Active Networks (eBook)

Preface 6
Organization 7
Table of Contents 8
GateScript: A Scripting Language for Generic Active Gateways 10
Management and Performance of Virtual and Execution Environments in FAIN 30
Secure, Customizable, Many-to-One Communication 44
Distributed Instrusion Prevention in Active and Extensible Networks 63
Secure Service Signaling and Fast Authorization in Programmable Networks 75
Tackling the Complexity of Future Networks 87
Evaluation of Integration Effect of Content Location and Request Routing in Content Distribution Networks 97
Building a Reliable Multicast Service Based on Composite Protocols for Active Networks 110
Network Programmability for VPN Overlay Construction and Bandwidth Management 123
A Framework for Developing Mobile Network Services 135
Using Active Networking’s Adaptability in Ad Hoc Routing 147
Active Networking for TCP over Wireless 165
A Detection and Filter System for Use Against Large-Scale DDoS Attacks in the Internet Backbone 178
Dynamic Link Measurements Using Active Components 197
Simple Active Mechanisms for Measuring and Monitoring Service Level Topologies 214
Author Index 226

GateScript: A Scripting Language for Generic Active Gateways (p. 1-2)

Hoa-Binh Nguyen and Andrzej Duda
LSR-IMAG Laboratory
Institut National Polytechnique de Grenoble
BP. 72, 38402 Saint Martin d’Hères, France

Abstract. In this paper, we present GateScript, a scripting language for active applications to be executed on generic active gateways. Unlike other active networking platforms, it o.ers a simple scripting language for expressing custom processing of packets at di.erent protocol layers without the need for interpretation of complex protocol data structures. In this way, the user writes statements in a script-like language while using protocol-speci.c variables and prede.ned function calls acting on the packet’s content. From a textual description, we automatically create a packet parser and reassembler for a given protocol. The parser decomposes PDUs arriving in an active application into protocol variables that can be used in the script language. After processing, outcoming packets are reconstructed from the protocol variables. GateScript also enables active applications to react to the state of the environment: they can receive events from monitors and test variables re.ecting the state of the environment.

We have designed an architecture for a generic active gateway (GAG) that supports GateScript. An active application can dynamically install/ remove a packet .lter that intercepts relevant packets and passes them to the application. We have implemented GAG on Linux: its packet forwarding part is implemented in the kernel and all other components as user space processes.

1 Introduction

In our work, we address the problem of customizing user .ows in active gateways at the border of the network infrastructure. Unlike traditional proxy nodes, active gateways provide transparent processing of data streams without the need of con.guring client hosts. An active gateway may be placed in the access network, for example in the last router connected to a LAN. Many applications may benefit from custom processing physically located close to the client host, especially if it has limited resources. Consider for example small mobile devices that require some adaptation or reaction to changing conditions, and pervasive environments with various devices such as sensors or actuators—an active gateway can provide additional processing in the fixed network infrastructure. In some cases, we may even want to place the gateway functionality on the end system, so that the user can easily control, filter, or adapt flows arriving to the device.

We have designed and developed GateScript, a scripting language for easy programming of active applications that process packets in active gateways. Although there are several platforms for adding programmability to a network node, usually they are programmed in a full-.edged programming language such as Java [8,18], C [5,21], or TCL [1]. Moreover, many platforms require kernel modules or plugins to be developed [13,14], which can be done by experts, but it is too tedious for most of users.With GateScript we want to o.er a simple scripting language for expressing custom processing of packets at different protocol layers without the need for interpretation of complex protocol data structures. In this way, the user just writes a script that uses variables relative to a given protocol and calls prede.ned functions working on the packet’s content.

More specifically, GateScript provides a higher level view than traditional languages and automates the tasks of interpreting/constructing data packets. Coupling protocol variables to values in a received packet is automatically done by a packet parser generated from a formal description of a protocol. The variables available to script programs represent either protocol header fields (e.g. $http.content type for a HTTP Reply or $tcp.window for a TCP segment) or elements of the packet data content (e.g. $html.title for the title HTML markup). When some values of variables are detected in a packet by the protocol parser, they are made available to a script program so it can take some action or modify them. Simple statements allow to test the values contained in a packet and invoke functions able to modify its content or perform other actions such as packet duplication or drop.

With GateScript, we also explore the possibility of coupling the behavior of an active gateway with the state of the environment. Some active applications that we call proactive are able to dynamically react and adapt to varying conditions [17]. They cooperate with monitors, special entities that observe the state of the network, routers, or hosts. GateScript proposes a statement for waiting for an event to execute some operations when a monitor signals an event.

To support GateScript, we have designed and implemented an architecture for a generic active gateway called GAG. An active application can install a packet filter that recognizes some packets according to the information in the packet header and passes them to the application. Then, it is parsed and the GateScript engine interprets the code of a script that processes the packet. Intercepting packets can be activated and disabled dynamically, so that there is no overhead for forwarding packets that do not require active processing.