The Active/Programmable networks allow the end users to inject customized programs into special network nodes, making them able to let their data being processed (in the way they want) directly in the network as it passes through. This approach has been presented as a reaction to a certain fossilization of the traditional computer networks, which on the one hand behave as a simple and extremely fast forwarding infrastructure, but which on the other have not been designed for fast and dynamic reconfigurations and novel services’ deployment. Multimedia application processing (e.g., videoconferencing, video transcoding, video on demand, etc.), security services (data encryption over untrusted links, secure and reliable multicast, etc.), intrusion detection systems, and dynamically adapting Intranet firewalls are just a few possible services, which could be provided.The fundamental issues, which have to be addressed by all the architectures, are:

• Execution Environment Flexibility - the active/programmable nodes have to provide an execution environment (EE), inside which all the user active programs (APs) are processed. Ideally, the nodes should be able to accept and run the user-supplied APs designed for an arbitrary EE, which will provide the highest flexibility possible.
• Resource Isolation and Security - for security purposes, the running APs have to be strongly isolated from each other, so that a malicious/compromized AP cannot affect another APs sharing the same HW/SW resource(s) nor it can directly affect the simultaneously running APs themselves.

We claim, that these issues could be essentially addressed by making use of the virtualization techniques. The virtualization, properly combined with the other useful concepts, then allows us to propose a very flexible and powerful programmable node, which allows its users to develop their active programs for arbitrary execution environments and dynamically compose them into complex processing applications. Besides the execution environments’ flexibility, the employed virtualization makes the proposed node further able to provide higher security and strong isolation capabilities, additionally enhanced by robust resource reservations and guarantees.

Contributions:

The set of features provided by the proposed DiProNN node (DiProNN = Distributed Programmable Network Node) could be summarized as follows:

• The built-in execution environment flexibility - the active programs, which can be processed by the node, could be provided for multiple arbitrary execution environments the node supports.
• Execution environments’ uploading - once the execution environments, which are provided by the node, are not suitable for the users because of any reason, they are able to upload their active programs encapsulated in their own execution environments, which the APs should be processed in.
• Component-based programming - to simplify the node programming, the node is able to accept user sessions consisting of multiple single-purpose cooperating active programs (components) and data flows among them defined on the basis of the workflow principles. The sessions’ workflows could by dynamically adapted to changing conditions and, as results from the previous items, each component (AP) might be further designed for a different execution environment (provided by the node or uploaded by the user).
• Parallel/Distributed processing - to make the node capable of processing higher amounts of data, its architecture is based on commodity PC clusters, allowing both parallel and distributed processing of the user sessions. The APs, which are intended to run in parallel, do not have to be adapted in any way to make such a processing possible.
• Complex resource management and QoS support - to provide a different priority to different applications, users, or data flows, or to guarantee a certain level of a processing performance to a session, the node provides complex resource management capabilities, which allow the users to specify the resources required by the particular APs processing their sessions.
• Strong APs’ and resources’ isolation - for security purposes, the running APs are strongly isolated from each other, so that a malicious/compromised AP cannot affect another APs sharing the same HW/SW resource(s) nor it can affect the simultaneously running APs themselves. Such a strong isolation also eliminates a hidden influence among the APs and ensures, that the APs cannot compromise each other in other way than through the network. Once the APs are strongly isolated, the accounting of the resources’ utilization might be performed as well.
• Mechanisms for fast APs’ communication - since the processing components might want to communicate with each other (e.g., because of an internal synchronization and/or state sharing), and since such a communication should be provided as fast as possible, the node allows the definition of the control communication channels among the APs, which are provided by a specialized low-latency interconnect. The APs themselves do not have to be aware of these interconnects during their development, so that they do not have to be adapted to a particular interconnect the different nodes’ implementations use.
• Virtualization system-independent architecture - the node architecture is neither designed for a particular virtualization system nor for a specific kind of them. It uses common networking techniques only, which allow the node to be built upon almost any existing virtualization solution.

Publications:

REBOK, Tomáš. DiProNN: Distributed Programmable Network Node. Brno : Masaryk University in Brno, 2009. 200 pp. Ph.D. Thesis.

Contact:

Tomáš Rebok, xrebok@fi.muni.cz