The Role of Trust Management in Distributed Systems Security, 2000
Cited by 153 (11 self)
Existing authorization mechanisms fail to provide powerful and robust tools for handling security at the scale necessary for today's Internet. These mechanisms are coming under increasing strain from the development and deployment of systems that increase the programmability of the Internet. Moreover, this "increased flexibility through programmability" trend seems to be accelerating with the advent of proposals such as Active Networking and Mobile Agents.
PLAN: A packet language for active networks, 2006
Cited by 147 (24 self)
The Internet protocols were designed to emphasize simple routing elements and intelligent hosts. However, there are applications that benefit from allowing hosts to customize or program routers, a concept known as active networking. Since routers are shared, this raises challenges with delivering sufficient flexibility while preserving or improving performance, security, and safety. PLAN (Packet Language for Active Networks) is a language designed for the SwitchWare active network architecture. This architecture comprises active packets containing PLAN programs that invoke service routines over an active OS. PLAN is based on the polymorphic lambda calculus and provides a restricted set of primitives and datatypes that enables reasoning about its impact on network resources based on features of the language design. This paper focuses on the PLAN language with the aim of consolidating a variety of studies that were carried out in the years after its introduction in 1998. These studies include the requirements for PLAN, its design, programming in PLAN, the specification and theory of PLAN, and its use in networking applications.
Security properties of typed applets - IN SECURE INTERNET PROGRAMMING – SECURITY ISSUES FOR MOBILE AND DISTRIBUTED, 1999
Cited by 56 (3 self)
This paper formalizes the folklore result that strongly-typed applets are more secure than untyped ones. We formulate and prove several security properties that all well-typed applets possess, and identify sufficient conditions for the applet execution environment to be safe, such as procedural encapsulation, type abstraction, and systematic type-based placement of run-time checks. These results are a first step towards formal techniques for developing and validating safe execution environments for applets.
A Secure Active Network Environment Architecture -- Realization in SwitchWare - IEEE NETWORK
Cited by 55 (20 self)
Active Networks is a network infrastructure which is programmable on a per-user or even per-packet basis. Increasing the flexibility of such network infrastructures invites new security risks. Coping with these security risks represents the most fundamental contribution of Active Network research. The security concerns can be divided into those which affect the network as a whole and those which affect individual elements. It is clear that the element problems must be solved first, as the integrity of network-level solutions will be based on trust of the network elements. In this
A Scalable, High Performance Active Network Node - IEEE Network, 1998
Cited by 53 (15 self)
Active networking in environments built to support link rates up to several gigabits per second poses many challenges. One such challenge is that the memory bandwidth and individual processing power of the router's microprocessors limit the total available processing power of a router. In this paper, we identify and describe three key components, which promise a high performance active network solution. This solution implements the key features typical to active networking, such as automatic protocol deployment and application specific processing, and it is suitable for a gigabit environment. First, we describe the hardware of the Active Network Node (ANN), a scalable, high performance platform based on off-the-shelf CPUs connected to a gigabit ATM switch backplane. Second, we introduce the ANN's modular, extensible and highly efficient operating system (NodeOS). Third, we describe an Execution Environment running on top of the NodeOS, which implements a novel large-scale active networ...
An Active Router Architecture for Multicast Video Distribution, 2000
Cited by 52 (9 self)
Video distribution over the Internet poses many challenges. Due to the best-effort nature of today's public data networks, end system applications cannot rely on either bandwidth or delay guarantees. We designed and implemented a prototype of a multicast video distribution architecture involving knowledgeable active routers, a scalable video codec based on wavelet transformation, and a high-performance video scaling algorithm implemented as a router plugin. The plugin scales the video with an average overhead of only 22 µs per video datagram and is installed on-the-fly on the routers after the sender starts transmitting video for the first time. Through experiments on our test network, we show that we can dramatically improve the video quality on the receivers (up to 15 dB PSNR) by scaling the video on the routers to almost any target bandwidth. The target bandwidth is evaluated by the router solely based on monitoring of the load situation of the router's downstream links and can be adjusted within 50 ms.
A Secure PLAN - In International Working Conference on Active Networks (IWAN, 1999
Cited by 40 (12 self)
Active Networks promise greater flexibility than current networks, but threaten safety and security by virtue of their programmability.
Spawning Networks, 1999
Cited by 40 (10 self)
The deployment of new network architectures, services, and protocols is often manual, ad hoc and time consuming. In this paper we introduce "spawning networks", a new class of programmable networks that automate the life cycle process for the creation, deployment and management of network architectures. These networks are capable of spawning distinct "child" virtual networks with their own transport, control and management systems. A child network operates on a subset of its "parent's" network resources and in isolation from other spawned networks. Spawned child networks represent programmable virtual networks and support the controlled access to communities of users with specific connectivity, security and quality of service requirements. In this paper we present a framework for the realization of spawning networks based on the notion of the Genesis Kernel, a virtual network operating system capable of creating distinct virtual network architectures on-the-fly. We discuss the motivation and principles that underpin spawning networks and focus on the design of the transport, programming and life cycle environments, which comprise the main architectural components of the Genesis Kernel.
PAN: A High-Performance Active Network Node Supporting Multiple Mobile Code Systems - In IEEE OpenArch, 1999
Cited by 38 (0 self)
A capsule-based active network transports capsules containing code to be executed on network nodes through which they pass. Active networks facilitate the deployment of new protocols, which can be used without any changes to the underlying network infrastructure. This paper describes the design, implementation, and evaluation of a high-performance active network node which supports multiple mobile code systems. Experiments, using capsules executing unsafe native Intel ix86 object code, indicate that active networks may be able to provide significant flexibility relative to traditional networks with only a small performance overhead (as little as 13% for 1500 byte packets). However, capsules executing JavaVM code performed far worse (with over three times the performance overhead of native code for 128 byte packets), indicating that mobile code system performance is critical to overall node performance.

