This invention relates to packet-switched computer networks, and more particularly, to an element in such a network that controls and/or manipulates packet traffic flowing through it in some predetermined programmed manner.
In packet-switched computer networks routers perform the function of forwarding the packet traffic that flows through them. Routers generally implement standardized functions to enable them to interact with other routers on the network. Routers are currently available that perform specialized functions in addition to routing, such as load balancing, web caching, encryption and fault tolerance. Layer 4 switches, for example, are available that can make decisions about packet forwarding based on TCP/UDP headers as well as IP headers. Such switches also may sometimes be augmented with capabilities such as load balancing. Network address translators are also available for connecting a number of computers on a private network with unadvertised IP addresses to the Internet (see, e.g., K. Egevang and P. Francis, "The IP Network Address Translator (NAT)", IETF RFC No. 1631, 1994; and the SonicWALL product from Sonic Systems, Inc., http://www.sonicsys.com). Such prior art routers are special function "boxes" that are designed to perform the specific function required. Such special function routers perform their specific function by means of software or hardware within their structure and are thus only able to perform the function for which they have been designed.
In the research community the term "active networking" has been coined to refer to the type of networking in which programmable routers are incorporated in the network. Such programmable routers would provide the standard router functionality and, in addition, execute programs which manipulate the packets passing through the router. As envisioned, the programs to be executed in the router would be contained in the normal traffic that passes through the router; i.e., packets (called "capsules") containing programs with embedded data are sent through the network instead of the standard data packets (see, e.g., D. L. Tennenhouse, J. M. Smith, W. D. Sincoskie, D. J. Wetherall, G. J. Minden, "A Survey of Active Network Research", IEEE Communications Magazine, Vol. 35, no. 1, pp. 80-86, 1997). Since programmable routers must coexist with non-programmable routers in the network, capsules must be tunneled through the non-programmable routers which cannot execute them. Active networking is motivated by goals such as: having specialized network support for particular applications (e.g., application-level Quality of Service [QoS]), introducing new protocols, performing caching in network nodes, and, in general, being able to add any desirable new functionality that may be helpful for emerging new uses of networks where the routers are the natural location to incorporate such new functionality. Designing such programmable routers as described above must by necessity encompass work in many areas such as OS support, programming languages and execution environments for the router programs, security, protocols, interoperability with the non-programmable routers, etc. Disadvantageously, such an approach requires significant interoperability between these many elements and cannot be applied to standard packet network traffic without modifications.
Until such time at which a network consists entirely of such general programmable routers, support of such applications will be difficult.
In accordance with the present invention, a programmable network element operates on standardized packet traffic passing through the network element in accordance with a program which is dynamically uploaded into the network element or unloaded from it via a mechanism separate from the actual packet traffic as the element operates. Such a programmable network element is capable of simultaneously operating on plural packet flows with different or the same programs being applied to each flow. Each program applies a user definable set of processing rules to those packets flowing through the element that satisfy packet criteria defined by the program. Further, the network element operates on standardized IP packet traffic that does not have to be modified to enable the functionalities of the network element to be invoked. Even further, the network element is transparent to the endpoints of the connection, thus requiring no modification at the endpoints or in the packet data transmitted from or to them. The programmable network element of the present invention can be positioned in a network as a router, or can sit at the edge of a network between one or more Local Area Networks (LANs) and the rest of the network, or at the edge between an internal network and an external one. The network element can be located at the edge between server farms (such as FTP or HTTP servers) and the rest of the network. The programmable network element could serve as a "virtual server" anywhere on the network. Further, the network element could also be incorporated as software on servers or clients, in the latter case acting as a gateway between an application and the network. Even further, the programmable network element of the present invention could be placed as a combination of the above.
The embodiment of the present invention described below consists of a number of processes running on a Linux Operating System (OS). A dispatcher process provides a packet filter in the Linux kernel with a set of rules provided by one or more dynamically loaded and invoked programs. These rules define, for each program, the characteristics of those packets flowing through the network element that are to be operated upon in some manner by the network element. A packet that then flows from the network through the packet filter and satisfies one or more of such rules is sent by the packet filter to the dispatcher process. The dispatcher process then, in accordance with one of the dynamically loaded and invoked programs with which it is interacting, either sends such a packet to the program for processing by the program itself, or itself acts upon the packet in a manner as instructed by the program. The processed packet is then sent back to the kernel through the packet filter and onto the network for routing to its intended destination. Each program itself is dynamically registered with the dispatcher process either locally from a local program injector by an administrator of the network element using usual OS mechanisms for invoking programs, or over the network from a remote program injector.
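The following is an added illustration, not code from the patent or any product it describes, of the dispatcher arrangement just outlined: programs register their packet criteria with a dispatcher, only packets satisfying some loaded program's rules are handed up from the filter, and the program's result is sent back out. The "virtual server" program, the class names and the addresses are all constructed for this example.

```python
from collections import namedtuple
from typing import Callable, Dict, List, Optional

# Constructed model of the dispatcher / kernel-filter split described above;
# every class and function name here is an assumption made for this example.

Packet = namedtuple("Packet", "src dst proto dport")
Rule = namedtuple("Rule", "proto dport dst")      # None in a field means wildcard

def rule_matches(rule: Rule, p: Packet) -> bool:
    return all(want is None or getattr(p, name) == want
               for name, want in zip(rule._fields, rule))

class Program:
    """A dynamically loaded program: its packet criteria plus what to do on a hit."""
    def __init__(self, name: str, rules: List[Rule],
                 handler: Callable[[Packet], Optional[Packet]]) -> None:
        self.name, self.rules, self.handler = name, rules, handler   # None = drop

class Dispatcher:
    def __init__(self) -> None:
        self.programs: Dict[str, Program] = {}   # filled by a local or remote injector

    def register(self, prog: Program) -> None:
        self.programs[prog.name] = prog

    def unregister(self, name: str) -> None:
        self.programs.pop(name, None)

    def handle(self, p: Packet) -> Optional[Packet]:
        """The kernel filter hands up only packets matching a loaded program's
        rules; everything else is forwarded untouched, so unloading a program
        leaves no residual behaviour. The handler's result goes back out."""
        for prog in self.programs.values():
            if any(rule_matches(r, p) for r in prog.rules):
                p = prog.handler(p)
                if p is None:                # program told the dispatcher to drop it
                    return None
        return p

def make_virtual_server(vip: str, backends: List[str]) -> Program:
    """'Virtual server' program: TCP/80 traffic for the VIP is rewritten
    round-robin to a real server behind the element; endpoints see no change."""
    counter = [0]
    def handler(p: Packet) -> Packet:
        target = backends[counter[0] % len(backends)]
        counter[0] += 1
        return p._replace(dst=target)
    return Program("http-vs", [Rule(proto="tcp", dport=80, dst=vip)], handler)
```

A real deployment would install the collected rules into the kernel filter and reinject the handler's output; here `handle` stands in for both halves of that round trip.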