It appears that some degree of programmability is inevitable within the network, whether it be through active networks, active services, or programmable middleware. We argue that programming network elements with languages designed for use within a single machine is inappropriate, since the only defense for the shared resource of the network is through the use of sandboxes, which are prone to performance problems and are difficult to implement correctly. Instead, we believe that new languages should be designed for programmable networks, using type systems that ensure safe programs, and encourage correct programs. We have designed and provided the full semantics for such a language, SafetyNet. Building upon this, we have implemented a compiler, run time environment and a simulation environment for our language. In this paper we describe the major features of the language that protect the network: abstracted locations; located objects; volatile routing; thread and class loading; and enforced resource counting. We show how these features are used in a number of small case studies, and in implementing optimised communication libraries. We describe the implications of the language design for the implementation of the run time support environment. The ease with which these demonstrations have been built and debugged shows the potential for enforcing network programming models with well-typed languages. (C) 2001 Elsevier Science B.V. All rights reserved.