Network control is decomposed in six parts: switch control, resource partitioning, virtual network building, virtual network control, generic services, and data-path components. Each of these parts can benefit from support for dynamically loadable code, which allows users to extend and customize the basic functionality. This is related to active networks, except that dynamic code exercises control at the granularity of connections (flows), rather than individual packets and all aspects of network control are explicitly considered. Network resources are recursively partitionable, so that dynamic code is able to control partitions of virtual networks in any way it sees fit. Policing these partitions may occur at varying levels of `strictness'.