
IP Transparency

The ActivStation makes it possible to insert services into a network in a Transparent and Invisible manner. This type of service can therefore intercept a TCP/IP connection and perform processing on the protocol as well as the data.

"Transparent" means that the service inserted into the network dynamically reroutes connections to the original destination without requiring any configuration.

"Invisible" means that, from an IP point of view, the inserted service is impossible to detect.

Inserting a service into a network this way is the simplest operation needed to make it active. Inserting many such services leads to the notion of an active network. It is as if the network cabling itself becomes intelligent and processes the traffic passing through it.

ActivStation is ActivNetworks' key technology in facilitating quick and simple installation and complete unobtrusiveness for UAs and servers.

The ActivStation is an appliance that behaves as an intelligent cable. It is connected inline, so all the network traffic traveling on the cable now passes through the ActivStation. The fact that all data must flow through the ActivStation is a key factor for security-related inserted services.

IP transparency is the core technology enabling service insertion.

The ActivStation is based on a dedicated UNIX operating system. Its kernel and improved IP stack allow applications, running as services, to intercept TCP connections.

Interception and end-point substitution

The term "interception" is used for the imagery it evokes, but in reality it is the connection to the destination that is intercepted. This means that BoostEdge actually accepts a connection aimed at a different destination. It therefore substitutes itself for the original end-point. The client, the appliance that generated the connection, only "sees" the original recipient.

Furthermore, the A.O.S API can provide the address and port number of the original destination. This allows services to connect to this address. However, this isn't usually necessary because the service can process the connection using its own resources, or connect to another address and/or port.

The first case occurs, for instance, when BoostEdge's HTTP service responds to requests using its code. The second case occurs during load balancing.

Spider: cooperation mode

Whenever an ActivStation connects to an IP address, it can determine whether any other ActivStations exist on the route and whether they have already intercepted the connection. This allows ActivStations to cooperate without any prior knowledge of the network topology and therefore without any additional configuration.

SpiderOne uses the cooperation mode to encapsulate and decompress protocols.

The benefit of this system is immediate. Most protocols are not designed to negotiate compression; this is the case for FTP, Telnet and SNMP. There is therefore no way to centralize compression as is the case with HTTP. In this case, the protocol must be "encapsulated" in order to be compressed or encrypted.

SpiderOne uses ActivStation's automatic recognition mechanism. There is therefore no need for any configuration to specify what equipment is installed elsewhere on the network.

ActivStation and Services

IP transparency is at the heart of the ActivStation's technology. The IP transparency mechanism allows a program working in a "user land" to take over a connection, process the data and re-inject it into the network. Programs compatible with the ActivStation architecture and its APIs run as services.

The ActivStation currently implements IP transparency. It is a powerful, dedicated appliance incorporating the operating system that runs the services. This system architecture is based on a UNIX kernel and a specific IP stack allowing complete transparency. The ActivStation also exposes the API used by services to process connections.

The ActivStation features two Gigabit Ethernet ports on its failover network card. When the ActivStation is powered off, the failover card works as a simple connection cable; the two ports are electronically connected and the Ethernet signal passes through the card.

The connections to be intercepted are determined by a set of rules. One rule configures a set of IP sources and a set of destination IP addresses and ports. It also indicates which service will be involved in the processing.

The interception mechanism, known as an interception bridge, is the core of the ActivStation. It examines packets, matching them to interception rules and passing them to the appropriate service.

For example, to intercept a connection from network 192.168.5 to an SMTP server at address 192.168.1.50 and process it using a given service, the rule is as illustrated below:

192.168.5.* — 192.168.1.50:25 → 8

In the following figure, the first connection will be processed, because it matches the rule. The second connection does not match and will therefore pass through without being processed; it is bridged.

Connections that do not match an interception rule are simply sent from one port to the other. In this case, the packet is copied at the kernel level. The appliance is behaving like a switch, at the same speed as the network.

This is the type of interception rule used for a spam-detection service.

The transparent mode makes it easier to insert a service in front of one or more servers. The only prerequisite is that there must be a single physical route for all the traffic between the servers and the rest of the network. As a general rule, this route will be a simple Ethernet cable.

Services can be deployed incrementally by adding interception rules. A service can be tested on a single machine – a unique IP source – and then rolled out to a set of IP addresses.
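The bridge-or-intercept decision described above, and the single-host-then-subnet rollout, can be made concrete with a small rule matcher. This is an added example, not ActivStation code or any ActivNetworks API: it keeps the page's rule notation (SRC — DST:PORT → SERVICE, with trailing `*` octets as source wildcards), but the parser, the class and function names, and the sample connections are assumptions made for the example.

```python
"""Toy interception-rule matcher modelled on the ActivStation rule shown above.

Page-derived: the rule notation, the wildcard source and the rule that a
non-matching connection is bridged unchanged.  Assumed for this example: the
parser, the names InterceptRule/parse_rule/classify and the sample data.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class InterceptRule:
    sources: ipaddress.IPv4Network      # set of source addresses the rule applies to
    destination: ipaddress.IPv4Address  # single destination address
    port: int                           # destination port
    service: int                        # id of the service that receives the connection


def wildcard_to_network(src: str) -> ipaddress.IPv4Network:
    """Turn '192.168.5.*' into 192.168.5.0/24 and a plain host into a /32.

    Only trailing '*' octets are accepted, so a typo such as '192.*.5.1'
    is rejected instead of silently widening the set of intercepted sources.
    """
    octets = src.split(".")
    if len(octets) != 4:
        raise ValueError(f"bad source {src!r}")
    fixed = [o for o in octets if o != "*"]
    if octets[len(fixed):] != ["*"] * (4 - len(fixed)):
        raise ValueError(f"wildcards must be trailing in {src!r}")
    base = ".".join(fixed + ["0"] * (4 - len(fixed)))
    return ipaddress.IPv4Network(f"{base}/{8 * len(fixed)}", strict=True)


def parse_rule(text: str) -> InterceptRule:
    """Parse one rule line such as '192.168.5.* — 192.168.1.50:25 → 8'."""
    lhs, service = text.split("→")
    src, dst = lhs.split("—")
    dst_ip, port = dst.strip().rsplit(":", 1)
    return InterceptRule(
        sources=wildcard_to_network(src.strip()),
        destination=ipaddress.IPv4Address(dst_ip),
        port=int(port),
        service=int(service),
    )


def classify(rules: Iterable[InterceptRule], src: str, dst: str, dport: int) -> Optional[int]:
    """Return the service id of the first matching rule, or None when the
    connection is bridged unchanged from one port to the other."""
    s, d = ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst)
    for rule in rules:
        if s in rule.sources and d == rule.destination and dport == rule.port:
            return rule.service
    return None


# The rule from the page, plus an assumed host-only rule of the kind used to
# test a service on a single machine before widening it to a whole subnet.
RULES = [
    parse_rule("192.168.5.* — 192.168.1.50:25 → 8"),
    parse_rule("10.0.0.7 — 192.168.1.50:25 → 8"),
]

# Constructed connection attempts: (source, destination, destination port).
SAMPLE_CONNECTIONS = [
    ("192.168.5.17", "192.168.1.50", 25),   # matches the /24 rule -> service 8
    ("192.168.6.17", "192.168.1.50", 25),   # source outside the rule -> bridged
    ("192.168.5.17", "192.168.1.50", 80),   # wrong port -> bridged
    ("10.0.0.7", "192.168.1.50", 25),       # single-host rule -> service 8
    ("10.0.0.8", "192.168.1.50", 25),       # neighbour of that host -> bridged
]


def run_samples() -> List[Optional[int]]:
    """Classify every sample connection; None means 'bridged'."""
    return [classify(RULES, s, d, p) for s, d, p in SAMPLE_CONNECTIONS]


if __name__ == "__main__":
    for conn, outcome in zip(SAMPLE_CONNECTIONS, run_samples()):
        verdict = "bridged" if outcome is None else f"intercepted -> service {outcome}"
        print(f"{conn[0]} -> {conn[1]}:{conn[2]}  {verdict}")
```

Rules are evaluated in order and the first match wins, so a narrow host rule placed before a subnet rule behaves the way an incremental rollout needs: only the test host is diverted until the wider rule is added. Rejecting non-trailing wildcards is a deliberate safety check, since a rule that accidentally matches too many sources would divert traffic the operator never intended to intercept.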

Example

ActivStation is installed on a network with an initial configuration of three servers connected to the rest of the network through a switch.

The ActivStation is inserted between the switch and the network. The Ethernet cable is disconnected from the switch and connected to one of the ActivStation's two ports.

The only task to be performed is to "sever" the cable connection and "splice in" the ActivStation.
