The Price of Safety in an Active Network
Lack of security is a major threat to "Active Networking," as programmability creates numerous opportunities for mischief. The point at which programmability is exposed, e.g., through the loading of code into network elements, must therefore be carefully crafted to ensure security. This paper makes two contributions. First, it describes the implementation of a solution, the Secure Active Network Environment (SANE), which is intended to operate on an active network router. The SANE architecture provides a secure bootstrap process, which includes cryptographic certificate exchange and results in execution of a module loader for introducing new code, as well as a packet execution environment. SANE thus permits a direct comparison of security implications of active packets (such as "capsules") with active extensions (used for "flows" of packets). The second contribution of the paper is a performance study using a combination of execution traces and end-to-end throughput measurements. The example code performs an "active ping" and allows us to break down costs into categories such as authentication. In our SANE implementation on 533 Mhz Alpha PCs, securing active packets effectively increases the time required to process a packet by a third. This result implies that the majority of packets must remain unauthenticated in high performance active networking solutions. We discuss some solutions which preserve security.