocols using active networks. An active network is one where custom user code can be executed on each router or node through which the packet passes in order to make forwarding decisions etc. The authors describe their experiences and learning from designing and implementing the ANTS toolkit which is their model for programming/introducing new services on the active networks.

One of the primary contributions of their work is the formalization of how user code should be distributed to the routers/active nodes. The authors describe the value in passing around references to the code in each packet rather than the code itself and then distributing the code to the active node on demand and caching it locally. This reduces the overhead of distributing the custom user code to the active nodes. The notion of capsules encapsulated in IP packets is an interesting technique.

The second important contribution is the notion of protection that they achieve. The vision for active networks is to allow all users to customize processing of their traffic in the network. The authors describe how they try to achieve this goal but targeting robustness rather than fairness and by having a restrictive API with several clear constraints on the programming model itself. This has a lot of similarities to an operating system that wishes to offer time-shared services to a set of applications. The applications must be protected and isolated from each other while at the same time, the operating system needs to protect itself from the applications.

Another important contribution of their work is their recognition of the fact that active networks offer a suitable model for the internet to evolve incrementally. Some nodes in the network might be active nodes while other nodes might just be simple IP routers, so the services that can be implemented by this ‘hybrid’ network should not require each node to be an active node. Both active nodes and regular IP routers would coexist while active nodes might be incrementally deployed.

One of the points against the paper is that the techniques seem useful for experimentation, but the lower performance of software based routing would still be a challenge to widespread deployment and use in the internet. If the purpose of the idea is experimentation with new services and techniques, it would not offer sufficient incentive for everyone to deploy active nodes considering the relatively small fraction of researchers who would use the active networks relative to the large number of internet users.

From a research perspective, it would be useful to explore what are the kind of experimental services that can be built over active networks. Also, the notion of capsules in the active network model allows the source of traffic to indicate the processing that it wishes to have in the network. However it does not offer control to the receiver of the traffic. Extending the idea to provide control to the receiver or having a complementary protocol that can offer control to receivers would widely expand the sort of services and network protocols that can be experimented with.

 

Active network vision and reality: Lessons from a capsule-based system April 14, 2009

The paper discusses a way of providing a more flexible network layer while considering the performance and security concerns raised by the presence of mobile code in the network.

Three areas have been mentioned: capsule model of programmability, accessibility of this model to all users and applications that can be constructed in practice.

Active networks have been pursued in previous research but this paper differs in the approach taken. Traditionally, active network has been supported to provide extensibility to individual devices well beyond the currently supported devices. (e.g. active bridge, router plugins). These systems are good for task of imposing policy or functionality at a particular network location in the manner of a firewall or other edge device. But their applicability is limited because they are meant to be used by network administrators or other privileged users.

In another approach they have been used for control tasks rather than new data transfer. Some of the systems combine both these aspects (e.g. Netscript), but the problem with these approaches is the fact that they restrict either where a program is run or who can use them to be run. This limits their applicability.

ANTS proposes and belongs to a new class of system which does not a priori restrict who can program which nodes. It aims to allow each user to construct new data transfer services across the wide area network, such as routing for host mobility, through controlling the handling of their own packets within the network. ANTS proposes an aggressive “capsule-based” approach in which code is associated with the packets and they run at selected IP routers that are extensible. This approach is quite similar to two other systems, e.g. PAN, PLAN. It differs from these systems in that it provides security through the safety properties of Java bytecodes.

ANTS uses a capsule whose format is an extension to the IP packet format. It has an IP header, an ANTS-specific header, and higher layers. Depending upon the router, forwarding can be performed in a custom fashion or in the traditional fashion. If the node is conventional then it uses IP headers for forwarding. If the node is active then it uses the custom forwarding mechanism.

Security has been enforced by having an IETF-like authority to ensure that overall network resources are used in a reasonable fashion. ANTS further proposes to cache the code data based on the traffic patterns to remove the overhead. When the code needed to forward a capsule is not found in a cache, a request is sent to the previous active node that the capsule visited. A previous address header field is maintained by the active nodes for this purpose.

Once code is distributed, capsules are processed by demultiplexing using the type field associated with the forwarding routines. After that, the routine is executed within a sandbox. The sandbox prevents the corruption of nodes so that it does not affect the state of other services that are running concurrently. A capsule can affect the node behaviour only through the node API system calls.

ANTS can be deployed widely because it does not require all nodes to be active. It further provides the flexibility for being active for selective series but performing IP forwarding for other services. Paper supports the claim that ANTS provides a competitive mechanism wherever software-based routers are viable. In brief ANTS provides a clean means of upgrading processing along an entire network path. It further provides the flexibility that any untrusted user can freely customize. It introduces much variation of services and a valuable means for experimentation in the network.

 

Active Network Vision and Reality April 14, 2009

This paper discussed an early implementation of an active network and focused on building upon the ideas presented by others in an attempt to create a working prototype to prove the feasibility of the active network idea. The paper did a good job of evaluating the performance and pointing out the benefits and cost of deploying such a network and provided a working kit that could be used for further research and development. The three key ideas were:

1. The use of capsules to transmit code fragments provided for adequate performance within the network and the flexibility for any user to affect the way that their packets were handled within the network. This was key to meeting two of their design goals in minimizing central control over the network and providing extensibility to any user and to ensure that the proposed network was fast enough to be feasible.

2. Security is a critical concern for a network of this type and the authors readily admit that the capsule idea does not provide for adequate security from untrusted code without an outside-authority verification system. I feel that this is likely one of the key issues with a network of this type. It is simply not possible to secure it from all of the different types of manipulations that would likely be attempted at this time. However, this does give future research a starting point for experimenting with ways to secure such a network.

3. Any major change to the current Internet protocols must be incrementally and locally deployable or it is not likely that it will ever be adopted due to the cost involved. IPv6 is their primary example, and a good one. The system that they have designed would be difficult to put in place initially but very easy to upgrade and modify in the future.

The greatest weakness that I saw in the paper was the lack of ideas involving security of the active network. However, the authors did a good job discussing the issues involved and stating what difficulties they had encountered that prevented the implementation of a solid security protocol. This provides a good deal of information for someone to build on in an area that they were not able to solve.

Further research in this area is ongoing and it appears that it is going to become more necessary as the Internet scales to even greater size. There are several institutions working on a completely new design for the Internet in an attempt to deal with the scale, performance, and security concerns that are not adequately addressed by the current configuration or are expected to fail in the future. Some specific areas for research could especially focus on how to adequately secure a network of this type, something that the authors admit that they could not do.

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

The paper talks about the design, implementation and use of the ANTS active network toolkit for deployment of new network services using a capsule based approach. It also talks about the protection and security concerns raised by the presence of such mobile and untrusted code of new network services and provides measures taken in ANTS to counter them.

In the ANTS approach, the code is associated with packets in the form of a capsule and run at selected IP routers that are extensible. The programmable routers are referred to as active nodes. The capsules contain an ANTS specific header field which provides information at active nodes regarding the type of forwarding routine to use, the address of the previous node (in the event code is not cached) and the version information of the code. Also, ANTS provides a pool of APIs using which the application developers can code new services as has been discussed further in the paper. Several measures have been provided to preserve performance as is guaranteed by IP forwarding. The code size is limited to 16KB for rapid transfer between nodes, the active node sandbox builds directly on Java’s type-safety and security management framework and code distribution is managed by dynamic loading mechanisms. Also, the code is cached depending on traffic patterns and so code distribution is rarely needed. The paper talks about incremental deployment of ANTS where only certain nodes in strategic locations need to be active nodes. The author supports the feasibility of capsules by arguing that capsule code can be carried by reference and loaded on demand and the intrinsic overhead of capsule processing is low and adds little to the cost of IP forwarding if both are done in software.

The author provides a comparison of capsule processing with IP packet processing and notes that capsule decoding and encoding are the main cost contributors in the ANTS framework. The cost incurred by packet receive and transmit can be mitigated if ANTS is running in the kernel. The author argues that security concerns posed by running mobile code on shared resources are far more challenging than those of performance. The paper discusses some measures taken by ANTS for providing protection and resource management. Protection is provided by not allowing type changes by a capsule, use of fingerprint-based capsule types and guarding the state shared across services. The paper still accomplishes read and write sharing between different capsules using a hierarchical fingerprint scheme. ANTS provides resource management using node runtime bounds, TTL field decrement and placing a large number of objects in the soft-store. The author comments that any new service with the characteristics of expressibility, compactness, speed and readily deployable can be easily introduced in ANTS. The author also comments on the conformance of the ANTS framework with the end-to-end argument with the exception of encryption. The author concludes that the most compelling application of capsules is to evolve as network layer service evolution rather than migration of application code to locations within the network.

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

(i) Three most important things

1. There should be a flexible network layer so that users can construct new Internet services. The paper discusses the implementation of the ANTS active network toolkit and how the use of capsules as a competitive forwarding mechanism allows users to control the handling of their own packets in the network.

2. Performance should be addressed when increasing the flexibility of the network.

The paper determines that only capsule forwarding limits node performance in practice because code caching is effective so code distribution is rarely needed. Their thorough analysis of capsule forwarding shows that there are few complex processing steps required and the steps that incur more overhead could easily be in alternative designs.

3. Protection must be maintained even when flexibility has been increased. The paper determines there are only three kinds of threats that could result in capsules of one service being handled in an unintended manner: the node runtime may be corrupted by service code, service code distributed to an active node may be correct or spoofed, and the state cached at an active node on behalf of one service may be inadvertently manipulated by another service. The paper goes on to explain how ANTS addresses each of these threats.

(ii) Most glaring problem

The most glaring problem would be that the ANTS network toolkit adds an overhead of about 30% to IP. The paper claims there are a number of steps that aren’t required but alternative designs have not been implemented yet.

(iii) Future Research Directions

Future research directions for this work would be to actually implement the ANTS network toolkit over a wide-area network where users can freely customize and analyze the results.

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

As stated in the paper, Active Networks are an approach to network architecture in which customized programs are executed within the network.

So formulated it sounds to be a very interesting and promising field. Unfortunately this paper does not have any of those characteristics. This is why, instead of pointing out the three most important features of the paper, I will list the three biggest flaws:

1) Complexity, performance and security. According to the paper and the results shown, the proposed architecture introduces a lot of complexity since it is executed on a Java virtual machine running on a pc acting as a router. Hence it cannot be executed on high performance routers since they work only up to layer 3. As stated, a pc-based router is 2 orders of magnitude slower than high-end commercial routers that are typically deployed over the network (70.000 vs. 4.000.000 handled packets/sec). These pc-based routers should then be able to forward standard IP packets in a regular way as well as read capsules and execute the requested code. The fact that a capsule carries user-generated code introduces a big flaw in the network security and integrity since it could compromise the machine on which it is being executed. To try to reduce this issue, the author reduces the Java API down to very few instructions (10). Moreover, he suggests the code should be certified by a digital signature by a trusted authority. It is not clear how this certification should be performed. It is also the author himself that declares that certifying a program is a difficult task.

2) Implementation and testing. The handling and the execution of capsules is performed on a Java virtual machine. There is no justification whatsoever why the author picked this environment. It is well known, and it is also clearly shown in the graphs about performance, that the higher the level of execution, the worse the performance. The author claims the benefits and the easiness of the Java language as the reason why he picked that environment. This is in my personal opinion a strong contradiction with the fact that on the final implementation there is basically no more Java since he removed all the functions from the API. Another not clear aspect of the paper is the author’s analysis of the results. He basically removes all the aspects that are related with the Java environment and that would slow down the active node’s performance by a factor of more than the 50%. The author says that a lower level environment, such as C, would be more appropriate and better performing. So then why did he go with Java? Still, even with the C environment, the system is about 30% slower than a normal IP forwarding system. 30% sounds really a big number to me. Moreover, this is a 30% of reduction on a pc-based router. As said at the previous point, there is a 2 order of magnitude performance reduction because of the type of machine we need to use in order to be able to read and execute the capsules, plus another 30% of reduction. So the capsule-based system is really bad performing when compared to a regular IP communication.

3) Why should I want the capsule based system? To do what? This is probably the worst point of the paper. After 16 pages it is not clear where the benefits of such a heavy structure are. What is it possible to do with a capsule based system? In the paper the author speaks about user-defined forwarding policy. To do what? In a common use scenario, the user does not know at all the location of the resource he or she is requesting, nor is he or she interested in knowing it. If a performance enhancement is the target of having user-defined forwarding policies, then it has been completely missed out since, as said, this architecture considerably slows down the communication. Other already existing technologies can offer a better result with much less overhead (i.e. ATM network). The author himself claims that “no single application (“killer application”) that proves the value of extensibility has emerged”. He only suggests that testing new network protocols like IPv6 would be a possible application for the capsule-based system. The IPv4 has been used for more than 30 years and probably the same, or even longer, would be for the IPv6…

So again, why should someone want to use the capsule-based system if not even the author can suggest a useful application?

 

Active Network Vision and Reality: Lessons from a Capsule-based System. April 14, 2009

The authors provide a description of their experience building and using an active network system, ANTS. ANTS is a system that routes capsules (i.e. network packets) through a network of active nodes according to custom software, as provided by the capsules themselves. Because the software is custom, it can provide support for deploying a new protocol without changing all the routers currently in the network.

ANTS is a Java based active router that runs on PCs called active nodes in the paper. The capsules are augmented IP packets that contain additional header information that (among other things) defines the custom software to run. The custom software is not actually contained in the capsule itself. It is referenced by a signature in the capsule and acquired separately via a directory service.

One of the key characteristics of this implementation is that despite the fact that the capsule doesn’t contain the custom code itself, the code is still acquired on demand. When an active node receives a capsule that doesn’t have the necessary custom code, a header in the capsule defines the previous active node. This previous active node can supply the necessary missing code on demand. This solution is efficient in that it only requires distributing custom code when necessary and only to those nodes on the path of actively routed capsules.

Another benefit of the ANTS design is that the active nodes are based on soft state. Thus each active node has the flexibility to unload state as necessary. The state can be reacquired at some later point if necessary. This flexibility may result in dropped capsules, but the authors argue that this behavior is consistent with “normal” levels of packet loss in traditional forwarding networks.

Lastly, and possibly the most important contribution, the ANTS implementation supports incremental deployment. All custom protocols must support heterogeneous network environments, where active nodes are connected by traditional IP forwarding nodes. This requirement allows the ANTS system to be deployed over existing networks. Ultimately, any new protocol will need to be deployed incrementally as it is unrealistic to expect any large network to change nodes completely and instantaneously.

Unfortunately, their security model is not as well crafted. The authors describe how they tried to balance security with the idea of making ANTS available to anyone with a new protocol. It seems that their compromises were less than successful at achieving either goal. Although the ANTS runtime environment provides significant protection in terms of protocol isolation and resource usage, the validity of the custom routing code ultimately boils down to third party certification. This approach seems to be used when no other alternative to programmatic security can be thought of.

Despite some faults, the ANTS system seems like a reasonable implementation for trying active network approaches. I’d like to see further research in terms of developing low cost devices that can function as active nodes. FPGAs are a likely candidate as they can perform a constrained set of active node API operations at wire line speeds.

 

Active Network Vision and Reality: Lessons from a Capsule-based System April 14, 2009

Contributions

This paper describes an extensible forwarding architecture for the internet and presents design experiences and experimental results for security and performance concerns. It is a concrete implementation of the active network model, which envisioned distributing computing resources to many nodes on the network, to leverage their computing power in order to solve complex compute-intensive tasks. Since the architecture is extensible in respect to tasks, the computing code (or for this paper, the forwarding code) has to be distributed to all participating nodes.

To achieve backwards compatibility and adhere to slow adaption of the new architecture in the internet, the proposed packet format is an extension to IP’s packet format, which allows the so-called “capsules” to be forwarded as normal IP packets by existing routers, and be forwarded according to their associated forwarding code by the so-called “active nodes” which have adapted to the capsule standard and the new architecture. Therefore, it creates an overlay network.

The services supported by this network are identified by the MD5-hashes of their forwarding code, which each of the nodes on the route to the target receives from its upstream node. These MD5-hashes are stored in the capsule and due to security measures, they cannot change on any node in the network. The code itself is executed in a sandbox environment and has limited access to its environment, although services belonging to the same family can share state information.

Furthermore, the paper presents resource allocation problems in this overlay network, for the solution of which the authors fall back to certification mechanisms by a trusted authority (e.g. the IETF).

The authors also provide performance measurements; they report a slow-down ratio of around 4, due to the software forwarding in Java (1.2).

Overall, the authors imagine this network to support different multicast schemes and congestion notifications.

Most glaring problem

In retrospect, the advances in MD5-collision finding suggest that it may be possible to inject service code in the network for an existing service, therefore possibly breaking it. Due to the fixed nature of the packet format changing the hash function is non-trivial, so future versions should be extensible in respect to the type field.

Future work

It would be very interesting to see if these software-based forwarding mechanisms can also be implemented in hardware, being extensible by using FPGAs, to achieve higher performance goals while preserving the architecture goals.
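
The mechanism this review describes (a service identified by the hash of its forwarding code, with the code fetched from the upstream node on a cache miss) and the type-field extensibility it asks for, sketched in Python as an added example; it is not ANTS code and not from the paper. The one-byte algorithm id in front of the digest, and all class and function names, are assumptions made for illustration.

```python
import hashlib
import hmac

MAX_CODE_BYTES = 16 * 1024           # code size limit cited in the reviews on this page
HASH_ALGS = {1: "md5", 2: "sha256"}  # assumed one-byte algorithm ids (hypothetical)


class CodeRejected(Exception):
    """The capsule type or the fetched code failed a check; the capsule is dropped."""


def capsule_type(code: bytes, alg_id: int) -> bytes:
    """Capsule type = algorithm-id byte followed by the digest of the forwarding code."""
    return bytes([alg_id]) + hashlib.new(HASH_ALGS[alg_id], code).digest()


class ActiveNode:
    def __init__(self, name, accepted_algs=(2,)):
        self.name = name
        self.accepted_algs = set(accepted_algs)  # local policy: which hashes are trusted
        self.cache = {}                          # capsule type -> verified code (soft state)
        self.fetches = 0                         # demand loads sent upstream

    def install(self, code: bytes, alg_id: int) -> bytes:
        """Originating node: register its own service code and return the capsule type."""
        ctype = capsule_type(code, alg_id)
        self.cache[ctype] = code
        return ctype

    def serve_code(self, ctype: bytes):
        """Answer a demand-load request from the next active node on the path."""
        return self.cache.get(ctype)

    def code_for(self, ctype: bytes, previous_node) -> bytes:
        """Return the forwarding code for a capsule, loading and verifying it on a miss."""
        if ctype in self.cache:
            return self.cache[ctype]
        if not ctype or ctype[0] not in self.accepted_algs:
            raise CodeRejected("hash algorithm not accepted")
        self.fetches += 1
        code = previous_node.serve_code(ctype)
        if code is None:
            raise CodeRejected("previous node no longer holds the code")
        if len(code) > MAX_CODE_BYTES:
            raise CodeRejected("code exceeds size limit")
        # The node recomputes the fingerprint itself; it never trusts the sender's claim.
        if not hmac.compare_digest(capsule_type(code, ctype[0]), ctype):
            raise CodeRejected("fingerprint mismatch")
        self.cache[ctype] = code
        return code


class SpoofingNode(ActiveNode):
    """Constructed misbehaving upstream node: answers every request with different code."""

    def serve_code(self, ctype: bytes):
        return b"def forward(capsule): return 'substituted-next-hop'"


def demo() -> dict:
    code = b"def forward(capsule): return capsule.dst"  # constructed sample routine
    source = ActiveNode("source", accepted_algs=(1, 2))
    sha_type = source.install(code, alg_id=2)
    md5_type = source.install(code, alg_id=1)

    router = ActiveNode("router")                        # accepts only SHA-256 types
    results = {"loaded": router.code_for(sha_type, source) == code}
    router.code_for(sha_type, source)                    # second capsule: cache hit
    results["fetches"] = router.fetches

    cases = (("spoofed", sha_type, SpoofingNode("bad-upstream")),
             ("legacy_md5", md5_type, source))
    for label, ctype, upstream in cases:
        try:
            ActiveNode("fresh").code_for(ctype, upstream)
            results[label] = "accepted"
        except CodeRejected as exc:
            results[label] = str(exc)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Because the algorithm id is part of the type, a node can stop accepting MD5-derived types by policy without any change to the capsule layout.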

 

Active Network Vision and Reality: Lessons from a Capsule-based System April 14, 2009

This paper presents ANTS, an active network toolkit that allows the existence of a flexible active network without compromising security. ANTS is mainly based on the idea of capsules which extends the IP packet design. This is done without breaking backwards compatibility such that a network can be incrementally upgraded to support ANTS. That is, ANTS capsules can be transmitted over traditional routers, while the same packets can be realized as capsules while passing through ANTS active nodes. This capsule model allows for programmability by including a segment of code which is executed securely at active nodes. This code determines the next forwarding route for the packet.

When doing software routing, ANTS gives an extraordinary amount of flexibility in packet forwarding, without restricting the forwarding mechanism to a limited set of devices. Thus compared to other active network approaches, such as an administrator configuring the software on a router, ANTS allows any certified node on the network to use any arbitrary forwarding mechanism by using capsules. Security is enforced by executing the code in a “sandbox” that cannot corrupt the rest of the system. Further, capsules are identified by their MD5 check-sum, thus making it impossible for one capsule to claim the data of another on the active node.

Some of the main contributions of this paper are:

  1. The authors prove the flexibility and advantages of using the idea of capsules as a forwarding mechanism. Their design is extremely flexible because it allows untrusted users to handle how their packets are forwarded in any arbitrary way. Other active networks are less flexible in the sense that they either only let administrators configure the network, or that the set of devices that can be configured are very limited.
  2. The authors show that it is possible to upgrade a network using an incremental approach without breaking backwards compatibility. This is made possible by the use of capsules, because the capsule design is basically an extended IP packet, and existing routers can treat the capsules as traditional IP packets.
  3. The authors provide a solution that can potentially be used in research environments even if its performance costs make it impractical for wide deployment. ANTS can be used as a cheap and quick method to verify new forwarding protocol designs.

One glaring problem with the paper is the performance measurements. The authors chose to implement their system in Java, and spend a good part of the paper trying to attribute the poor performance (relative to other implementations) to the use of Java. While their analysis seems rather convincing, it is hard to convince the readers that the architecture and the design itself has acceptable performance, unless the authors choose to implement a more efficient version in the future, perhaps in C++. Further, requiring the users to obtain a digital certificate before they are trusted drastically reduces the flexibility of their design.

Possible options for future research are a faster implementation of ANTS. Due to performance issues, currently ANTS is only practical when replacing software routing. If ANTS is to be used for such purposes as upgrading existing network infrastructure from IPv4, it would require the highest efficiency possible, thus requiring a hardware implementation. Therefore it would be an interesting research idea to try to implement ANTS at the hardware layer (i.e., using FPGAs). Perhaps some existing routers can be ‘hacked’ to run ANTS software instead.

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

“Active network vision and reality: lessons from a capsule-based system” by David Wetherall is a paper that readdresses active networks in research by reporting the progress that the author made in using the ANTS active network toolkit. The motivation for active networks according to David Wetherall is that it would accelerate the pace of innovation by separating services and underlying infrastructure and it would allow for new applications that leverage computation within the network. The difference between Wetherall and other implementations is that Wetherall tries to achieve the original vision for active networks. His paper addresses three characteristics of a pure active network: capsule model programmability; accessibility of that model to all users; and applications can be constructed in practice.
The major goal of the paper was to give untrusted users the ability to control handling of their packets in the network. With this in mind, performance and security were major issues. Using the capsule model, they increased performance by passing the code in the capsules by reference instead of the copy by value type of code carrying schemes. They also limited the code size to be at most 16 KB and state that the code must run fast so there is not a lot of resources and time taken at the smart routers that execute the code. For security they make sure that the code that is to be executed is certified by a trusted authority. With this in mind they deployed their capsules as an extension of an IP packet. It is not necessary to upgrade every router so that they can handle the capsules because if the router cannot read the capsules it will just use the default routing. Capsules allow the user to potentially control the path its packet takes in the network which is a big benefit and can lead to more evolutions in network services. Another thing mentioned by Wetherall is that capsules allow rapid upgrading of wide area networks like the Internet. The main thing is that with capsules, it is possible for untrusted users to control their packets’ path in the network.
The major problem with this paper is that active networks make the network unpredictable. More problems are it is hard to write code that runs fast especially when the code has to be at most 16 KB. It is also hard to stop a user from writing code that monopolizes resources in the network.
This paper reminds me of “Implementation and Performance of Integrated Application-Controlled File Caching, Prefetching, and Disk Scheduling” by Pei Cao, Edward W. Felten, Anna R. Karlin, and Kai Li, because allowing users to control their packet’s path is very similar to allowing applications the ability to control their prefetches. They both talk about the constraints that a bad user/application should not make it worse for other users/applications. Overall the paper reintroduces the idea of active networks. Some possible uses for this paper in the future can be used to deploy new protocols on large networks for experimenting.

 

Active Network Vision and Reality: Lessons from a Capsule-based System April 14, 2009

(i) the three most important things the paper says:

  1. This paper discusses the results of two years of work on the ANTS active network toolkit, which is meant to be a proof of concept of a “useful” active network, a network architecture which allows programs to be executed within the network in order to provide extensible functionality. The active network passes “capsules”, packets containing executable code, to programmable routers, called “active nodes”, in the network via custom forwarding routines. At the active node, the capsules are demultiplexed and executed within a sandbox.
  2. The paper makes the argument that capsules can be used as a competitive forwarding mechanism. They present an implementation which allows capsule code to be carried by reference and to be loaded on demand. They furthermore ran a number of performance studies to show that the intrinsic latency of capsule processing is relatively low compared to a comparable IP implementation. However, these measurements are speculative since the capsule implementation was done in Java and is user-level, whereas they speculate the times for a kernel-level implementation without Java-imposed costs.
  3. Protection is obtained by using type checking to ensure isolation between services, as well as certification authorities to ensure untrusted services do not gain access to the network.

(ii) the most glaring problem with the paper:

The paper makes a number of claims with regards to the security properties and performance of their implementation, and what needs to be done in order to achieve these properties. However, many of these seem to be speculative and possibly not entirely correct. For example, the authors claim that the node runtime cannot be corrupted by service code, similar to how operating systems protect themselves from user applications. In both these cases, bugs and holes in implementation can allow an attacker to compromise a system. Another sticking point is that many of the protection mechanisms are Java-dependent and are thus not factored into the performance measurements, or do not seem to be implemented at all. The performance measure itself seems unreliable, as many overheads in the processing steps are disregarded since the implementation is a Java proof-of-concept (i.e. overhead for user-level implementation, overhead from Java artifacts etc. are ignored completely). However, potential alternatives used in the “real” implementation will likely have overheads to contribute as well, but this is not mentioned in the paper.

(iii) the future research directions of the work:

One area of research that may extend on the work in this paper is to provide better support for the classes of applications that are not suited to ANTS in the current architecture. For example, one way to allow firewalls to be used with ANTS is to allow a single unifying type to be used (such as the “top” type in language theory. I think Java uses Objects as their unifying type). This however may have security ramifications and would likely have to be used judiciously.

The paper also leaves many items unimplemented or left to speculation, such as the impact of code signing and signature checking. Another research direction is to fill in the gaps in the implementation in order to verify the claims made in the paper.

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

i. Important Points

1) Active networks provide a mechanism to easily deploy new routing protocols by having programs supply “active routers” with code to control the handling of that application’s packets as they get routed through the network.

2) The same code tends to get executed along the same network path, so having the capsules simply reference the code rather than actually carrying the code allows the system to be much more efficient.

3) Using a 1-way hash function on the code to create an identifier for the code deals with the problem of making a unique reference to the code as well as providing security since an attacker cannot spoof the code and run their own malicious code in place of the original code.

ii. Most glaring problem

I think the most glaring problem was failing to address the issue of how effective protocols using the active network are when there are only a few active nodes. They do address using overlays for incremental deployments, but they fail to address how useful it would be when a large percentage of the nodes are only IP routers and not active nodes.

iii. Future research directions

I think future research directions include assessing the effectiveness and feasibility of deploying a system like this on the internet. What services could be offered when only a small number of nodes on the network use it? Could any end user benefit from the system or could only end users with an active node benefit?

 

Active Network Vision and Reality: Lessons from a Capsule-based System April 14, 2009

1. Active Networks. Bound to happen.

The paper states that it is necessary to provide an infrastructure to support active networks and allow them to grow in an organized, controlled manner. It claims that active networks are bound to grow and if the proper environment to support their growth is not provided, they will end up being added to the existing structure of the internet in an unorganized and inefficient manner. The paper does a good job of identifying the major issues with active networks. They use the ANTS platform which allows them to implement, fairly efficiently, the solutions they come up with to counter the major issues with active networks.

2. Forward capsule code by reference and demand loading of code.

The paper suggests a methodology whereby capsule code is forwarded by reference and once on a node, is cached for future use. This exploits the fact that the same set of nodes tends to be reused to provide a certain type of service. This way the overhead of carrying code each time is reduced. It also provides for a method of capsule code forwarding and code identification using fingerprinting. This makes the process both robust and secure. The method is capable of handling packet loss, node failures, changing routes etc.

3. Security by certification from trusted authority in addition to protective mechanisms within the system

The paper suggests keeping malicious code out of the system by requiring that all code be certified before they can be implemented. The paper claims that this provides for a lot more flexibility than not allowing new code and services at all while at the same time not compromising on security. In addition to this, it proposes the sandbox technique to keep one code from interfering with others. It also prevents code spoofing via fingerprinting techniques.

Problems:

The system proposed does not seem to be very fault tolerant and robust. If service-code is unavailable because the previous active node to forward the capsule is down, the capsule is dropped. The underlying robustness that a connectionless system provides is lost. One might argue that this is because the underlying system itself doesn’t make any guarantees and only provides best effort delivery and that a partially working system is better than no system at all. Forwarding service-code by reference means considerable time is lost if code needs to be brought in from another node. The delay introduced might lead to time outs in the end-to-end connection. Of course the paper assumes that the frequency of this event is small enough to ignore it.

Future Work:

Future work in this area could involve trying to make the protocol more robust and less prone to capsule dropping due to non-availability of code. Also, currently the entire system seems to be completely dependent on ANTS for imposing some of the security measures. It assumes that ANTS runtime sandbox provides code isolation. The system could be implemented on real nodes without using the ANTS toolkit and see how it scales and if the same level of security can be achieved. It can also be implemented in C instead of Java to see if it functions just as well in the absence of some of the safety properties of Java byte-code.
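
The mechanism this review describes (a capsule carries a fingerprint, the node loads the code on demand from the previous hop, and the capsule is dropped when that fails) is shown below as an added example; it is not part of the review or of ANTS. `ActiveNode`, its methods and the status strings are hypothetical, the 16 KB limit is the one quoted in another review on this page, and SHA-256 stands in for the MD5 fingerprint mentioned on this page because MD5 collisions are practical today.

```python
import hashlib

MAX_CODE_BYTES = 16 * 1024  # code size limit quoted in another review on this page

def fingerprint(code: bytes) -> str:
    # Assumption: SHA-256 stands in for the MD5 fingerprint described on the page.
    return hashlib.sha256(code).hexdigest()

class ActiveNode:
    """Hypothetical active node: caches service code keyed by its fingerprint."""

    def __init__(self, name, up=True, tamper=None):
        self.name = name
        self.up = up            # False simulates a failed previous hop
        self.tamper = tamper    # bytes a misbehaving hop serves instead
        self.cache = {}

    def install(self, code: bytes) -> str:
        fp = fingerprint(code)
        self.cache[fp] = code
        return fp

    def serve_code(self, fp: str):
        """Answer a demand-load request from the next hop."""
        if not self.up:
            return None
        return self.tamper if self.tamper is not None else self.cache.get(fp)

    def receive(self, fp: str, prev_hop: "ActiveNode") -> str:
        """Process a capsule that references its code by fingerprint `fp`."""
        if fp in self.cache:
            return "run:cached"
        code = prev_hop.serve_code(fp)      # demand load from the previous hop
        if code is None:
            return "drop:code-unavailable"
        if len(code) > MAX_CODE_BYTES:
            return "drop:code-too-large"
        if fingerprint(code) != fp:         # served bytes do not match the reference
            return "drop:fingerprint-mismatch"
        self.cache[fp] = code               # only verified code is cached
        return "run:loaded"

def demo():
    """Constructed scenario: one service, four outcomes at downstream nodes."""
    service = b"forward(capsule, next_hop)"  # constructed stand-in for service code
    src = ActiveNode("src")
    fp = src.install(service)
    good = ActiveNode("good")
    results = [good.receive(fp, src), good.receive(fp, src)]
    spoofer = ActiveNode("spoofer", tamper=b"other code")
    results.append(ActiveNode("n2").receive(fp, spoofer))
    results.append(ActiveNode("n3").receive(fp, ActiveNode("dead", up=False)))
    return results
```

The sandbox that would run the verified code is not modelled; "run" only marks the point at which the node would hand the code to it.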

 

Active network vision and reality: lessons from a capsule-based system April 14, 2009

The paper presents the lessons learnt from implementing and realizing the vision of Active Networks using the ANTS toolkit. Active nodes allow untrusted user code to run on them for ease of development and experimentation with Internet services. The authors propose the introduction of a network security standard (by a third party authority) which the users should comply with when using the active networks idea. Active network implementation as discussed in the paper is achieved by adding ‘capsules’ to the IP header which dynamically configure the network and decoding these capsules by ad hoc software in the ANTS toolkit and deployed at each router. This permits multiple users to tailor routing and forwarding according to their application requirements without actually having to modify the underlying network but at the cost of performance and compromise of security. The paper mainly talks about the implementation of capsules, the issues with protection in active networks and the nature of services that can be deployed.

According to the paper ANTS supports the implementation of capsules by using caching and demand loading mechanisms. For performance the authors place a limitation on the size of the code and the duration for which it can run on a software-based active router node. They also propose that the code services be expressible and created from a minimal set of API and also be incrementally deployable so that the services be active even when some nodes are inactive. State information is shared among different routines by a hierarchical fingerprint mechanism proposed in the paper which is actively supported by the ANTS toolkit that provides code and state isolation. The active network idea violates the end-to-end argument in part and poses various security challenges that are highlighted by the authors. Since active networks have access to the router software, end-to-end encryption cannot be successfully achieved. As an obvious implication malicious routines can result in inconsistent soft state of a given current flow.

The practical implementation and scalability of active networks is probably not feasible given the networking model used today. To support active networks each service provider will have to support dynamic changes to their routers and this idea might be faced with resistance since a flawed code might hog the bandwidth and limit utilization by the other users. Although the authors propose a third party authority for capsule code write off, there is no strengthening evidence on what network resource constraints need to be imposed by them.

The possible future trends that can be drawn from the active networks idea include the implementation of reconfigurable networks in which applications dynamically change the routing and forwarding routines in the way best suited to their usage patterns. Possibly a new layer abstraction can be created and the active network idea be seamlessly overlaid over the existing networks but all this calls for strict security protocols to be enforced and for monitoring the security compliance of untrusted code. Also there would be a need to transform existing network routers into software-based systems that can support capsule de-multiplexing and on the fly configuration.