Applications developed with the Junos SDK are protected in various ways, as follows:
- No Junos system processes, including those developed using the Junos SDK, can consume an excess amount of CPU or memory resources or write in the memory space of another process. In this way, the underlying operating system is protected, even if an application malfunction occurs.
- Running a developed application requires that it carry a valid signature and that a network administrator with the appropriate authorization load and enable it on a Junos device. By configuration defaults, no SDK applications can run on any Junos device unless an authorized administrator explicitly permits them, with options available to restrict the valid sources of the permitted applications. To complete the install, the administrator then explicitly loads the selected applications.
Some additional security features allow applications to protect themselves in various ways. This functionality includes the following:
- The modular design of the Junos Software protects both the operating system functions and the enabled SDK applications. SDK applications run on top of the operating system instead of being deeply embedded in it, which protects the security and stability of Junos Software. You have complete control over what SDK applications run in your networks.
- The ability to monitor application thrashing and to stop applications.
- Support for dumping application core files along with application-specific information for debugging failures. The system can also limit the number of core files.
- Restrictions on the amount of CPU, user memory, kernel memory, flash memory, and disk space that a partner application can use.
- The ability to authenticate other users and to track resource consumption using an authentication and accounting library, libjunos-aaa. The library is in your backing sandbox at
- The ability to enable and disable certain features of a daemon or plugin based on their license validity. The functions that handle licensing are in your backing sandbox at
SDK developers and router administrators can implement policies at a number of levels to enforce restrictions on the runtime environment (limits and access privileges) for SDK applications installed on the router:
- A system-wide, global policy file is included with the Junos release and applies to all SDK partner applications. This is referred to as a Level I policy.
- Junos SDK Developer Support can also provide SDK partners with a per-provider set of customized roles and constraints. This is known as a Level II policy.
- SDK developers can write their own Level III policy file for each SDK package to further restrict the contained environment within which the SDK applications run. For usage details, see Specifying Application Constraints.
- The system administrator can generate a Level IV policy that applies to all SDK applications. This policy is defined in the configuration DDL and specifies further restrictions for SDK applications installed on the router. This policy level allows router administrators to limit the impact of SDK applications more than the other policy levels. For more information on setting resource limits in configurations in the CLI, see Setting Administrator-Defined Resource Limits for SDK Applications in the SDK CLI Configuration section of this documentation.
The SDK licensing library allows applications to enable or disable features of a daemon or plugin based on their license validity. License keys are entered by the router administrator using CLI commands. Each licensed feature has a unique feature ID that Juniper Networks provides. SDK applications on the Routing Engine can use this feature ID to check the validity of the license for a given feature. Applications can also register to receive asynchronous notifications of license status, such as license expiration, license moving to a grace period, and license cap change (for scale licenses).
The licensing functions are in your backing sandbox at sandbox/src/junos/lib/libjunos-license/junos_license.h and are documented in the Junos SDK Library Reference.
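How the Level I through Level IV policies described above could combine into one effective resource limit, as an added example that is not Junos SDK code. It assumes each level can only tighten a limit, so the most restrictive value wins; the struct, function names, units and sample values are all hypothetical.

```c
/* Added illustration: a model of Level I-IV limit resolution, not Junos SDK code.
 * Assumption: every level may only tighten a limit, so the tightest value wins. */
#include <stdio.h>

enum { R_CPU, R_USER_MEM, R_KERN_MEM, R_FLASH, R_DISK, R_COUNT };
enum { LEVELS = 4 };          /* index 0 = Level I ... index 3 = Level IV */
#define UNSET 0UL             /* a level that says nothing about a resource */

static const char *const res_name[R_COUNT] = {
    "cpu_pct", "user_mem_kb", "kernel_mem_kb", "flash_kb", "disk_kb" };

struct policy { unsigned long limit[R_COUNT]; };

/* Effective limit for one resource; *binding gets the 1-based level that set it,
 * or 0 when no level constrains the resource (the function then returns UNSET). */
unsigned long effective_limit(const struct policy lv[LEVELS], int res, int *binding)
{
    unsigned long best = UNSET;
    *binding = 0;
    for (int i = 0; i < LEVELS; i++) {
        unsigned long v = lv[i].limit[res];
        if (v != UNSET && (best == UNSET || v < best)) {
            best = v;           /* tighter than anything seen so far */
            *binding = i + 1;
        }
    }
    return best;
}

/* Constructed sample values, not taken from any Junos release. */
const struct policy sample[LEVELS] = {
    { { 80, 262144, 65536, 32768, 1048576 } },    /* Level I: global policy file */
    { { 60, UNSET, UNSET, 16384, UNSET } },       /* Level II: per-provider */
    { { UNSET, 131072, UNSET, UNSET, 524288 } },  /* Level III: per-package */
    { { 25, UNSET, UNSET, UNSET, 262144 } },      /* Level IV: administrator */
};

int main(void)
{
    for (int r = 0; r < R_COUNT; r++) {
        int lvl;
        unsigned long v = effective_limit(sample, r, &lvl);
        printf("%-14s %8lu  (bound by level %d)\n", res_name[r], v, lvl);
    }
    return 0;
}
```

Reporting the binding level alongside the value shows an administrator whether a limit comes from their own Level IV configuration or from a policy shipped with the release or the package.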
© 2007-2009 Juniper Networks, Inc. All rights reserved. The information contained herein is confidential information of Juniper Networks, Inc., and may not be used, disclosed, distributed, modified, or copied without the prior written consent of Juniper Networks, Inc. in an express license. This information is subject to change by Juniper Networks, Inc. Juniper Networks, the Juniper Networks logo, and JUNOS are registered trademarks of Juniper Networks, Inc. in the United States and other countries. All other trademarks, service marks, registered trademarks, or registered service marks are the property of their respective owners.
Generated on Sun May 30 20:26:47 2010 for Juniper Networks Partner Solution Development Platform JUNOS SDK 10.2R1 by Doxygen 1.4.5